manage id token generation failure

Author: patatoid

lib/boruta/oauth/authorization.ex

@@ -238,6 +238,7 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.AuthorizationCodeRequest d
   alias Boruta.Oauth.AuthorizationCodeRequest
   alias Boruta.Oauth.AuthorizationSuccess
   alias Boruta.Oauth.Client
+  alias Boruta.Oauth.Error
   alias Boruta.Oauth.IdToken
   alias Boruta.Oauth.ResourceOwner
   alias Boruta.Oauth.Scope
@@ -315,9 +316,16 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.AuthorizationCodeRequest d
           {:ok, %{token: access_token}}
 
         {_, true} ->
-          id_token = IdToken.generate(%{token: access_token}, nonce)
-
-          {:ok, %{token: access_token, id_token: id_token}}
+              case IdToken.generate(%{token: access_token}, nonce) do
+                {:ok, id_token} ->
+                  {:ok, %{token: access_token, id_token: id_token}}
+                {:error, error} ->
+                  {:error, %Error{
+                    status: :internal_server_error,
+                    error: :unknown_error,
+                    error_description: error
+                  }}
+              end
 
         {_, false} ->
           {:ok, %{token: access_token}}
@@ -434,6 +442,7 @@ end
 
 defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.PreauthorizationCodeRequest do
   alias Boruta.Oauth.Client
+  alias Boruta.Oauth.Error
   alias Boruta.AccessTokensAdapter
   alias Boruta.CodesAdapter
   alias Boruta.Oauth.Authorization
@@ -501,9 +510,16 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.PreauthorizationCodeReques
          {:ok, _code} <- CodesAdapter.revoke(code) do
       case String.match?(scope, ~r/#{Scope.openid().name}/) do
         true ->
-          id_token = IdToken.generate(%{token: access_token}, nonce)
-
-          {:ok, %{preauthorized_token: access_token, id_token: id_token}}
+          case IdToken.generate(%{token: access_token}, nonce) do
+            {:ok, id_token} ->
+              {:ok, %{preauthorized_token: access_token, id_token: id_token}}
+            {:error, error} ->
+              {:error, %Error{
+                status: :internal_server_error,
+                error: :unknown_error,
+                error_description: error
+              }}
+          end
 
         false ->
           {:ok, %{preauthorized_token: access_token}}
@@ -536,6 +552,7 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.TokenRequest do
   alias Boruta.AccessTokensAdapter
   alias Boruta.Oauth.Authorization
   alias Boruta.Oauth.AuthorizationSuccess
+  alias Boruta.Oauth.Error
   alias Boruta.Oauth.IdToken
   alias Boruta.Oauth.ResourceOwner
   alias Boruta.Oauth.Scope
@@ -612,8 +629,9 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.TokenRequest do
                 inserted_at: DateTime.utc_now()
               }
 
-              id_token = IdToken.generate(%{base_token: base_token}, nonce)
-              {:ok, %{id_token: id_token}}
+              with {:ok, id_token} <- IdToken.generate(%{base_token: base_token}, nonce) do
+                {:ok, %{id_token: id_token}}
+              end
 
             false ->
               {:ok, %{}}
@@ -622,8 +640,16 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.TokenRequest do
         "id_token", {:ok, tokens} ->
           case String.match?(scope, ~r/#{Scope.openid().name}/) do
             true ->
-              id_token = IdToken.generate(tokens, nonce)
-              {:ok, Map.put(tokens, :id_token, id_token)}
+              case IdToken.generate(tokens, nonce) do
+                {:ok, id_token} ->
+                  {:ok, Map.put(tokens, :id_token, id_token)}
+                {:error, error} ->
+                  {:error, %Error{
+                    status: :internal_server_error,
+                    error: :unknown_error,
+                    error_description: error
+                  }}
+              end
 
             false ->
               {:ok, tokens}
@@ -644,6 +670,13 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.TokenRequest do
                  ) do
             {:ok, Map.put(tokens, :token, access_token)}
           end
+        _, {:error, error} ->
+          {:error,
+           %Error{
+             status: :internal_server_error,
+             error: :unknown_error,
+             error_description: "An error occurred during token creation: #{inspect(error)}."
+           }}
       end)
     end
   end
@@ -1139,9 +1172,9 @@ defimpl Boruta.Oauth.Authorization, for: Boruta.Oauth.HybridRequest do
         "id_token", {:ok, tokens} ->
           case String.match?(scope, ~r/#{Scope.openid().name}/) do
             true ->
-              id_token = IdToken.generate(tokens, nonce)
-
-              {:ok, Map.put(tokens, :id_token, id_token)}
+              with {:ok, id_token} <- IdToken.generate(tokens, nonce) do
+                {:ok, Map.put(tokens, :id_token, id_token)}
+              end
 
             false ->
               {:ok, tokens}

lib/boruta/oauth/schemas/id_token.ex

@@ -40,12 +40,14 @@ defmodule Boruta.Oauth.IdToken do
           }
         }
 
-  @spec generate(tokens :: tokens(), nonce :: String.t()) :: id_token :: Oauth.Token.t()
+  @spec generate(tokens :: tokens(), nonce :: String.t()) ::
+          {:ok, id_token :: Oauth.Token.t()} | {:error, reason :: String.t()}
   def generate(tokens, nonce) do
     {base_token, payload} = payload(tokens, nonce, %{})
 
-    value = Client.Crypto.id_token_sign(payload, base_token.client)
-    %{base_token | type: "id_token", value: value}
+    with "" <> value <- Client.Crypto.id_token_sign(payload, base_token.client) do
+      {:ok, %{base_token | type: "id_token", value: value}}
+    end
   end
 
   defp payload(%{code: code} = tokens, nonce, acc) do

test/boruta/oauth/schemas/id_token_test.exs

@@ -44,14 +44,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
     nonce = "nonce"
 
-    assert %{
+    assert {:ok, %{
              sub: "sub",
              client: ^client,
              inserted_at: ^inserted_at,
              scope: "scope",
              value: value,
              type: "id_token"
-           } = IdToken.generate(%{code: code}, nonce)
+           }} = IdToken.generate(%{code: code}, nonce)
 
     signer = Joken.Signer.create("RS512", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -92,14 +92,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
     nonce = "nonce"
 
-    assert %{
+    assert {:ok, %{
              sub: "sub",
              client: ^client,
              inserted_at: ^inserted_at,
              scope: "scope",
              value: value,
              type: "id_token"
-           } = IdToken.generate(%{token: token}, nonce)
+           }} = IdToken.generate(%{token: token}, nonce)
 
     signer = Joken.Signer.create("RS512", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -150,14 +150,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
     nonce = "nonce"
 
-    assert %{
+    assert {:ok, %{
              sub: "sub",
              client: ^client,
              inserted_at: ^inserted_at,
              scope: "scope",
              value: value,
              type: "id_token"
-           } = IdToken.generate(%{token: token, code: code}, nonce)
+           }} = IdToken.generate(%{token: token, code: code}, nonce)
 
     signer = Joken.Signer.create("RS512", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -198,14 +198,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
     nonce = "nonce"
 
-    assert %{
+    assert {:ok, %{
              sub: "sub",
              client: ^client,
              inserted_at: ^inserted_at,
              scope: "scope",
              value: value,
              type: "id_token"
-           } = IdToken.generate(%{base_token: base_token}, nonce)
+           }} = IdToken.generate(%{base_token: base_token}, nonce)
 
     signer = Joken.Signer.create("RS512", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -244,14 +244,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
     nonce = "nonce"
 
-    assert %{
+    assert {:ok, %{
              sub: "sub",
              client: ^client,
              inserted_at: ^inserted_at,
              scope: "scope",
              value: value,
              type: "id_token"
-           } = IdToken.generate(%{base_token: base_token}, nonce)
+           }} = IdToken.generate(%{base_token: base_token}, nonce)
 
     signer = Joken.Signer.create("RS512", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -300,14 +300,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
       nonce = "nonce"
 
-      assert %{
+    assert {:ok, %{
                sub: "sub",
                client: ^client,
                inserted_at: ^inserted_at,
                scope: "scope",
                value: value,
                type: "id_token"
-             } = IdToken.generate(%{token: token, code: code}, nonce)
+             }} = IdToken.generate(%{token: token, code: code}, nonce)
 
       signer = Joken.Signer.create("RS256", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -362,14 +362,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
       nonce = "nonce"
 
-      assert %{
+    assert {:ok, %{
                sub: "sub",
                client: ^client,
                inserted_at: ^inserted_at,
                scope: "scope",
                value: value,
                type: "id_token"
-             } = IdToken.generate(%{token: token, code: code}, nonce)
+             }} = IdToken.generate(%{token: token, code: code}, nonce)
 
       signer = Joken.Signer.create("RS384", %{"pem" => client.private_key, "aud" => client.id})
 
@@ -424,14 +424,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
       nonce = "nonce"
 
-      assert %{
+    assert {:ok, %{
                sub: "sub",
                client: ^client,
                inserted_at: ^inserted_at,
                scope: "scope",
                value: value,
                type: "id_token"
-             } = IdToken.generate(%{token: token, code: code}, nonce)
+             }} = IdToken.generate(%{token: token, code: code}, nonce)
 
       signer = Joken.Signer.create("HS256", client.secret)
 
@@ -485,14 +485,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
       nonce = "nonce"
 
-      assert %{
+    assert {:ok, %{
                sub: "sub",
                client: ^client,
                inserted_at: ^inserted_at,
                scope: "scope",
                value: value,
                type: "id_token"
-             } = IdToken.generate(%{token: token, code: code}, nonce)
+             }} = IdToken.generate(%{token: token, code: code}, nonce)
 
       signer = Joken.Signer.create("HS384", client.secret)
 
@@ -554,14 +554,14 @@ defmodule Boruta.Oauth.IdTokenTest do
 
       nonce = "nonce"
 
-      assert %{
+    assert {:ok, %{
                sub: "sub",
                client: ^client,
                inserted_at: ^inserted_at,
                scope: "scope",
                value: value,
                type: "id_token"
-             } = IdToken.generate(%{token: token, code: code}, nonce)
+             }} = IdToken.generate(%{token: token, code: code}, nonce)
 
       signer = Joken.Signer.create("HS512", client.secret)