Fix returned token encoding

nacx · nacx · commit 9725ce99d08f · 2024-02-23T16:13:06.000+01:00
diff --git a/internal/authz/oidc.go b/internal/authz/oidc.go
@@ -731,18 +731,26 @@ func (o *oidcHandler) encodeTokensToHeaders(tokens *oidc.TokenResponse) map[stri
 	headers := make(map[string]string)
 
 	// Always add the ID token to the headers
-	headers[o.config.GetIdToken().GetHeader()] = o.config.IdToken.GetPreamble() + " " + oidc.EncodeToken(tokens.IDToken)
+	headers[o.config.GetIdToken().GetHeader()] = encodeHeaderValue(o.config.IdToken.GetPreamble(), tokens.IDToken)
 
 	if o.config.GetAccessToken() == nil || tokens.AccessToken == "" {
 		return headers
 	}
 
 	// If there is an access token and config enables it, add it to the headers
-	headers[o.config.GetAccessToken().GetHeader()] = o.config.GetAccessToken().GetPreamble() + " " + oidc.EncodeToken(tokens.AccessToken)
+	headers[o.config.GetAccessToken().GetHeader()] = encodeHeaderValue(o.config.GetAccessToken().GetPreamble(), tokens.AccessToken)
 
 	return headers
 }
 
+// encodeHeaderValue encodes the value with the given preamble, if any
+func encodeHeaderValue(preamble string, value string) string {
+	if preamble != "" {
+		return preamble + " " + value
+	}
+	return value
+}
+
 // areRequiredTokensExpired checks if the required tokens are expired.
 func (o *oidcHandler) areRequiredTokensExpired(tokens *oidc.TokenResponse) (bool, error) {
 	idToken, err := tokens.ParseIDToken()
diff --git a/internal/authz/oidc_test.go b/internal/authz/oidc_test.go
@@ -1152,10 +1152,8 @@ func TestMatchesLogoutPath(t *testing.T) {
 
 func TestEncodeTokensToHeaders(t *testing.T) {
 	const (
-		idToken        = "id-token"
-		accessToken    = "access-token"
-		idTokenB64     = "aWQtdG9rZW4="
-		accessTokenB64 = "YWNjZXNzLXRva2Vu"
+		idToken     = "id-token"
+		accessToken = "access-token"
 	)
 
 	tests := []struct {
@@ -1171,7 +1169,7 @@ func TestEncodeTokensToHeaders(t *testing.T) {
 			},
 			idToken: idToken, accessToken: "",
 			want: map[string]string{
-				"Authorization": "Bearer " + idTokenB64,
+				"Authorization": "Bearer " + idToken,
 			},
 		},
 		{
@@ -1182,8 +1180,8 @@ func TestEncodeTokensToHeaders(t *testing.T) {
 			},
 			idToken: idToken, accessToken: accessToken,
 			want: map[string]string{
-				"Authorization":  "Bearer " + idTokenB64,
-				"X-Access-Token": "Bearer " + accessTokenB64,
+				"Authorization":  "Bearer " + idToken,
+				"X-Access-Token": "Bearer " + accessToken,
 			},
 		},
 		{
@@ -1194,8 +1192,8 @@ func TestEncodeTokensToHeaders(t *testing.T) {
 			},
 			idToken: idToken, accessToken: accessToken,
 			want: map[string]string{
-				"X-Id-Token":           "Other " + idTokenB64,
-				"X-Access-Token-Other": "Other " + accessTokenB64,
+				"X-Id-Token":           "Other " + idToken,
+				"X-Access-Token-Other": "Other " + accessToken,
 			},
 		},
 		{
@@ -1206,7 +1204,7 @@ func TestEncodeTokensToHeaders(t *testing.T) {
 			},
 			idToken: idToken, accessToken: "",
 			want: map[string]string{
-				"Authorization": "Bearer " + idTokenB64,
+				"Authorization": "Bearer " + idToken,
 			},
 		},
 		{
@@ -1216,7 +1214,19 @@ func TestEncodeTokensToHeaders(t *testing.T) {
 			},
 			idToken: idToken, accessToken: accessToken,
 			want: map[string]string{
-				"Authorization": "Bearer " + idTokenB64,
+				"Authorization": "Bearer " + idToken,
+			},
+		},
+		{
+			name: "config with out preamble",
+			config: &oidcv1.OIDCConfig{
+				IdToken:     &oidcv1.TokenConfig{Header: "X-ID-Token"},
+				AccessToken: &oidcv1.TokenConfig{Header: "X-Access-Token"},
+			},
+			idToken: idToken, accessToken: accessToken,
+			want: map[string]string{
+				"X-ID-Token":     idToken,
+				"X-Access-Token": accessToken,
 			},
 		},
 	}
diff --git a/internal/oidc/token.go b/internal/oidc/token.go
@@ -15,7 +15,6 @@
 package oidc
 
 import (
-	"encoding/base64"
 	"time"
 
 	"github.com/lestrrat-go/jwx/jwt"
@@ -36,8 +35,3 @@ func (t *TokenResponse) ParseIDToken() (jwt.Token, error) { return ParseToken(t.
 func ParseToken(token string) (jwt.Token, error) {
 	return jwt.Parse([]byte(token), jwt.WithValidate(false))
 }
-
-// EncodeToken returns the base64 encoded string representation of the token. Compatible with HTTP headers.
-func EncodeToken(token string) string {
-	return base64.URLEncoding.EncodeToString([]byte(token))
-}
diff --git a/internal/oidc/token_test.go b/internal/oidc/token_test.go
@@ -50,7 +50,3 @@ func newToken() string {
 	signed, _ := jwt.Sign(token, jwa.HS256, []byte("key"))
 	return string(signed)
 }
-
-func TestEncodeToken(t *testing.T) {
-	require.Equal(t, "dGVzdA==", EncodeToken("test"))
-}

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,3 @@ func newToken() string {`
`50`	`50`	`signed, _ := jwt.Sign(token, jwa.HS256, []byte("key"))`
`51`	`51`	`return string(signed)`
`52`	`52`	`}`
`53`		`-`
`54`		`-func TestEncodeToken(t *testing.T) {`
`55`		`- require.Equal(t, "dGVzdA==", EncodeToken("test"))`
`56`		`-}`