비활성화 클라이언트 OIDC 인증 차단 로직 구현
@@ -1558,6 +1558,18 @@ func (h *AuthHandler) PasswordLogin(c *fiber.Ctx) error {
|
|||||||
// --- OIDC 로그인 흐름 처리 ---
|
// --- OIDC 로그인 흐름 처리 ---
|
||||||
if req.LoginChallenge != "" {
|
if req.LoginChallenge != "" {
|
||||||
slog.Info("OIDC login flow detected", "challenge", req.LoginChallenge)
|
slog.Info("OIDC login flow detected", "challenge", req.LoginChallenge)
|
||||||
|
|
||||||
|
// Check if the client is active
|
||||||
|
loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
|
||||||
|
if err == nil && loginReq != nil && loginReq.Client.Metadata != nil {
|
||||||
|
if status, ok := loginReq.Client.Metadata["status"].(string); ok {
|
||||||
|
if strings.ToLower(status) == "inactive" {
|
||||||
|
slog.Warn("Login rejected for inactive client in PasswordLogin", "client_id", loginReq.Client.ClientID)
|
||||||
|
return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
acceptResp, err := h.Hydra.AcceptLoginRequest(c.Context(), req.LoginChallenge, subject)
|
acceptResp, err := h.Hydra.AcceptLoginRequest(c.Context(), req.LoginChallenge, subject)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
slog.Error("failed to accept hydra login request", "error", err)
|
slog.Error("failed to accept hydra login request", "error", err)
|
||||||
@@ -3546,6 +3558,17 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
|
|||||||
return fiber.NewError(fiber.StatusBadRequest, "login_challenge is required")
|
return fiber.NewError(fiber.StatusBadRequest, "login_challenge is required")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if the client is active
|
||||||
|
loginReq, err := h.Hydra.GetLoginRequest(c.Context(), req.LoginChallenge)
|
||||||
|
if err == nil && loginReq != nil && loginReq.Client.Metadata != nil {
|
||||||
|
if status, ok := loginReq.Client.Metadata["status"].(string); ok {
|
||||||
|
if strings.ToLower(status) == "inactive" {
|
||||||
|
slog.Warn("Login rejected for inactive client in AcceptOidcLoginRequest", "client_id", loginReq.Client.ClientID)
|
||||||
|
return fiber.NewError(fiber.StatusForbidden, "The client application is disabled.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
subject, err := h.resolveConsentSubject(c)
|
subject, err := h.resolveConsentSubject(c)
|
||||||
if err != nil || subject == "" {
|
if err != nil || subject == "" {
|
||||||
return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")
|
return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")
|
||||||
|
|||||||