From 4e834896a1c68cd536971dcfff7c3afbcff637ae Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Mon, 17 Oct 2022 10:51:35 +0200
Subject: OAuth: Implement Authorization Server Issuer Identification (ISS)

- This patch implements ISS checking according to RFC 9207 https://datatracker.ietf.org/doc/html/rfc9207
- This tries to prevent so called "mix-up" attacks where the client is fooled into authorizing with an honest AS through a malicious entity
---
 internal/server/common.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'internal/server/common.go')

diff --git a/internal/server/common.go b/internal/server/common.go
index fcba07f..2ab282d 100644
--- a/internal/server/common.go
+++ b/internal/server/common.go
@@ -253,8 +253,21 @@ func ShouldRenewButton(server Server) bool {
 return true
 }
 
+func GetISS(server Server) (string, error) {
+ base, baseErr := server.GetBase()
+ if baseErr != nil {
+ return "", &types.WrappedErrorMessage{Message: "failed getting server ISS", Err: baseErr}
+ }
+ // The base URL does not end with a /, but the ISS does
+ return base.URL + "/", nil
+}
+
 func GetOAuthURL(server Server, name string) (string, error) {
- return server.GetOAuth().GetAuthURL(name, server.GetTemplateAuth())
+ iss, issErr := GetISS(server)
+ if issErr != nil {
+ return "", issErr
+ }
+ return server.GetOAuth().GetAuthURL(name, iss, server.GetTemplateAuth())
 }
 
 func OAuthExchange(server Server) error {
-- cgit v1.2.3
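Review bot: GetISS derives the expected issuer identifier by concatenating `base.URL + "/"`, whereas RFC 9207 §2.4 requires the client to compare the `iss` response parameter by exact string match against the issuer identifier it obtained from the AS metadata (the `issuer` field of RFC 8414), so the value handed to GetAuthURL rests on an unstated assumption that the AS advertises exactly base-URL-plus-slash; if the AS ever uses a different form (no trailing slash, a path component, different host case) the check fails closed, and if `base.URL` already ends in `/` the result silently becomes `//`. Replacing the return with `return strings.TrimSuffix(base.URL, "/") + "/", nil` (needs `strings` imported, not visible in this hunk) removes the double-slash case, and the comment above it should state the contract, e.g. `// Must equal the AS metadata "issuer" value byte-for-byte (RFC 9207 §2.4, RFC 8414); derived from the base URL because metadata is not fetched here.` Whether GetAuthURL stores this value and actually rejects a missing or mismatching `iss` on the authorization response is outside this hunk, so the mix-up protection the commit message claims cannot be confirmed from this change alone. Both new exported functions also lack doc comments; at minimum `// GetISS returns the issuer identifier this client expects in the iss authorization-response parameter for the server's AS (RFC 9207).` and `// GetOAuthURL builds the authorization URL for name, binding the expected issuer so the response can be validated against it.` would do.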