ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-02 15:30:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Enable validation of token hashes as part of the oidc process

Browse Source
This commit is contained in:
Grant Limberg 2021-12-16 18:44:36 -08:00
parent 2435ab70ab
commit 8fccf3136c
No known key found for this signature in database
GPG Key ID: 2BA62CCABBB4095A
1 changed files with 145 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
zeroidc/src/lib.rs
View File

@ -7,9 +7,10 @@ extern crate time;
extern crate url;
use bytes::Bytes;
use jsonwebtoken::{dangerous_insecure_decode};use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
use jsonwebtoken::{dangerous_insecure_decode};
use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
use openidconnect::reqwest::http_client;
use openidconnect::{AccessToken, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, NonceVerifier, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
use serde::{Deserialize, Serialize};
use std::str::from_utf8;
use std::sync::{Arc, Mutex};
@ -168,19 +169,66 @@ impl ZeroIDC {
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
if let Some(refresh_token) = refresh_token {
if now >= (exp - Duration::from_secs(30)) {
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
let res = c.exchange_refresh_token(&refresh_token)
.request(http_client);
res
});
if let Some(res) = token_response {
match res {
Ok(res) => {
let n = match nonce {
Some(n) => n,
None => {
return None;
}
};
let id = match res.id_token() {
Some(t) => t,
None => {
return None;
}
};
let claims = match id.claims(&c.id_token_verifier(), &n) {
Ok(c) => c,
Err(_e) => {
return None;
}
};
let signing_algo = match id.signing_alg() {
Ok(s) => s,
Err(_) => {
return None;
}
};
if let Some(expected_hash) = claims.access_token_hash() {
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
Ok(h) => h,
Err(e) => {
println!("Error hashing access token: {}", e);
return None;
}
};
if actual_hash != *expected_hash {
println!("token hash error");
return None;
}
}
return Some(res);
},
Err(_e) => {
return None;
}
};
});
if let Some(Some(res)) = token_response{
match res.id_token() {
Some(id_token) => {
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
#[cfg(debug_assertions)] {
println!("New ID token: {}", id_token.to_string());
@ -233,12 +281,7 @@ impl ZeroIDC {
}
},
None => {
println!("No id token???");
}
}
},
Err(e) => {
println!("Error posting refresh token: {}", e)
println!("no id token?!?");
}
}
}
@ -367,7 +410,49 @@ impl ZeroIDC {
.request(http_client);
match r {
Ok(res) =>{
return Some(res);
let n = match i.nonce.clone() {
Some(n) => n,
None => {
return None;
}
};
let id = match res.id_token() {
Some(t) => t,
None => {
return None;
}
};
let claims = match id.claims(&c.id_token_verifier(), &n) {
Ok(c) => c,
Err(_e) => {
return None;
}
};
let signing_algo = match id.signing_alg() {
Ok(s) => s,
Err(_) => {
return None;
}
};
if let Some(expected_hash) = claims.access_token_hash() {
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
Ok(h) => h,
Err(e) => {
println!("Error hashing access token: {}", e);
return None;
}
};
if actual_hash != *expected_hash {
println!("token hash error");
return None;
}
}
Some(res)
},
Err(_e) => {
#[cfg(debug_assertions)] {