Merge pull request #88 from caos/basic-auth

fix: encoding of basic auth header values
Fabi 2021-03-05 08:37:03 +01:00 committed by GitHub
commit 84e5159508
4 changed files with 22 additions and 4 deletions


@ -37,11 +37,11 @@ func (r *resourceServer) AuthFn() (interface{}, error) {
return r.authFn() return r.authFn()
} }
func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) { func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
authorizer := func() (interface{}, error) { authorizer := func() (interface{}, error) {
return utils.AuthorizeBasic(clientID, clientSecret), nil return utils.AuthorizeBasic(clientID, clientSecret), nil
} }
return newResourceServer(issuer, authorizer, option) return newResourceServer(issuer, authorizer, option...)
} }
func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) { func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
signer, err := client.NewSignerFromPrivateKeyByte(key, keyID) signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
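Review bot: The new variadic parameter on the NewResourceServerClientCredentials line is named `option` while the sibling constructor NewResourceServerJWTProfile two lines below names its variadic `options ...Option`; renaming it to `options ...Option` and forwarding `options...` keeps the two constructors parallel. Both exported constructors also lack the doc comment Go tooling expects; for the client-credentials one I would add `// NewResourceServerClientCredentials creates a ResourceServer that authenticates with a form-urlencoded client ID and secret in the Authorization header (see utils.AuthorizeBasic).` so callers know the raw secret is passed and encoded on their behalf. NewResourceServerJWTProfile's body continues outside the hunk.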


@ -51,9 +51,18 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
return return
case key := <-keyCh: case key := <-keyCh:
s.alg = key.Algorithm s.alg = key.Algorithm
if key.Algorithm == "" || key.Key == nil {
s.signer = nil
logging.Log("OP-DAvt4").Warn("signer has no key")
continue
}
var err error var err error
s.signer, err = jose.NewSigner(key, &jose.SignerOptions{}) s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
logging.Log("OP-pf32aw").OnError(err).Error("error creating signer") if err != nil {
logging.Log("OP-pf32aw").WithError(err).Error("error creating signer")
continue
}
logging.Log("OP-agRf2").Info("signer exchanged signing key")
} }
} }
} }
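Review bot: `s.alg = key.Algorithm` is still executed before the new emptiness check and before jose.NewSigner, so on either `continue` path the signer's algorithm is updated to the new key's value while `s.signer` is cleared (in the NewSigner error case it becomes whatever NewSigner returned alongside the error, which I believe is nil); the two fields are then out of step. Building into a local and committing both fields only on success avoids that: `signer, err := jose.NewSigner(key, &jose.SignerOptions{})`, the existing error check, then `s.alg, s.signer = key.Algorithm, signer`. Nothing in the hunk shows how these fields are read by the signing path; if another goroutine reads them, the writes here would need the same synchronization, which is worth confirming against the rest of the type. refreshSigningKey starts outside the hunk.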


@ -3,6 +3,7 @@ package op
import ( import (
"errors" "errors"
"net/http" "net/http"
"net/url"
"github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/oidc"
"github.com/caos/oidc/pkg/utils" "github.com/caos/oidc/pkg/utils"
@ -68,6 +69,14 @@ func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector)
} }
clientID, clientSecret, ok := r.BasicAuth() clientID, clientSecret, ok := r.BasicAuth()
if ok { if ok {
clientID, err = url.QueryUnescape(clientID)
if err != nil {
return "", "", errors.New("invalid basic auth header")
}
clientSecret, err = url.QueryUnescape(clientSecret)
if err != nil {
return "", "", errors.New("invalid basic auth header")
}
if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil { if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil {
return "", "", err return "", "", err
} }
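Review bot: The unescaping added after `r.BasicAuth()` is undocumented, and url.QueryUnescape has one property a reader will not expect here: it turns a literal `+` into a space, so a client that places an unencoded `+` in its secret will fail authentication. That is the right behaviour for RFC 6749 §2.3.1 (credentials are form-urlencoded before the basic-auth encoding) and it mirrors the QueryEscape used in utils.AuthorizeBasic, but it deserves a comment above the first unescape, e.g. `// client_id and client_secret are form-urlencoded inside the basic auth header (RFC 6749 section 2.3.1), so decode them before use`. The two identical error branches could also share a single `errors.New("invalid basic auth header")` value declared once. `err` is assigned with `=` here, so it is declared earlier in the function, outside the hunk.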


@ -30,7 +30,7 @@ type RequestAuthorization func(*http.Request)
func AuthorizeBasic(user, password string) RequestAuthorization { func AuthorizeBasic(user, password string) RequestAuthorization {
return func(req *http.Request) { return func(req *http.Request) {
req.SetBasicAuth(user, password) req.SetBasicAuth(url.QueryEscape(user), url.QueryEscape(password))
} }
} }
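Review bot: The exported AuthorizeBasic now changes what goes on the wire but still carries no doc comment, and the encoding choice is the kind of thing the next reader will question. I would add `// AuthorizeBasic returns a RequestAuthorization that sends user and password form-urlencoded in the basic auth header, as RFC 6749 section 2.3.1 requires for client credentials; a server that does not decode them will reject secrets containing reserved characters.` above the function. The `net/url` import this line needs is presumably added in this file's import block outside the hunk; worth a glance that it is there.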