cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: implement storage

Browse source
This commit is contained in:
adlerhurst 2020-09-10 15:43:21 +02:00
parent bfbd4adb1c
commit 7700cb3539
5 changed files with 61 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

7
pkg/oidc/authorization.go
View file

@ -7,6 +7,7 @@ import (
"time" "time"
"golang.org/x/text/language" "golang.org/x/text/language"
"gopkg.in/square/go-jose.v2"
) )
const ( const (
@ -152,7 +153,7 @@ type JWTTokenRequest struct {
Issuer string `json:"iss"` Issuer string `json:"iss"`
Subject string `json:"sub"` Subject string `json:"sub"`
Scopes Scopes `json:"scope"` Scopes Scopes `json:"scope"`
Audience string `json:"aud"` Audience []string `json:"aud"`
IssuedAt Time `json:"iat"` IssuedAt Time `json:"iat"`
ExpiresAt Time `json:"exp"` ExpiresAt Time `json:"exp"`
} }
@ -185,7 +186,7 @@ func (j *JWTTokenRequest) GetIssuer() string {
} }
func (j *JWTTokenRequest) GetAudience() []string { func (j *JWTTokenRequest) GetAudience() []string {
return []string{j.Audience} return j.Audience
} }
func (j *JWTTokenRequest) GetExpiration() time.Time { func (j *JWTTokenRequest) GetExpiration() time.Time {
@ -212,6 +213,8 @@ func (j *JWTTokenRequest) GetAuthorizedParty() string {
return "" return ""
} }
func (j *JWTTokenRequest) SetSignature(algorithm jose.SignatureAlgorithm) {}
type TokenExchangeRequest struct { type TokenExchangeRequest struct {
subjectToken string `schema:"subject_token"` subjectToken string `schema:"subject_token"`
subjectTokenType string `schema:"subject_token_type"` subjectTokenType string `schema:"subject_token_type"`

4
pkg/op/default_op.go
View file

@ -238,6 +238,10 @@ func (p *DefaultOP) HandleDiscovery(w http.ResponseWriter, r *http.Request) {
Discover(w, CreateDiscoveryConfig(p, p.Signer())) Discover(w, CreateDiscoveryConfig(p, p.Signer()))
} }
func (p *DefaultOP) Probes() []ProbesFn {
return nil
}
func (p *DefaultOP) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) { func (p *DefaultOP) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
keyID := "" keyID := ""
for _, sig := range jws.Signatures { for _, sig := range jws.Signatures {

1
pkg/op/storage.go
View file

@ -30,6 +30,7 @@ type OPStorage interface {
AuthorizeClientIDSecret(context.Context, string, string) error AuthorizeClientIDSecret(context.Context, string, string) error
GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error) GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error) GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error)
GetKeysByServiceAccount(ctx context.Context, id string) (*jose.JSONWebKeySet, error)
} }
type Storage interface { type Storage interface {

71
pkg/op/tokenrequest.go
View file

@ -125,19 +125,19 @@ func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenReque
type ClientJWTVerifier struct { type ClientJWTVerifier struct {
claims *oidc.JWTTokenRequest claims *oidc.JWTTokenRequest
Storage storage Storage
} }
func (c ClientJWTVerifier) Storage() Storage { func (c ClientJWTVerifier) Storage() Storage {
panic("implement me") return c.storage
} }
func (c ClientJWTVerifier) Issuer() string { func (c ClientJWTVerifier) Issuer() string {
panic("implement me") return c.claims.Issuer
} }
func (c ClientJWTVerifier) ClientID() string { func (c ClientJWTVerifier) ClientID() string {
panic("implement me") return c.claims.Issuer
} }
func (c ClientJWTVerifier) SupportedSignAlgs() []string { func (c ClientJWTVerifier) SupportedSignAlgs() []string {
@ -145,7 +145,8 @@ func (c ClientJWTVerifier) SupportedSignAlgs() []string {
} }
func (c ClientJWTVerifier) KeySet() oidc.KeySet { func (c ClientJWTVerifier) KeySet() oidc.KeySet {
return c.claims // return c.claims
return nil
} }
func (c ClientJWTVerifier) ACR() oidc.ACRVerifier { func (c ClientJWTVerifier) ACR() oidc.ACRVerifier {
@ -157,11 +158,13 @@ func (c ClientJWTVerifier) MaxAge() time.Duration {
} }
func (c ClientJWTVerifier) MaxAgeIAT() time.Duration { func (c ClientJWTVerifier) MaxAgeIAT() time.Duration {
panic("implement me") //TODO: define in conf/opts
return 1 * time.Hour
} }
func (c ClientJWTVerifier) Offset() time.Duration { func (c ClientJWTVerifier) Offset() time.Duration {
panic("implement me") //TODO: define in conf/opts
return time.Second
} }
func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) { func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) {
@ -169,12 +172,11 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
if err != nil { if err != nil {
RequestError(w, r, err) RequestError(w, r, err)
} }
claims := new(oidc.JWTTokenRequest)
//var keyset oidc.KeySet claims, err := VerifyJWTAssertion(r.Context(), assertion, exchanger.Storage())
verifier := new(ClientJWTVerifier)
req, err := VerifyJWTAssertion(r.Context(), assertion, verifier)
if err != nil { if err != nil {
RequestError(w, r, err) RequestError(w, r, err)
return
} }
resp, err := CreateJWTTokenResponse(r.Context(), claims, exchanger) resp, err := CreateJWTTokenResponse(r.Context(), claims, exchanger)
@ -190,24 +192,39 @@ type JWTAssertionVerifier interface {
oidc.Verifier oidc.Verifier
} }
func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTAssertionVerifier) (*oidc.JWTTokenRequest, error) { func VerifyJWTAssertion(ctx context.Context, assertion string, storage Storage) (*oidc.JWTTokenRequest, error) {
claims := new(oidc.JWTTokenRequest) verifier := &ClientJWTVerifier{
payload, err := oidc.ParseToken(assertion, claims) storage: storage,
claims: new(oidc.JWTTokenRequest),
oidc.CheckAudience(claims.Audience, v) }
payload, err := oidc.ParseToken(assertion, verifier.claims)
oidc.CheckExpiration(claims.ExpiresAt, v) if err != nil {
return nil, err
oidc.CheckIssuedAt(claims.IssuedAt, v)
if claims.Issuer != claims.Subject {
} }
v.Storage().GetClientByClientID(ctx, claims.Issuer)
keySet := &ClientAssertionKeySet{v.Storage(), claims.Issuer} if err = oidc.CheckAudience(verifier.claims.GetAudience(), verifier); err != nil {
return nil, err
}
oidc.CheckSignature(ctx, assertion, payload, claims, nil, keySet) if err = oidc.CheckExpiration(verifier.claims.GetExpiration(), verifier); err != nil {
return nil, err
}
if err = oidc.CheckIssuedAt(verifier.claims.GetIssuedAt(), verifier); err != nil {
return nil, err
}
if verifier.claims.Issuer != verifier.claims.Subject {
//TODO: implement delegation (openid core / oauth rfc)
}
verifier.Storage().GetClientByClientID(ctx, verifier.claims.Subject)
keySet := &ClientAssertionKeySet{storage, verifier.claims.Subject}
if err = oidc.CheckSignature(ctx, assertion, payload, verifier.claims, nil, keySet); err != nil {
return nil, err
}
return verifier.claims, nil
} }
type ClientAssertionKeySet struct { type ClientAssertionKeySet struct {
@ -221,7 +238,7 @@ func (c *ClientAssertionKeySet) VerifySignature(ctx context.Context, jws *jose.J
keyID = sig.Header.KeyID keyID = sig.Header.KeyID
break break
} }
keySet, err := c.Storage.GetKeysByServiceAccount(id) keySet, err := c.Storage.GetKeysByServiceAccount(ctx, c.id)
if err != nil { if err != nil {
return nil, errors.New("error fetching keys") return nil, errors.New("error fetching keys")
} }

2
pkg/rp/verifier.go
View file

@ -65,7 +65,7 @@ func VerifyIDToken(ctx context.Context, token string, v IDTokenVerifier) (*oidc.
//6. check signature by keys //6. check signature by keys
//7. check alg default is rs256 //7. check alg default is rs256
//8. check if alg is mac based (hs...) -> audience contains client_id. for validation use utf-8 representation of your client_secret //8. check if alg is mac based (hs...) -> audience contains client_id. for validation use utf-8 representation of your client_secret
if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v); err != nil { if err = oidc.CheckSignature(ctx, decrypted, payload, claims, v.SupportedSignAlgs(), v.KeySet()); err != nil {
return nil, err return nil, err
} }