mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-13 03:40:01 +00:00
49fa170023
CheckPAACookie used to call OIDCProvider.UserInfo with a copy of the IdP access token embedded in the cookie itself, just to recover the Subject. The gateway already signs Subject at issue time, so the roundtrip is redundant -- and copying the IdP access token into the .rdp file makes the cookie much larger and ties gateway availability to IdP availability. Drop the AccessToken field from customClaims and from GeneratePAAToken (no other consumer exists), set tunnel.User.SetUserName from the signed Subject claim, and remove the UserInfo call from CheckPAACookie. Add Audience: "rdpgw-paa" to standard claims at issue and AnyAudience to the validation expectation so a JWS minted with the same signing key for any other purpose can't be presented as a PAA. For a representative RS256 access token the cookie shrinks from ~961 bytes to ~259 bytes. Adds tests: - TestPAACookieDoesNotEmbedAccessToken - TestPAACookieHasAudienceClaim - TestCheckPAACookieIsSelfContained