feat: add WebAuthn support (#4704)

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com>
Co-authored-by: Alwx <alwxsin@gmail.com>

Author: nabokihms

cmd/dex/config.go

@@ -143,7 +143,7 @@ func (c Config) validateMFA() error {
 		return fmt.Errorf("mfa requires sessions to be enabled (DEX_SESSIONS_ENABLED=true)")
 	}
 
-	knownTypes := map[string]bool{"TOTP": true}
+	knownTypes := map[string]bool{"TOTP": true, "WebAuthn": true}
 	ids := make(map[string]bool, len(mfa.Authenticators))
 
 	for _, auth := range mfa.Authenticators {
@@ -705,3 +705,36 @@ type TOTPConfig struct {
 	// Issuer is the name of the service shown in the authenticator app.
 	Issuer string `json:"issuer"`
 }
+
+// WebAuthnConfig holds configuration for a WebAuthn authenticator.
+type WebAuthnConfig struct {
+	// RPDisplayName is the human-readable relying party name shown in the browser
+	// dialog during key registration and authentication (e.g., "My Company SSO").
+	RPDisplayName string `json:"rpDisplayName"`
+	// RPID is the relying party identifier — must match the domain in the browser
+	// address bar. If empty, derived from the issuer URL hostname.
+	// Example: "auth.example.com"
+	RPID string `json:"rpID"`
+	// RPOrigins is the list of allowed origins for WebAuthn ceremonies.
+	// If empty, derived from the issuer URL (scheme + host).
+	// Example: ["https://auth.example.com"]
+	RPOrigins []string `json:"rpOrigins"`
+	// AttestationPreference controls what attestation data the authenticator should provide:
+	//   "none"     — don't request attestation (simpler, more private)
+	//   "indirect" — authenticator may anonymize attestation (default)
+	//   "direct"   — request full attestation (for enterprise key model verification)
+	AttestationPreference string `json:"attestationPreference"`
+	// UserVerification controls whether PIN or biometric verification is required:
+	//   "required"    — always require (PIN, fingerprint, etc.)
+	//   "preferred"   — request if the authenticator supports it (default)
+	//   "discouraged" — skip verification, presence check only
+	UserVerification string `json:"userVerification"`
+	// AuthenticatorAttachment restricts which authenticator types are allowed:
+	//   "platform"      — built-in only (Touch ID, Windows Hello)
+	//   "cross-platform" — external only (YubiKey, USB security keys)
+	//   ""              — any authenticator (default)
+	AuthenticatorAttachment string `json:"authenticatorAttachment"`
+	// Timeout is the duration allowed for the browser WebAuthn ceremony
+	// (registration or login). Defaults to "60s".
+	Timeout string `json:"timeout"`
+}

cmd/dex/serve.go

@@ -385,7 +385,7 @@ func runServe(options serveOptions) error {
 		ContinueOnConnectorFailure: featureflags.ContinueOnConnectorFailure.Enabled(),
 		Signer:                     signerInstance,
 		IDTokensValidFor:           idTokensValidFor,
-		MFAProviders:               buildMFAProviders(c.MFA.Authenticators, logger),
+		MFAProviders:               buildMFAProviders(c.MFA.Authenticators, c.Issuer, logger),
 		DefaultMFAChain:            c.MFA.DefaultMFAChain,
 	}
 
@@ -823,7 +823,7 @@ func parseSessionConfig(s *Sessions) (*server.SessionConfig, error) {
 	return sc, nil
 }
 
-func buildMFAProviders(authenticators []MFAAuthenticator, logger *slog.Logger) map[string]server.MFAProvider {
+func buildMFAProviders(authenticators []MFAAuthenticator, issuerURL string, logger *slog.Logger) map[string]server.MFAProvider {
 	if len(authenticators) == 0 {
 		return nil
 	}
@@ -839,6 +839,20 @@ func buildMFAProviders(authenticators []MFAAuthenticator, logger *slog.Logger) m
 			}
 			providers[auth.ID] = server.NewTOTPProvider(cfg.Issuer, auth.ConnectorTypes)
 			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
+		case "WebAuthn":
+			var cfg WebAuthnConfig
+			if err := json.Unmarshal(auth.Config, &cfg); err != nil {
+				logger.Error("failed to parse WebAuthn config", "id", auth.ID, "err", err)
+				continue
+			}
+			provider, err := server.NewWebAuthnProvider(cfg.RPDisplayName, cfg.RPID, cfg.RPOrigins,
+				cfg.AttestationPreference, cfg.Timeout, issuerURL, auth.ConnectorTypes)
+			if err != nil {
+				logger.Error("failed to create WebAuthn provider", "id", auth.ID, "err", err)
+				continue
+			}
+			providers[auth.ID] = provider
+			logger.Info("MFA authenticator configured", "id", auth.ID, "type", auth.Type)
 		default:
 			logger.Error("unknown MFA authenticator type, skipping", "id", auth.ID, "type", auth.Type)
 		}

examples/config-dev.yaml

@@ -141,21 +141,32 @@ telemetry:
 # Multi-factor authentication configuration.
 # Requires DEX_SESSIONS_ENABLED=true feature flag.
 # mfa:
-#   authenticators:
-#   - id: totp-1
-#     type: TOTP
-#     config:
-#       issuer: "dex-1"
-#     # Optional: limit this authenticator to specific connector types (e.g., ldap, oidc, saml).
-#     # If omitted or empty, applies to all connector types.
-#     # It is recommended to use this option to prevent MFA from being used for connectors
-#     # with their own MFA mechanisms, e.g., OIDC, Google, etc. (but technically, it is possible).
-#     connectorTypes:
-#     - mockCallback
-#   # Default MFA chain applied to clients that don't specify their own mfaChain.
-#   # If omitted or empty, no MFA is required by default.
-#   defaultMFAChain:
-#   - totp-1
+#  authenticators:
+#  - id: totp-1
+#    type: TOTP
+#    config:
+#      issuer: "dex-1"
+#    # Optional: limit this authenticator to specific connector types (e.g., ldap, oidc, saml).
+#    # If omitted or empty, applies to all connector types.
+#    # It is recommended to use this option to prevent MFA from being used for connectors
+#    # with their own MFA mechanisms, e.g., OIDC, Google, etc. (but technically, it is possible).
+#    connectorTypes:
+#    - mockCallback
+#  - id: webauthn-1
+#    type: WebAuthn
+#    config:
+#      rpDisplayName: "Dex Dev"
+#      # rpID defaults to the hostname of the issuer URL.
+#      # rpID: "127.0.0.1"
+#      # rpOrigins defaults to the issuer URL.
+#      # rpOrigins:
+#      # - "http://127.0.0.1:5556"
+#      attestationPreference: "indirect"  # none, indirect, or direct
+#      userVerification: "preferred"      # required, preferred, or discouraged
+#      # authenticatorAttachment: ""      # platform, cross-platform, or empty (any)
+#      timeout: "60s"
+#  defaultMFAChain:
+#  - totp-1
 
 # Instead of reading from an external storage, use this list of clients.
 #

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-sql-driver/mysql v1.9.3
+	github.com/go-webauthn/webauthn v0.16.1
 	github.com/google/cel-go v0.27.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -70,14 +71,18 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/inflect v0.19.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
+	github.com/go-webauthn/x v0.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-tpm v0.9.8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
 	github.com/googleapis/gax-go/v2 v2.19.0 // indirect
@@ -114,6 +119,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	github.com/zclconf/go-cty-yaml v1.1.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.6.9 // indirect

go.sum

@@ -75,6 +75,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
@@ -94,17 +96,27 @@ github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
+github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-webauthn/webauthn v0.16.1 h1:x5/SSki5/aIfogaRukqvbg/RXa3Sgxy/9vU7UfFPHKU=
+github.com/go-webauthn/webauthn v0.16.1/go.mod h1:RBS+rtQJMkE5VfMQ4diDA2VNrEL8OeUhp4Srz37FHbQ=
+github.com/go-webauthn/x v0.2.2 h1:zIiipvMbr48CXi5RG0XdBJR94kd8I5LfzHPb/q+YYmk=
+github.com/go-webauthn/x v0.2.2/go.mod h1:IpJ5qyWB9NRhLX3C7gIfjTU7RZLXEP6kzFkoVSE7Fz4=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo=
 github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
+github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -250,6 +262,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zclconf/go-cty v1.14.4 h1:uXXczd9QDGsgu0i/QFR/hzI5NYCHLf6NQw/atrbnhq8=
@@ -280,6 +294,8 @@ go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4Len
 go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=

server/handlers.go

@@ -2,7 +2,6 @@ package server
 
 import (
 	"context"
-	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/base64"
@@ -13,7 +12,6 @@ import (
 	"maps"
 	"net/http"
 	"net/url"
-	"path"
 	"sort"
 	"strconv"
 	"strings"
@@ -887,30 +885,13 @@ func (s *Server) finalizeLogin(ctx context.Context, identity connector.Identity,
 		userIdentity = &ui
 	}
 
-	// an HMAC is used here to ensure that the request ID is unpredictable, ensuring that an attacker who intercepted the original
-	// flow would be unable to poll for the result at the /approval endpoint
-	h := hmac.New(sha256.New, authReq.HMACKey)
-	h.Write([]byte(authReq.ID))
-	mac := h.Sum(nil)
-	hmacParam := base64.RawURLEncoding.EncodeToString(mac)
-
 	// Check if the client requires MFA.
 	mfaChain, err := s.mfaChainForClient(ctx, authReq.ClientID, authReq.ConnectorID)
 	if err != nil {
 		return "", false, fmt.Errorf("failed to get MFA chain for client: %v", err)
 	}
 	if len(mfaChain) > 0 {
-		// Redirect to MFA verification starting with the first authenticator.
-		// Each authenticator redirects to the next one in the chain upon success.
-		// HMAC includes authenticatorID to prevent skipping steps by URL manipulation.
-		h.Reset()
-		h.Write([]byte(authReq.ID + "|" + mfaChain[0]))
-		v := url.Values{}
-		v.Set("req", authReq.ID)
-		v.Set("hmac", base64.RawURLEncoding.EncodeToString(h.Sum(nil)))
-		v.Set("authenticator", mfaChain[0])
-		returnURL := path.Join(s.issuerURL.Path, "/mfa/verify") + "?" + v.Encode()
-		return returnURL, false, nil
+		return s.buildMFARedirectURL(authReq, mfaChain[0]), false, nil
 	}
 
 	// No MFA required — mark as validated.
@@ -933,8 +914,7 @@ func (s *Server) finalizeLogin(ctx context.Context, identity connector.Identity,
 		}
 	}
 
-	returnURL := path.Join(s.issuerURL.Path, "/approval") + "?req=" + authReq.ID + "&hmac=" + hmacParam
-	return returnURL, false, nil
+	return s.buildApprovalURL(authReq), false, nil
 }
 
 func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
@@ -944,12 +924,6 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 		s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
 		return
 	}
-	mac, err := base64.RawURLEncoding.DecodeString(macEncoded)
-	if err != nil {
-		s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
-		return
-	}
-
 	authReq, err := s.storage.GetAuthRequest(ctx, r.FormValue("req"))
 	if err != nil {
 		if err == storage.ErrNotFound {
@@ -966,7 +940,6 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	h := hmac.New(sha256.New, authReq.HMACKey)
 	if !authReq.MFAValidated {
 		// Check if MFA is actually required — if so, redirect to TOTP instead of blocking.
 		// This handles the case where MFA was enabled after the auth flow started.
@@ -977,30 +950,37 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		if len(mfaChain) > 0 {
-			h.Write([]byte(authReq.ID + "|" + mfaChain[0]))
-			v := url.Values{}
-			v.Set("req", authReq.ID)
-			v.Set("hmac", base64.RawURLEncoding.EncodeToString(h.Sum(nil)))
-			v.Set("authenticator", mfaChain[0])
-			h.Reset()
-			totpURL := path.Join(s.issuerURL.Path, "/mfa/verify") + "?" + v.Encode()
-			http.Redirect(w, r, totpURL, http.StatusSeeOther)
+			http.Redirect(w, r, s.buildMFARedirectURL(authReq, mfaChain[0]), http.StatusSeeOther)
 			return
 		}
 		// No MFA required but flag not set — allow through (backward compat).
 	}
 
-	// build expected hmac with secret key
-	h.Write([]byte(authReq.ID))
-	expectedMAC := h.Sum(nil)
-	// constant time comparison
-	if !hmac.Equal(mac, expectedMAC) {
+	if !verifyHMAC(authReq.HMACKey, macEncoded, authReq.ID, "") {
 		s.renderError(r, w, http.StatusUnauthorized, "Unauthorized request")
 		return
 	}
 
 	switch r.Method {
 	case http.MethodGet:
+		// Skip the approval page and issue the code directly if:
+		// 1. The client didn't force the approval prompt, AND
+		// 2. Either the server is configured to skip approval globally,
+		//    or the user has already consented to all requested scopes for this client.
+		// This handles the MFA redirect case: after MFA completion the user lands on
+		// /approval via GET, and we don't want to show the consent screen again.
+		if !authReq.ForceApprovalPrompt {
+			if s.skipApproval {
+				s.sendCodeResponse(w, r, authReq)
+				return
+			}
+			ui, err := s.storage.GetUserIdentity(ctx, authReq.Claims.UserID, authReq.ConnectorID)
+			if err == nil && scopesCoveredByConsent(ui.Consents[authReq.ClientID], authReq.Scopes) {
+				s.sendCodeResponse(w, r, authReq)
+				return
+			}
+		}
+
 		client, err := s.storage.GetClient(ctx, authReq.ClientID)
 		if err != nil {
 			s.logger.ErrorContext(r.Context(), "Failed to get client", "client_id", authReq.ClientID, "err", err)

server/handlers_approval_test.go

@@ -2,9 +2,6 @@ package server
 
 import (
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
 	"errors"
 	"net/http"
 	"net/http/httptest"
@@ -89,9 +86,7 @@ func TestHandleApprovalDoubleSubmitPOST(t *testing.T) {
 	}
 	require.NoError(t, server.storage.CreateAuthRequest(ctx, authReq))
 
-	h := hmac.New(sha256.New, authReq.HMACKey)
-	h.Write([]byte(authReq.ID))
-	mac := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+	mac := computeHMAC(authReq.HMACKey, authReq.ID, "")
 
 	form := url.Values{
 		"approval": {"approve"},

server/handlers_test.go

@@ -3,9 +3,6 @@ package server
 import (
 	"bytes"
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -832,9 +829,7 @@ func TestConsentPersistedOnApproval(t *testing.T) {
 	}
 	require.NoError(t, s.storage.CreateAuthRequest(ctx, authReq))
 
-	h := hmac.New(sha256.New, authReq.HMACKey)
-	h.Write([]byte(authReq.ID))
-	mac := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+	mac := computeHMAC(authReq.HMACKey, authReq.ID, "")
 
 	form := url.Values{
 		"approval": {"approve"},