@ -655,17 +655,18 @@ func parseAndVerifyWireAccessToken(v wireVerifyParams) (*wireAccessToken, *wireD
}
if err := wireDpop.ValidateWithLeeway(jose.Expected{
Time: v.t,
Issuer: v.issuer,
Time: v.t,
//Issuer: v.issuer, // TODO(hs): doesn't seem to be set as claim in e2e test?
}, 1*time.Minute); err != nil {
return nil, nil, fmt.Errorf("failed DPoP validation: %w", err)
}
if wireDpop.Expiry.Time().After(v.t.Add(time.Hour * 24 * 365)) {
return nil, nil, fmt.Errorf("'exp' %s is too far into the future", wireDpop.Expiry.Time().String())
}
if wireDpop.ClientID != v.wireID.ClientID {
return nil, nil, fmt.Errorf("DPoP contains invalid Wire client ID %q", wireDpop.ClientID)
}
// TODO(hs): doesn't seem to be set as claim in e2e test?
// if wireDpop.ClientID != v.wireID.ClientID {
// return nil, nil, fmt.Errorf("DPoP contains invalid Wire client ID %q", wireDpop.ClientID)
// }
if wireDpop.Challenge != accessToken.Challenge {
return nil, nil, fmt.Errorf("DPoP contains invalid challenge %q", wireDpop.Challenge)
}