Validate token_type case-insensitively (#256)

* Validate token_type case-insensitive Signed-off-by: Joseph Petitti <[email protected]> * Fix indentation Signed-off-by: Joseph Petitti <[email protected]> --------- Signed-off-by: Joseph Petitti <[email protected]>
istio-ecosystem · May 13, 2024 · 0d8008e · 0d8008e
1 parent 98a764d
commit 0d8008e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/internal/authz/oidc.go b/internal/authz/oidc.go
@@ -528,7 +528,7 @@ func performIDPRequest(log telemetry.Logger, client *http.Client, uri string, fo
 // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
 func isValidIDPNewTokensResponse(log telemetry.Logger, config *oidcv1.OIDCConfig, tokenResponse *idpTokensResponse) bool {
  // token_type must be Bearer
- if tokenResponse.TokenType != "Bearer" {
+ if !strings.EqualFold(tokenResponse.TokenType, "Bearer") {
  log.Info("token type is not Bearer in token response", "token-type", tokenResponse.TokenType)
  return false
  }
@@ -553,7 +553,7 @@ func isValidIDPNewTokensResponse(log telemetry.Logger, config *oidcv1.OIDCConfig
 // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
 func isValidIDPRefreshTokenResponse(log telemetry.Logger, tokenResponse *idpTokensResponse) bool {
  // token_type must be Bearer
- if tokenResponse.TokenType != "Bearer" {
+ if !strings.EqualFold(tokenResponse.TokenType, "Bearer") {
  log.Info("token type is not Bearer in token response", "token-type", tokenResponse.TokenType)
  return false
  }

diff --git a/internal/authz/oidc_test.go b/internal/authz/oidc_test.go
@@ -868,6 +868,24 @@ func TestOIDCProcess(t *testing.T) {
  requireStoredState(t, store, sessionID, false)
  },
  },
+ {
+ name: "IDP server returns lowercase 'bearer' token, succeeds",
+ req: withSessionHeader,
+ storedTokenResponse: expiredTokenResponse,
+ mockTokensResponse: &idpTokensResponse{
+ IDToken: validIDToken,
+ AccessToken: "access-token",
+ TokenType: "bearer",
+ ExpiresIn: 10,
+ },
+ responseVerify: func(t *testing.T, resp *envoy.CheckResponse) {
+ require.Equal(t, int32(codes.OK), resp.GetStatus().GetCode())
+ require.NotNil(t, resp.GetOkResponse())
+ requireTokensInResponse(t, resp.GetOkResponse(), basicOIDCConfig, validIDToken, "access-token")
+ requireStoredTokens(t, store, sessionID, true)
+ requireStoredTokens(t, store, newSessionID, false)
+ },
+ },
  {
  name: "succeed",
  req: withSessionHeader,