From 89d1c90bf26bed5e23f57f92a8640010131ed425 Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Mon, 14 Nov 2022 07:58:36 -0800
Subject: [PATCH 1/7] fix: WithPath on NewCookieHandler set domain instead! (#240)

---
 pkg/http/cookie.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/http/cookie.go b/pkg/http/cookie.go
index 4949b77..1ebc9e2 100644
--- a/pkg/http/cookie.go
+++ b/pkg/http/cookie.go
@@ -59,7 +59,7 @@ func WithDomain(domain string) CookieHandlerOpt {
 func WithPath(path string) CookieHandlerOpt {
 return func(c *CookieHandler) {
- c.domain = path
+ c.path = path
 }
 }

From 1aa75ec9533f7cb1f00533f5cf3d7dac7619242e Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Mon, 14 Nov 2022 07:59:33 -0800
Subject: [PATCH 2/7] feat: allow id token hint verifier to specify algs (#229)

---
 pkg/op/op.go | 10 +++++++++-
 pkg/op/verifier_id_token_hint.go | 13 ++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pkg/op/op.go b/pkg/op/op.go
index db35a87..59f1897 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -190,6 +190,7 @@ type openidProvider struct {
 interceptors []HttpInterceptor
 timer <-chan time.Time
 accessTokenVerifierOpts []AccessTokenVerifierOpt
+ idTokenHintVerifierOpts []IDTokenHintVerifierOpt
 }
 func (o *openidProvider) Issuer() string {
@@ -299,7 +300,7 @@ func (o *openidProvider) Encoder() httphelper.Encoder {
 func (o *openidProvider) IDTokenHintVerifier() IDTokenHintVerifier {
 if o.idTokenHintVerifier == nil {
- o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet())
+ o.idTokenHintVerifier = NewIDTokenHintVerifier(o.Issuer(), o.openIDKeySet(), o.idTokenHintVerifierOpts...)
 }
 return o.idTokenHintVerifier
 }
@@ -465,6 +466,13 @@ func WithAccessTokenVerifierOpts(opts ...AccessTokenVerifierOpt) Option {
 }
 }
+func WithIDTokenHintVerifierOpts(opts ...IDTokenHintVerifierOpt) Option {
+ return func(o *openidProvider) error {
+ o.idTokenHintVerifierOpts = opts
+ return nil
+ }
+}
+
 func buildInterceptor(interceptors ...HttpInterceptor) func(http.HandlerFunc) http.Handler {
 return func(handlerFunc http.HandlerFunc) http.Handler {
 handler := handlerFuncToHandler(handlerFunc)
diff --git a/pkg/op/verifier_id_token_hint.go b/pkg/op/verifier_id_token_hint.go
index e0372ee..d36bbd8 100644
--- a/pkg/op/verifier_id_token_hint.go
+++ b/pkg/op/verifier_id_token_hint.go
@@ -53,11 +53,22 @@ func (i *idTokenHintVerifier) MaxAge() time.Duration {
 return i.maxAge
 }
-func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet) IDTokenHintVerifier {
+type IDTokenHintVerifierOpt func(*idTokenHintVerifier)
+
+func WithSupportedIDTokenHintSigningAlgorithms(algs ...string) IDTokenHintVerifierOpt {
+ return func(verifier *idTokenHintVerifier) {
+ verifier.supportedSignAlgs = algs
+ }
+}
+
+func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHintVerifierOpt) IDTokenHintVerifier {
 verifier := &idTokenHintVerifier{
 issuer: issuer,
 keySet: keySet,
 }
+ for _, opt := range opts {
+ opt(verifier)
+ }
 return verifier
 }

From a314c1483fc866ccf5850ccf2b06a8a57d900609 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Utku=20=C3=96zdemir?=
Date: Mon, 14 Nov 2022 16:59:56 +0100
Subject: [PATCH 3/7] fix: allow http schema for redirect url for native apps in dev mode (#242)

---
 pkg/op/auth_request.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 9dc07d2..d8c960e 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
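Review bot: `WithSupportedIDTokenHintSigningAlgorithms` replaces the verifier's `supportedSignAlgs` wholesale rather than appending to a default, and none of the three new exported identifiers (`IDTokenHintVerifierOpt` and `WithSupportedIDTokenHintSigningAlgorithms` in this hunk, `WithIDTokenHintVerifierOpts` in the op.go hunk above) carries a doc comment. Because this list gates which JWS algorithms an id_token_hint is accepted with, the replace-not-append semantics should be stated, e.g. `// WithSupportedIDTokenHintSigningAlgorithms replaces the set of signing algorithms the hint verifier accepts; it does not extend the default.` How the verifier treats an empty or nil list is decided outside this hunk and should be documented where that check lives.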
@@ -314,6 +314,9 @@ func validateAuthReqRedirectURINative(client Client, uri string, responseType oi
 parsedURL, isLoopback := HTTPLoopbackOrLocalhost(uri)
 isCustomSchema := !strings.HasPrefix(uri, "http://")
 if str.Contains(client.RedirectURIs(), uri) {
+ if client.DevMode() {
+ return nil
+ }
 if isLoopback || isCustomSchema {
 return nil
 }

From 4e302ca4da3f579d0900750ca35495ccfa9da610 Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Mon, 14 Nov 2022 08:00:27 -0800
Subject: [PATCH 4/7] bugfix: access token verifier opts was not used (#237)

---
 pkg/op/op.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/op/op.go b/pkg/op/op.go
index 59f1897..8a0dc46 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -314,7 +314,7 @@ func (o *openidProvider) JWTProfileVerifier() JWTProfileVerifier {
 func (o *openidProvider) AccessTokenVerifier() AccessTokenVerifier {
 if o.accessTokenVerifier == nil {
- o.accessTokenVerifier = NewAccessTokenVerifier(o.Issuer(), o.openIDKeySet())
+ o.accessTokenVerifier = NewAccessTokenVerifier(o.Issuer(), o.openIDKeySet(), o.accessTokenVerifierOpts...)
 }
 return o.accessTokenVerifier
 }

From bd47b5ddc4eeb1ff8fb42ca2ed5379620eb9cdbc Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Mon, 14 Nov 2022 08:01:19 -0800
Subject: [PATCH 5/7] feat: support EndSession with RelyingParty client (#230)

* feat: support EndSession with RelyingPart client
* do not error if OP does not provide a redirect
* undo that last change, but noice error returns from EndSession
* ioutil.ReadAll, for now
---
 pkg/client/client.go | 38 ++++++++++++++++++++++++++++++
 pkg/client/rp/relying_party.go | 11 ++++++++++
 2 files changed, 49 insertions(+)

diff --git a/pkg/client/client.go b/pkg/client/client.go
index d6d27f7..e286a00 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -1,7 +1,11 @@ package client
 import (
+ "errors"
+ "fmt"
+ "io/ioutil"
 "net/http"
+ "net/url"
 "reflect"
 "strings"
 "time"
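Review bot: The new `client.DevMode()` early return sits inside the `str.Contains(client.RedirectURIs(), uri)` branch, so a dev-mode native client is still limited to exactly registered URIs and only the loopback/custom-scheme requirement is waived; nothing in the code records that this placement is deliberate. A comment on the added line, `// dev mode: a registered URI is accepted even when it is neither loopback nor a custom scheme`, would make the intended scope of the relaxation explicit and discourage a later edit from hoisting the check above the membership test. validateAuthReqRedirectURINative continues outside the hunk.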
@@ -71,6 +75,40 @@ func callTokenEndpoint(request interface{}, authFn interface{}, caller TokenEndp
 }, nil
 }
+type EndSessionCaller interface {
+ GetEndSessionEndpoint() string
+ HttpClient() *http.Client
+}
+
+func CallEndSessionEndpoint(request interface{}, authFn interface{}, caller EndSessionCaller) (*url.URL, error) {
+ req, err := httphelper.FormRequest(caller.GetEndSessionEndpoint(), request, Encoder, authFn)
+ if err != nil {
+ return nil, err
+ }
+ client := caller.HttpClient()
+ client.CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
+ return http.ErrUseLastResponse
+ }
+ resp, err := client.Do(req)
+ defer resp.Body.Close()
+ if resp.StatusCode < 200 || resp.StatusCode >= 400 {
+ // TODO: switch to io.ReadAll when go1.15 support is retired
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ return nil, fmt.Errorf("EndSession failure, %d status code: %s", resp.StatusCode, string(body))
+ }
+ location, err := resp.Location()
+ if err != nil {
+ if errors.Is(err, http.ErrNoLocation) {
+ return nil, nil
+ }
+ return nil, err
+ }
+ return location, nil
+}
+
 func NewSignerFromPrivateKeyByte(key []byte, keyID string) (jose.Signer, error) {
 privateKey, err := crypto.BytesToPrivateKey(key)
 if err != nil {
diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index cb271e7..39c2fe7 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -5,6 +5,7 @@ import (
 "encoding/base64"
 "errors"
 "net/http"
+ "net/url"
 "strings"
 "time"
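Review bot: In `CallEndSessionEndpoint` the error from `client.Do(req)` is never checked, so a transport failure leaves `resp` nil and `defer resp.Body.Close()` panics instead of returning the error. The same hunk also assigns `client.CheckRedirect` on the `*http.Client` returned by `caller.HttpClient()`, which appears to be the relying party's shared client; that permanently disables redirect-following for every other caller of that client and is an unsynchronised write if calls overlap, so the override should be applied to a copy. Suggested rewrite of those lines follows; the error-body `ioutil.ReadAll` could additionally be bounded (e.g. via `io.LimitReader`) since it reads an untrusted response, but that needs an `io` import that this file does not yet have.
```go
func CallEndSessionEndpoint(request interface{}, authFn interface{}, caller EndSessionCaller) (*url.URL, error) {
	// … unchanged: FormRequest and its error check …
	// Work on a shallow copy so that disabling redirect-following here does
	// not leak into every other user of the shared client.
	client := *caller.HttpClient()
	client.CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
		return http.ErrUseLastResponse
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// … unchanged: status-code check, Location handling, return …
```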
@@ -573,3 +574,13 @@ func RefreshAccessToken(rp RelyingParty, refreshToken, clientAssertion, clientAs
 }
 return client.CallTokenEndpoint(request, tokenEndpointCaller{RelyingParty: rp})
 }
+
+func EndSession(rp RelyingParty, idToken, optionalRedirectURI, optionalState string) (*url.URL, error) {
+ request := oidc.EndSessionRequest{
+ IdTokenHint: idToken,
+ ClientID: rp.OAuthConfig().ClientID,
+ PostLogoutRedirectURI: optionalRedirectURI,
+ State: optionalState,
+ }
+ return client.CallEndSessionEndpoint(request, nil, rp)
+}

From 0e30c387910587698bc4996a782aeaaa6908cb2c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 14 Nov 2022 17:02:22 +0100
Subject: [PATCH 6/7] chore(deps): bump golang.org/x/text from 0.3.8 to 0.4.0 (#234)

Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.8 to 0.4.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.3.8...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
 dependency-type: direct:production
 update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f6385ef..5369de9 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/stretchr/testify v1.8.0
 github.com/zitadel/logging v0.3.4
 golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
- golang.org/x/text v0.3.8
+ golang.org/x/text v0.4.0
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
 gopkg.in/square/go-jose.v2 v2.6.0
 )
diff --git a/go.sum b/go.sum
index c3f393a..a02f522 100644
--- a/go.sum
+++ b/go.sum
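Review bot: The exported `EndSession` has no doc comment, and the signature alone does not tell a caller that a nil `*url.URL` together with a nil error means the OP sent no post-logout redirect (that outcome is produced by `client.CallEndSessionEndpoint` in the other file of this patch). Suggest a comment describing `idToken` as the id_token_hint, `optionalRedirectURI`/`optionalState` as the post-logout redirect parameters that are forwarded as given, and the nil-location, nil-error case. It would also help to state that the request is sent without client authentication, since the hunk passes `nil` as authFn.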
@@ -283,8 +283,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 0847a5985a5ffa034bf58a32405a61587f9e2de4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 14 Nov 2022 17:02:43 +0100 Subject: [PATCH 7/7] chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#236) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 5369de9..572b3e8 100644 --- a/go.mod +++ b/go.mod 
@@ -13,7 +13,7 @@ require ( github.com/gorilla/securecookie v1.1.1 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect github.com/sirupsen/logrus v1.9.0 - github.com/stretchr/testify v1.8.0 + github.com/stretchr/testify v1.8.1 github.com/zitadel/logging v0.3.4 golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 golang.org/x/text v0.4.0 diff --git a/go.sum b/go.sum index a02f522..f02e038 100644 --- a/go.sum +++ b/go.sum @@ -136,12 +136,14 @@ github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=