From f16db6ba3add05080d249da9d7f1e8276d4d4c2e Mon Sep 17 00:00:00 2001
From: Mateusz Bilski
Date: Tue, 12 Sep 2023 13:27:30 +0200
Subject: [PATCH] Parse signing key and encryption key only if JARM response is present (#71)
---
 internal/oauth2/oauth2.go | 44 ++++++++++++++++++++++----------------
 internal/oauth2/request.go | 32 +++++++++++++--------------
 2 files changed, 41 insertions(+), 35 deletions(-)
diff --git a/internal/oauth2/oauth2.go b/internal/oauth2/oauth2.go
index cf36f64..5671ce3 100644
--- a/internal/oauth2/oauth2.go
+++ b/internal/oauth2/oauth2.go
@@ -190,28 +190,17 @@ func RequestPAR(
 func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, hc *http.Client) (request Request, err error) {
 var (
- srv = http.Server{}
- redirectURL *url.URL
- signingKey jose.JSONWebKey
- encryptionKey jose.JSONWebKey
- done = make(chan struct{})
+ srv = http.Server{}
+ redirectURL *url.URL
+ done = make(chan struct{})
 )
 if redirectURL, err = url.Parse(clientConfig.RedirectURL); err != nil {
 return request, errors.Wrapf(err, "failed to parse redirect url: %s", clientConfig.RedirectURL)
 }
- if signingKey, err = ReadKey(SigningKey, serverConfig.JWKsURI, hc); err != nil {
- return request, errors.Wrapf(err, "failed to read signing key from %s", serverConfig.JWKsURI)
- }
-
- if clientConfig.EncryptionKey != "" {
- if encryptionKey, err = ReadKey(EncryptionKey, clientConfig.EncryptionKey, hc); err != nil {
- return request, errors.Wrapf(err, "failed to read encryption key from %s", clientConfig.EncryptionKey)
- }
- }
-
 srv.Addr = redirectURL.Host
+
 if redirectURL.Path == "" {
 redirectURL.Path = "/"
 }
@@ -234,9 +223,28 @@ func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, hc *h
 request.URL = r.URL
 request.Form = r.PostForm
- if err = request.ParseJARM(signingKey, encryptionKey); err != nil {
- log.Fatal(err)
- return
+ if request.Get("response") != "" {
+ var (
+ signingKey jose.JSONWebKey
+ encryptionKey jose.JSONWebKey
+ )
+
+ if signingKey, err = ReadKey(SigningKey, serverConfig.JWKsURI, hc); err != nil {
+ log.Fatal(err)
+ return
+ }
+
+ if clientConfig.EncryptionKey != "" {
+ if encryptionKey, err = ReadKey(EncryptionKey, clientConfig.EncryptionKey, hc); err != nil {
+ log.Fatal(err)
+ return
+ }
+ }
+
+ if err = request.ParseJARM(signingKey, encryptionKey); err != nil {
+ log.Fatal(err)
+ return
+ }
 }
 w.Header().Add("Content-Type", "text/html")
diff --git a/internal/oauth2/request.go b/internal/oauth2/request.go
index 6fcebcb..a023c71 100644
--- a/internal/oauth2/request.go
+++ b/internal/oauth2/request.go
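Review bot: The two new `ReadKey` failure branches call `log.Fatal(err)` from inside the callback handler, so the named `err` result and the `return` that follows are dead code and the process exits without the context the removed top-level checks attached (`failed to read signing key from %s` / `failed to read encryption key from %s`). Because the JWKS fetch from `serverConfig.JWKsURI` now runs only when an inbound callback carries a `response` parameter, a wrong URI or an unreachable key endpoint is first noticed at callback time and then terminates the whole program instead of being reported through `WaitForCallback`'s error return. At minimum keep the wrapping, `log.Fatal(errors.Wrapf(err, "failed to read signing key from %s", serverConfig.JWKsURI))` and the matching form for the encryption key; a cleaner shape is to assign the wrapped error to `err`, write an error page, and signal `done` so the caller receives it, though `done` and the handler's closing lines are outside this hunk and the existing `ParseJARM` branch has the same pattern. A one-line comment on `if request.Get("response") != "" {` stating that keys are resolved lazily on first JARM callback would also help the next reader.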
@@ -215,26 +215,24 @@ func (r *Request) ParseJARM(signingKey interface{}, encryptionKey interface{}) e
 r.JARM = map[string]interface{}{}
- if response != "" {
- if nestedToken, err = jwt.ParseSignedAndEncrypted(response); err != nil {
- if token, err2 = jwt.ParseSigned(response); err2 != nil {
- return errors.Wrapf(multierror.Append(err, err2), "failed to parse JARM response")
- }
- } else if encryptionKey != nil {
- if token, err = nestedToken.Decrypt(encryptionKey); err != nil {
- return errors.Wrapf(err, "failed to decrypt encrypted JARM response")
- }
- } else {
- return errors.New("no encryption key path")
+ if nestedToken, err = jwt.ParseSignedAndEncrypted(response); err != nil {
+ if token, err2 = jwt.ParseSigned(response); err2 != nil {
+ return errors.Wrapf(multierror.Append(err, err2), "failed to parse JARM response")
 }
-
- if signingKey == nil {
- return errors.New("no signing key path")
+ } else if encryptionKey != nil {
+ if token, err = nestedToken.Decrypt(encryptionKey); err != nil {
+ return errors.Wrapf(err, "failed to decrypt encrypted JARM response")
 }
+ } else {
+ return errors.New("no encryption key path")
+ }
- if err = token.Claims(signingKey, &r.JARM); err != nil {
- return err
- }
+ if signingKey == nil {
+ return errors.New("no signing key path")
+ }
+
+ if err = token.Claims(signingKey, &r.JARM); err != nil {
+ return err
 }
 return nil
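Review bot: Removing the `if response != "" {` guard changes ParseJARM's contract: an empty response used to be a no-op returning nil, and now both `jwt.ParseSignedAndEncrypted` and the `jwt.ParseSigned` fallback fail on it, so the function returns `failed to parse JARM response`. That matches the new call site in `WaitForCallback`, but nothing on the function says so; the signature and, presumably, the assignment of `response` sit above this hunk, so a doc comment there would pin it down, e.g. `// ParseJARM verifies and decodes the JARM "response" parameter into r.JARM; callers must only invoke it when the parameter is present, since an empty value is a parse error.` The `signingKey == nil` check still runs after `nestedToken.Decrypt`, so an encrypted response is decrypted before the missing-signing-key error surfaces; hoisting `if signingKey == nil { return errors.New("no signing key path") }` to the top of the function fails fast before any cryptographic work, at the cost of changing which error wins when both keys are missing.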