oidc/oauth2: use an opaque state

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 23:00:55 +03:00 · 2024-11-11 19:43:57 +01:00
parent f22ec2275f
commit 4cb6acefb2
2 changed files with 11 additions and 5 deletions
--- a/internal/httpd/oauth2.go
+++ b/internal/httpd/oauth2.go
@@ -15,13 +15,13 @@
 package httpd

 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"sync"
 	"time"

-	"github.com/rs/xid"
-
 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
 	"github.com/drakkan/sftpgo/v2/internal/kms"
 	"github.com/drakkan/sftpgo/v2/internal/logger"
@@ -53,8 +53,10 @@ type oauth2PendingAuth struct {
 }

 func newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth {
+	state := sha256.Sum256(util.GenerateRandomBytes(32))
+
 	return oauth2PendingAuth{
-		State:        xid.New().String(),
+		State:        hex.EncodeToString(state[:]),
 		Provider:     provider,
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
--- a/internal/httpd/oidc.go
+++ b/internal/httpd/oidc.go
@@ -16,6 +16,7 @@ package httpd

 import (
 	"context"
+	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -203,9 +204,12 @@ type oidcPendingAuth struct {
 }

 func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
+	state := sha256.Sum256(util.GenerateRandomBytes(32))
+	nonce := util.GenerateUniqueID()
+
 	return oidcPendingAuth{
-		State:    xid.New().String(),
-		Nonce:    hex.EncodeToString(util.GenerateRandomBytes(20)),
+		State:    hex.EncodeToString(state[:]),
+		Nonce:    nonce,
 		Audience: audience,
 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
 	}