JWT support for userinfo

2022-01-19 17:07:55 +00:00 · 2022-01-19 17:07:55 +00:00 · 5c0b748373
commit 5c0b748373
parent bd3d2e8a1e
4 changed files with 129 additions and 40 deletions
--- a/src/axum_lib.rs
+++ b/src/axum_lib.rs
@ -18,11 +18,11 @@ use figment::{
 use headers::{
    self,
    authorization::{Basic, Bearer},
-    Authorization,
+    Authorization, ContentType, Header,
 };
 use openidconnect::core::{
    CoreClientMetadata, CoreClientRegistrationResponse, CoreJsonWebKeySet, CoreProviderMetadata,
-    CoreResponseType, CoreTokenResponse, CoreUserInfoClaims,
+    CoreResponseType, CoreTokenResponse, CoreUserInfoClaims, CoreUserInfoJsonWebToken,
 };
 use rand::rngs::OsRng;
 use rsa::{
@ -221,20 +221,64 @@ async fn register(
    Ok((StatusCode::CREATED, registration.into()))
 }

+struct UserInfoResponseJWT(Json<CoreUserInfoJsonWebToken>);
+
+impl IntoResponse for UserInfoResponseJWT {
+    fn into_response(self) -> response::Response {
+        response::Response::builder()
+            .status(StatusCode::OK)
+            .header(ContentType::name(), "application/jwt")
+            .body(
+                serde_json::to_string(&self.0 .0)
+                    .unwrap()
+                    .replace('"', "")
+                    .into_response()
+                    .into_body(),
+            )
+            .unwrap()
+    }
+}
+
+enum UserInfoResponse {
+    Json(Json<CoreUserInfoClaims>),
+    Jwt(UserInfoResponseJWT),
+}
+
+impl IntoResponse for UserInfoResponse {
+    fn into_response(self) -> response::Response {
+        match self {
+            UserInfoResponse::Json(j) => j.into_response(),
+            UserInfoResponse::Jwt(j) => j.into_response(),
+        }
+    }
+}
+
 // TODO CORS
 // TODO need validation of the token
 async fn userinfo(
+    Extension(private_key): Extension<RsaPrivateKey>,
+    Extension(config): Extension<config::Config>,
    payload: Option<Form<oidc::UserInfoPayload>>,
    bearer: Option<TypedHeader<Authorization<Bearer>>>, // TODO maybe go through FromRequest https://github.com/tokio-rs/axum/blob/main/examples/jwt/src/main.rs
    Extension(redis_client): Extension<RedisClient>,
-) -> Result<Json<CoreUserInfoClaims>, CustomError> {
+) -> Result<UserInfoResponse, CustomError> {
    let payload = if let Some(Form(p)) = payload {
        p
    } else {
        oidc::UserInfoPayload { access_token: None }
    };
-    let claims = oidc::userinfo(bearer.map(|b| b.0 .0), payload, &redis_client).await?;
-    Ok(claims.into())
+    let claims = oidc::userinfo(
+        config.base_url,
+        private_key,
+        bearer.map(|b| b.0 .0),
+        payload,
+        &redis_client,
+    )
+    .await?;
+    Ok(match claims {
+        oidc::UserInfoResponse::Json(c) => UserInfoResponse::Json(c.into()),
+        oidc::UserInfoResponse::Jwt(c) => UserInfoResponse::Jwt(UserInfoResponseJWT(c.into())),
+    })
 }

 async fn healthcheck() {}
@ -253,16 +297,16 @@ pub async fn main() {

    let redis_client = RedisClient { pool };

-    for (id, secret) in &config.default_clients.clone() {
-        let client_entry = ClientEntry {
-            secret: secret.to_string(),
-            redirect_uris: vec![],
-        };
-        redis_client
-            .set_client(id.to_string(), client_entry)
-            .await
-            .unwrap(); // TODO
-    }
+    // for (id, secret) in &config.default_clients.clone() {
+    //     let client_entry = ClientEntry {
+    //         secret: secret.to_string(),
+    //         redirect_uris: vec![],
+    //     };
+    //     redis_client
+    //         .set_client(id.to_string(), client_entry)
+    //         .await
+    //         .unwrap(); // TODO
+    // }

    let private_key = if let Some(key) = &config.rsa_pem {
        RsaPrivateKey::from_pkcs1_pem(key)
--- a/src/db/mod.rs
+++ b/src/db/mod.rs
@ -1,7 +1,7 @@
 use anyhow::Result;
 use async_trait::async_trait;
 use chrono::{offset::Utc, DateTime};
-use openidconnect::{Nonce, RedirectUrl};
+use openidconnect::{core::CoreClientMetadata, Nonce};
 use serde::{Deserialize, Serialize};

 #[cfg(not(target_arch = "wasm32"))]
@ -28,7 +28,7 @@ pub struct CodeEntry {
 #[derive(Clone, Serialize, Deserialize)]
 pub struct ClientEntry {
    pub secret: String,
-    pub redirect_uris: Vec<RedirectUrl>,
+    pub metadata: CoreClientMetadata,
 }

 // Using a trait to easily pass async functions with async_trait
--- a/src/oidc.rs
+++ b/src/oidc.rs
@ -10,6 +10,7 @@ use openidconnect::{
        CoreIdToken, CoreIdTokenClaims, CoreIdTokenFields, CoreJsonWebKeySet,
        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreResponseType, CoreRsaPrivateSigningKey,
        CoreSubjectIdentifierType, CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
+        CoreUserInfoJsonWebToken,
    },
    registration::{EmptyAdditionalClientMetadata, EmptyAdditionalClientRegistrationResponse},
    url::Url,
@ -32,6 +33,7 @@ use super::db::*;
 #[cfg(not(target_arch = "wasm32"))]
 use siwe_oidc::db::*;

+const SIGNING_ALG: [CoreJwsSigningAlgorithm; 1] = [CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256];
 const KID: &str = "key1";
 pub const METADATA_PATH: &str = "/.well-known/openid-configuration";
 pub const JWK_PATH: &str = "/jwk";
@ -67,16 +69,17 @@ pub enum CustomError {
    Other(#[from] anyhow::Error),
 }

-pub fn jwks(private_key: RsaPrivateKey) -> Result<CoreJsonWebKeySet, CustomError> {
+fn jwk(private_key: RsaPrivateKey) -> Result<CoreRsaPrivateSigningKey> {
    let pem = private_key
        .to_pkcs1_pem()
        .map_err(|e| anyhow!("Failed to serialise key as PEM: {}", e))?;
-    let jwks = CoreJsonWebKeySet::new(vec![CoreRsaPrivateSigningKey::from_pem(
-        &pem,
-        Some(JsonWebKeyId::new(KID.to_string())),
-    )
-    .map_err(|e| anyhow!("Invalid RSA private key: {}", e))?
-    .as_verification_key()]);
+    CoreRsaPrivateSigningKey::from_pem(&pem, Some(JsonWebKeyId::new(KID.to_string())))
+        .map_err(|e| anyhow!("Invalid RSA private key: {}", e))
+}
+
+pub fn jwks(private_key: RsaPrivateKey) -> Result<CoreJsonWebKeySet, CustomError> {
+    let signing_key = jwk(private_key)?;
+    let jwks = CoreJsonWebKeySet::new(vec![signing_key.as_verification_key()]);
    Ok(jwks)
 }

@ -98,7 +101,7 @@ pub fn metadata(base_url: Url) -> Result<CoreProviderMetadata, CustomError> {
            ResponseTypes::new(vec![CoreResponseType::Token, CoreResponseType::IdToken]),
        ],
        vec![CoreSubjectIdentifierType::Pairwise],
-        vec![CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256],
+        SIGNING_ALG.to_vec(),
        EmptyAdditionalProviderMetadata {},
    )
    .set_token_endpoint(Some(TokenUrl::from_url(
@ -111,6 +114,7 @@ pub fn metadata(base_url: Url) -> Result<CoreProviderMetadata, CustomError> {
            .join(USERINFO_PATH)
            .map_err(|e| anyhow!("Unable to join URL: {}", e))?,
    )))
+    .set_userinfo_signing_alg_values_supported(Some(SIGNING_ALG.to_vec()))
    .set_scopes_supported(Some(vec![
        Scope::new("openid".to_string()),
        // Scope::new("email".to_string()),
@ -138,6 +142,7 @@ pub fn metadata(base_url: Url) -> Result<CoreProviderMetadata, CustomError> {
    .set_token_endpoint_auth_methods_supported(Some(vec![
        CoreClientAuthMethod::ClientSecretBasic,
        CoreClientAuthMethod::ClientSecretPost,
+        CoreClientAuthMethod::PrivateKeyJwt,
    ]));

    Ok(pm)
@ -274,7 +279,9 @@ pub async fn authorize(
    r_u.set_query(None);
    let mut r_us: Vec<Url> = client_entry
        .unwrap()
-        .redirect_uris
+        .metadata
+        .redirect_uris()
+        .clone()
        .iter_mut()
        .map(|u| u.url().clone())
        .collect();
@ -343,12 +350,7 @@ pub async fn authorize(
    };
    Ok(format!(
        "/?nonce={}&domain={}&redirect_uri={}&state={}&client_id={}{}",
-        nonce,
-        domain,
-        params.redirect_uri.to_string(),
-        state,
-        params.client_id,
-        oidc_nonce_param
+        nonce, domain, *params.redirect_uri, state, params.client_id, oidc_nonce_param
    ))
 }

@ -484,15 +486,17 @@ pub async fn register(
    let id = Uuid::new_v4();
    let secret = Uuid::new_v4();

+    let redirect_uris = payload.redirect_uris().to_vec();
+
    let entry = ClientEntry {
        secret: secret.to_string(),
-        redirect_uris: payload.redirect_uris().to_vec(),
+        metadata: payload,
    };
    db_client.set_client(id.to_string(), entry).await?;

    Ok(CoreClientRegistrationResponse::new(
        ClientId::new(id.to_string()),
-        payload.redirect_uris().to_vec(),
+        redirect_uris,
        EmptyAdditionalClientMetadata::default(),
        EmptyAdditionalClientRegistrationResponse::default(),
    )
@ -504,11 +508,18 @@ pub struct UserInfoPayload {
    pub access_token: Option<String>,
 }

+pub enum UserInfoResponse {
+    Json(CoreUserInfoClaims),
+    Jwt(CoreUserInfoJsonWebToken),
+}
+
 pub async fn userinfo(
+    base_url: Url,
+    private_key: RsaPrivateKey,
    bearer: Option<Bearer>,
    payload: UserInfoPayload,
    db_client: &DBClientType,
-) -> Result<CoreUserInfoClaims, CustomError> {
+) -> Result<UserInfoResponse, CustomError> {
    let code = if let Some(b) = bearer {
        b.token().to_string()
    } else if let Some(c) = payload.access_token {
@ -522,8 +533,26 @@ pub async fn userinfo(
        return Err(CustomError::BadRequest("Unknown code.".to_string()));
    };

-    Ok(CoreUserInfoClaims::new(
+    let client_entry = if let Some(c) = db_client.get_client(code_entry.client_id.clone()).await? {
+        c
+    } else {
+        return Err(CustomError::BadRequest("Unknown client.".to_string()));
+    };
+
+    let response = CoreUserInfoClaims::new(
        StandardClaims::new(SubjectIdentifier::new(code_entry.address)),
        EmptyAdditionalClaims::default(),
-    ))
+    )
+    .set_issuer(Some(IssuerUrl::from_url(base_url.clone())))
+    .set_audiences(Some(vec![Audience::new(code_entry.client_id)]));
+    match client_entry.metadata.userinfo_signed_response_alg() {
+        None => Ok(UserInfoResponse::Json(response)),
+        Some(alg) => {
+            let signing_key = jwk(private_key)?;
+            Ok(UserInfoResponse::Jwt(
+                CoreUserInfoJsonWebToken::new(response, &signing_key, alg.clone())
+                    .map_err(|_| anyhow!("Error signing response."))?,
+            ))
+        }
+    }
 }
--- a/src/worker_lib.rs
+++ b/src/worker_lib.rs
@ -2,7 +2,7 @@ use anyhow::anyhow;
 use headers::{
    self,
    authorization::{Basic, Bearer, Credentials},
-    Authorization, Header, HeaderValue,
+    Authorization, ContentType, Header, HeaderValue,
 };
 use rand::{distributions::Alphanumeric, Rng};
 use rsa::{pkcs1::FromRsaPrivateKey, RsaPrivateKey};
@ -57,10 +57,26 @@ pub async fn main(req: Request, env: Env) -> Result<Response> {
        } else {
            UserInfoPayload { access_token: None }
        };
+        let base_url = ctx.var(BASE_URL_KEY)?.to_string().parse().unwrap();
+        let private_key = RsaPrivateKey::from_pkcs1_pem(&ctx.secret(RSA_PEM_KEY)?.to_string())
+            .map_err(|e| anyhow!("Failed to load private key: {}", e))
+            .unwrap();
        let url = req.url()?;
        let db_client = CFClient { ctx, url };
-        match oidc::userinfo(bearer, payload, &db_client).await {
-            Ok(r) => Ok(Response::from_json(&r)?),
+        match oidc::userinfo(base_url, private_key, bearer, payload, &db_client).await {
+            Ok(oidc::UserInfoResponse::Json(r)) => Ok(Response::from_json(&r)?),
+            Ok(oidc::UserInfoResponse::Jwt(r)) => {
+                let mut headers = Headers::new();
+                headers.append(&ContentType::name().to_string(), "application/jwt")?;
+                Ok(Response::from_bytes(
+                    serde_json::to_string(&r)
+                        .unwrap()
+                        .replace('"', "")
+                        .as_bytes()
+                        .to_vec(),
+                )?
+                .with_headers(headers))
+            }
            Err(e) => e.into(),
        }
    };