From da9530a8f77e61eb1672565572c3885384718833 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=BE=E3=81=A3=E3=81=A1=E3=82=83=E3=81=A8=E3=83=BC?= =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com>
Date: Tue, 19 Mar 2024 06:32:50 +0900
Subject: [PATCH] =?UTF-8?q?fix(SSO/JWT):=20JWT=E3=81=AE=E3=83=98=E3=83=83?= =?UTF-8?q?=E3=83=80=E3=83=BC=E3=81=AB`typ`=E3=82=92=E8=BF=BD=E5=8A=A0?= =?UTF-8?q?=E3=80=81serviceurl=E3=83=91=E3=83=A9=E3=83=A1=E3=83=BC?= =?UTF-8?q?=E3=82=BF=E3=81=AB=E5=AF=BE=E5=BF=9C=20(MisskeyIO#537)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../src/server/sso/JWTIdentifyProviderService.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
index 9069c24fdf..03ee7a7298 100644
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
@@ -63,11 +63,11 @@ export class JWTIdentifyProviderService {
 fastify.all<{
 Params: { serviceId: string };
- Querystring?: { return_to?: string };
- Body?: { return_to?: string };
+ Querystring?: { serviceurl?: string, return_to?: string };
+ Body?: { serviceurl?: string, return_to?: string };
 }>('/:serviceId', async (request, reply) => {
 const serviceId = request.params.serviceId;
- const returnTo = request.query?.return_to ?? request.body?.return_to;
+ const returnTo = request.query?.return_to ?? request.query?.serviceurl ?? request.body?.return_to ?? request.body?.serviceurl;
 const ssoServiceProvider = await this.singleSignOnServiceProviderRepository.findOneBy({ id: serviceId, type: 'jwt' });
 if (!ssoServiceProvider) {
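Review bot: The new `serviceurl` fallback lets `returnTo` be any string taken from the query or the body, and nothing in this hunk checks it before the handler goes on (the handler body continues past the hunk). If `returnTo` is later used as the post-login redirect target, it needs to be validated against the provider's configured return URL, or at least parsed with `new URL()` and restricted to an expected origin, before it is used; that check may already exist further down, which this hunk does not show. The four-way `??` chain also mixes sources, so a query `serviceurl` silently wins over a body `return_to`; a comment stating the intended order would help, e.g. `// Precedence: query return_to, query serviceurl, body return_to, body serviceurl (serviceurl is accepted as an alias).`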
@@ -193,6 +193,7 @@ export class JWTIdentifyProviderService {
 jwt = await new jose.EncryptJWT(payload)
 .setProtectedHeader({
+ typ: 'JWT',
 alg: ssoServiceProvider.signatureAlgorithm,
 enc: ssoServiceProvider.cipherAlgorithm,
 })
@@ -209,7 +210,10 @@ export class JWTIdentifyProviderService {
 : jose.base64url.decode(ssoServiceProvider.publicKey);
 jwt = await new jose.SignJWT(payload)
- .setProtectedHeader({ alg: ssoServiceProvider.signatureAlgorithm })
+ .setProtectedHeader({
+ typ: 'JWT',
+ alg: ssoServiceProvider.signatureAlgorithm,
+ })
 .setIssuer(ssoServiceProvider.issuer)
 .setAudience(ssoServiceProvider.audience)
 .setIssuedAt()
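Review bot: The added `typ: 'JWT'` in the EncryptJWT header is correct but undocumented, and the same bare literal is repeated in the SignJWT header of the next hunk (`@@ -209,7 +210,10 @@`). Because `jose.EncryptJWT(payload)` encrypts the claims set directly rather than wrapping a signed JWS, `typ: 'JWT'` without a `cty` header is the right choice under RFC 7519 §5.1/§5.2; a one-line comment saying so would stop a later reader from adding `cty: 'JWT'` to a non-nested token. The surrounding `alg: ssoServiceProvider.signatureAlgorithm` line in this JWE header also deserves a note, since for JWE `alg` names the key-management algorithm rather than a signature, e.g. `// JWE: alg is the key-management algorithm (taken from signatureAlgorithm), enc the content-encryption algorithm.` Hoisting the `'JWT'` literal into one shared constant would keep the two headers from drifting apart.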