some ideas to implement jwt client assertion

2020-09-08 17:09:27 +02:00 · 2020-09-08 17:09:27 +02:00 · bfbd4adb1c
commit bfbd4adb1c
parent a37a8461a5
3 changed files with 88 additions and 18 deletions
--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@ -118,8 +118,8 @@ func CheckAuthorizedParty(audiences []string, authorizedParty string, v Verifier
 	return nil
 }

-func CheckSignature(ctx context.Context, idTokenString string, payload []byte, claims Claims, v Verifier) error {
-	jws, err := jose.ParseSigned(idTokenString)
+func CheckSignature(ctx context.Context, token string, payload []byte, claims Claims, supportedSigAlgs []string, set KeySet) error {
+	jws, err := jose.ParseSigned(token)
 	if err != nil {
 		return err
 	}
@ -130,7 +130,6 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c
 		return ErrSignatureMultiple
 	}
 	sig := jws.Signatures[0]
-	supportedSigAlgs := v.SupportedSignAlgs()
 	if len(supportedSigAlgs) == 0 {
 		supportedSigAlgs = []string{"RS256"}
 	}
@ -138,7 +137,7 @@ func CheckSignature(ctx context.Context, idTokenString string, payload []byte, c
 		return fmt.Errorf("%w: id token signed with unsupported algorithm, expected %q got %q", ErrSignatureUnsupportedAlg, supportedSigAlgs, sig.Header.Algorithm)
 	}

-	signedPayload, err := v.KeySet().VerifySignature(ctx, jws)
+	signedPayload, err := set.VerifySignature(ctx, jws)
 	if err != nil {
 		return err
 	}
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@ -4,6 +4,9 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"time"
+
+	"gopkg.in/square/go-jose.v2"

 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/rp"
@ -125,9 +128,40 @@ type ClientJWTVerifier struct {
 	Storage
 }

-func (c *ClientJWTVerifier) Issuer() string {
-	client, err := Storage.GetClientByClientID(context.TODO(), c.claims.Issuer)
-	return client.GetID()
+func (c ClientJWTVerifier) Storage() Storage {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) Issuer() string {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) ClientID() string {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) SupportedSignAlgs() []string {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) KeySet() oidc.KeySet {
+	return c.claims
+}
+
+func (c ClientJWTVerifier) ACR() oidc.ACRVerifier {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) MaxAge() time.Duration {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) MaxAgeIAT() time.Duration {
+	panic("implement me")
+}
+
+func (c ClientJWTVerifier) Offset() time.Duration {
+	panic("implement me")
 }

 func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchanger) {
@ -138,8 +172,7 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
 	claims := new(oidc.JWTTokenRequest)
 	//var keyset oidc.KeySet
 	verifier := new(ClientJWTVerifier)
-	verifier.claims = claims
-	err = verifier.VerifyToken(r.Context(), assertion, claims)
+	req, err := VerifyJWTAssertion(r.Context(), assertion, verifier)
 	if err != nil {
 		RequestError(w, r, err)
 	}
@ -152,6 +185,53 @@ func JWTExchange(w http.ResponseWriter, r *http.Request, exchanger VerifyExchang
 	utils.MarshalJSON(w, resp)
 }

+type JWTAssertionVerifier interface {
+	Storage() Storage
+	oidc.Verifier
+}
+
+func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTAssertionVerifier) (*oidc.JWTTokenRequest, error) {
+	claims := new(oidc.JWTTokenRequest)
+	payload, err := oidc.ParseToken(assertion, claims)
+
+	oidc.CheckAudience(claims.Audience, v)
+
+	oidc.CheckExpiration(claims.ExpiresAt, v)
+
+	oidc.CheckIssuedAt(claims.IssuedAt, v)
+
+	if claims.Issuer != claims.Subject {
+
+	}
+	v.Storage().GetClientByClientID(ctx, claims.Issuer)
+
+	keySet := &ClientAssertionKeySet{v.Storage(), claims.Issuer}
+
+	oidc.CheckSignature(ctx, assertion, payload, claims, nil, keySet)
+}
+
+type ClientAssertionKeySet struct {
+	Storage
+	id string
+}
+
+func (c *ClientAssertionKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
+	keyID := ""
+	for _, sig := range jws.Signatures {
+		keyID = sig.Header.KeyID
+		break
+	}
+	keySet, err := c.Storage.GetKeysByServiceAccount(id)
+	if err != nil {
+		return nil, errors.New("error fetching keys")
+	}
+	payload, err, ok := rp.CheckKey(keyID, keySet.Keys, jws)
+	if !ok {
+		return nil, errors.New("invalid kid")
+	}
+	return payload, err
+}
+
 func ParseJWTTokenRequest(r *http.Request, decoder utils.Decoder) (string, error) {
 	err := r.ParseForm()
 	if err != nil {
--- a/pkg/rp/verity.go
+++ b/pkg/rp/verity.go
@ -1,9 +0,0 @@
-package rp
-
-import (
-	"context"
-
-	"gopkg.in/square/go-jose.v2"
-
-	"github.com/caos/oidc/pkg/oidc"
-)