2020-10-06 14:11:57 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package oidc contains common OIDC functionality needed by Pinniped.
|
|
|
|
package oidc
|
|
|
|
|
2020-11-04 23:04:50 +00:00
|
|
|
import (
|
2020-11-20 20:45:29 +00:00
|
|
|
"time"
|
|
|
|
|
2020-11-04 23:04:50 +00:00
|
|
|
"github.com/ory/fosite"
|
|
|
|
"github.com/ory/fosite/compose"
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/csrftoken"
|
2020-12-03 20:34:58 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/jwks"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-11-20 23:13:25 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/nonce"
|
|
|
|
"go.pinniped.dev/pkg/oidcclient/pkce"
|
2020-11-04 23:04:50 +00:00
|
|
|
)
|
|
|
|
|
2020-10-06 14:11:57 +00:00
|
|
|
const (
|
2020-10-08 18:28:21 +00:00
|
|
|
WellKnownEndpointPath = "/.well-known/openid-configuration"
|
|
|
|
AuthorizationEndpointPath = "/oauth2/authorize"
|
|
|
|
TokenEndpointPath = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
|
2020-11-20 15:42:43 +00:00
|
|
|
CallbackEndpointPath = "/callback"
|
2020-10-08 18:28:21 +00:00
|
|
|
JWKSEndpointPath = "/jwks.json"
|
2020-10-06 14:11:57 +00:00
|
|
|
)
|
2020-11-04 23:04:50 +00:00
|
|
|
|
2020-11-16 16:47:49 +00:00
|
|
|
const (
|
2020-11-16 19:41:00 +00:00
|
|
|
// Just in case we need to make a breaking change to the format of the upstream state param,
|
|
|
|
// we are including a format version number. This gives the opportunity for a future version of Pinniped
|
|
|
|
// to have the consumer of this format decide to reject versions that it doesn't understand.
|
|
|
|
UpstreamStateParamFormatVersion = "1"
|
|
|
|
|
|
|
|
// The `name` passed to the encoder for encoding the upstream state param value. This name is short
|
|
|
|
// because it will be encoded into the upstream state param value and we're trying to keep that small.
|
|
|
|
UpstreamStateParamEncodingName = "s"
|
|
|
|
|
2020-11-16 16:47:49 +00:00
|
|
|
// CSRFCookieName is the name of the browser cookie which shall hold our CSRF value.
|
2020-12-01 22:53:22 +00:00
|
|
|
// The `__Host` prefix has a special meaning. See:
|
2020-11-16 16:47:49 +00:00
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Cookie_prefixes.
|
|
|
|
CSRFCookieName = "__Host-pinniped-csrf"
|
|
|
|
|
|
|
|
// CSRFCookieEncodingName is the `name` passed to the encoder for encoding and decoding the CSRF
|
|
|
|
// cookie contents.
|
|
|
|
CSRFCookieEncodingName = "csrf"
|
|
|
|
)
|
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
// Encoder is the encoding side of the securecookie.Codec interface.
|
|
|
|
type Encoder interface {
|
|
|
|
Encode(name string, value interface{}) (string, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decoder is the decoding side of the securecookie.Codec interface.
|
|
|
|
type Decoder interface {
|
|
|
|
Decode(name, value string, into interface{}) error
|
|
|
|
}
|
|
|
|
|
|
|
|
// Codec is both the encoding and decoding sides of the securecookie.Codec interface. It is
|
|
|
|
// interface'd here so that we properly wrap the securecookie dependency.
|
|
|
|
type Codec interface {
|
|
|
|
Encoder
|
|
|
|
Decoder
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpstreamStateParamData is the format of the state parameter that we use when we communicate to an
|
|
|
|
// upstream OIDC provider.
|
|
|
|
//
|
|
|
|
// Keep the JSON to a minimal size because the upstream provider could impose size limitations on
|
|
|
|
// the state param.
|
|
|
|
type UpstreamStateParamData struct {
|
|
|
|
AuthParams string `json:"p"`
|
2020-11-20 21:14:45 +00:00
|
|
|
UpstreamName string `json:"u"`
|
2020-11-16 19:41:00 +00:00
|
|
|
Nonce nonce.Nonce `json:"n"`
|
|
|
|
CSRFToken csrftoken.CSRFToken `json:"c"`
|
|
|
|
PKCECode pkce.Code `json:"k"`
|
|
|
|
FormatVersion string `json:"v"`
|
|
|
|
}
|
|
|
|
|
2020-11-04 23:04:50 +00:00
|
|
|
func PinnipedCLIOIDCClient() *fosite.DefaultOpenIDConnectClient {
|
|
|
|
return &fosite.DefaultOpenIDConnectClient{
|
|
|
|
DefaultClient: &fosite.DefaultClient{
|
|
|
|
ID: "pinniped-cli",
|
|
|
|
Public: true,
|
|
|
|
RedirectURIs: []string{"http://127.0.0.1/callback"},
|
|
|
|
ResponseTypes: []string{"code"},
|
|
|
|
GrantTypes: []string{"authorization_code"},
|
|
|
|
Scopes: []string{"openid", "profile", "email"},
|
|
|
|
},
|
2020-12-01 21:25:12 +00:00
|
|
|
TokenEndpointAuthMethod: "none",
|
2020-11-04 23:04:50 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-12-01 21:25:12 +00:00
|
|
|
func FositeOauth2Helper(
|
2020-12-03 16:14:37 +00:00
|
|
|
oauthStore interface{},
|
|
|
|
issuer string,
|
2020-12-01 21:25:12 +00:00
|
|
|
hmacSecretOfLengthAtLeast32 []byte,
|
2020-12-03 20:34:58 +00:00
|
|
|
jwksProvider jwks.DynamicJWKSProvider,
|
2020-12-01 21:25:12 +00:00
|
|
|
) fosite.OAuth2Provider {
|
2020-11-04 23:04:50 +00:00
|
|
|
oauthConfig := &compose.Config{
|
2020-11-20 20:45:29 +00:00
|
|
|
AuthorizeCodeLifespan: 3 * time.Minute, // seems more than long enough to exchange a code
|
|
|
|
|
|
|
|
IDTokenLifespan: 5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token
|
|
|
|
AccessTokenLifespan: 5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token
|
|
|
|
|
|
|
|
RefreshTokenLifespan: 16 * time.Hour, // long enough for a single workday
|
|
|
|
|
2020-11-20 23:50:26 +00:00
|
|
|
IDTokenIssuer: issuer,
|
2020-11-20 20:45:29 +00:00
|
|
|
TokenURL: "", // TODO set once we have this endpoint written
|
|
|
|
|
|
|
|
ScopeStrategy: fosite.ExactScopeStrategy, // be careful and only support exact string matching for scopes
|
|
|
|
AudienceMatchingStrategy: nil, // I believe the default is fine
|
|
|
|
EnforcePKCE: true, // follow current set of best practices and always require PKCE
|
|
|
|
AllowedPromptValues: []string{"none"}, // TODO unclear what we should set here
|
|
|
|
|
|
|
|
RefreshTokenScopes: nil, // TODO decide what makes sense when we add refresh token support
|
|
|
|
MinParameterEntropy: 32, // 256 bits seems about right
|
2020-11-04 23:04:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return compose.Compose(
|
|
|
|
oauthConfig,
|
|
|
|
oauthStore,
|
|
|
|
&compose.CommonStrategy{
|
2020-11-05 01:06:47 +00:00
|
|
|
// Note that Fosite requires the HMAC secret to be at least 32 bytes.
|
2020-12-01 21:25:12 +00:00
|
|
|
CoreStrategy: compose.NewOAuth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32, nil),
|
2020-12-04 01:16:08 +00:00
|
|
|
OpenIDConnectTokenStrategy: newDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider),
|
2020-12-03 20:34:58 +00:00
|
|
|
// OpenIDConnectTokenStrategy: compose.NewOpenIDConnectECDSAStrategy(oauthConfig, jwtSigningKey),
|
2020-11-04 23:04:50 +00:00
|
|
|
},
|
|
|
|
nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.
|
|
|
|
compose.OAuth2AuthorizeExplicitFactory,
|
|
|
|
// compose.OAuth2RefreshTokenGrantFactory,
|
2020-11-06 22:44:58 +00:00
|
|
|
compose.OpenIDConnectExplicitFactory,
|
2020-11-04 23:04:50 +00:00
|
|
|
// compose.OpenIDConnectRefreshFactory,
|
|
|
|
compose.OAuth2PKCEFactory,
|
|
|
|
)
|
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
|
|
|
type IDPListGetter interface {
|
2020-11-18 21:38:13 +00:00
|
|
|
GetIDPList() []provider.UpstreamOIDCIdentityProviderI
|
2020-11-13 23:59:51 +00:00
|
|
|
}
|