From 6e3f5b63142ab860475e8c44f449d914a9d23c7e Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:47:13 +0200
Subject: [PATCH] fix: remove transient oidc session after use

---
 handler/openid/flow_explicit_token.go | 9 ++++++---
 handler/openid/storage.go | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/handler/openid/flow_explicit_token.go b/handler/openid/flow_explicit_token.go
index 67bea340..665ad67e 100644
--- a/handler/openid/flow_explicit_token.go
+++ b/handler/openid/flow_explicit_token.go
@@ -22,15 +22,18 @@ func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context
 return errorsx.WithStack(fosite.ErrUnknownRequest)
 }
 
- authorizeCode := requester.GetRequestForm().Get("code")
-
- authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, authorizeCode, requester)
+ code := requester.GetRequestForm().Get("code")
+ authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, code, requester)
 if errors.Is(err, ErrNoSessionFound) {
 return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
 } else if err != nil {
 return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 }
 
+ if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); err != nil {
+ return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+ }
+
 if !authorize.GetGrantedScopes().Has("openid") {
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("An OpenID Connect session was found but the openid scope is missing, probably due to a broken code configuration."))
 }
diff --git a/handler/openid/storage.go b/handler/openid/storage.go
index 6f09a7b8..e08eb585 100644
--- a/handler/openid/storage.go
+++ b/handler/openid/storage.go
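Review bot: The new DeleteOpenIDConnectSession call maps every error to ErrServerError, whereas the lookup a few lines above maps ErrNoSessionFound to ErrUnknownRequest; because the get and the delete are two separate storage calls, two token requests racing on the same code can both pass the lookup, and the loser's delete may then fail as "not found" (if the storage reports that, which the interface comment in storage.go does not say), turning a replayed code into a server error instead of the invalid-grant style rejection used for the lookup. Suggest handling that case the way the lookup does, as in the fence below, and adding a comment on the delete explaining why it runs before the openid scope check: `// The session is single-use: remove it now so a replayed code cannot yield a second ID token, whatever the remaining checks decide.` Nothing in this hunk makes the lookup-and-delete atomic, so the replay guarantee still rests on the authorization code itself being invalidated elsewhere; that is worth stating in the same comment. PopulateTokenEndpointResponse starts and ends outside the hunk.
```go
	// The session is single-use: remove it now so a replayed code cannot yield a second ID token,
	// whatever the remaining checks decide. Get and delete are not atomic; code invalidation elsewhere
	// remains the primary replay guard.
	if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); errors.Is(err, ErrNoSessionFound) {
		// Another request consumed this code between the lookup and the delete.
		return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
	} else if err != nil {
		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
	}
	// … unchanged: openid scope check …
```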
@@ -22,6 +22,6 @@ type OpenIDConnectRequestStorage interface {
 // - or an arbitrary error if an error occurred.
 GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
 
- // DeleteOpenIDConnectSession removes an open id connect session from the store.
+ // DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.
 DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
 }
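Review bot: The reworded comment on DeleteOpenIDConnectSession still leaves unspecified what the method returns when no session exists for authorizeCode, and the token endpoint in this same commit now converts any error from it into ErrServerError, so implementers need that contract spelled out the way GetOpenIDConnectSession's comment spells out ErrNoSessionFound. Suggest extending it along the lines of `// DeleteOpenIDConnectSession removes the OpenID Connect session stored for authorizeCode once the code has been exchanged; deleting a session that no longer exists returns <nil or ErrNoSessionFound — choose one and state it>.` As a minor point of style, "Session" mid-sentence should be lowercase to match the neighbouring comments.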