fix: oidc 支持nonce

xiaojunnuo
2025-12-03 22:00:35 +08:00
parent 2ea3810980
commit a5ca41131b
@@ -90,24 +90,16 @@ export class OidcOauthProvider extends BaseAddon implements IOauthProvider {
code_challenge, code_challenge,
code_challenge_method: 'S256', code_challenge_method: 'S256',
state, state,
nonce: client.randomNonce(),
} }
// if (!config.serverMetadata().supportsPKCE()) {
// /**
// * We cannot be sure the server supports PKCE so we're going to use state too.
// * Use of PKCE is backwards compatible even if the AS doesn't support it which
// * is why we're using it regardless. Like PKCE, random state must be generated
// * for every redirect to the authorization_endpoint.
// */
// parameters.state = client.randomState()
// }
let redirectTo = client.buildAuthorizationUrl(config, parameters) let redirectTo = client.buildAuthorizationUrl(config, parameters)
return { return {
loginUrl: redirectTo.href, loginUrl: redirectTo.href,
ticketValue: { ticketValue: {
codeVerifier: code_verifier, codeVerifier: code_verifier,
state, state,
nonce: parameters.nonce,
}, },
}; };
} }
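Review bot: The `ticketValue` returned here (`codeVerifier`, `state`, `nonce`) only protects the callback if the callback refuses to proceed without it, but in the second hunk `req.ticketValue.state` and `req.ticketValue.nonce` are dereferenced with no presence check, so an absent or expired ticket surfaces as a TypeError instead of a deliberate rejection, and a ticket with a missing field would pass `undefined` into the `expectedState`/`expectedNonce` checks. At the top of the callback (its function begins outside that hunk) add `const { codeVerifier, state, nonce } = req.ticketValue ?? {};` followed by `if (!codeVerifier || !state || !nonce) throw new Error('oidc login ticket missing or expired');` and use those locals in the `authorizationCodeGrant` checks. Where the ticket is persisted is not visible in this diff; a comment on the return object such as `// ticketValue must be stored server-side (or in an integrity-protected, session-bound cookie) and consumed once; the callback verifies state, PKCE and nonce against it` would record that assumption for the next maintainer. The rendered hunk counts (-90,24 +90,16) do not match the visible lines exactly, so one line of this hunk appears to have been dropped by the page rendering, presumably a blank line.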
@@ -120,8 +112,9 @@ export class OidcOauthProvider extends BaseAddon implements IOauthProvider {
config, config,
req.currentURL, req.currentURL,
{ {
expectedState: client.skipStateCheck , expectedState: req.ticketValue.state,
pkceCodeVerifier: req.ticketValue.codeVerifier, pkceCodeVerifier: req.ticketValue.codeVerifier,
expectedNonce: req.ticketValue.nonce,
} }
) )