-
-
Notifications
You must be signed in to change notification settings - Fork 364
/
validator.go
160 lines (132 loc) · 6.83 KB
/
validator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
// Copyright © 2024 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package openid
import (
"context"
"strconv"
"strings"
"time"
"github.com/ory/x/errorsx"
"github.com/pkg/errors"
"github.com/ory/fosite"
"github.com/ory/fosite/token/jwt"
"github.com/ory/go-convenience/stringslice"
)
var defaultPrompts = []string{"login", "none", "consent", "select_account"}
type openIDConnectRequestValidatorConfigProvider interface {
fosite.RedirectSecureCheckerProvider
fosite.AllowedPromptsProvider
}
type OpenIDConnectRequestValidator struct {
Strategy jwt.Signer
Config openIDConnectRequestValidatorConfigProvider
}
func NewOpenIDConnectRequestValidator(strategy jwt.Signer, config openIDConnectRequestValidatorConfigProvider) *OpenIDConnectRequestValidator {
return &OpenIDConnectRequestValidator{
Strategy: strategy,
Config: config,
}
}
func (v *OpenIDConnectRequestValidator) ValidatePrompt(ctx context.Context, req fosite.AuthorizeRequester) error {
// prompt is case sensitive!
requiredPrompt := fosite.RemoveEmpty(strings.Split(req.GetRequestForm().Get("prompt"), " "))
if req.GetClient().IsPublic() {
// Threat: Malicious Client Obtains Existing Authorization by Fraud
// https://tools.ietf.org/html/rfc6819#section-4.2.3
//
// Authorization servers should not automatically process repeat
// authorizations to public clients unless the client is validated
// using a pre-registered redirect URI
// Client Impersonation
// https://tools.ietf.org/html/rfc8252#section-8.6#
//
// As stated in Section 10.2 of OAuth 2.0 [RFC6749], the authorization
// server SHOULD NOT process authorization requests automatically
// without user consent or interaction, except when the identity of the
// client can be assured. This includes the case where the user has
// previously approved an authorization request for a given client id --
// unless the identity of the client can be proven, the request SHOULD
// be processed as if no previous request had been approved.
checker := v.Config.GetRedirectSecureChecker(ctx)
if stringslice.Has(requiredPrompt, "none") {
if !checker(ctx, req.GetRedirectURI()) {
return errorsx.WithStack(fosite.ErrConsentRequired.WithHint("OAuth 2.0 Client is marked public and redirect uri is not considered secure (https missing), but \"prompt=none\" was requested."))
}
}
}
availablePrompts := v.Config.GetAllowedPrompts(ctx)
if len(availablePrompts) == 0 {
availablePrompts = defaultPrompts
}
if !isWhitelisted(requiredPrompt, availablePrompts) {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHintf("Used unknown value '%s' for prompt parameter", requiredPrompt))
}
if stringslice.Has(requiredPrompt, "none") && len(requiredPrompt) > 1 {
// If this parameter contains none with any other value, an error is returned.
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Parameter 'prompt' was set to 'none', but contains other values as well which is not allowed."))
}
maxAge, err := strconv.ParseInt(req.GetRequestForm().Get("max_age"), 10, 64)
if err != nil {
maxAge = 0
}
session, ok := req.GetSession().(Session)
if !ok {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session is not of type fosite/handler/openid.Session."))
}
claims := session.IDTokenClaims()
if claims.Subject == "" {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session subject is empty."))
}
// Adds a bit of wiggle room for timing issues
if claims.AuthTime.After(time.Now().UTC().Add(time.Second * 5)) {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time is in the future."))
}
if maxAge > 0 {
if claims.AuthTime.IsZero() {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time claim is required when max_age is set."))
} else if claims.RequestedAt.IsZero() {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because requested at claim is required when max_age is set."))
} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(claims.RequestedAt) {
return errorsx.WithStack(fosite.ErrLoginRequired.WithDebug("Failed to validate OpenID Connect request because authentication time does not satisfy max_age time."))
}
}
if stringslice.Has(requiredPrompt, "none") {
if claims.AuthTime.IsZero() {
return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because because auth_time is missing from session."))
}
if !claims.AuthTime.Equal(claims.RequestedAt) && claims.AuthTime.After(claims.RequestedAt) {
// !claims.AuthTime.Truncate(time.Second).Equal(claims.RequestedAt) && claims.AuthTime.Truncate(time.Second).Before(claims.RequestedAt) {
return errorsx.WithStack(fosite.ErrLoginRequired.WithHintf("Failed to validate OpenID Connect request because prompt was set to 'none' but auth_time ('%s') happened after the authorization request ('%s') was registered, indicating that the user was logged in during this request which is not allowed.", claims.AuthTime, claims.RequestedAt))
}
}
if stringslice.Has(requiredPrompt, "login") {
if claims.AuthTime.Before(claims.RequestedAt) {
return errorsx.WithStack(fosite.ErrLoginRequired.WithHintf("Failed to validate OpenID Connect request because prompt was set to 'login' but auth_time ('%s') happened before the authorization request ('%s') was registered, indicating that the user was not re-authenticated which is forbidden.", claims.AuthTime, claims.RequestedAt))
}
}
idTokenHint := req.GetRequestForm().Get("id_token_hint")
if idTokenHint == "" {
return nil
}
tokenHint, err := v.Strategy.Decode(ctx, idTokenHint)
var ve *jwt.ValidationError
if errors.As(err, &ve) && ve.Has(jwt.ValidationErrorExpired) {
// Expired tokens are ok
} else if err != nil {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Failed to validate OpenID Connect request as decoding id token from id_token_hint parameter failed.").WithWrap(err).WithDebug(err.Error()))
}
if hintSub, _ := tokenHint.Claims["sub"].(string); hintSub == "" {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Failed to validate OpenID Connect request because provided id token from id_token_hint does not have a subject."))
} else if hintSub != claims.Subject {
return errorsx.WithStack(fosite.ErrLoginRequired.WithHint("Failed to validate OpenID Connect request because the subject from provided id token from id_token_hint does not match the current session's subject."))
}
return nil
}
func isWhitelisted(items []string, whiteList []string) bool {
for _, item := range items {
if !stringslice.Has(whiteList, item) {
return false
}
}
return true
}