feat: token introspection (#83)

* introspect * introspect and client assertion * introspect and client assertion * scopes * token introspection * introspect * refactoring * fixes * clenaup * Update example/internal/mock/storage.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * clenaup Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2021-02-15 13:43:50 +01:00 · 2021-02-15 13:43:50 +01:00 · 1518c843de
commit 1518c843de
parent fa92a20615
46 changed files with 1672 additions and 570 deletions
--- a/pkg/oidc/code_challenge.go
+++ b/pkg/oidc/code_challenge.go
@ -24,7 +24,7 @@ func NewSHACodeChallenge(code string) string {

 func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool {
 	if c == nil {
-		return false //TODO: ?
+		return false
 	}
 	if c.Method == CodeChallengeMethodS256 {
 		codeVerifier = NewSHACodeChallenge(codeVerifier)
--- a/pkg/oidc/discovery.go
+++ b/pkg/oidc/discovery.go
@ -1,25 +1,68 @@
 package oidc

+import (
+	"golang.org/x/text/language"
+)
+
 const (
 	DiscoveryEndpoint = "/.well-known/openid-configuration"
 )

 type DiscoveryConfiguration struct {
-	Issuer                            string   `json:"issuer,omitempty"`
-	AuthorizationEndpoint             string   `json:"authorization_endpoint,omitempty"`
-	TokenEndpoint                     string   `json:"token_endpoint,omitempty"`
-	IntrospectionEndpoint             string   `json:"introspection_endpoint,omitempty"`
-	UserinfoEndpoint                  string   `json:"userinfo_endpoint,omitempty"`
-	EndSessionEndpoint                string   `json:"end_session_endpoint,omitempty"`
-	CheckSessionIframe                string   `json:"check_session_iframe,omitempty"`
-	JwksURI                           string   `json:"jwks_uri,omitempty"`
-	ScopesSupported                   []string `json:"scopes_supported,omitempty"`
-	ResponseTypesSupported            []string `json:"response_types_supported,omitempty"`
-	ResponseModesSupported            []string `json:"response_modes_supported,omitempty"`
-	GrantTypesSupported               []string `json:"grant_types_supported,omitempty"`
-	SubjectTypesSupported             []string `json:"subject_types_supported,omitempty"`
-	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported,omitempty"`
-	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
-	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported,omitempty"`
-	ClaimsSupported                   []string `json:"claims_supported,omitempty"`
+	Issuer                                             string                `json:"issuer,omitempty"`
+	AuthorizationEndpoint                              string                `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint                                      string                `json:"token_endpoint,omitempty"`
+	IntrospectionEndpoint                              string                `json:"introspection_endpoint,omitempty"`
+	UserinfoEndpoint                                   string                `json:"userinfo_endpoint,omitempty"`
+	RevocationEndpoint                                 string                `json:"revocation_endpoint,omitempty"`
+	EndSessionEndpoint                                 string                `json:"end_session_endpoint,omitempty"`
+	CheckSessionIframe                                 string                `json:"check_session_iframe,omitempty"`
+	JwksURI                                            string                `json:"jwks_uri,omitempty"`
+	ScopesSupported                                    []string              `json:"scopes_supported,omitempty"`
+	ResponseTypesSupported                             []string              `json:"response_types_supported,omitempty"`
+	ResponseModesSupported                             []string              `json:"response_modes_supported,omitempty"`
+	GrantTypesSupported                                []GrantType           `json:"grant_types_supported,omitempty"`
+	ACRValuesSupported                                 []string              `json:"acr_values_supported,omitempty"`
+	SubjectTypesSupported                              []string              `json:"subject_types_supported,omitempty"`
+	IDTokenSigningAlgValuesSupported                   []string              `json:"id_token_signing_alg_values_supported,omitempty"`
+	IDTokenEncryptionAlgValuesSupported                []string              `json:"id_token_encryption_alg_values_supported,omitempty"`
+	IDTokenEncryptionEncValuesSupported                []string              `json:"id_token_encryption_enc_values_supported,omitempty"`
+	UserinfoSigningAlgValuesSupported                  []string              `json:"userinfo_signing_alg_values_supported,omitempty"`
+	UserinfoEncryptionAlgValuesSupported               []string              `json:"userinfo_encryption_alg_values_supported,omitempty"`
+	UserinfoEncryptionEncValuesSupported               []string              `json:"userinfo_encryption_enc_values_supported,omitempty"`
+	RequestObjectSigningAlgValuesSupported             []string              `json:"request_object_signing_alg_values_supported,omitempty"`
+	RequestObjectEncryptionAlgValuesSupported          []string              `json:"request_object_encryption_alg_values_supported,omitempty"`
+	RequestObjectEncryptionEncValuesSupported          []string              `json:"request_object_encryption_enc_values_supported,omitempty"`
+	TokenEndpointAuthMethodsSupported                  []AuthMethod          `json:"token_endpoint_auth_methods_supported,omitempty"`
+	TokenEndpointAuthSigningAlgValuesSupported         []string              `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
+	RevocationEndpointAuthMethodsSupported             []AuthMethod          `json:"revocation_endpoint_auth_methods_supported,omitempty"`
+	RevocationEndpointAuthSigningAlgValuesSupported    []string              `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
+	IntrospectionEndpointAuthMethodsSupported          []AuthMethod          `json:"introspection_endpoint_auth_methods_supported,omitempty"`
+	IntrospectionEndpointAuthSigningAlgValuesSupported []string              `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
+	DisplayValuesSupported                             []Display             `json:"display_values_supported,omitempty"`
+	ClaimTypesSupported                                []string              `json:"claim_types_supported,omitempty"`
+	ClaimsSupported                                    []string              `json:"claims_supported,omitempty"`
+	ClaimsParameterSupported                           bool                  `json:"claims_parameter_supported,omitempty"`
+	CodeChallengeMethodsSupported                      []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
+	ServiceDocumentation                               string                `json:"service_documentation,omitempty"`
+	ClaimsLocalesSupported                             []language.Tag        `json:"claims_locales_supported,omitempty"`
+	UILocalesSupported                                 []language.Tag        `json:"ui_locales_supported,omitempty"`
+	RequestParameterSupported                          bool                  `json:"request_parameter_supported,omitempty"`
+	RequestURIParameterSupported                       bool                  `json:"request_uri_parameter_supported"` //no omitempty because: If omitted, the default value is true
+	RequireRequestURIRegistration                      bool                  `json:"require_request_uri_registration,omitempty"`
+	OPPolicyURI                                        string                `json:"op_policy_uri,omitempty"`
+	OPTermsOfServiceURI                                string                `json:"op_tos_uri,omitempty"`
 }
+
+type AuthMethod string
+
+const (
+	AuthMethodBasic         AuthMethod = "client_secret_basic"
+	AuthMethodPost          AuthMethod = "client_secret_post"
+	AuthMethodNone          AuthMethod = "none"
+	AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
+)
+
+const (
+	GrantTypeImplicit GrantType = "implicit"
+)
--- a/pkg/oidc/grants/tokenexchange/tokenexchange.go
+++ b/pkg/oidc/grants/tokenexchange/tokenexchange.go
@ -1,9 +1,5 @@
 package tokenexchange

-import (
-	"github.com/caos/oidc/pkg/oidc"
-)
-
 const (
 	AccessTokenType     = "urn:ietf:params:oauth:token-type:access_token"
 	RefreshTokenType    = "urn:ietf:params:oauth:token-type:refresh_token"
@ -26,22 +22,6 @@ type TokenExchangeRequest struct {
 	requestedTokenType string   `schema:"requested_token_type"`
 }

-type JWTProfileRequest struct {
-	Assertion string         `schema:"assertion"`
-	Scope     oidc.Scopes    `schema:"scope"`
-	GrantType oidc.GrantType `schema:"grant_type"`
-}
-
-//ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
-//sneding client_id and client_secret as basic auth header
-func NewJWTProfileRequest(assertion string, scopes ...string) *JWTProfileRequest {
-	return &JWTProfileRequest{
-		GrantType: oidc.GrantTypeBearer,
-		Assertion: assertion,
-		Scope:     scopes,
-	}
-}
-
 func NewTokenExchangeRequest(subjectToken, subjectTokenType string, opts ...TokenExchangeOption) *TokenExchangeRequest {
 	t := &TokenExchangeRequest{
 		grantType:          TokenExchangeGrantType,
--- a/pkg/oidc/introspection.go
+++ b/pkg/oidc/introspection.go
@ -0,0 +1,276 @@
+package oidc
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"golang.org/x/text/language"
+)
+
+type IntrospectionRequest struct {
+	Token string `schema:"token"`
+}
+
+type ClientAssertionParams struct {
+	ClientAssertion     string `schema:"client_assertion"`
+	ClientAssertionType string `schema:"client_assertion_type"`
+}
+
+type IntrospectionResponse interface {
+	UserInfoSetter
+	SetActive(bool)
+	IsActive() bool
+	SetScopes(scopes Scopes)
+	SetClientID(id string)
+}
+
+func NewIntrospectionResponse() IntrospectionResponse {
+	return &introspectionResponse{}
+}
+
+type introspectionResponse struct {
+	Active   bool   `json:"active"`
+	Scope    Scopes `json:"scope,omitempty"`
+	ClientID string `json:"client_id,omitempty"`
+	Subject  string `json:"sub,omitempty"`
+	userInfoProfile
+	userInfoEmail
+	userInfoPhone
+
+	Address UserInfoAddress `json:"address,omitempty"`
+	claims  map[string]interface{}
+}
+
+func (u *introspectionResponse) IsActive() bool {
+	return u.Active
+}
+
+func (u *introspectionResponse) SetScopes(scope Scopes) {
+	u.Scope = scope
+}
+
+func (u *introspectionResponse) SetClientID(id string) {
+	u.ClientID = id
+}
+
+func (u *introspectionResponse) GetSubject() string {
+	return u.Subject
+}
+
+func (u *introspectionResponse) GetName() string {
+	return u.Name
+}
+
+func (u *introspectionResponse) GetGivenName() string {
+	return u.GivenName
+}
+
+func (u *introspectionResponse) GetFamilyName() string {
+	return u.FamilyName
+}
+
+func (u *introspectionResponse) GetMiddleName() string {
+	return u.MiddleName
+}
+
+func (u *introspectionResponse) GetNickname() string {
+	return u.Nickname
+}
+
+func (u *introspectionResponse) GetProfile() string {
+	return u.Profile
+}
+
+func (u *introspectionResponse) GetPicture() string {
+	return u.Picture
+}
+
+func (u *introspectionResponse) GetWebsite() string {
+	return u.Website
+}
+
+func (u *introspectionResponse) GetGender() Gender {
+	return u.Gender
+}
+
+func (u *introspectionResponse) GetBirthdate() string {
+	return u.Birthdate
+}
+
+func (u *introspectionResponse) GetZoneinfo() string {
+	return u.Zoneinfo
+}
+
+func (u *introspectionResponse) GetLocale() language.Tag {
+	return u.Locale
+}
+
+func (u *introspectionResponse) GetPreferredUsername() string {
+	return u.PreferredUsername
+}
+
+func (u *introspectionResponse) GetEmail() string {
+	return u.Email
+}
+
+func (u *introspectionResponse) IsEmailVerified() bool {
+	return u.EmailVerified
+}
+
+func (u *introspectionResponse) GetPhoneNumber() string {
+	return u.PhoneNumber
+}
+
+func (u *introspectionResponse) IsPhoneNumberVerified() bool {
+	return u.PhoneNumberVerified
+}
+
+func (u *introspectionResponse) GetAddress() UserInfoAddress {
+	return u.Address
+}
+
+func (u *introspectionResponse) GetClaim(key string) interface{} {
+	return u.claims[key]
+}
+
+func (u *introspectionResponse) SetActive(active bool) {
+	u.Active = active
+}
+
+func (u *introspectionResponse) SetSubject(sub string) {
+	u.Subject = sub
+}
+
+func (u *introspectionResponse) SetName(name string) {
+	u.Name = name
+}
+
+func (u *introspectionResponse) SetGivenName(name string) {
+	u.GivenName = name
+}
+
+func (u *introspectionResponse) SetFamilyName(name string) {
+	u.FamilyName = name
+}
+
+func (u *introspectionResponse) SetMiddleName(name string) {
+	u.MiddleName = name
+}
+
+func (u *introspectionResponse) SetNickname(name string) {
+	u.Nickname = name
+}
+
+func (u *introspectionResponse) SetUpdatedAt(date time.Time) {
+	u.UpdatedAt = Time(date)
+}
+
+func (u *introspectionResponse) SetProfile(profile string) {
+	u.Profile = profile
+}
+
+func (u *introspectionResponse) SetPicture(picture string) {
+	u.Picture = picture
+}
+
+func (u *introspectionResponse) SetWebsite(website string) {
+	u.Website = website
+}
+
+func (u *introspectionResponse) SetGender(gender Gender) {
+	u.Gender = gender
+}
+
+func (u *introspectionResponse) SetBirthdate(birthdate string) {
+	u.Birthdate = birthdate
+}
+
+func (u *introspectionResponse) SetZoneinfo(zoneInfo string) {
+	u.Zoneinfo = zoneInfo
+}
+
+func (u *introspectionResponse) SetLocale(locale language.Tag) {
+	u.Locale = locale
+}
+
+func (u *introspectionResponse) SetPreferredUsername(name string) {
+	u.PreferredUsername = name
+}
+
+func (u *introspectionResponse) SetEmail(email string, verified bool) {
+	u.Email = email
+	u.EmailVerified = verified
+}
+
+func (u *introspectionResponse) SetPhone(phone string, verified bool) {
+	u.PhoneNumber = phone
+	u.PhoneNumberVerified = verified
+}
+
+func (u *introspectionResponse) SetAddress(address UserInfoAddress) {
+	u.Address = address
+}
+
+func (u *introspectionResponse) AppendClaims(key string, value interface{}) {
+	if u.claims == nil {
+		u.claims = make(map[string]interface{})
+	}
+	u.claims[key] = value
+}
+
+func (i *introspectionResponse) MarshalJSON() ([]byte, error) {
+	type Alias introspectionResponse
+	a := &struct {
+		*Alias
+		Locale    interface{} `json:"locale,omitempty"`
+		UpdatedAt int64       `json:"updated_at,omitempty"`
+		Username  string      `json:"username,omitempty"`
+	}{
+		Alias: (*Alias)(i),
+	}
+	if !i.Locale.IsRoot() {
+		a.Locale = i.Locale
+	}
+	if !time.Time(i.UpdatedAt).IsZero() {
+		a.UpdatedAt = time.Time(i.UpdatedAt).Unix()
+	}
+	a.Username = i.PreferredUsername
+
+	b, err := json.Marshal(a)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(i.claims) == 0 {
+		return b, nil
+	}
+
+	err = json.Unmarshal(b, &i.claims)
+	if err != nil {
+		return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
+	}
+
+	return json.Marshal(i.claims)
+}
+
+func (i *introspectionResponse) UnmarshalJSON(data []byte) error {
+	type Alias introspectionResponse
+	a := &struct {
+		*Alias
+		UpdatedAt int64 `json:"update_at,omitempty"`
+	}{
+		Alias: (*Alias)(i),
+	}
+	if err := json.Unmarshal(data, &a); err != nil {
+		return err
+	}
+
+	i.UpdatedAt = Time(time.Unix(a.UpdatedAt, 0).UTC())
+
+	if err := json.Unmarshal(data, &i.claims); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/oidc/jwt_profile.go
+++ b/pkg/oidc/jwt_profile.go
@ -0,0 +1,18 @@
+package oidc
+
+type JWTProfileGrantRequest struct {
+	Assertion string    `schema:"assertion"`
+	Scope     Scopes    `schema:"scope"`
+	GrantType GrantType `schema:"grant_type"`
+}
+
+//NewJWTProfileGrantRequest creates an oauth2 `JSON Web Token (JWT) Profile` Grant
+//`urn:ietf:params:oauth:grant-type:jwt-bearer`
+//sending a self-signed jwt as assertion
+func NewJWTProfileGrantRequest(assertion string, scopes ...string) *JWTProfileGrantRequest {
+	return &JWTProfileGrantRequest{
+		GrantType: GrantTypeBearer,
+		Assertion: assertion,
+		Scope:     scopes,
+	}
+}
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -1,7 +1,10 @@
 package oidc

 import (
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"io/ioutil"
 	"time"

@ -14,6 +17,8 @@ import (
 const (
 	//BearerToken defines the token_type `Bearer`, which is returned in a successful token response
 	BearerToken = "Bearer"
+
+	PrefixBearer = BearerToken + " "
 )

 type Tokens struct {
@ -397,7 +402,7 @@ type AccessTokenResponse struct {
 type JWTProfileAssertion struct {
 	PrivateKeyID string   `json:"-"`
 	PrivateKey   []byte   `json:"-"`
-	Issuer       string   `json:"issuer"`
+	Issuer       string   `json:"iss"`
 	Subject      string   `json:"sub"`
 	Audience     Audience `json:"aud"`
 	Expiration   Time     `json:"exp"`
@ -412,6 +417,19 @@ func NewJWTProfileAssertionFromKeyJSON(filename string, audience []string) (*JWT
 	return NewJWTProfileAssertionFromFileData(data, audience)
 }

+func NewJWTProfileAssertionStringFromFileData(data []byte, audience []string) (string, error) {
+	keyData := new(struct {
+		KeyID  string `json:"keyId"`
+		Key    string `json:"key"`
+		UserID string `json:"userId"`
+	})
+	err := json.Unmarshal(data, keyData)
+	if err != nil {
+		return "", err
+	}
+	return GenerateJWTProfileToken(NewJWTProfileAssertion(keyData.UserID, keyData.KeyID, audience, []byte(keyData.Key)))
+}
+
 func NewJWTProfileAssertionFromFileData(data []byte, audience []string) (*JWTProfileAssertion, error) {
 	keyData := new(struct {
 		KeyID  string `json:"keyId"`
@ -454,3 +472,46 @@ func AppendClientIDToAudience(clientID string, audience []string) []string {
 	}
 	return append(audience, clientID)
 }
+
+func GenerateJWTProfileToken(assertion *JWTProfileAssertion) (string, error) {
+	privateKey, err := bytesToPrivateKey(assertion.PrivateKey)
+	if err != nil {
+		return "", err
+	}
+	key := jose.SigningKey{
+		Algorithm: jose.RS256,
+		Key:       &jose.JSONWebKey{Key: privateKey, KeyID: assertion.PrivateKeyID},
+	}
+	signer, err := jose.NewSigner(key, &jose.SignerOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	marshalledAssertion, err := json.Marshal(assertion)
+	if err != nil {
+		return "", err
+	}
+	signedAssertion, err := signer.Sign(marshalledAssertion)
+	if err != nil {
+		return "", err
+	}
+	return signedAssertion.CompactSerialize()
+}
+
+func bytesToPrivateKey(priv []byte) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode(priv)
+	enc := x509.IsEncryptedPEMBlock(block)
+	b := block.Bytes
+	var err error
+	if enc {
+		b, err = x509.DecryptPEMBlock(block, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	key, err := x509.ParsePKCS1PrivateKey(b)
+	if err != nil {
+		return nil, err
+	}
+	return key, nil
+}
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -15,6 +15,10 @@ const (

 	//GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
 	GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
+
+	//ClientAssertionTypeJWTAssertion defines the client_assertion_type `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
+	//used for the OAuth JWT Profile Client Authentication
+	ClientAssertionTypeJWTAssertion = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 )

 type GrantType string
@ -27,11 +31,13 @@ type TokenRequest interface {
 type TokenRequestType GrantType

 type AccessTokenRequest struct {
-	Code         string `schema:"code"`
-	RedirectURI  string `schema:"redirect_uri"`
-	ClientID     string `schema:"client_id"`
-	ClientSecret string `schema:"client_secret"`
-	CodeVerifier string `schema:"code_verifier"`
+	Code                string `schema:"code"`
+	RedirectURI         string `schema:"redirect_uri"`
+	ClientID            string `schema:"client_id"`
+	ClientSecret        string `schema:"client_secret"`
+	CodeVerifier        string `schema:"code_verifier"`
+	ClientAssertion     string `schema:"client_assertion"`
+	ClientAssertionType string `schema:"client_assertion_type"`
 }

 func (a *AccessTokenRequest) GrantType() GrantType {
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@ -73,6 +73,19 @@ func (s *Scopes) MarshalText() ([]byte, error) {
 	return []byte(s.Encode()), nil
 }

+func (s *Scopes) MarshalJSON() ([]byte, error) {
+	return json.Marshal((*s).Encode())
+}
+
+func (s *Scopes) UnmarshalJSON(data []byte) error {
+	var str string
+	if err := json.Unmarshal(data, &str); err != nil {
+		return err
+	}
+	*s = strings.Split(str, " ")
+	return nil
+}
+
 type Time time.Time

 func (t *Time) UnmarshalJSON(data []byte) error {
--- a/pkg/oidc/userinfo.go
+++ b/pkg/oidc/userinfo.go
@ -6,8 +6,6 @@ import (
 	"time"

 	"golang.org/x/text/language"
-
-	"github.com/caos/oidc/pkg/utils"
 )

 type UserInfo interface {
@ -351,11 +349,12 @@ func (i *userinfo) MarshalJSON() ([]byte, error) {
 		return b, nil
 	}

-	claims, err := json.Marshal(i.claims)
+	err = json.Unmarshal(b, &i.claims)
 	if err != nil {
 		return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
 	}
-	return utils.ConcatenateJSON(b, claims)
+
+	return json.Marshal(i.claims)
 }

 func (i *userinfo) UnmarshalJSON(data []byte) error {
@ -372,6 +371,10 @@ func (i *userinfo) UnmarshalJSON(data []byte) error {

 	i.UpdatedAt = Time(time.Unix(a.UpdatedAt, 0).UTC())

+	if err := json.Unmarshal(data, &i.claims); err != nil {
+		return err
+	}
+
 	return nil
 }