func (l *TokenValidator) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
log.Info("validating")
rawToken, err := oidc.ExtractBearerToken(r)
if err != nil {
log.Error("token.go: failed to get jwt from header")
writeError(rw, http.StatusUnauthorized, "missing or invalid token")
return
}
jwt, err := jose.ParseJWT(rawToken)
if err != nil {
log.Error("token.go: failed to parse jwt")
writeError(rw, http.StatusUnauthorized, "missing or invalid token")
return
}
err = l.accounts.Oidc.VerifyJWT(jwt)
if err != nil {
log.Errorf("token.go: Failed to verify signature: %v", err)
writeError(rw, http.StatusUnauthorized, "invalid token")
}
claims, err := jwt.Claims()
if err != nil {
log.Error("token.go: failed to get claims", err)
writeError(rw, http.StatusUnauthorized, "missing or invalid token")
return
}
sub, ok, err := claims.StringClaim("sub")
if err != nil {
log.Errorf("token.go: failed to parse 'sub' claim: %v", err)
writeError(rw, http.StatusUnauthorized, "missing or invalid token")
return
}
if !ok || sub == "" {
log.Error("token.go: missing required 'sub' claim")
writeError(rw, http.StatusUnauthorized, "missing or invalid token")
return
}
fmt.Println("token.go: verified token for", sub)
r.Header.Set("sub", sub)
next(rw, r)
}
func (s *grpcServer) authToken(jwt jose.JWT) (string, *oidc.ClientMetadata, error) {
ciRepo := s.server.ClientIdentityRepo
keys, err := s.server.KeyManager.PublicKeys()
if err != nil {
log.Errorf("grpc.go: Failed to get keys: %v", err)
return "", nil, errors.New("errorAccessDenied")
}
if len(keys) == 0 {
log.Error("grpc.go: No keys available for verification client")
return "", nil, errors.New("errorAccessDenied")
}
ok, err := oidc.VerifySignature(jwt, keys)
if err != nil {
log.Errorf("grpc.go: Failed to verify signature: %v", err)
return "", nil, err
}
if !ok {
log.Info("grpc.go: token signature is not verified")
return "", nil, errors.New("invalid token")
}
clientID, err := oidc.VerifyClientClaims(jwt, s.server.IssuerURL.String())
if err != nil {
log.Errorf("grpc.go: Failed to verify JWT claims: %v", err)
return "", nil, errors.New("failed to verify jwt claims token")
}
md, err := ciRepo.Metadata(clientID)
if md == nil || err != nil {
log.Errorf("grpc.go: Failed to find clientID: %s, error=%v", clientID, err)
return "", nil, err
}
//client must be admin in order to use login and register grpc apis.
ok, err = ciRepo.IsDexAdmin(clientID)
if err != nil {
return "", nil, err
}
if !ok {
log.Infof("grpc.go: Client [%s] is not admin", clientID)
return "", nil, errors.New("errorAccessDenied")
}
log.Debugf("grpc.go: Authenticated token for client ID %s", clientID)
return clientID, md, nil
}
func (c *clientTokenMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
respondError := func() {
writeAPIError(w, http.StatusUnauthorized, newAPIError(errorAccessDenied, "missing or invalid token"))
}
if c.keysFunc == nil {
log.Errorf("Misconfigured clientTokenMiddleware, keysFunc is not set")
respondError()
return
}
if c.ciRepo == nil {
log.Errorf("Misconfigured clientTokenMiddleware, ClientIdentityRepo is not set")
respondError()
return
}
rawToken, err := oidc.ExtractBearerToken(r)
if err != nil {
log.Errorf("Failed to extract token from request: %v", err)
respondError()
return
}
jwt, err := jose.ParseJWT(rawToken)
if err != nil {
log.Errorf("Failed to parse JWT from token: %v", err)
respondError()
return
}
keys, err := c.keysFunc()
if err != nil {
log.Errorf("Failed to get keys: %v", err)
writeAPIError(w, http.StatusUnauthorized, newAPIError(errorAccessDenied, ""))
respondError()
return
} else if len(keys) == 0 {
log.Error("No keys available for verification in client token middleware")
writeAPIError(w, http.StatusUnauthorized, newAPIError(errorAccessDenied, ""))
respondError()
return
}
ok, err := oidc.VerifySignature(jwt, keys)
if err != nil {
log.Errorf("Failed to verify signature: %v", err)
respondError()
return
} else if !ok {
log.Info("Invalid token")
respondError()
return
}
clientID, err := oidc.VerifyClientClaims(jwt, c.issuerURL)
if err != nil {
log.Errorf("Failed to verify JWT claims: %v", err)
respondError()
return
}
md, err := c.ciRepo.Metadata(clientID)
if md == nil || err != nil {
log.Errorf("Failed to find clientID: %s, error=%v", clientID, err)
respondError()
return
}
log.Infof("Authenticated token for client ID %s", clientID)
c.next.ServeHTTP(w, r)
}
func handleAuthFunc(srv OIDCServer, baseURL url.URL, idpcs []connector.Connector, tpl *template.Template, registrationEnabled bool) http.HandlerFunc {
idx := makeConnectorMap(idpcs)
return func(w http.ResponseWriter, r *http.Request) {
if r.Method != "GET" {
w.Header().Set("Allow", "GET")
phttp.WriteError(w, http.StatusMethodNotAllowed, "GET only acceptable method")
return
}
q := r.URL.Query()
register := q.Get("register") == "1" && registrationEnabled
e := q.Get("error")
if e != "" {
sessionKey := q.Get("state")
if err := srv.KillSession(sessionKey); err != nil {
log.Errorf("Failed killing sessionKey %q: %v", sessionKey, err)
}
renderLoginPage(w, r, srv, idpcs, register, tpl)
return
}
connectorID := q.Get("connector_id")
idpc, ok := idx[connectorID]
if !ok {
renderLoginPage(w, r, srv, idpcs, register, tpl)
return
}
acr, err := oauth2.ParseAuthCodeRequest(q)
if err != nil {
log.Errorf("Invalid auth request: %v", err)
writeAuthError(w, err, acr.State)
return
}
cli, err := srv.Client(acr.ClientID)
if err != nil {
log.Errorf("Failed fetching client %q from repo: %v", acr.ClientID, err)
writeAuthError(w, oauth2.NewError(oauth2.ErrorServerError), acr.State)
return
}
if err == client.ErrorNotFound {
log.Errorf("Client %q not found", acr.ClientID)
writeAuthError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), acr.State)
return
}
redirectURL, err := cli.ValidRedirectURL(acr.RedirectURL)
if err != nil {
switch err {
case (client.ErrorCantChooseRedirectURL):
log.Errorf("Request must provide redirect URL as client %q has registered many", acr.ClientID)
writeAuthError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), acr.State)
return
case (client.ErrorInvalidRedirectURL):
log.Errorf("Request provided unregistered redirect URL: %s", acr.RedirectURL)
writeAuthError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), acr.State)
return
case (client.ErrorNoValidRedirectURLs):
log.Errorf("There are no registered URLs for the requested client: %s", acr.RedirectURL)
writeAuthError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), acr.State)
return
}
}
if acr.ResponseType != oauth2.ResponseTypeCode {
log.Errorf("unexpected ResponseType: %v: ", acr.ResponseType)
redirectAuthError(w, oauth2.NewError(oauth2.ErrorUnsupportedResponseType), acr.State, redirectURL)
return
}
// Check scopes.
if scopeErr := validateScopes(srv, acr.ClientID, acr.Scope); scopeErr != nil {
log.Error(scopeErr)
writeAuthError(w, scopeErr, acr.State)
return
}
nonce := q.Get("nonce")
key, err := srv.NewSession(connectorID, acr.ClientID, acr.State, redirectURL, nonce, register, acr.Scope)
if err != nil {
log.Errorf("Error creating new session: %v: ", err)
redirectAuthError(w, err, acr.State, redirectURL)
return
}
if register {
_, ok := idpc.(*connector.LocalConnector)
if ok {
q := url.Values{}
q.Set("code", key)
ru := path.Join(baseURL.Path, httpPathRegister) + "?" + q.Encode()
w.Header().Set("Location", ru)
w.WriteHeader(http.StatusFound)
return
}
}
var p string
if register {
p = "select_account consent"
}
if shouldReprompt(r) || register {
p = "select_account"
}
lu, err := idpc.LoginURL(key, p)
if err != nil {
log.Errorf("Connector.LoginURL failed: %v", err)
redirectAuthError(w, err, acr.State, redirectURL)
return
}
http.SetCookie(w, createLastSeenCookie())
w.Header().Set("Location", lu)
w.WriteHeader(http.StatusFound)
return
}
}
