Added option to disable access token hash verification

MarcelCoding · MarcelCoding · commit 92a18019bf3a · 2023-10-31T15:10:09.000+01:00
diff --git a/README.md b/README.md
@@ -59,7 +59,9 @@ services:
                                                  #    space seperated list of allowed actions (OPTIONAL), see
                                                  #    https://github.com/MarcelCoding/jitsi-openid/issues/122
     # - 'SCOPES=openid email jitsi'              # <- OpenID Scopes, space seperated list of scopes (OPTIONAL),
-                                                 # default: openid email
+                                                 #    default: openid email
+    # - 'VERIFY_ACCESS_TOKEN_HASH=false          # <- explicitly disable access token hash verification (OPTIONAL),
+                                                 #    default: true
     ports:
       - '3000:3000'
 
diff --git a/src/cfg.rs b/src/cfg.rs
@@ -25,6 +25,8 @@ pub(crate) struct Cfg {
   #[serde(default)]
   #[serde(deserialize_with = "string_array2")]
   pub(crate) scopes: Option<Vec<String>>,
+  #[serde(default)]
+  pub(crate) verify_access_token_hash: Option<bool>,
 }
 
 fn default_listen_addr() -> SocketAddr {
diff --git a/src/routes.rs b/src/routes.rs
@@ -196,31 +196,33 @@ fn id_token_claims(
     }
   }
 
-  match claims.access_token_hash() {
-    Some(expected_access_token_hash) => {
-      let algorithm = id_token.signing_alg().map_err(|err| {
-        warn!(
-          "Authentication failed, UnsupportedSigningAlgorithm: {:?}",
-          err
-        );
-        UnsupportedSigningAlgorithm
-      })?;
-
-      let actual_access_token_hash =
-        AccessTokenHash::from_token(response.access_token(), &algorithm).map_err(|err| {
+  if config.verify_access_token_hash.unwrap_or(true) {
+    match claims.access_token_hash() {
+      Some(expected_access_token_hash) => {
+        let algorithm = id_token.signing_alg().map_err(|err| {
           warn!(
             "Authentication failed, UnsupportedSigningAlgorithm: {:?}",
             err
           );
           UnsupportedSigningAlgorithm
         })?;
 
-      if &actual_access_token_hash != expected_access_token_hash {
-        return Err(InvalidAccessToken);
+        let actual_access_token_hash =
+          AccessTokenHash::from_token(response.access_token(), &algorithm).map_err(|err| {
+            warn!(
+              "Authentication failed, UnsupportedSigningAlgorithm: {:?}",
+              err
+            );
+            UnsupportedSigningAlgorithm
+          })?;
+
+        if &actual_access_token_hash != expected_access_token_hash {
+          return Err(InvalidAccessToken);
+        }
       }
-    }
-    None => return Err(MissingAccessTokenHash),
-  };
+      None => return Err(MissingAccessTokenHash),
+    };
+  }
 
   let uid = match claims.preferred_username() {
     Some(name) => name.to_string(),

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ pub(crate) struct Cfg {`
`25`	`25`	`#[serde(default)]`
`26`	`26`	`#[serde(deserialize_with = "string_array2")]`
`27`	`27`	`pub(crate) scopes: Option<Vec<String>>,`
	`28`	`+ #[serde(default)]`
	`29`	`+ pub(crate) verify_access_token_hash: Option<bool>,`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`fn default_listen_addr() -> SocketAddr {`