cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: rp verification process (#95)

Browse source 
* fix: rp verification process

* types

* comments

* fix cli client
This commit is contained in:
Livio Amstutz 2021-06-23 11:08:54 +02:00 committed by GitHub
parent 400f5c4de4
commit 850faa159d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 175 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

36
pkg/client/rp/relaying_party.go
View file

@ -22,6 +22,10 @@ const (
pkceCode = "pkce"
)
var (
ErrUserInfoSubNotMatching = errors.New("sub from userinfo does not match the sub from the id_token")
)
//RelyingParty declares the minimal interface for oidc clients
type RelyingParty interface {
//OAuthConfig returns the oauth2 Config
@ -244,6 +248,9 @@ func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
if err != nil {
return Endpoints{}, err
}
if discoveryConfig.Issuer != issuer {
return Endpoints{}, oidc.ErrIssuerInvalid
}
return GetEndpoints(discoveryConfig), nil
}
@ -319,10 +326,12 @@ func CodeExchange(ctx context.Context, code string, rp RelyingParty, opts ...Cod
return &oidc.Tokens{Token: token, IDTokenClaims: idToken, IDToken: idTokenString}, nil
}
type CodeExchangeCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty)
//CodeExchangeHandler extends the `CodeExchange` method with a http handler
//including cookie handling for secure `state` transfer
//and optional PKCE code verifier checking
func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc.Tokens, string), rp RelyingParty) http.HandlerFunc {
func CodeExchangeHandler(callback CodeExchangeCallback, rp RelyingParty) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
state, err := tryReadStateCookie(w, r, rp)
if err != nil {
@ -356,21 +365,40 @@ func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc
http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
return
}
callback(w, r, tokens, state)
callback(w, r, tokens, state, rp)
}
}
type CodeExchangeUserinfoCallback func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, provider RelyingParty, info oidc.UserInfo)
//UserinfoCallback wraps the callback function of the CodeExchangeHandler
//and calls the userinfo endpoint with the access token
//on success it will pass the userinfo into its callback function as well
func UserinfoCallback(f CodeExchangeUserinfoCallback) CodeExchangeCallback {
return func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string, rp RelyingParty) {
info, err := Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.GetSubject(), rp)
if err != nil {
http.Error(w, "userinfo failed: "+err.Error(), http.StatusUnauthorized)
return
}
f(w, r, tokens, state, rp, info)
}
}
//Userinfo will call the OIDC Userinfo Endpoint with the provided token
func Userinfo(token string, rp RelyingParty) (oidc.UserInfo, error) {
func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo, error) {
req, err := http.NewRequest("GET", rp.UserinfoEndpoint(), nil)
if err != nil {
return nil, err
}
req.Header.Set("authorization", token)
req.Header.Set("authorization", tokenType+" "+token)
userinfo := oidc.NewUserInfo()
if err := utils.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
return nil, err
}
if userinfo.GetSubject() != subject {
return nil, ErrUserInfoSubNotMatching
}
return userinfo, nil
}