oidc/oauth2: use an opaque state

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 23:00:55 +03:00 · 2024-11-11 19:43:57 +01:00
parent f22ec2275f
commit 4cb6acefb2
2 changed files with 11 additions and 5 deletions
--- a/internal/httpd/oidc.go
+++ b/internal/httpd/oidc.go
@@ -16,6 +16,7 @@ package httpd

 import (
 	"context"
+	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -203,9 +204,12 @@ type oidcPendingAuth struct {
 }

 func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
+	state := sha256.Sum256(util.GenerateRandomBytes(32))
+	nonce := util.GenerateUniqueID()
+
 	return oidcPendingAuth{
-		State:    xid.New().String(),
-		Nonce:    hex.EncodeToString(util.GenerateRandomBytes(20)),
+		State:    hex.EncodeToString(state[:]),
+		Nonce:    nonce,
 		Audience: audience,
 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
 	}