fix: [#630] Use the correct algorithm for at_hash and c_hash

handler/openid/flow_hybrid.go

@@ -23,7 +23,6 @@ package openid
 
 import (
 	"context"
-	"encoding/base64"
 	"time"
 
 	"github.com/ory/x/errorsx"
@@ -122,11 +121,11 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 		resp.AddParameter("code", code)
 		ar.SetResponseTypeHandled("code")
 
-		hash, err := c.Enigma.Hash(ctx, []byte(resp.GetParameters().Get("code")))
+		hash, err := c.IDTokenHandleHelper.ComputeHash(ctx, sess, resp.GetParameters().Get("code"))
 		if err != nil {
 			return err
 		}
-		claims.CodeHash = base64.RawURLEncoding.EncodeToString([]byte(hash[:c.Enigma.GetSigningMethodLength()/2]))
+		claims.CodeHash = hash
 
 		if ar.GetGrantedScopes().Has("openid") {
 			if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, resp.GetCode(), ar.Sanitize(oidcParameters)); err != nil {
@@ -143,11 +142,11 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 		}
 		ar.SetResponseTypeHandled("token")
 
-		hash, err := c.Enigma.Hash(ctx, []byte(resp.GetParameters().Get("access_token")))
+		hash, err := c.IDTokenHandleHelper.ComputeHash(ctx, sess, resp.GetParameters().Get("access_token"))
 		if err != nil {
 			return err
 		}
-		claims.AccessTokenHash = base64.RawURLEncoding.EncodeToString([]byte(hash[:c.Enigma.GetSigningMethodLength()/2]))
+		claims.AccessTokenHash = hash
 	}
 
 	if resp.GetParameters().Get("state") == "" {

handler/openid/flow_implicit.go

@@ -23,7 +23,6 @@ package openid
 
 import (
 	"context"
-	"encoding/base64"
 
 	"github.com/ory/x/errorsx"
 
@@ -93,12 +92,12 @@ func (c *OpenIDConnectImplicitHandler) HandleAuthorizeEndpointRequest(ctx contex
 		}
 
 		ar.SetResponseTypeHandled("token")
-		hash, err := c.RS256JWTStrategy.Hash(ctx, []byte(resp.GetParameters().Get("access_token")))
+		hash, err := c.ComputeHash(ctx, sess, resp.GetParameters().Get("access_token"))
 		if err != nil {
 			return err
 		}
 
-		claims.AccessTokenHash = base64.RawURLEncoding.EncodeToString([]byte(hash[:c.RS256JWTStrategy.GetSigningMethodLength()/2]))
+		claims.AccessTokenHash = hash
 	} else {
 		resp.AddParameter("state", ar.GetState())
 	}

handler/openid/helper.go

@@ -25,7 +25,10 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
+	"crypto/sha512"
 	"encoding/base64"
+	"hash"
+	"strconv"
 
 	"github.com/ory/fosite"
 )
@@ -36,6 +39,16 @@ type IDTokenHandleHelper struct {
 
 func (i *IDTokenHandleHelper) GetAccessTokenHash(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) string {
 	token := responder.GetAccessToken()
+	// The session should always be a openid.Session but best to safely cast
+	if session, ok := requester.GetSession().(Session); ok {
+		val, err := i.ComputeHash(ctx, session, token)
+		if err != nil {
+			// this should never happen
+			panic(err)
+		}
+
+		return val
+	}
 
 	buffer := bytes.NewBufferString(token)
 	hash := sha256.New()
@@ -76,3 +89,34 @@ func (i *IDTokenHandleHelper) IssueExplicitIDToken(ctx context.Context, ar fosit
 	resp.SetExtra("id_token", token)
 	return nil
 }
+
+// ComputeHash computes the hash using the alg defined in the id_token header
+func (i *IDTokenHandleHelper) ComputeHash(ctx context.Context, sess Session, token string) (string, error) {
+	var err error
+	hashSize := 256
+	if alg, ok := sess.IDTokenHeaders().Get("alg").(string); ok {
+		hashSize, err = strconv.Atoi(alg[2:])
+		if err != nil {
+			hashSize = 256
+		}
+	}
+
+	var hash hash.Hash
+	if hashSize == 384 {
+		hash = sha512.New384()
+	} else if hashSize == 512 {
+		hash = sha512.New()
+	} else {
+		// fallback to 256
+		hash = sha256.New()
+	}
+
+	buffer := bytes.NewBufferString(token)
+	_, err = hash.Write(buffer.Bytes())
+	if err != nil {
+		return "", err
+	}
+	hashBuf := bytes.NewBuffer(hash.Sum([]byte{}))
+
+	return base64.RawURLEncoding.EncodeToString(hashBuf.Bytes()[:hashBuf.Len()/2]), nil
+}

handler/openid/helper_test.go

@@ -130,10 +130,32 @@ func TestGetAccessTokenHash(t *testing.T) {
 
 	defer ctrl.Finish()
 
+	req.EXPECT().GetSession().Return(nil)
 	resp.EXPECT().GetAccessToken().Return("7a35f818-9164-48cb-8c8f-e1217f44228431c41102-d410-4ed5-9276-07ba53dfdcd8")
 
 	h := &IDTokenHandleHelper{IDTokenStrategy: strat}
 
 	hash := h.GetAccessTokenHash(nil, req, resp)
 	assert.Equal(t, "Zfn_XBitThuDJiETU3OALQ", hash)
 }
+
+func TestGetAccessTokenHashWithDifferentKeyLength(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	req := internal.NewMockAccessRequester(ctrl)
+	resp := internal.NewMockAccessResponder(ctrl)
+
+	defer ctrl.Finish()
+
+	headers := &jwt.Headers{
+		Extra: map[string]interface{}{
+			"alg": "RS384",
+		},
+	}
+	req.EXPECT().GetSession().Return(&DefaultSession{Headers: headers})
+	resp.EXPECT().GetAccessToken().Return("7a35f818-9164-48cb-8c8f-e1217f44228431c41102-d410-4ed5-9276-07ba53dfdcd8")
+
+	h := &IDTokenHandleHelper{IDTokenStrategy: strat}
+
+	hash := h.GetAccessTokenHash(nil, req, resp)
+	assert.Equal(t, "VNX38yiOyeqBPheW5jDsWQKa6IjJzK66", hash)
+}