keys and more

2019-12-03 09:48:30 +01:00 · 2019-12-03 09:48:30 +01:00 · 3082234dae
commit 3082234dae
parent 92dee085b7
9 changed files with 74 additions and 3 deletions
--- a/example/internal/mock/storage.go
+++ b/example/internal/mock/storage.go
@ -1,6 +1,8 @@
 package mock

 import (
+	"crypto/rand"
+	"crypto/rsa"
 	"errors"
 	"time"

@ -11,6 +13,19 @@ import (
 )

 type Storage struct {
+	key *rsa.PrivateKey
+}
+
+func NewStorage() op.Storage {
+	reader := rand.Reader
+	bitSize := 2048
+	key, err := rsa.GenerateKey(reader, bitSize)
+	if err != nil {
+		panic(err)
+	}
+	return &Storage{
+		key: key,
+	}
 }

 type AuthRequest struct {
@ -113,7 +128,15 @@ func (s *Storage) AuthRequestByID(id string) (op.AuthRequest, error) {
 }

 func (s *Storage) GetSigningKey() (*jose.SigningKey, error) {
-	return &jose.SigningKey{Algorithm: jose.HS256, Key: []byte("test")}, nil
+	return &jose.SigningKey{Algorithm: jose.RS256, Key: s.key}, nil
+}
+func (s *Storage) GetKeySet() (jose.JSONWebKeySet, error) {
+	pubkey := s.key.Public()
+	return jose.JSONWebKeySet{
+		Keys: []jose.JSONWebKey{
+			jose.JSONWebKey{Key: pubkey, Use: "sig", Algorithm: "RS256"},
+		},
+	}, nil
 }

 type ConfClient struct {
--- a/example/server/default/default.go
+++ b/example/server/default/default.go
@ -15,7 +15,7 @@ func main() {

 		Port: "9998",
 	}
-	storage := &mock.Storage{}
+	storage := mock.NewStorage()
 	handler, err := op.NewDefaultOP(config, storage, op.WithCustomTokenEndpoint("test"))
 	if err != nil {
 		log.Fatal(err)
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@ -11,6 +11,7 @@ type Configuration interface {
 	AuthorizationEndpoint() Endpoint
 	TokenEndpoint() Endpoint
 	UserinfoEndpoint() Endpoint
+	KeysEndpoint() Endpoint
 	Port() string
 }

--- a/pkg/op/default_op.go
+++ b/pkg/op/default_op.go
@ -14,6 +14,7 @@ const (
 	defaulTokenEndpoint          = "oauth/token"
 	defaultIntrospectEndpoint    = "introspect"
 	defaultUserinfoEndpoint      = "userinfo"
+	defaultKeysEndpoint          = "keys"
 )

 var (
@ -22,6 +23,7 @@ var (
 		Token:                 defaulTokenEndpoint,
 		IntrospectionEndpoint: defaultIntrospectEndpoint,
 		Userinfo:              defaultUserinfoEndpoint,
+		JwksURI:               defaultKeysEndpoint,
 	}
 	DefaultIDTokenValidity = time.Duration(5 * time.Minute)
 )
@ -146,6 +148,10 @@ func (p *DefaultOP) UserinfoEndpoint() Endpoint {
 	return Endpoint(p.endpoints.Userinfo)
 }

+func (p *DefaultOP) KeysEndpoint() Endpoint {
+	return Endpoint(p.endpoints.JwksURI)
+}
+
 func (p *DefaultOP) Port() string {
 	return p.config.Port
 }
@ -186,6 +192,10 @@ func (p *DefaultOP) IDTokenValidity() time.Duration {
 // 	return AuthRequestError
 // }

+func (p *DefaultOP) HandleKeys(w http.ResponseWriter, r *http.Request) {
+	Keys(w, r, p)
+}
+
 func (p *DefaultOP) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 	Authorize(w, r, p)
 }
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -20,7 +20,7 @@ func CreateDiscoveryConfig(c Configuration) *oidc.DiscoveryConfiguration {
 		UserinfoEndpoint: c.UserinfoEndpoint().Absolute(c.Issuer()),
 		// EndSessionEndpoint: c.TokenEndpoint().Absolute(c.Issuer())(c.EndSessionEndpoint),
 		// CheckSessionIframe: c.TokenEndpoint().Absolute(c.Issuer())(c.CheckSessionIframe),
-		// JwksURI:            c.TokenEndpoint().Absolute(c.Issuer())(c.JwksURI),
+		JwksURI: c.KeysEndpoint().Absolute(c.Issuer()),
 		// ScopesSupported:                   oidc.SupportedScopes,
 		// ResponseTypesSupported:            responseTypes,
 		// GrantTypesSupported:               oidc.SupportedGrantTypes,
--- a/pkg/op/keys.go
+++ b/pkg/op/keys.go
@ -0,0 +1,19 @@
+package op
+
+import (
+	"net/http"
+
+	"github.com/caos/oidc/pkg/utils"
+)
+
+type KeyProvider interface {
+	Storage() Storage
+}
+
+func Keys(w http.ResponseWriter, r *http.Request, k KeyProvider) {
+	keySet, err := k.Storage().GetKeySet()
+	if err != nil {
+
+	}
+	utils.MarshalJSON(w, keySet)
+}
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -139,6 +139,21 @@ func (mr *MockStorageMockRecorder) GetClientByClientID(arg0 interface{}) *gomock
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClientByClientID", reflect.TypeOf((*MockStorage)(nil).GetClientByClientID), arg0)
 }

+// GetKeySet mocks base method
+func (m *MockStorage) GetKeySet() (go_jose_v2.JSONWebKeySet, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetKeySet")
+	ret0, _ := ret[0].(go_jose_v2.JSONWebKeySet)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetKeySet indicates an expected call of GetKeySet
+func (mr *MockStorageMockRecorder) GetKeySet() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeySet", reflect.TypeOf((*MockStorage)(nil).GetKeySet))
+}
+
 // GetSigningKey mocks base method
 func (m *MockStorage) GetSigningKey() (*go_jose_v2.SigningKey, error) {
 	m.ctrl.T.Helper()
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -18,6 +18,7 @@ type OpenIDProvider interface {
 	HandleAuthorizeCallback(w http.ResponseWriter, r *http.Request)
 	HandleExchange(w http.ResponseWriter, r *http.Request)
 	HandleUserinfo(w http.ResponseWriter, r *http.Request)
+	HandleKeys(w http.ResponseWriter, r *http.Request)
 	// Storage() Storage
 	HttpHandler() *http.Server
 }
@ -29,6 +30,7 @@ func CreateRouter(o OpenIDProvider) *mux.Router {
 	router.HandleFunc(o.AuthorizationEndpoint().Relative()+"/{id}", o.HandleAuthorizeCallback)
 	router.HandleFunc(o.TokenEndpoint().Relative(), o.HandleExchange)
 	router.HandleFunc(o.UserinfoEndpoint().Relative(), o.HandleUserinfo)
+	router.HandleFunc(o.KeysEndpoint().Relative(), o.HandleKeys)
 	return router
 }

--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -17,6 +17,7 @@ type Storage interface {
 	AuthorizeClientIDCodeVerifier(string, string) (Client, error)
 	DeleteAuthRequestAndCode(string, string) error
 	GetSigningKey() (*jose.SigningKey, error)
+	GetKeySet() (jose.JSONWebKeySet, error)
 }

 type AuthRequest interface {