cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix token revocation authentication and discovery config

Browse source
This commit is contained in:
Livio Amstutz 2021-11-02 09:43:14 +01:00
parent 162990f974
commit 4ddf7c7764
4 changed files with 74 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pkg/op/config.go
View file

@ -29,6 +29,8 @@ type Configuration interface {
GrantTypeJWTAuthorizationSupported() bool GrantTypeJWTAuthorizationSupported() bool
IntrospectionAuthMethodPrivateKeyJWTSupported() bool IntrospectionAuthMethodPrivateKeyJWTSupported() bool
IntrospectionEndpointSigningAlgorithmsSupported() []string IntrospectionEndpointSigningAlgorithmsSupported() []string
RevocationAuthMethodPrivateKeyJWTSupported() bool
RevocationEndpointSigningAlgorithmsSupported() []string
RequestObjectSupported() bool RequestObjectSupported() bool
RequestObjectSigningAlgorithmsSupported() []string RequestObjectSigningAlgorithmsSupported() []string

23
pkg/op/discovery.go
View file

@ -37,6 +37,8 @@ func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfigurati
TokenEndpointAuthSigningAlgValuesSupported: TokenSigAlgorithms(c), TokenEndpointAuthSigningAlgValuesSupported: TokenSigAlgorithms(c),
IntrospectionEndpointAuthSigningAlgValuesSupported: IntrospectionSigAlgorithms(c), IntrospectionEndpointAuthSigningAlgValuesSupported: IntrospectionSigAlgorithms(c),
IntrospectionEndpointAuthMethodsSupported: AuthMethodsIntrospectionEndpoint(c), IntrospectionEndpointAuthMethodsSupported: AuthMethodsIntrospectionEndpoint(c),
RevocationEndpointAuthSigningAlgValuesSupported: RevocationSigAlgorithms(c),
RevocationEndpointAuthMethodsSupported: AuthMethodsRevocationEndpoint(c),
ClaimsSupported: SupportedClaims(c), ClaimsSupported: SupportedClaims(c),
CodeChallengeMethodsSupported: CodeChallengeMethods(c), CodeChallengeMethodsSupported: CodeChallengeMethods(c),
UILocalesSupported: c.SupportedUILocales(), UILocalesSupported: c.SupportedUILocales(),
@ -150,6 +152,20 @@ func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod {
return authMethods return authMethods
} }
func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod {
authMethods := []oidc.AuthMethod{
oidc.AuthMethodNone,
oidc.AuthMethodBasic,
}
if c.AuthMethodPostSupported() {
authMethods = append(authMethods, oidc.AuthMethodPost)
}
if c.AuthMethodPrivateKeyJWTSupported() {
authMethods = append(authMethods, oidc.AuthMethodPrivateKeyJWT)
}
return authMethods
}
func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod { func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod {
codeMethods := make([]oidc.CodeChallengeMethod, 0, 1) codeMethods := make([]oidc.CodeChallengeMethod, 0, 1)
if c.CodeMethodS256Supported() { if c.CodeMethodS256Supported() {
@ -165,6 +181,13 @@ func IntrospectionSigAlgorithms(c Configuration) []string {
return c.IntrospectionEndpointSigningAlgorithmsSupported() return c.IntrospectionEndpointSigningAlgorithmsSupported()
} }
func RevocationSigAlgorithms(c Configuration) []string {
if !c.RevocationAuthMethodPrivateKeyJWTSupported() {
return nil
}
return c.RevocationEndpointSigningAlgorithmsSupported()
}
func RequestObjectSigAlgorithms(c Configuration) []string { func RequestObjectSigAlgorithms(c Configuration) []string {
if !c.RequestObjectSupported() { if !c.RequestObjectSupported() {
return nil return nil

10
pkg/op/op.go
View file

@ -23,6 +23,7 @@ const (
defaultTokenEndpoint = "oauth/token" defaultTokenEndpoint = "oauth/token"
defaultIntrospectEndpoint = "oauth/introspect" defaultIntrospectEndpoint = "oauth/introspect"
defaultUserinfoEndpoint = "userinfo" defaultUserinfoEndpoint = "userinfo"
defaultRevocationEndpoint = "revoke"
defaultEndSessionEndpoint = "end_session" defaultEndSessionEndpoint = "end_session"
defaultKeysEndpoint = "keys" defaultKeysEndpoint = "keys"
) )
@ -33,6 +34,7 @@ var (
Token: NewEndpoint(defaultTokenEndpoint), Token: NewEndpoint(defaultTokenEndpoint),
Introspection: NewEndpoint(defaultIntrospectEndpoint), Introspection: NewEndpoint(defaultIntrospectEndpoint),
Userinfo: NewEndpoint(defaultUserinfoEndpoint), Userinfo: NewEndpoint(defaultUserinfoEndpoint),
Revocation: NewEndpoint(defaultRevocationEndpoint),
EndSession: NewEndpoint(defaultEndSessionEndpoint), EndSession: NewEndpoint(defaultEndSessionEndpoint),
JwksURI: NewEndpoint(defaultKeysEndpoint), JwksURI: NewEndpoint(defaultKeysEndpoint),
} }
@ -222,6 +224,14 @@ func (o *openidProvider) IntrospectionEndpointSigningAlgorithmsSupported() []str
return []string{"RS256"} return []string{"RS256"}
} }
func (o *openidProvider) RevocationAuthMethodPrivateKeyJWTSupported() bool {
return true
}
func (o *openidProvider) RevocationEndpointSigningAlgorithmsSupported() []string {
return []string{"RS256"}
}
func (o *openidProvider) RequestObjectSupported() bool { func (o *openidProvider) RequestObjectSupported() bool {
return o.config.RequestObjectSupported return o.config.RequestObjectSupported
} }

44
pkg/op/token_revocation.go
View file

@ -2,7 +2,6 @@ package op
import ( import (
"context" "context"
"errors"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
@ -16,6 +15,8 @@ type Revoker interface {
Crypto() Crypto Crypto() Crypto
Storage() Storage Storage() Storage
AccessTokenVerifier() AccessTokenVerifier AccessTokenVerifier() AccessTokenVerifier
AuthMethodPrivateKeyJWTSupported() bool
AuthMethodPostSupported() bool
} }
type RevokerJWTProfile interface { type RevokerJWTProfile interface {
@ -51,17 +52,23 @@ func Revoke(w http.ResponseWriter, r *http.Request, revoker Revoker) {
func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error) { func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, tokenTypeHint, clientID string, err error) {
err = r.ParseForm() err = r.ParseForm()
if err != nil { if err != nil {
return "", "", "", errors.New("unable to parse request") return "", "", "", oidc.ErrInvalidRequest().WithDescription("unable to parse request").WithParent(err)
} }
req := new(struct { req := new(struct {
oidc.RevocationRequest oidc.RevocationRequest
oidc.ClientAssertionParams oidc.ClientAssertionParams //for auth_method private_key_jwt
ClientID string `schema:"client_id"` //for auth_method none and post
ClientSecret string `schema:"client_secret"` //for auth_method post
}) })
err = revoker.Decoder().Decode(req, r.Form) err = revoker.Decoder().Decode(req, r.Form)
if err != nil { if err != nil {
return "", "", "", errors.New("unable to parse request") return "", "", "", oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
}
if req.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
revokerJWTProfile, ok := revoker.(RevokerJWTProfile)
if !ok || !revoker.AuthMethodPrivateKeyJWTSupported() {
return "", "", "", oidc.ErrInvalidClient().WithDescription("auth_method private_key_jwt not supported")
} }
if revokerJWTProfile, ok := revoker.(RevokerJWTProfile); ok && req.ClientAssertion != "" {
profile, err := VerifyJWTAssertion(r.Context(), req.ClientAssertion, revokerJWTProfile.JWTProfileVerifier()) profile, err := VerifyJWTAssertion(r.Context(), req.ClientAssertion, revokerJWTProfile.JWTProfileVerifier())
if err == nil { if err == nil {
return req.Token, req.TokenTypeHint, profile.Issuer, nil return req.Token, req.TokenTypeHint, profile.Issuer, nil
@ -72,18 +79,37 @@ func ParseTokenRevocationRequest(r *http.Request, revoker Revoker) (token, token
if ok { if ok {
clientID, err = url.QueryUnescape(clientID) clientID, err = url.QueryUnescape(clientID)
if err != nil { if err != nil {
return "", "", "", errors.New("invalid basic auth header") return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
} }
clientSecret, err = url.QueryUnescape(clientSecret) clientSecret, err = url.QueryUnescape(clientSecret)
if err != nil { if err != nil {
return "", "", "", errors.New("invalid basic auth header") return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
} }
if err := revoker.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil { if err = AuthorizeClientIDSecret(r.Context(), clientID, clientSecret, revoker.Storage()); err != nil {
return "", "", "", err return "", "", "", err
} }
return req.Token, req.TokenTypeHint, clientID, nil return req.Token, req.TokenTypeHint, clientID, nil
} }
return "", "", "", errors.New("invalid authorization") if req.ClientID == "" {
return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid authorization")
}
client, err := revoker.Storage().GetClientByClientID(r.Context(), req.ClientID)
if err != nil {
return "", "", "", oidc.ErrInvalidClient().WithParent(err)
}
if req.ClientSecret == "" {
if client.AuthMethod() != oidc.AuthMethodNone {
return "", "", "", oidc.ErrInvalidClient().WithDescription("invalid authorization")
}
return req.Token, req.TokenTypeHint, req.ClientID, nil
}
if client.AuthMethod() == oidc.AuthMethodPost && !revoker.AuthMethodPostSupported() {
return "", "", "", oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
}
if err = AuthorizeClientIDSecret(r.Context(), req.ClientID, req.ClientSecret, revoker.Storage()); err != nil {
return "", "", "", err
}
return req.Token, req.TokenTypeHint, req.ClientID, nil
} }
func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error) { func RevocationRequestError(w http.ResponseWriter, r *http.Request, err error) {