always treat invalid id_tokens as an error

zmartzone · May 26, 2018 · 13516c4 · 13516c4
1 parent b27009f
commit 13516c4
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 12 deletions.
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1108,6 +1108,14 @@ local function openidc_access_token(opts, session, try_to_renew)
   if err then
     return nil, err
   end
+  local id_token
+  if json.id_token then
+    id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
+    if err then
+      ngx.log(ngx.ERR, "invalid id token, discarding tokens returned while refreshing")
+      return nil, err
+    end
+  end
   ngx.log(ngx.DEBUG, "access_token refreshed: ", json.access_token, " updated refresh_token: ", json.refresh_token)
 
   session:start()
@@ -1119,21 +1127,11 @@ local function openidc_access_token(opts, session, try_to_renew)
 
   if json.id_token and
     (store_in_session(opts, 'enc_id_token') or store_in_session(opts, 'id_token')) then
-
     ngx.log(ngx.DEBUG, "id_token refreshed: ", json.id_token)
     if store_in_session(opts, 'enc_id_token') then
       session.data.enc_id_token = json.id_token
     end
     if store_in_session(opts, 'id_token') then
-      local id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
-      if err then
-        ngx.log(ngx.ERR, "invalid id token, discarding tokens returned while refreshing")
-        session.data.access_token = nil
-        session.data.access_token_expiration = nil
-        session.data.refresh_token = nil
-        session:save()
-        return nil, err
-      end
       session.data.id_token = id_token
     end
   end

diff --git a/tests/spec/token_refresh_spec.lua b/tests/spec/token_refresh_spec.lua
@@ -194,8 +194,8 @@ describe("if refresh contains an invalid id_token", function()
     redirect = false,
     headers = { cookie = cookies },
   })
-  it ("the id token gets refreshed", function()
-    assert.error_log_contains("id_token refreshed")
+  it ("the id token doesn't get refreshed", function()
+    assert.is_not.error_log_contains("id_token refreshed")
   end)
   it("the tokens are rejected", function()
     assert.error_log_contains("invalid id token, discarding tokens returned while refreshing")