cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: option to ignore expiration on id_token and error handling

Browse source
This commit is contained in:
Livio Amstutz 2020-07-06 10:34:35 +02:00
parent a56c3f92c3
commit 320dd41137
2 changed files with 27 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

26
pkg/rp/default_verifier.go
View file

@ -46,13 +46,20 @@ func NewDefaultVerifier(issuer, clientID string, keySet oidc.KeySet, confOpts ..
return &DefaultVerifier{config: conf, keySet: keySet} return &DefaultVerifier{config: conf, keySet: keySet}
} }
//WithIgnoreAudience will turn off audience claim (should only be used for id_token_hints) //WithIgnoreAudience will turn off validation for audience claim (should only be used for id_token_hints)
func WithIgnoreAudience() func(*verifierConfig) { func WithIgnoreAudience() func(*verifierConfig) {
return func(conf *verifierConfig) { return func(conf *verifierConfig) {
conf.ignoreAudience = true conf.ignoreAudience = true
} }
} }
//WithIgnoreExpiration will turn off validation for expiration claim (should only be used for id_token_hints)
func WithIgnoreExpiration() func(*verifierConfig) {
return func(conf *verifierConfig) {
conf.ignoreExpiration = true
}
}
//WithIgnoreIssuedAt will turn off iat claim verification //WithIgnoreIssuedAt will turn off iat claim verification
func WithIgnoreIssuedAt() func(*verifierConfig) { func WithIgnoreIssuedAt() func(*verifierConfig) {
return func(conf *verifierConfig) { return func(conf *verifierConfig) {
@ -108,6 +115,7 @@ type verifierConfig struct {
clientID string clientID string
nonce string nonce string
ignoreAudience bool ignoreAudience bool
ignoreExpiration bool
iat *iatConfig iat *iatConfig
acr ACRVerifier acr ACRVerifier
maxAge time.Duration maxAge time.Duration
@ -275,10 +283,10 @@ func (v *DefaultVerifier) checkSignature(ctx context.Context, idTokenString stri
return "", err return "", err
} }
if len(jws.Signatures) == 0 { if len(jws.Signatures) == 0 {
return "", nil //TODO: error return "", ErrSignatureMissing()
} }
if len(jws.Signatures) > 1 { if len(jws.Signatures) > 1 {
return "", nil //TODO: error return "", ErrSignatureMultiple()
} }
sig := jws.Signatures[0] sig := jws.Signatures[0]
supportedSigAlgs := v.config.supportedSignAlgs supportedSigAlgs := v.config.supportedSignAlgs
@ -292,16 +300,18 @@ func (v *DefaultVerifier) checkSignature(ctx context.Context, idTokenString stri
signedPayload, err := v.keySet.VerifySignature(ctx, jws) signedPayload, err := v.keySet.VerifySignature(ctx, jws)
if err != nil { if err != nil {
return "", err return "", err
//TODO:
} }
if !bytes.Equal(signedPayload, payload) { if !bytes.Equal(signedPayload, payload) {
return "", ErrSignatureInvalidPayload() //TODO: err return "", ErrSignatureInvalidPayload()
} }
return jose.SignatureAlgorithm(sig.Header.Algorithm), nil return jose.SignatureAlgorithm(sig.Header.Algorithm), nil
} }
func (v *DefaultVerifier) checkExpiration(expiration time.Time) error { func (v *DefaultVerifier) checkExpiration(expiration time.Time) error {
if v.config.ignoreExpiration {
return nil
}
expiration = expiration.Round(time.Second) expiration = expiration.Round(time.Second)
if !v.now().Before(expiration) { if !v.now().Before(expiration) {
return ErrExpInvalid(expiration) return ErrExpInvalid(expiration)
@ -362,8 +372,8 @@ func (v *DefaultVerifier) decryptToken(tokenString string) (string, error) {
} }
func (v *DefaultVerifier) verifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error { func (v *DefaultVerifier) verifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
if atHash == "" { if accessToken == "" {
return nil //TODO: return error return nil
} }
actual, err := oidc.ClaimHash(accessToken, sigAlgorithm) actual, err := oidc.ClaimHash(accessToken, sigAlgorithm)
@ -371,7 +381,7 @@ func (v *DefaultVerifier) verifyAccessToken(accessToken, atHash string, sigAlgor
return err return err
} }
if actual != atHash { if actual != atHash {
return nil //TODO: error return ErrAtHash()
} }
return nil return nil
} }

9
pkg/rp/error.go
View file

@ -40,9 +40,18 @@ var (
ErrAuthTimeToOld = func(maxAge, authTime time.Time) *validationError { ErrAuthTimeToOld = func(maxAge, authTime time.Time) *validationError {
return ValidationError("Auth Time of token must not be older than %v, but was %v (%v to old)", maxAge, authTime, maxAge.Sub(authTime)) return ValidationError("Auth Time of token must not be older than %v, but was %v (%v to old)", maxAge, authTime, maxAge.Sub(authTime))
} }
ErrSignatureMissing = func() *validationError {
return ValidationError("id_token does not contain a signature")
}
ErrSignatureMultiple = func() *validationError {
return ValidationError("id_token contains multiple signatures")
}
ErrSignatureInvalidPayload = func() *validationError { ErrSignatureInvalidPayload = func() *validationError {
return ValidationError("Signature does not match Payload") return ValidationError("Signature does not match Payload")
} }
ErrAtHash = func() *validationError {
return ValidationError("at_hash does not correspond to access token")
}
) )
func ValidationError(message string, args ...interface{}) *validationError { func ValidationError(message string, args ...interface{}) *validationError {