From 07cdc1021c762e9facf73313dc84685f46a1d509 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 12 Mar 2019 15:47:18 -0700
Subject: [PATCH] Use OIDC nonce as the reuse key.

---
 authority/authorize.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/authority/authorize.go b/authority/authorize.go
index 5b1acf72..0b207ee9 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -61,8 +61,15 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
 	}
 
 	// Store the token to protect against reuse.
-	if p.GetType() == provisioner.TypeJWK && claims.ID != "" {
-		if _, ok := a.ottMap.LoadOrStore(claims.ID, &idUsed{
+	var reuseKey string
+	switch p.GetType() {
+	case provisioner.TypeJWK:
+		reuseKey = claims.ID
+	case provisioner.TypeOIDC:
+		reuseKey = claims.Nonce
+	}
+	if reuseKey != "" {
+		if _, ok := a.ottMap.LoadOrStore(reuseKey, &idUsed{
 			UsedAt: time.Now().Unix(),
 			Subject: claims.Subject,
 		}); ok {
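Review bot: An OIDC token whose `nonce` claim is empty now passes through `if reuseKey != ""` without ever being recorded in `a.ottMap`, so the replay protection this hunk is meant to extend is silently skipped for exactly those tokens; the pre-change code had the same gap for JWK tokens without a `jti`, but the new switch makes it easy to close: treat a missing key as a hard failure for the types that are expected to carry one, e.g. `if reuseKey == "" { return nil, errors.New("authorize: token has no reuse key") }` (adjusted to the error helper this file uses). A second, smaller concern is that JWK `jti` values and OIDC `nonce` values now share a single map namespace, so an identical string from two different provisioners would cause a spurious "already used" rejection; prefixing the key, `reuseKey = string(p.GetType()) + ":" + claims.Nonce`, keeps the two spaces disjoint (assuming the type is string-convertible, which the hunk does not show). Since the nonce originates from the client that started the OIDC flow rather than from the provider, a brief comment on the `case provisioner.TypeOIDC:` line noting that the nonce is trusted only as a uniqueness handle, not as proof of anything, would help the next reader. The enclosing `Authorize` function begins before and continues after this hunk.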