djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed error handling for token exchange when openid scope missing

Browse Source 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Ryan Richard 2020-12-09 15:15:50 -08:00 committed by Margo Crawford
parent 0abadddb1a
commit 5b7c510577
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
internal/oidc/token/token_handler_test.go
View File

@ -753,7 +753,7 @@ func TestTokenExchange(t *testing.T) {
wantResponseBodyContains: `invalid subject_token`, wantResponseBodyContains: `invalid subject_token`,
}, },
{ {
name: "access token missing required scopes", name: "access token missing pinniped.sts.unrestricted scope",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: authcodeExchangeInputs{
modifyAuthRequest: func(authRequest *http.Request) { modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "openid") authRequest.Form.Set("scope", "openid")
@ -769,6 +769,23 @@ func TestTokenExchange(t *testing.T) {
wantStatus: http.StatusForbidden, wantStatus: http.StatusForbidden,
wantResponseBodyContains: `missing the \"pinniped.sts.unrestricted\" scope`, wantResponseBodyContains: `missing the \"pinniped.sts.unrestricted\" scope`,
}, },
{
name: "access token missing openid scope",
authcodeExchange: authcodeExchangeInputs{
modifyAuthRequest: func(authRequest *http.Request) {
authRequest.Form.Set("scope", "pinniped.sts.unrestricted")
},
want: tokenEndpointResponseExpectedValues{
wantStatus: http.StatusOK,
wantSuccessBodyFields: []string{"access_token", "token_type", "expires_in", "scope"},
wantRequestedScopes: []string{"pinniped.sts.unrestricted"},
wantGrantedScopes: []string{"pinniped.sts.unrestricted"},
},
},
requestedAudience: "some-workload-cluster",
wantStatus: http.StatusForbidden,
wantResponseBodyContains: `missing the \"openid\" scope`,
},
{ {
name: "token minting failure", name: "token minting failure",
authcodeExchange: authcodeExchangeInputs{ authcodeExchange: authcodeExchangeInputs{

7
internal/oidc/token_exchange.go
View File

@ -65,10 +65,13 @@ func (t *TokenExchangeHandler) PopulateTokenEndpointResponse(ctx context.Context
return errors.WithStack(err) return errors.WithStack(err)
} }
// Require that the incoming access token has the STS and OpenID scopes . // Require that the incoming access token has the STS and OpenID scopes.
if !originalRequester.GetGrantedScopes().Has(pinnipedTokenExchangeScope, oidc.ScopeOpenID) { if !originalRequester.GetGrantedScopes().Has(pinnipedTokenExchangeScope) {
return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", pinnipedTokenExchangeScope)) return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", pinnipedTokenExchangeScope))
} }
if !originalRequester.GetGrantedScopes().Has(oidc.ScopeOpenID) {
return errors.WithStack(fosite.ErrAccessDenied.WithHintf("missing the %q scope", oidc.ScopeOpenID))
}
// Use the original authorize request information, along with the requested audience, to mint a new JWT. // Use the original authorize request information, along with the requested audience, to mint a new JWT.
responseToken, err := t.mintJWT(ctx, originalRequester, params.requestedAudience) responseToken, err := t.mintJWT(ctx, originalRequester, params.requestedAudience)