diff --git a/pkg/oidc/verifier.go b/pkg/oidc/verifier.go index 4b0f684..e375ade 100644 --- a/pkg/oidc/verifier.go +++ b/pkg/oidc/verifier.go @@ -118,8 +118,8 @@ func CheckAuthorizedParty(audiences []string, authorizedParty string, v Verifier return nil } -func CheckSignature(ctx context.Context, idTokenString string, payload []byte, claims Claims, v Verifier) error { - jws, err := jose.ParseSigned(idTokenString) +func CheckSignature(ctx context.Context, token string, payload []byte, claims Claims, supportedSigAlgs []string, set KeySet) error { + jws, err := jose.ParseSigned(token) if err != nil { return err } @@ -130,7 +130,6 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c return ErrSignatureMultiple } sig := jws.Signatures[0] - supportedSigAlgs := v.SupportedSignAlgs() if len(supportedSigAlgs) == 0 { supportedSigAlgs = []string{"RS256"} } @@ -138,7 +137,7 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c return fmt.Errorf("%w: id token signed with unsupported algorithm, expected %q got %q", ErrSignatureUnsupportedAlg, supportedSigAlgs, sig.Header.Algorithm) } - signedPayload, err := v.KeySet().VerifySignature(ctx, jws) + signedPayload, err := set.VerifySignature(ctx, jws) if err != nil { return err } diff --git a/pkg/op/tokenrequest.go b/pkg/op/tokenrequest.go index f208fcc..7c8e663 100644 --- a/pkg/op/tokenrequest.go +++ b/pkg/op/tokenrequest.go @@ -4,6 +4,9 @@ import ( "context" "errors" "net/http" + "time" + + "gopkg.in/square/go-jose.v2" "github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/rp" @@ -125,9 +128,40 @@ type ClientJWTVerifier struct { Storage } -func (c *ClientJWTVerifier) Issuer() string { - client, err := Storage.GetClientByClientID(context.TODO(), c.claims.Issuer) - return client.GetID() +func (c ClientJWTVerifier) Storage() Storage { + panic("implement me") +} + +func (c ClientJWTVerifier) Issuer() string { + panic("implement me") +} + +func (c ClientJWTVerifier) ClientID() string { + panic("implement me") +} + +func (c ClientJWTVerifier) SupportedSignAlgs() []string { + panic("implement me") +} + +func (c ClientJWTVerifier) KeySet() oidc.KeySet { + return c.claims +} + +func (c ClientJWTVerifier) ACR() oidc.ACRVerifier { + panic("implement me") +} + +func (c ClientJWTVerifier) MaxAge() time.Duration { + panic("implement me") +} + +func (c ClientJWTVerifier) MaxAgeIAT() time.Duration { + panic("implement me") +} + +func (c ClientJWTVerifier) Offset() time.Duration { + panic("implement me") } func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) { @@ -138,8 +172,7 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang claims := new(oidc.JWTTokenRequest) //var keyset oidc.KeySet verifier := new(ClientJWTVerifier) - verifier.claims = claims - err = verifier.VerifyToken(r.Context(), assertion, claims) + req, err := VerifyJWTAssertion(r.Context(), assertion, verifier) if err != nil { RequestError(w, r, err) } @@ -152,6 +185,53 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang utils.MarshalJSON(w, resp) } +type JWTAssertionVerifier interface { + Storage() Storage + oidc.Verifier +} + +func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTAssertionVerifier) (*oidc.JWTTokenRequest, error) { + claims := new(oidc.JWTTokenRequest) + payload, err := oidc.ParseToken(assertion, claims) + + oidc.CheckAudience(claims.Audience, v) + + oidc.CheckExpiration(claims.ExpiresAt, v) + + oidc.CheckIssuedAt(claims.IssuedAt, v) + + if claims.Issuer != claims.Subject { + + } + v.Storage().GetClientByClientID(ctx, claims.Issuer) + + keySet := &ClientAssertionKeySet{v.Storage(), claims.Issuer} + + oidc.CheckSignature(ctx, assertion, payload, claims, nil, keySet) +} + +type ClientAssertionKeySet struct { + Storage + id string +} + +func (c *ClientAssertionKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) { + keyID := "" + for _, sig := range jws.Signatures { + keyID = sig.Header.KeyID + break + } + keySet, err := c.Storage.GetKeysByServiceAccount(id) + if err != nil { + return nil, errors.New("error fetching keys") + } + payload, err, ok := rp.CheckKey(keyID, keySet.Keys, jws) + if !ok { + return nil, errors.New("invalid kid") + } + return payload, err +} + func ParseJWTTokenRequest(r *http.Request, decoder utils.Decoder) (string, error) { err := r.ParseForm() if err != nil { diff --git a/pkg/rp/verity.go b/pkg/rp/verity.go deleted file mode 100644 index 189ce90..0000000 --- a/pkg/rp/verity.go +++ /dev/null @@ -1,9 +0,0 @@ -package rp - -import ( - "context" - - "gopkg.in/square/go-jose.v2" - - "github.com/caos/oidc/pkg/oidc" -)