mbess/minauthator
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Activity Actions

WIP: feat: support OIDC id_token

Browse source
This commit is contained in:
Matthieu Bessat 2024-12-12 01:12:40 +01:00
parent ca84a0f99f
commit af6904002b
23 changed files with 167 additions and 60 deletions
Download patch file Download diff file Expand all files Collapse all files

5
lib/http_server/src/controllers/api/oauth2/access_token.rs
View file

@ -6,7 +6,7 @@ use serde::{Deserialize, Serialize};
use kernel::{models::authorization::Authorization, repositories::users::get_user_by_id};
use crate::{
services::{app_session::AppClientSession, session::create_token}, token_claims::{AppUserTokenClaims, OAuth2AccessTokenClaims, OIDCIdTokenClaims}, AppState
services::{app_session::AppClientSession, session::create_token}, token_claims::{OAuth2AccessTokenClaims, OIDCIdTokenClaims}, AppState
};
const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
@ -81,16 +81,17 @@ pub async fn get_access_token(
// 3.1. Generate JWT for OAuth2 client user session
let access_token_jwt = create_token(
&app_state.config,
&app_state.secrets,
OAuth2AccessTokenClaims::new(
&app_state.config,
&app_client_session.client_id,
&user,
authorization.scopes.to_vec()
)
);
// 3.2. Generate id_token for OIDC client
let id_token_jwt = create_token(
&app_state.config,
&app_state.secrets,
OIDCIdTokenClaims::new(
&app_state.config,

50
lib/http_server/src/controllers/api/openid/keys.rs Normal file
View file

@ -0,0 +1,50 @@
use axum::{extract::State, response::IntoResponse, Json};
use fully_pub::fully_pub;
use kernel::models::authorization::AuthorizationScope;
use serde::Serialize;
use strum::IntoEnumIterator;
use crate::AppState;
/// JSON Web Key
/// @See https://www.rfc-editor.org/rfc/rfc7517.html
#[derive(Serialize)]
#[fully_pub]
struct JWK {
kty: String,
crv: String,
alg: String,
key_ops: Vec<String>
}
/// JSON Web Key set
/// @See https://www.rfc-editor.org/rfc/rfc7517.html
#[derive(Serialize)]
#[fully_pub]
struct JWKs {
keys: Vec<JWK>
}
pub async fn get_signing_public_key(
State(app_state): State<AppState>,
) -> impl IntoResponse {
let base_url = app_state.config.instance.base_uri;
Json(vec![
JWK {
}
])
// {"kty":"RSA",
// "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
// 4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
// tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
// QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
// SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
// w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
// "e":"AQAB",
// "alg":"RS256",
// "kid":"2011-04-29"}
}

1
lib/http_server/src/controllers/api/openid/mod.rs
View file

@ -1 +1,2 @@
pub mod well_known;
pub mod keys;

6
lib/http_server/src/controllers/api/openid/well_known.rs
View file

@ -18,7 +18,8 @@ struct WellKnownOpenIdConfiguration {
scopes_supported: Vec<String>,
response_types_supported: Vec<String>,
token_endpoint_auth_methods_supported: Vec<String>,
id_token_signing_alg_values_supported: Vec<String>
id_token_signing_alg_values_supported: Vec<String>,
jwks_uri: String
}
pub async fn get_well_known_openid_configuration(
@ -33,7 +34,8 @@ pub async fn get_well_known_openid_configuration(
scopes_supported: AuthorizationScope::iter().map(|v| v.to_string()).collect(),
response_types_supported: vec!["code".into()],
token_endpoint_auth_methods_supported: vec!["client_secret_basic".into()],
id_token_signing_alg_values_supported: vec!["HS256".into()],
id_token_signing_alg_values_supported: vec!["RS256".into()],
jwks_uri: format!("{}/.well-known/jwks", base_url)
// jwks_uri:
// subject_types_supported
})

6
lib/http_server/src/controllers/api/read_user.rs
View file

@ -2,7 +2,7 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
use fully_pub::fully_pub;
use serde::Serialize;
use crate::{token_claims::AppUserTokenClaims, AppState};
use crate::{token_claims::OAuth2AccessTokenClaims, AppState};
use kernel::models::user::User;
#[derive(Serialize)]
@ -18,11 +18,11 @@ struct ReadUserBasicExtract {
pub async fn read_user_basic(
State(app_state): State<AppState>,
Extension(token_claims): Extension<AppUserTokenClaims>,
Extension(token_claims): Extension<OAuth2AccessTokenClaims>,
) -> impl IntoResponse {
// 1. This handler require app user authentification (JWT)
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.user_id)
.bind(&token_claims.sub)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");

4
lib/http_server/src/controllers/ui/login.rs
View file

@ -91,8 +91,8 @@ pub async fn perform_login(
.await.unwrap();
let jwt_max_age = Duration::days(15);
let claims = UserTokenClaims::new(&user.id, jwt_max_age);
let jwt = create_token(&app_state.secrets, claims);
let claims = UserTokenClaims::new(&app_state.config, &user.id, jwt_max_age);
let jwt = create_token(&app_state.config, &app_state.secrets, claims);
// TODO: handle keep_session boolean from form and specify cookie max age only if this setting
// is true

20
lib/http_server/src/middlewares/app_auth.rs
View file

@ -9,7 +9,7 @@ use utils::parse_basic_auth;
use crate::{
services::{app_session::AppClientSession, session::verify_token},
token_claims::AppUserTokenClaims,
token_claims::OAuth2AccessTokenClaims,
AppState
};
@ -102,14 +102,16 @@ pub async fn enforce_jwt_auth_middleware(
);
}
};
let token_claims: AppUserTokenClaims = match verify_token(&app_state.secrets, jwt) {
Ok(val) => val,
Err(_e) => {
return Err(
(StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
);
}
};
let token_claims: OAuth2AccessTokenClaims =
match verify_token(&app_state.config, &app_state.secrets, jwt) {
Ok(val) => val,
Err(_e) => {
dbg!(_e);
return Err(
(StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
);
}
};
req.extensions_mut().insert(token_claims);
Ok(next.run(req).await)
}

26
lib/http_server/src/middlewares/user_auth.rs
View file

@ -28,18 +28,20 @@ pub async fn auth_middleware(
return Ok(next.run(req).await)
}
};
let token_claims: UserTokenClaims = match verify_token(&app_state.secrets, jwt) {
Ok(val) => val,
Err(_e) => {
// UserWebGUI: delete invalid JWT cookie
return Err(
(
cookies.remove(WEB_GUI_JWT_COOKIE_NAME),
Redirect::to(&original_uri.to_string())
)
);
}
};
let token_claims: UserTokenClaims =
match verify_token(&app_state.config, &app_state.secrets, jwt) {
Ok(val) => val,
Err(_e) => {
dbg!(&_e);
// UserWebGUI: delete invalid JWT cookie
return Err(
(
cookies.remove(WEB_GUI_JWT_COOKIE_NAME),
Redirect::to(&original_uri.to_string())
)
);
}
};
req.extensions_mut().insert(token_claims);
Ok(next.run(req).await)
}

3
lib/http_server/src/router.rs
View file

@ -51,7 +51,8 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
.route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
let well_known_routes = Router::new()
.route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));
.route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration))
.route("/.well-known/jwks", get(api::openid::well_known::get_signing_public_key));
Router::new()
.merge(public_routes)

27
lib/http_server/src/services/session.rs
View file

@ -1,24 +1,37 @@
use anyhow::Result;
use serde::{de::DeserializeOwned, Serialize};
use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
use kernel::context::AppSecrets;
use kernel::{context::AppSecrets, models::config::Config};
pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {
pub fn create_token<T: Serialize>(
_config: &Config,
secrets: &AppSecrets,
claims: T
) -> String {
let token = encode(
&Header::default(),
&Header::new(Algorithm::RS256),
&claims,
&EncodingKey::from_secret(secrets.jwt_secret.as_bytes())
&EncodingKey::from_rsa_pem(&secrets.signing_keypair.1)
.expect("To build encoding key from signing key.")
).expect("Create token");
token
}
pub fn verify_token<T: DeserializeOwned>(secrets: &AppSecrets, jwt: &str) -> Result<T> {
pub fn verify_token<T: DeserializeOwned>(
config: &Config,
secrets: &AppSecrets,
jwt: &str
) -> Result<T> {
let mut validation = Validation::new(Algorithm::RS256);
validation.set_issuer(&[config.instance.base_uri.clone()]);
validation.set_audience(&[config.instance.base_uri.clone()]);
let token_data = decode::<T>(
jwt,
&DecodingKey::from_secret(secrets.jwt_secret.as_bytes()),
&Validation::new(Algorithm::HS256)
&DecodingKey::from_rsa_pem(&secrets.signing_keypair.0)
.expect("To build decoding key from signing key."),
&validation
)?;
Ok(token_data.claims)

15
lib/http_server/src/token_claims.rs
View file

@ -12,16 +12,19 @@ struct UserTokenClaims {
/// token expiration
exp: u64,
/// token issuer
iss: String
iss: String,
// TODO: add roles
/// token audience
aud: String
}
impl UserTokenClaims {
pub fn new(user_id: &str, max_age: Duration) -> Self {
pub fn new(config: &Config, user_id: &str, max_age: Duration) -> Self {
UserTokenClaims {
sub: user_id.into(),
exp: get_current_timestamp() + max_age.whole_seconds() as u64,
iss: "Minauthator".into()
iss: config.instance.base_uri.clone(),
aud: config.instance.base_uri.clone(),
}
}
}
@ -33,7 +36,7 @@ impl UserTokenClaims {
struct OAuth2AccessTokenClaims {
/// Token issuer (URI to the issuer)
iss: String,
/// Audiance (client_id)
/// Audiance (In this case, the audiance is equal to the issuer)
aud: String,
/// End-user id assigned by the issuer (user_id)
sub: String,
@ -44,10 +47,10 @@ struct OAuth2AccessTokenClaims {
}
impl OAuth2AccessTokenClaims {
pub fn new(config: &Config, client_id: &str, user: &User, scopes: Vec<AuthorizationScope>) -> Self {
pub fn new(config: &Config, user: &User, scopes: Vec<AuthorizationScope>) -> Self {
OAuth2AccessTokenClaims {
iss: config.instance.base_uri.clone(),
aud: client_id.into(),
aud: config.instance.base_uri.clone(),
sub: user.id.clone(),
exp: get_current_timestamp() + 86_000,
scopes,