2023-05-15 00:32:10 +00:00
|
|
|
package oidc_test
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
|
|
|
import (
|
2023-05-15 00:03:19 +00:00
|
|
|
"context"
|
2023-05-15 00:32:10 +00:00
|
|
|
"crypto"
|
2023-05-15 00:03:19 +00:00
|
|
|
"encoding/json"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"fmt"
|
|
|
|
"testing"
|
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
fjwt "github.com/ory/fosite/token/jwt"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
2023-05-15 00:03:19 +00:00
|
|
|
"gopkg.in/square/go-jose.v2"
|
2022-10-02 02:07:40 +00:00
|
|
|
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2023-05-15 00:32:10 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
)
|
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
func TestKeyManager(t *testing.T) {
|
2023-01-26 02:23:47 +00:00
|
|
|
config := &schema.IdentityProvidersOpenIDConnect{
|
2023-05-15 00:32:10 +00:00
|
|
|
IssuerPrivateKeys: []schema.JWK{
|
2023-05-15 00:03:19 +00:00
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP256AndSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP256,
|
|
|
|
CertificateChain: certECDSAP256,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP384AndSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP384,
|
|
|
|
CertificateChain: certECDSAP384,
|
|
|
|
},
|
|
|
|
{
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP521AndSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP521,
|
|
|
|
CertificateChain: certECDSAP521,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-22 11:14:32 +00:00
|
|
|
config.Discovery.DefaultKeyIDs = map[string]string{}
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
for i, key := range config.IssuerPrivateKeys {
|
2023-05-22 11:14:32 +00:00
|
|
|
kid := fmt.Sprintf("kid-%s-%s", key.Algorithm, key.Use)
|
|
|
|
|
|
|
|
config.IssuerPrivateKeys[i].KeyID = kid
|
|
|
|
|
|
|
|
if _, ok := config.Discovery.DefaultKeyIDs[key.Algorithm]; !ok {
|
|
|
|
config.Discovery.DefaultKeyIDs[key.Algorithm] = kid
|
|
|
|
}
|
2023-05-15 00:03:19 +00:00
|
|
|
}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
manager := oidc.NewKeyManager(config)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NotNil(t, manager)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
ctx := context.Background()
|
|
|
|
|
2023-05-22 11:14:32 +00:00
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.GetDefaultKeyID(ctx))
|
|
|
|
|
|
|
|
require.NotNil(t, manager.Get(ctx, "kid-RS256-sig", oidc.SigningAlgRSAUsingSHA256))
|
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.Get(ctx, "kid-RS256-sig", oidc.SigningAlgRSAUsingSHA256).KeyID())
|
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.Get(ctx, "", oidc.SigningAlgRSAUsingSHA256).KeyID())
|
|
|
|
assert.Nil(t, manager.Get(ctx, "", "NOKEY"))
|
|
|
|
|
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.GetKeyID(ctx, "", oidc.SigningAlgRSAUsingSHA256))
|
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.GetKeyID(ctx, "kid-RS256-sig", oidc.SigningAlgRSAPSSUsingSHA256))
|
|
|
|
assert.Equal(t, "kid-RS256-sig", manager.GetKeyID(ctx, "", ""))
|
|
|
|
assert.Equal(t, "kid-PS256-sig", manager.GetKeyID(ctx, "kid-PS256-sig", oidc.SigningAlgRSAPSSUsingSHA256))
|
|
|
|
assert.Equal(t, "kid-PS256-sig", manager.GetKeyID(ctx, "", oidc.SigningAlgRSAPSSUsingSHA256))
|
2023-05-15 00:32:10 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
var (
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk *oidc.JWK
|
|
|
|
tokenString, sig string
|
|
|
|
sum []byte
|
|
|
|
token *fjwt.Token
|
|
|
|
err error
|
2023-05-15 00:03:19 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
jwk = manager.GetByAlg(ctx, "notalg")
|
|
|
|
assert.Nil(t, jwk)
|
|
|
|
|
|
|
|
jwk = manager.GetByKID(ctx, "notalg")
|
|
|
|
assert.Nil(t, jwk)
|
|
|
|
|
|
|
|
jwk = manager.GetByKID(ctx, "")
|
|
|
|
assert.NotNil(t, jwk)
|
2023-05-22 11:14:32 +00:00
|
|
|
assert.Equal(t, config.Discovery.DefaultKeyIDs[oidc.SigningAlgRSAUsingSHA256], jwk.KeyID())
|
2023-05-15 00:03:19 +00:00
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk, err = manager.GetByHeader(ctx, &fjwt.Headers{Extra: map[string]any{oidc.JWTHeaderKeyIdentifier: "notalg"}})
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.EqualError(t, err, "jwt header 'kid' with value 'notalg' does not match a managed jwk")
|
|
|
|
assert.Nil(t, jwk)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
jwk, err = manager.GetByHeader(ctx, &fjwt.Headers{Extra: map[string]any{}})
|
|
|
|
assert.EqualError(t, err, "jwt header did not have a kid")
|
|
|
|
assert.Nil(t, jwk)
|
|
|
|
|
|
|
|
jwk, err = manager.GetByHeader(ctx, nil)
|
|
|
|
assert.EqualError(t, err, "jwt header was nil")
|
|
|
|
assert.Nil(t, jwk)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
kid, err := manager.GetKeyIDFromAlgStrict(ctx, "notalg")
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.EqualError(t, err, "alg not found")
|
|
|
|
assert.Equal(t, "", kid)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
kid = manager.GetKeyIDFromAlg(ctx, "notalg")
|
2023-05-22 11:14:32 +00:00
|
|
|
assert.Equal(t, config.Discovery.DefaultKeyIDs[oidc.SigningAlgRSAUsingSHA256], kid)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
set := manager.Set(ctx)
|
|
|
|
|
|
|
|
assert.NotNil(t, set)
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Len(t, set.Keys, len(config.IssuerPrivateKeys))
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
data, err := json.Marshal(&set)
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
assert.NoError(t, err)
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NotNil(t, data)
|
|
|
|
|
|
|
|
out := jose.JSONWebKeySet{}
|
|
|
|
assert.NoError(t, json.Unmarshal(data, &out))
|
|
|
|
assert.Equal(t, *set, out)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk, err = manager.GetByTokenString(ctx, badTokenString)
|
|
|
|
assert.EqualError(t, err, "token contains an invalid number of segments")
|
|
|
|
assert.Nil(t, jwk)
|
|
|
|
|
|
|
|
tokenString, sig, err = manager.Generate(ctx, nil, nil)
|
|
|
|
assert.EqualError(t, err, "error getting jwk from header: jwt header was nil")
|
|
|
|
assert.Equal(t, "", tokenString)
|
|
|
|
assert.Equal(t, "", sig)
|
|
|
|
|
|
|
|
sig, err = manager.Validate(ctx, badTokenString)
|
|
|
|
assert.EqualError(t, err, "error getting jwk from token string: token contains an invalid number of segments")
|
|
|
|
assert.Equal(t, "", sig)
|
|
|
|
|
|
|
|
token, err = manager.Decode(ctx, badTokenString)
|
|
|
|
assert.EqualError(t, err, "error getting jwk from token string: token contains an invalid number of segments")
|
|
|
|
assert.Nil(t, token)
|
|
|
|
|
|
|
|
sum, err = manager.Hash(ctx, []byte("abc"))
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", fmt.Sprintf("%x", sum))
|
|
|
|
|
|
|
|
assert.Equal(t, crypto.SHA256.Size(), manager.GetSigningMethodLength(ctx))
|
|
|
|
|
|
|
|
for _, alg := range []string{oidc.SigningAlgRSAUsingSHA256, oidc.SigningAlgRSAUsingSHA384, oidc.SigningAlgRSAPSSUsingSHA512, oidc.SigningAlgRSAPSSUsingSHA256, oidc.SigningAlgRSAPSSUsingSHA384, oidc.SigningAlgRSAPSSUsingSHA512, oidc.SigningAlgECDSAUsingP256AndSHA256, oidc.SigningAlgECDSAUsingP384AndSHA384, oidc.SigningAlgECDSAUsingP521AndSHA512} {
|
2023-05-15 00:03:19 +00:00
|
|
|
t.Run(alg, func(t *testing.T) {
|
2023-05-15 00:32:10 +00:00
|
|
|
expectedKID := fmt.Sprintf("kid-%s-%s", alg, oidc.KeyUseSignature)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
t.Run("ShouldGetCorrectKey", func(t *testing.T) {
|
|
|
|
jwk = manager.GetByKID(ctx, expectedKID)
|
|
|
|
assert.NotNil(t, jwk)
|
|
|
|
assert.Equal(t, expectedKID, jwk.KeyID())
|
|
|
|
|
|
|
|
jwk = manager.GetByAlg(ctx, alg)
|
|
|
|
assert.NotNil(t, jwk)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Equal(t, alg, jwk.GetSigningMethod().Alg())
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.Equal(t, expectedKID, jwk.KeyID())
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
kid, err = manager.GetKeyIDFromAlgStrict(ctx, alg)
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, expectedKID, kid)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
kid = manager.GetKeyIDFromAlg(ctx, alg)
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.Equal(t, expectedKID, kid)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk, err = manager.GetByHeader(ctx, &fjwt.Headers{Extra: map[string]any{oidc.JWTHeaderKeyIdentifier: expectedKID}})
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, jwk)
|
|
|
|
|
|
|
|
assert.Equal(t, expectedKID, jwk.KeyID())
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("ShouldUseCorrectSigner", func(t *testing.T) {
|
2023-05-15 00:32:10 +00:00
|
|
|
var sigb string
|
2023-05-15 00:03:19 +00:00
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
tokenString, sig, err = manager.Generate(ctx, fjwt.MapClaims{}, &fjwt.Headers{Extra: map[string]any{oidc.JWTHeaderKeyIdentifier: expectedKID}})
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
sigb, err = manager.GetSignature(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, sig, sigb)
|
|
|
|
|
|
|
|
sigb, err = manager.Validate(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, sig, sigb)
|
|
|
|
|
|
|
|
token, err = manager.Decode(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Equal(t, expectedKID, token.Header[oidc.JWTHeaderKeyIdentifier])
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
jwk, err = manager.GetByTokenString(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
sigb, err = jwk.Strategy().Validate(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, sig, sigb)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestJWKFunctionality(t *testing.T) {
|
|
|
|
testCases := []struct {
|
|
|
|
have schema.JWK
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-rs256",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-rs384",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-rs512",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-rs256",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-rs384",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-rs512",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-rs256",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-ps384",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa2048-ps512",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA2048,
|
|
|
|
CertificateChain: certRSA2048,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-ps256",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-ps384",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "rsa4096-ps512",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgRSAPSSUsingSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyRSA4096,
|
|
|
|
CertificateChain: certRSA4096,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "ecdsaP256",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP256AndSHA256,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP256,
|
|
|
|
CertificateChain: certECDSAP256,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "ecdsaP384",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP384AndSHA384,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP384,
|
|
|
|
CertificateChain: certECDSAP384,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
schema.JWK{
|
|
|
|
KeyID: "ecdsaP521",
|
2023-05-15 00:32:10 +00:00
|
|
|
Use: oidc.KeyUseSignature,
|
|
|
|
Algorithm: oidc.SigningAlgECDSAUsingP521AndSHA512,
|
2023-05-15 00:03:19 +00:00
|
|
|
Key: keyECDSAP521,
|
|
|
|
CertificateChain: certECDSAP521,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
t.Run(tc.have.KeyID, func(t *testing.T) {
|
|
|
|
t.Run("Generating", func(t *testing.T) {
|
|
|
|
var (
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk *oidc.JWK
|
2023-05-15 00:03:19 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk = oidc.NewJWK(tc.have)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
signer := jwk.Strategy()
|
|
|
|
|
|
|
|
claims := fjwt.MapClaims{}
|
|
|
|
header := &fjwt.Headers{
|
|
|
|
Extra: map[string]any{
|
2023-05-15 00:32:10 +00:00
|
|
|
oidc.JWTHeaderKeyIdentifier: jwk.KeyID(),
|
2023-05-15 00:03:19 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
tokenString, sig, err := signer.Generate(ctx, nil, nil)
|
|
|
|
assert.EqualError(t, err, "either claims or header is nil")
|
|
|
|
assert.Equal(t, "", tokenString)
|
|
|
|
assert.Equal(t, "", sig)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
tokenString, sig, err = signer.Generate(ctx, claims, header)
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotEqual(t, "", tokenString)
|
|
|
|
assert.NotEqual(t, "", sig)
|
|
|
|
|
|
|
|
sigd, err := signer.GetSignature(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, sig, sigd)
|
|
|
|
|
|
|
|
token, err := signer.Decode(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, token)
|
|
|
|
fmt.Println(tokenString)
|
|
|
|
|
|
|
|
assert.True(t, token.Valid())
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Equal(t, jwk.GetSigningMethod().Alg(), string(token.Method))
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
sigv, err := signer.Validate(ctx, tokenString)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Equal(t, sig, sigv)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Marshalling", func(t *testing.T) {
|
|
|
|
var (
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk *oidc.JWK
|
2023-05-15 00:03:19 +00:00
|
|
|
out jose.JSONWebKey
|
|
|
|
data []byte
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
jwk = oidc.NewJWK(tc.have)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
strategy := jwk.Strategy()
|
|
|
|
|
|
|
|
assert.NotNil(t, strategy)
|
|
|
|
|
2023-05-15 00:32:10 +00:00
|
|
|
signer, ok := strategy.(*oidc.Signer)
|
2023-05-15 00:03:19 +00:00
|
|
|
|
|
|
|
require.True(t, ok)
|
|
|
|
|
|
|
|
assert.NotNil(t, signer)
|
|
|
|
|
|
|
|
key, err := signer.GetPublicKey(context.Background())
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, key)
|
|
|
|
|
|
|
|
key, err = jwk.GetPrivateKey(context.Background())
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.NotNil(t, key)
|
|
|
|
|
|
|
|
data, err = json.Marshal(jwk.JWK())
|
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
require.NotNil(t, data)
|
|
|
|
|
|
|
|
assert.NoError(t, json.Unmarshal(data, &out))
|
|
|
|
|
|
|
|
assert.True(t, out.IsPublic())
|
|
|
|
assert.Equal(t, tc.have.KeyID, out.KeyID)
|
|
|
|
assert.Equal(t, tc.have.KeyID, jwk.KeyID())
|
|
|
|
assert.Equal(t, tc.have.Use, out.Use)
|
|
|
|
assert.Equal(t, tc.have.Algorithm, out.Algorithm)
|
|
|
|
assert.NotNil(t, out.Key)
|
|
|
|
assert.NotNil(t, out.Certificates)
|
|
|
|
assert.NotNil(t, out.CertificateThumbprintSHA1)
|
|
|
|
assert.NotNil(t, out.CertificateThumbprintSHA256)
|
|
|
|
assert.True(t, out.Valid())
|
|
|
|
|
|
|
|
data, err = json.Marshal(jwk.PrivateJWK())
|
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
require.NotNil(t, data)
|
|
|
|
assert.NoError(t, json.Unmarshal(data, &out))
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
assert.False(t, out.IsPublic())
|
|
|
|
assert.Equal(t, tc.have.KeyID, out.KeyID)
|
|
|
|
assert.Equal(t, tc.have.Use, out.Use)
|
|
|
|
assert.Equal(t, tc.have.Algorithm, out.Algorithm)
|
|
|
|
assert.NotNil(t, out.Key)
|
|
|
|
assert.NotNil(t, out.Certificates)
|
|
|
|
assert.NotNil(t, out.CertificateThumbprintSHA1)
|
|
|
|
assert.NotNil(t, out.CertificateThumbprintSHA256)
|
|
|
|
assert.True(t, out.Valid())
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
}
|