Merge remote-tracking branch 'origin/service-accounts' into service-accounts

2020-09-10 16:24:58 +02:00 · 2020-09-10 16:24:58 +02:00 · 3777f1436d
commit 3777f1436d
parent f8707958fc a731a46ccf
4 changed files with 17 additions and 14 deletions
--- a/pkg/oidc/authorization.go
+++ b/pkg/oidc/authorization.go
@ -153,7 +153,7 @@ type JWTTokenRequest struct {
 	Issuer    string      `json:"iss"`
 	Subject   string      `json:"sub"`
 	Scopes    Scopes      `json:"scope"`
-	Audience  []string `json:"aud"`
+	Audience  interface{} `json:"aud"`
 	IssuedAt  Time        `json:"iat"`
 	ExpiresAt Time        `json:"exp"`
 }
@ -186,7 +186,7 @@ func (j *JWTTokenRequest) GetIssuer() string {
 }
 func (j *JWTTokenRequest) GetAudience() []string {
-	return j.Audience
+	return audienceFromJSON(j.Audience)
 }
 func (j *JWTTokenRequest) GetExpiration() time.Time {
--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@ -97,7 +97,7 @@ func CheckIssuer(issuer string, i Verifier) error {
 func CheckAudience(audiences []string, i Verifier) error {
 	if !utils.Contains(audiences, i.ClientID()) {
-		return fmt.Errorf("%w: Audience must contain client_id (%s)", ErrAudience, i.ClientID())
+		return fmt.Errorf("%w: Audience must contain client_id %q", ErrAudience, i.ClientID())
 	}
 	//TODO: check aud trusted
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -31,6 +31,7 @@ type OPStorage interface {
 	GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
 	GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error)
 	GetKeysByServiceAccount(ctx context.Context, id string) (*jose.JSONWebKeySet, error)
 	GetKeyByID(ctx context.Context, keyID string) (*jose.JSONWebKeySet, error)
 }
 type Storage interface {
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@ -146,6 +146,7 @@ func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenReque
 type ClientJWTVerifier struct {
 	claims  *oidc.JWTTokenRequest
 	storage Storage
 	issuer  string
 }
 func (c ClientJWTVerifier) Storage() Storage {
@ -157,7 +158,7 @@ func (c ClientJWTVerifier) Issuer() string {
 }
 func (c ClientJWTVerifier) ClientID() string {
-	return c.claims.Issuer
+	return c.issuer
 }
 func (c ClientJWTVerifier) SupportedSignAlgs() []string {
@ -193,7 +194,7 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
 		RequestError(w, r, err)
 	}
-	claims, err := VerifyJWTAssertion(r.Context(), assertion, exchanger.Storage())
+	claims, err := VerifyJWTAssertion(r.Context(), assertion, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
 		return
@ -212,9 +213,10 @@ type JWTAssertionVerifier interface {
 	oidc.Verifier
 }
-func VerifyJWTAssertion(ctx context.Context, assertion string, storage Storage) (*oidc.JWTTokenRequest, error) {
+func VerifyJWTAssertion(ctx context.Context, assertion string, exchanger Exchanger) (*oidc.JWTTokenRequest, error) {
 	verifier := &ClientJWTVerifier{
-		storage: storage,
+		storage: exchanger.Storage(),
 		issuer:  exchanger.Issuer(),
 		claims:  new(oidc.JWTTokenRequest),
 	}
 	payload, err := oidc.ParseToken(assertion, verifier.claims)
@ -239,7 +241,7 @@ func VerifyJWTAssertion(ctx context.Context, assertion string, storage Storage)
 	}
 	verifier.Storage().GetClientByClientID(ctx, verifier.claims.Subject)
-	keySet := &ClientAssertionKeySet{storage, verifier.claims.Subject}
+	keySet := &ClientAssertionKeySet{exchanger.Storage(), verifier.claims.Subject}
 	if err = oidc.CheckSignature(ctx, assertion, payload, verifier.claims, nil, keySet); err != nil {
 		return nil, err
@ -258,7 +260,7 @@ func (c *ClientAssertionKeySet) VerifySignature(ctx context.Context, jws *jose.J
 		keyID = sig.Header.KeyID
 		break
 	}
-	keySet, err := c.Storage.GetKeysByServiceAccount(ctx, c.id)
+	keySet, err := c.Storage.GetKeyByID(ctx, keyID)
 	if err != nil {
 		return nil, errors.New("error fetching keys")
 	}