cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

some ideas to implement jwt client assertion

Browse source
This commit is contained in:
Livio Amstutz 2020-09-08 17:09:27 +02:00
parent a37a8461a5
commit bfbd4adb1c
3 changed files with 88 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

7
pkg/oidc/verifier.go
View file

@ -118,8 +118,8 @@ func CheckAuthorizedParty(audiences []string, authorizedParty string, v Verifier
return nil return nil
} }
func CheckSignature(ctx context.Context, idTokenString string, payload []byte, claims Claims, v Verifier) error { func CheckSignature(ctx context.Context, token string, payload []byte, claims Claims, supportedSigAlgs []string, set KeySet) error {
jws, err := jose.ParseSigned(idTokenString) jws, err := jose.ParseSigned(token)
if err != nil { if err != nil {
return err return err
} }
@ -130,7 +130,6 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c
return ErrSignatureMultiple return ErrSignatureMultiple
} }
sig := jws.Signatures[0] sig := jws.Signatures[0]
supportedSigAlgs := v.SupportedSignAlgs()
if len(supportedSigAlgs) == 0 { if len(supportedSigAlgs) == 0 {
supportedSigAlgs = []string{"RS256"} supportedSigAlgs = []string{"RS256"}
} }
@ -138,7 +137,7 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c
return fmt.Errorf("%w: id token signed with unsupported algorithm, expected %q got %q", ErrSignatureUnsupportedAlg, supportedSigAlgs, sig.Header.Algorithm) return fmt.Errorf("%w: id token signed with unsupported algorithm, expected %q got %q", ErrSignatureUnsupportedAlg, supportedSigAlgs, sig.Header.Algorithm)
} }
signedPayload, err := v.KeySet().VerifySignature(ctx, jws) signedPayload, err := set.VerifySignature(ctx, jws)
if err != nil { if err != nil {
return err return err
} }

90
pkg/op/tokenrequest.go
View file

@ -4,6 +4,9 @@ import (
"context" "context"
"errors" "errors"
"net/http" "net/http"
"time"
"gopkg.in/square/go-jose.v2"
"github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/oidc"
"github.com/caos/oidc/pkg/rp" "github.com/caos/oidc/pkg/rp"
@ -125,9 +128,40 @@ type ClientJWTVerifier struct {
Storage Storage
} }
func (c *ClientJWTVerifier) Issuer() string { func (c ClientJWTVerifier) Storage() Storage {
client, err := Storage.GetClientByClientID(context.TODO(), c.claims.Issuer) panic("implement me")
return client.GetID() }
func (c ClientJWTVerifier) Issuer() string {
panic("implement me")
}
func (c ClientJWTVerifier) ClientID() string {
panic("implement me")
}
func (c ClientJWTVerifier) SupportedSignAlgs() []string {
panic("implement me")
}
func (c ClientJWTVerifier) KeySet() oidc.KeySet {
return c.claims
}
func (c ClientJWTVerifier) ACR() oidc.ACRVerifier {
panic("implement me")
}
func (c ClientJWTVerifier) MaxAge() time.Duration {
panic("implement me")
}
func (c ClientJWTVerifier) MaxAgeIAT() time.Duration {
panic("implement me")
}
func (c ClientJWTVerifier) Offset() time.Duration {
panic("implement me")
} }
func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) { func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) {
@ -138,8 +172,7 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
claims := new(oidc.JWTTokenRequest) claims := new(oidc.JWTTokenRequest)
//var keyset oidc.KeySet //var keyset oidc.KeySet
verifier := new(ClientJWTVerifier) verifier := new(ClientJWTVerifier)
verifier.claims = claims req, err := VerifyJWTAssertion(r.Context(), assertion, verifier)
err = verifier.VerifyToken(r.Context(), assertion, claims)
if err != nil { if err != nil {
RequestError(w, r, err) RequestError(w, r, err)
} }
@ -152,6 +185,53 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
utils.MarshalJSON(w, resp) utils.MarshalJSON(w, resp)
} }
type JWTAssertionVerifier interface {
Storage() Storage
oidc.Verifier
}
func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTAssertionVerifier) (*oidc.JWTTokenRequest, error) {
claims := new(oidc.JWTTokenRequest)
payload, err := oidc.ParseToken(assertion, claims)
oidc.CheckAudience(claims.Audience, v)
oidc.CheckExpiration(claims.ExpiresAt, v)
oidc.CheckIssuedAt(claims.IssuedAt, v)
if claims.Issuer != claims.Subject {
}
v.Storage().GetClientByClientID(ctx, claims.Issuer)
keySet := &ClientAssertionKeySet{v.Storage(), claims.Issuer}
oidc.CheckSignature(ctx, assertion, payload, claims, nil, keySet)
}
type ClientAssertionKeySet struct {
Storage
id string
}
func (c *ClientAssertionKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
keyID := ""
for _, sig := range jws.Signatures {
keyID = sig.Header.KeyID
break
}
keySet, err := c.Storage.GetKeysByServiceAccount(id)
if err != nil {
return nil, errors.New("error fetching keys")
}
payload, err, ok := rp.CheckKey(keyID, keySet.Keys, jws)
if !ok {
return nil, errors.New("invalid kid")
}
return payload, err
}
func ParseJWTTokenRequest(r *http.Request, decoder utils.Decoder) (string, error) { func ParseJWTTokenRequest(r *http.Request, decoder utils.Decoder) (string, error) {
err := r.ParseForm() err := r.ParseForm()
if err != nil { if err != nil {

9
pkg/rp/verity.go
View file

@ -1,9 +0,0 @@
package rp
import (
"context"
"gopkg.in/square/go-jose.v2"
"github.com/caos/oidc/pkg/oidc"
)