feat: Token Revocation, Request Object and OP Certification (#130)
FEATURES (and FIXES): - support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009) - handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) - handle response mode - added some information to the discovery endpoint: - revocation_endpoint (added with token revocation) - revocation_endpoint_auth_methods_supported (added with token revocation) - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation) - token_endpoint_auth_signing_alg_values_supported (was missing) - introspection_endpoint_auth_signing_alg_values_supported (was missing) - request_object_signing_alg_values_supported (added with request object) - request_parameter_supported (added with request object) - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171) - improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`) - improved MarshalJSON and added MarshalJSONWithStatus - removed deprecated PEM decryption from `BytesToPrivateKey` [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19) - NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52) BREAKING CHANGE: - move functions from `utils` package into separate packages - added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32) - added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391) - remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
This commit is contained in:
Livio Amstutz
GitHub
parent
763d3334e7
commit
eb10752e48
63 changed files with 1738 additions and 624 deletions
26
pkg/client/rp/cli/browser.go
Normal file
26
pkg/client/rp/cli/browser.go
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
package cli
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
)
|
||||
|
||||
func OpenBrowser(url string) {
|
||||
var err error
|
||||
|
||||
switch runtime.GOOS {
|
||||
case "linux":
|
||||
err = exec.Command("xdg-open", url).Start()
|
||||
case "windows":
|
||||
err = exec.Command("rundll32", "url.dll,FileProtocolHandler", url).Start()
|
||||
case "darwin":
|
||||
err = exec.Command("open", url).Start()
|
||||
default:
|
||||
err = fmt.Errorf("unsupported platform")
|
||||
}
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
|
@ -5,8 +5,8 @@ import (
|
|||
"net/http"
|
||||
|
||||
"github.com/caos/oidc/pkg/client/rp"
|
||||
httphelper "github.com/caos/oidc/pkg/http"
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
"github.com/caos/oidc/pkg/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -28,9 +28,9 @@ func CodeFlow(ctx context.Context, relyingParty rp.RelyingParty, callbackPath, p
|
|||
http.Handle(loginPath, rp.AuthURLHandler(stateProvider, relyingParty))
|
||||
http.Handle(callbackPath, rp.CodeExchangeHandler(callback, relyingParty))
|
||||
|
||||
utils.StartServer(codeflowCtx, ":"+port)
|
||||
httphelper.StartServer(codeflowCtx, ":"+port)
|
||||
|
||||
utils.OpenBrowser("http://localhost:" + port + loginPath)
|
||||
OpenBrowser("http://localhost:" + port + loginPath)
|
||||
|
||||
return <-tokenChan
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,8 +5,8 @@ import (
|
|||
)
|
||||
|
||||
//DelegationTokenRequest is an implementation of TokenExchangeRequest
|
||||
//it exchanges a "urn:ietf:params:oauth:token-type:access_token" with an optional
|
||||
//"urn:ietf:params:oauth:token-type:access_token" actor token for a
|
||||
//it exchanges an "urn:ietf:params:oauth:token-type:access_token" with an optional
|
||||
//"urn:ietf:params:oauth:token-type:access_token" actor token for an
|
||||
//"urn:ietf:params:oauth:token-type:access_token" delegation token
|
||||
func DelegationTokenRequest(subjectToken string, opts ...tokenexchange.TokenExchangeOption) *tokenexchange.TokenExchangeRequest {
|
||||
return tokenexchange.NewTokenExchangeRequest(subjectToken, tokenexchange.AccessTokenType, opts...)
|
||||
|
|
|
|||
|
|
@ -7,9 +7,9 @@ import (
|
|||
"net/http"
|
||||
"sync"
|
||||
|
||||
"github.com/caos/oidc/pkg/utils"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
httphelper "github.com/caos/oidc/pkg/http"
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
)
|
||||
|
||||
|
|
@ -207,7 +207,7 @@ func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey,
|
|||
}
|
||||
|
||||
keySet := new(jsonWebKeySet)
|
||||
if err = utils.HttpRequest(r.httpClient, req, keySet); err != nil {
|
||||
if err = httphelper.HttpRequest(r.httpClient, req, keySet); err != nil {
|
||||
return nil, fmt.Errorf("oidc: failed to get keys: %v", err)
|
||||
}
|
||||
return keySet.Keys, nil
|
||||
|
|
|
|||
|
|
@ -13,8 +13,8 @@ import (
|
|||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
"github.com/caos/oidc/pkg/client"
|
||||
httphelper "github.com/caos/oidc/pkg/http"
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
"github.com/caos/oidc/pkg/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -39,7 +39,7 @@ type RelyingParty interface {
|
|||
IsPKCE() bool
|
||||
|
||||
//CookieHandler returns a http cookie handler used for various state transfer cookies
|
||||
CookieHandler() *utils.CookieHandler
|
||||
CookieHandler() *httphelper.CookieHandler
|
||||
|
||||
//HttpClient returns a http client used for calls to the openid provider, e.g. calling token endpoint
|
||||
HttpClient() *http.Client
|
||||
|
|
@ -76,7 +76,7 @@ type relyingParty struct {
|
|||
pkce bool
|
||||
|
||||
httpClient *http.Client
|
||||
cookieHandler *utils.CookieHandler
|
||||
cookieHandler *httphelper.CookieHandler
|
||||
|
||||
errorHandler func(http.ResponseWriter, *http.Request, string, string, string)
|
||||
idTokenVerifier IDTokenVerifier
|
||||
|
|
@ -96,7 +96,7 @@ func (rp *relyingParty) IsPKCE() bool {
|
|||
return rp.pkce
|
||||
}
|
||||
|
||||
func (rp *relyingParty) CookieHandler() *utils.CookieHandler {
|
||||
func (rp *relyingParty) CookieHandler() *httphelper.CookieHandler {
|
||||
return rp.cookieHandler
|
||||
}
|
||||
|
||||
|
|
@ -136,7 +136,7 @@ func (rp *relyingParty) ErrorHandler() func(http.ResponseWriter, *http.Request,
|
|||
func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingParty, error) {
|
||||
rp := &relyingParty{
|
||||
oauthConfig: config,
|
||||
httpClient: utils.DefaultHTTPClient,
|
||||
httpClient: httphelper.DefaultHTTPClient,
|
||||
oauth2Only: true,
|
||||
}
|
||||
|
||||
|
|
@ -161,7 +161,7 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
RedirectURL: redirectURI,
|
||||
Scopes: scopes,
|
||||
},
|
||||
httpClient: utils.DefaultHTTPClient,
|
||||
httpClient: httphelper.DefaultHTTPClient,
|
||||
oauth2Only: false,
|
||||
}
|
||||
|
||||
|
|
@ -181,11 +181,11 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
|
|||
return rp, nil
|
||||
}
|
||||
|
||||
//Option is the type for providing dynamic options to the DefaultRP
|
||||
//Option is the type for providing dynamic options to the relyingParty
|
||||
type Option func(*relyingParty) error
|
||||
|
||||
//WithCookieHandler set a `CookieHandler` for securing the various redirects
|
||||
func WithCookieHandler(cookieHandler *utils.CookieHandler) Option {
|
||||
func WithCookieHandler(cookieHandler *httphelper.CookieHandler) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.cookieHandler = cookieHandler
|
||||
return nil
|
||||
|
|
@ -195,7 +195,7 @@ func WithCookieHandler(cookieHandler *utils.CookieHandler) Option {
|
|||
//WithPKCE sets the RP to use PKCE (oauth2 code challenge)
|
||||
//it also sets a `CookieHandler` for securing the various redirects
|
||||
//and exchanging the code challenge
|
||||
func WithPKCE(cookieHandler *utils.CookieHandler) Option {
|
||||
func WithPKCE(cookieHandler *httphelper.CookieHandler) Option {
|
||||
return func(rp *relyingParty) error {
|
||||
rp.pkce = true
|
||||
rp.cookieHandler = cookieHandler
|
||||
|
|
@ -246,7 +246,7 @@ func Discover(issuer string, httpClient *http.Client) (Endpoints, error) {
|
|||
return Endpoints{}, err
|
||||
}
|
||||
discoveryConfig := new(oidc.DiscoveryConfiguration)
|
||||
err = utils.HttpRequest(httpClient, req, &discoveryConfig)
|
||||
err = httphelper.HttpRequest(httpClient, req, &discoveryConfig)
|
||||
if err != nil {
|
||||
return Endpoints{}, err
|
||||
}
|
||||
|
|
@ -395,7 +395,7 @@ func Userinfo(token, tokenType, subject string, rp RelyingParty) (oidc.UserInfo,
|
|||
}
|
||||
req.Header.Set("authorization", tokenType+" "+token)
|
||||
userinfo := oidc.NewUserInfo()
|
||||
if err := utils.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
|
||||
if err := httphelper.HttpRequest(rp.HttpClient(), req, &userinfo); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if userinfo.GetSubject() != subject {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue