Fix retreiveID token when encryption and compression are enabled (#690)

p53 · web-flow · commit fd6d73117ad2 · 2026-02-27T19:37:43.000+01:00
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -2803,6 +2803,110 @@ var _ = Describe("Code Flow login/logout DisableLogoutAuth", func() {
 	})
 })
 
+var _ = Describe("Code Flow login/logout compressed and encrypted ID token", func() {
+	var portNum string
+	var proxyAddress string
+	errGroup, _ := errgroup.WithContext(context.Background())
+	var server *http.Server
+
+	AfterEach(func() {
+		if server != nil {
+			err := server.Shutdown(context.Background())
+			Expect(err).NotTo(HaveOccurred())
+		}
+		if errGroup != nil {
+			err := errGroup.Wait()
+			Expect(err).NotTo(HaveOccurred())
+		}
+	})
+
+	BeforeEach(func() {
+		var err error
+		var upstreamSvcPort string
+
+		server, upstreamSvcPort = startAndWaitTestUpstream(errGroup, false, false, false)
+		portNum, err = generateRandomPort()
+		Expect(err).NotTo(HaveOccurred())
+		proxyAddress = localURI + portNum
+
+		proxyArgs := []string{
+			"--discovery-url=" + idpRealmURI,
+			"--openid-provider-timeout=300s",
+			"--tls-openid-provider-ca-certificate=" + tlsCaCertificate,
+			"--tls-openid-provider-client-certificate=" + tlsCertificate,
+			"--tls-openid-provider-client-private-key=" + tlsPrivateKey,
+			"--listen=" + allInterfaces + portNum,
+			"--client-id=" + testClient,
+			"--client-secret=" + testClientSecret,
+			"--upstream-url=" + localURI + upstreamSvcPort,
+			"--no-redirects=false",
+			"--skip-access-token-clientid-check=true",
+			"--skip-access-token-issuer-check=true",
+			"--enable-idp-session-check=false",
+			"--enable-default-deny=false",
+			"--enable-logout-redirect=true",
+			"--enable-id-token-cookie=true",
+			"--post-logout-redirect-uri=https://" + testExternalURI,
+			"--resources=uri=/*|roles=uma_authorization,offline_access",
+			"--openid-provider-retry-count=30",
+			"--enable-refresh-tokens=true",
+			"--encryption-key=" + testKey,
+			"--secure-cookie=false",
+			"--post-login-redirect-path=" + postLoginRedirectPath,
+			"--enable-register-handler=true",
+			"--enable-pkce=false",
+			"--tls-cert=" + tlsCertificate,
+			"--tls-private-key=" + tlsPrivateKey,
+			"--upstream-ca=" + tlsCaCertificate,
+			"--enable-encrypted-token=true",
+			"--enable-logout-auth=false",
+			"--enable-compress-token=true",
+		}
+
+		osArgs := make([]string, 0, 1+len(proxyArgs))
+		osArgs = append(osArgs, os.Args[0])
+		osArgs = append(osArgs, proxyArgs...)
+		startAndWait(portNum, osArgs)
+	})
+
+	When("Performing standard login", func() {
+		It("should login with user/password and logout with redirect successfully",
+			Label("code_flow"),
+			Label("compressed_encrypted_id_token"),
+			func(_ context.Context) {
+				var err error
+				rClient := resty.New()
+				rClient.SetTLSClientConfig(&tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS13})
+				resp := codeFlowLogin(rClient, proxyAddress, http.StatusOK, testUser, testPass)
+				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
+				body := resp.Body()
+				Expect(strings.Contains(string(body), postLoginRedirectPath)).To(BeTrue())
+				Expect(err).NotTo(HaveOccurred())
+
+				By("make another request with access token")
+				resp, err = rClient.R().Get(proxyAddress + anyURI)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
+				body = resp.Body()
+				Expect(strings.Contains(string(body), anyURI)).To(BeTrue())
+				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+
+				By("log out")
+				//nolint:gosec
+				rClient.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+				resp, err = rClient.R().Get(proxyAddress + logoutURI)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+				Expect(strings.Contains(string(resp.Body()), testExternalURI)).To(BeTrue())
+
+				rClient.SetRedirectPolicy(resty.NoRedirectPolicy())
+				resp, _ = rClient.R().Get(proxyAddress)
+				Expect(resp.StatusCode()).To(Equal(http.StatusSeeOther))
+			},
+		)
+	})
+})
+
 var _ = Describe("Code Flow Request Upstream Compression", func() {
 	var portNum1 string
 	var proxyAddress1 string
diff --git a/pkg/proxy/handlers/handlers.go b/pkg/proxy/handlers/handlers.go
@@ -126,7 +126,7 @@ func RetrieveIDToken(
 		}
 
 		if enableCompressToken {
-			token, err = session.DecryptAndDecompressToken(token, encryptionKey)
+			token, err = session.DecryptAndDecompressToken(encrypted, encryptionKey)
 			if err != nil {
 				return "", "", errors.Join(apperrors.ErrDecryptAndDecompressToken, err)
 			}

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ func RetrieveIDToken(`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`if enableCompressToken {`
`129`		`- token, err = session.DecryptAndDecompressToken(token, encryptionKey)`
	`129`	`+ token, err = session.DecryptAndDecompressToken(encrypted, encryptionKey)`
`130`	`130`	`if err != nil {`
`131`	`131`	`return "", "", errors.Join(apperrors.ErrDecryptAndDecompressToken, err)`
`132`	`132`	`}`