cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix idtokenvalidity and marshalling

Browse source
This commit is contained in:
Livio Amstutz 2020-01-30 08:48:18 +01:00
parent 42099c8207
commit 4d2387c472
4 changed files with 145 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pkg/oidc/code_challenge.go
View file

@ -27,7 +27,7 @@ func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool {
return false //TODO: ? return false //TODO: ?
} }
if c.Method == CodeChallengeMethodS256 { if c.Method == CodeChallengeMethodS256 {
codeVerifier = utils.HashString(sha256.New(), codeVerifier) codeVerifier = NewSHACodeChallenge(codeVerifier)
} }
return codeVerifier == c.Challenge return codeVerifier == c.Challenge
} }

196
pkg/oidc/token.go
View file

@ -2,6 +2,7 @@ package oidc
import ( import (
"encoding/json" "encoding/json"
"strings"
"time" "time"
"github.com/caos/oidc/pkg/utils" "github.com/caos/oidc/pkg/utils"
@ -9,32 +10,160 @@ import (
"gopkg.in/square/go-jose.v2" "gopkg.in/square/go-jose.v2"
) )
type IDTokenClaims struct { type Tokens struct {
*oauth2.Token
IDTokenClaims *IDTokenClaims
IDToken string
}
type AccessTokenClaims struct {
Issuer string Issuer string
Subject string Subject string
Audiences []string Audiences []string
Expiration time.Time Expiration time.Time
IssuedAt time.Time IssuedAt time.Time
AuthTime time.Time NotBefore time.Time
JWTID string
AuthorizedParty string
Nonce string Nonce string
AuthTime time.Time
CodeHash string
AuthenticationContextClassReference string AuthenticationContextClassReference string
AuthenticationMethodsReferences []string AuthenticationMethodsReferences []string
SessionID string
Scopes []string
ClientID string
AccessTokenUseNumber int
}
type IDTokenClaims struct {
Issuer string
Subject string
Audiences []string
Expiration time.Time
NotBefore time.Time
IssuedAt time.Time
JWTID string
UpdatedAt time.Time
AuthorizedParty string AuthorizedParty string
Nonce string
AuthTime time.Time
AccessTokenHash string AccessTokenHash string
CodeHash string CodeHash string
AuthenticationContextClassReference string
AuthenticationMethodsReferences []string
ClientID string
Signature jose.SignatureAlgorithm //TODO: ??? Signature jose.SignatureAlgorithm //TODO: ???
} }
type jsonToken struct {
Issuer string `json:"iss,omitempty"`
Subject string `json:"sub,omitempty"`
Audiences []string `json:"aud,omitempty"`
Expiration int64 `json:"exp,omitempty"`
NotBefore int64 `json:"nbf,omitempty"`
IssuedAt int64 `json:"iat,omitempty"`
JWTID string `json:"jti,omitempty"`
UpdatedAt int64 `json:"updated_at,omitempty"`
AuthorizedParty string `json:"azp,omitempty"`
Nonce string `json:"nonce,omitempty"`
AuthTime int64 `json:"auth_time,omitempty"`
AccessTokenHash string `json:"at_hash,omitempty"`
CodeHash string `json:"c_hash,omitempty"`
AuthenticationContextClassReference string `json:"acr,omitempty"`
AuthenticationMethodsReferences []string `json:"amr,omitempty"`
SessionID string `json:"sid,omitempty"`
Actor interface{} `json:"act,omitempty"`
Scopes string `json:"scope,omitempty"`
ClientID string `json:"client_id,omitempty"`
AuthorizedActor interface{} `json:"may_act,omitempty"` //TODO: impl
AccessTokenUseNumber int `json:"at_use_nbr,omitempty"`
}
func (t *AccessTokenClaims) MarshalJSON() ([]byte, error) {
j := jsonToken{
Issuer: t.Issuer,
Subject: t.Subject,
Audiences: t.Audiences,
Expiration: timeToJSON(t.Expiration),
NotBefore: timeToJSON(t.NotBefore),
IssuedAt: timeToJSON(t.IssuedAt),
JWTID: t.JWTID,
AuthorizedParty: t.AuthorizedParty,
Nonce: t.Nonce,
AuthTime: timeToJSON(t.AuthTime),
CodeHash: t.CodeHash,
AuthenticationContextClassReference: t.AuthenticationContextClassReference,
AuthenticationMethodsReferences: t.AuthenticationMethodsReferences,
SessionID: t.SessionID,
Scopes: strings.Join(t.Scopes, " "),
ClientID: t.ClientID,
AccessTokenUseNumber: t.AccessTokenUseNumber,
}
return json.Marshal(j)
}
func (t *AccessTokenClaims) UnmarshalJSON(b []byte) error {
var j jsonToken
if err := json.Unmarshal(b, &j); err != nil {
return err
}
audience := j.Audiences
if len(audience) == 1 {
audience = strings.Split(audience[0], " ")
}
t.Issuer = j.Issuer
t.Subject = j.Subject
t.Audiences = audience
t.Expiration = time.Unix(j.Expiration, 0).UTC()
t.NotBefore = time.Unix(j.NotBefore, 0).UTC()
t.IssuedAt = time.Unix(j.IssuedAt, 0).UTC()
t.JWTID = j.JWTID
t.AuthorizedParty = j.AuthorizedParty
t.Nonce = j.Nonce
t.AuthTime = time.Unix(j.AuthTime, 0).UTC()
t.CodeHash = j.CodeHash
t.AuthenticationContextClassReference = j.AuthenticationContextClassReference
t.AuthenticationMethodsReferences = j.AuthenticationMethodsReferences
t.SessionID = j.SessionID
t.Scopes = strings.Split(j.Scopes, " ")
t.ClientID = j.ClientID
t.AccessTokenUseNumber = j.AccessTokenUseNumber
return nil
}
func (t *IDTokenClaims) MarshalJSON() ([]byte, error) {
j := jsonToken{
Issuer: t.Issuer,
Subject: t.Subject,
Audiences: t.Audiences,
Expiration: timeToJSON(t.Expiration),
NotBefore: timeToJSON(t.NotBefore),
IssuedAt: timeToJSON(t.IssuedAt),
JWTID: t.JWTID,
UpdatedAt: timeToJSON(t.UpdatedAt),
AuthorizedParty: t.AuthorizedParty,
Nonce: t.Nonce,
AuthTime: timeToJSON(t.AuthTime),
AccessTokenHash: t.AccessTokenHash,
CodeHash: t.CodeHash,
AuthenticationContextClassReference: t.AuthenticationContextClassReference,
AuthenticationMethodsReferences: t.AuthenticationMethodsReferences,
ClientID: t.ClientID,
}
return json.Marshal(j)
}
func (t *IDTokenClaims) UnmarshalJSON(b []byte) error { func (t *IDTokenClaims) UnmarshalJSON(b []byte) error {
var i jsonIDToken var i jsonToken
if err := json.Unmarshal(b, &i); err != nil { if err := json.Unmarshal(b, &i); err != nil {
return err return err
} }
audience := i.Audiences audience := i.Audiences
// if len(audience) == 1 { if len(audience) == 1 {
// audience = strings.Split(audience[0], " ") audience = strings.Split(audience[0], " ")
// } }
t.Issuer = i.Issuer t.Issuer = i.Issuer
t.Subject = i.Subject t.Subject = i.Subject
t.Audiences = audience t.Audiences = audience
@ -50,54 +179,6 @@ func (t *IDTokenClaims) UnmarshalJSON(b []byte) error {
return nil return nil
} }
func (t *IDTokenClaims) MarshalJSON() ([]byte, error) {
j := jsonIDToken{
Issuer: t.Issuer,
Subject: t.Subject,
Audiences: t.Audiences,
Expiration: t.Expiration.Unix(),
IssuedAt: t.IssuedAt.Unix(),
AuthTime: t.AuthTime.Unix(),
Nonce: t.Nonce,
AuthenticationContextClassReference: t.AuthenticationContextClassReference,
AuthenticationMethodsReferences: t.AuthenticationMethodsReferences,
AuthorizedParty: t.AuthorizedParty,
AccessTokenHash: t.AccessTokenHash,
CodeHash: t.CodeHash,
}
return json.Marshal(j)
}
type jsonIDToken struct {
Issuer string `json:"iss,omitempty"`
Subject string `json:"sub,omitempty"`
Audiences []string `json:"aud,omitempty"`
Expiration int64 `json:"exp,omitempty"`
IssuedAt int64 `json:"iat,omitempty"`
AuthTime int64 `json:"auth_time,omitempty"`
Nonce string `json:"nonce,omitempty"`
AuthenticationContextClassReference string `json:"acr,omitempty"`
AuthenticationMethodsReferences []string `json:"amr,omitempty"`
AuthorizedParty string `json:"azp,omitempty"`
AccessTokenHash string `json:"at_hash,omitempty"`
CodeHash string `json:"c_hash,omitempty"`
}
type Tokens struct {
*oauth2.Token
IDTokenClaims *IDTokenClaims
IDToken string
}
type AccessTokenClaims struct {
Issuer string
Subject string
Audiences []string
Expiration time.Time
IssuedAt time.Time
NotBefore time.Time
}
func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error) { func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, error) {
hash, err := utils.GetHashAlgorithm(sigAlgorithm) hash, err := utils.GetHashAlgorithm(sigAlgorithm)
if err != nil { if err != nil {
@ -106,3 +187,10 @@ func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, erro
return utils.HashString(hash, claim), nil return utils.HashString(hash, claim), nil
} }
func timeToJSON(t time.Time) int64 {
if t.IsZero() {
return 0
}
return t.Unix()
}

11
pkg/op/default_op.go
View file

@ -3,7 +3,6 @@ package op
import ( import (
"context" "context"
"net/http" "net/http"
"time"
"github.com/gorilla/schema" "github.com/gorilla/schema"
@ -20,8 +19,6 @@ const (
AuthMethodBasic AuthMethod = "client_secret_basic" AuthMethodBasic AuthMethod = "client_secret_basic"
AuthMethodPost = "client_secret_post" AuthMethodPost = "client_secret_post"
AuthMethodNone = "none" AuthMethodNone = "none"
DefaultIDTokenValidity = time.Duration(5 * time.Minute)
) )
var ( var (
@ -48,7 +45,6 @@ type DefaultOP struct {
type Config struct { type Config struct {
Issuer string Issuer string
IDTokenValidity time.Duration
CryptoKey [32]byte CryptoKey [32]byte
// ScopesSupported: oidc.SupportedScopes, // ScopesSupported: oidc.SupportedScopes,
// ResponseTypesSupported: responseTypes, // ResponseTypesSupported: responseTypes,
@ -198,13 +194,6 @@ func (p *DefaultOP) Crypto() Crypto {
return p.crypto return p.crypto
} }
func (p *DefaultOP) IDTokenValidity() time.Duration {
if p.config.IDTokenValidity == 0 {
p.config.IDTokenValidity = DefaultIDTokenValidity
}
return p.config.IDTokenValidity
}
func (p *DefaultOP) HandleKeys(w http.ResponseWriter, r *http.Request) { func (p *DefaultOP) HandleKeys(w http.ResponseWriter, r *http.Request) {
Keys(w, r, p) Keys(w, r, p)
} }

2
pkg/op/tokenrequest.go
View file

@ -4,7 +4,6 @@ import (
"context" "context"
"errors" "errors"
"net/http" "net/http"
"time"
"github.com/gorilla/schema" "github.com/gorilla/schema"
@ -14,7 +13,6 @@ import (
type Exchanger interface { type Exchanger interface {
Issuer() string Issuer() string
IDTokenValidity() time.Duration
Storage() Storage Storage() Storage
Decoder() *schema.Decoder Decoder() *schema.Decoder
Signer() Signer Signer() Signer