From a6a05ef373a3d1a275a90053641e11fed077a80f Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Tue, 28 Jun 2022 10:21:57 +1000
Subject: [PATCH] fix(oidc): session refresh failure (#3603)

This fixes an issue with OpenID Connect where refresh sessions fail to process.
---
 go.mod                 |  2 +-
 internal/model/oidc.go | 41 ++++++++++++++++++++++++-----------------
 2 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index 9520da552..c3b23af3e 100644
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
 	github.com/knadh/koanf v1.4.2
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/ory/fosite v0.42.2
 	github.com/ory/herodot v0.9.13
 	github.com/otiai10/copy v1.7.0
@@ -76,7 +77,6 @@ require (
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/ory/go-acc v0.2.6 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
 	github.com/ory/viper v1.7.5 // indirect
diff --git a/internal/model/oidc.go b/internal/model/oidc.go
index 845790e5d..5b7b9f786 100644
--- a/internal/model/oidc.go
+++ b/internal/model/oidc.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/mohae/deepcopy"
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
@@ -40,16 +41,13 @@ func NewOAuth2SessionFromRequest(signature string, r fosite.Requester) (session
 	var (
 		subject string
 		sessionOpenID *OpenIDSession
+		ok bool
 		sessionData []byte
 	)
 
-	s := r.GetSession()
-
-	switch t := s.(type) {
-	case *OpenIDSession:
-		sessionOpenID = t
-	default:
-		return nil, fmt.Errorf("can't convert type '%T' to an *OAuth2Session", s)
+	sessionOpenID, ok = r.GetSession().(*OpenIDSession)
+	if !ok {
+		return nil, fmt.Errorf("can't convert type '%T' to an *OAuth2Session", r.GetSession())
 	}
 
 	subject = sessionOpenID.GetSubject()
@@ -163,16 +161,6 @@ type OAuth2BlacklistedJTI struct {
 	ExpiresAt time.Time `db:"expires_at"`
 }
 
-// OpenIDSession holds OIDC Session information.
-type OpenIDSession struct {
-	*openid.DefaultSession `json:"id_token"`
-
-	ChallengeID uuid.UUID `db:"challenge_id"`
-	ClientID string
-
-	Extra map[string]interface{} `json:"extra"`
-}
-
 // OAuth2Session represents a OAuth2.0 session.
 type OAuth2Session struct {
 	ID int `db:"id"`
@@ -229,3 +217,22 @@ func (s OAuth2Session) ToRequest(ctx context.Context, session fosite.Session, st
 		Session: session,
 	}, nil
 }
+
+// OpenIDSession holds OIDC Session information.
+type OpenIDSession struct {
+	*openid.DefaultSession `json:"id_token"`
+
+	ChallengeID uuid.UUID `db:"challenge_id"`
+	ClientID string
+
+	Extra map[string]interface{} `json:"extra"`
+}
+
+// Clone copies the OpenIDSession to a new fosite.Session.
+func (s *OpenIDSession) Clone() fosite.Session {
+	if s == nil {
+		return nil
+	}
+
+	return deepcopy.Copy(s).(fosite.Session)
+}
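Review bot: The error message on the new `return nil, fmt.Errorf(...)` line still names `*OAuth2Session` as the target type, but the assertion that failed is `r.GetSession().(*OpenIDSession)`, so a mismatched session will be reported with the wrong type name in logs. Suggest `return nil, fmt.Errorf("can't convert type '%T' to an *OpenIDSession", r.GetSession())`. The session is also fetched twice, once in the assertion and again for the `%T` argument; binding it once with `session := r.GetSession()` and asserting on `session` keeps the reported type identical to the value that was actually tested. NewOAuth2SessionFromRequest starts before this hunk and continues after it.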
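Review bot: The `deepcopy.Copy(s).(fosite.Session)` assertion in the new Clone is unchecked, so if the copy ever failed to satisfy fosite.Session it would panic inside the refresh flow rather than surface as an error; deepcopy returns the same dynamic type as its input, so this holds today, but the assumption deserves a comment. The doc comment should also state why a deep copy is needed, for example `// Clone returns a deep copy so a refreshed session does not alias the Claims, Headers, ExpiresAt or Extra maps of the original; a nil receiver yields a nil interface.` If I recall correctly, mohae/deepcopy does not copy unexported struct fields, so any value stored in `Extra` that carries unexported state is only partially copied, which is worth noting next to the call. A unit test that mutates the clone's `Extra` and `Claims` and asserts the original is untouched would pin the aliasing behaviour this fix depends on.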