update openidconnect

kitsune-soc · Apr 22, 2024 · a713716 · a713716
1 parent dcb721d
commit a713716
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 30 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/kitsune-oidc/Cargo.toml b/crates/kitsune-oidc/Cargo.toml
@@ -8,14 +8,14 @@ license.workspace = true
 [dependencies]
 enum_dispatch = "0.3.13"
 http = "1.1.0"
-http-compat = { path = "../../lib/http-compat" }
 kitsune-config = { path = "../kitsune-config" }
 kitsune-error = { path = "../kitsune-error" }
 kitsune-http-client = { path = "../kitsune-http-client" }
 moka = { version = "0.12.7", features = ["future"] }
 multiplex-pool = { path = "../../lib/multiplex-pool" }
+oauth2 = { version = "5.0.0-alpha.4", default-features = false }
 once_cell = "1.19.0"
-openidconnect = { version = "3.5.0", default-features = false, features = [
+openidconnect = { version = "4.0.0-alpha.1", default-features = false, features = [
     # Accept these two, per specification invalid, cases to increase compatibility
     "accept-rfc3339-timestamps",
     "accept-string-booleans",

diff --git a/crates/kitsune-oidc/src/http.rs b/crates/kitsune-oidc/src/http.rs
@@ -1,22 +1,16 @@
-use http::Request;
-use http_compat::Compat;
 use kitsune_http_client::Client as HttpClient;
 use once_cell::sync::Lazy;
 use openidconnect::{HttpRequest, HttpResponse};
 
 static HTTP_CLIENT: Lazy<HttpClient> = Lazy::new(HttpClient::default);
 
 pub async fn async_client(req: HttpRequest) -> Result<HttpResponse, kitsune_http_client::Error> {
-    let mut request = Request::builder()
-        .method(req.method.compat())
-        .uri(req.url.as_str());
-    *request.headers_mut().unwrap() = req.headers.compat();
-    let request = request.body(req.body.into()).unwrap();
-    let response = HTTP_CLIENT.execute(request).await?;
+    let response = HTTP_CLIENT.execute(req.map(Into::into)).await?;
 
-    Ok(HttpResponse {
-        status_code: response.status().compat(),
-        headers: response.headers().clone().compat(),
-        body: response.bytes().await?.to_vec(),
-    })
+    let mut builder = http::Response::builder()
+        .status(response.status())
+        .version(response.version());
+    *builder.headers_mut().unwrap() = response.headers().clone();
+
+    Ok(builder.body(response.bytes().await?.to_vec()).unwrap())
 }
diff --git a/crates/kitsune-oidc/src/lib.rs b/crates/kitsune-oidc/src/lib.rs
@@ -13,6 +13,38 @@ use openidconnect::{
 use speedy_uuid::Uuid;
 use url::Url;
 
+type OidcClient = openidconnect::Client<
+    openidconnect::EmptyAdditionalClaims,
+    openidconnect::core::CoreAuthDisplay,
+    openidconnect::core::CoreGenderClaim,
+    openidconnect::core::CoreJweContentEncryptionAlgorithm,
+    openidconnect::core::CoreJsonWebKey,
+    openidconnect::core::CoreAuthPrompt,
+    openidconnect::StandardErrorResponse<oauth2::basic::BasicErrorResponseType>,
+    openidconnect::StandardTokenResponse<
+        openidconnect::IdTokenFields<
+            openidconnect::EmptyAdditionalClaims,
+            openidconnect::EmptyExtraTokenFields,
+            openidconnect::core::CoreGenderClaim,
+            openidconnect::core::CoreJweContentEncryptionAlgorithm,
+            openidconnect::core::CoreJwsSigningAlgorithm,
+        >,
+        oauth2::basic::BasicTokenType,
+    >,
+    openidconnect::StandardTokenIntrospectionResponse<
+        openidconnect::EmptyExtraTokenFields,
+        oauth2::basic::BasicTokenType,
+    >,
+    oauth2::StandardRevocableToken,
+    openidconnect::StandardErrorResponse<openidconnect::RevocationErrorResponseType>,
+    openidconnect::EndpointSet,
+    openidconnect::EndpointNotSet,
+    openidconnect::EndpointNotSet,
+    openidconnect::EndpointNotSet,
+    openidconnect::EndpointMaybeSet,
+    openidconnect::EndpointMaybeSet,
+>;
+
 mod state;
 
 pub mod http;
@@ -36,7 +68,7 @@ pub struct UserInfo {
 
 #[derive(Clone)]
 pub struct OidcService {
-    client: CoreClient,
+    client: OidcClient,
     login_state_store: self::state::AnyStore,
 }
 
@@ -45,7 +77,7 @@ impl OidcService {
     pub async fn initialise(config: &Configuration, redirect_uri: String) -> Result<Self> {
         let provider_metadata = CoreProviderMetadata::discover_async(
             IssuerUrl::new(config.server_url.to_string())?,
-            self::http::async_client,
+            &self::http::async_client,
         )
         .await?;
 
@@ -125,20 +157,22 @@ impl OidcService {
 
         let token_response = self
             .client
-            .exchange_code(AuthorizationCode::new(authorization_code))
+            .exchange_code(AuthorizationCode::new(authorization_code))?
             .set_pkce_verifier(pkce_verifier)
-            .request_async(self::http::async_client)
+            .request_async(&self::http::async_client)
             .await?;
 
         let id_token = token_response
             .id_token()
             .ok_or_else(|| kitsune_error!("missing id token"))?;
+        let id_token_verifier = self.client.id_token_verifier();
         let claims = id_token.claims(&self.client.id_token_verifier(), &nonce)?;
 
         if let Some(expected_hash) = claims.access_token_hash() {
             let actual_hash = AccessTokenHash::from_token(
                 token_response.access_token(),
-                &id_token.signing_alg()?,
+                id_token.signing_alg()?,
+                id_token.signing_key(&id_token_verifier)?,
             )?;
 
             if actual_hash != *expected_hash {