feat: authentication flows now accepts client assertions

apps/authenticator/lib/sessions/commands/inputs/get_session.ex

@@ -38,6 +38,6 @@ defmodule Authenticator.Sessions.Commands.Inputs.GetSession do
   end
 
   defp validate_emptiness(%{valid?: false} = changeset), do: changeset
-  defp validate_emptiness(%{valid?: true, changes: c} = set) when map_size(c) > 0, do: set
+  defp validate_emptiness(%{changes: chg} = changeset) when map_size(chg) > 0, do: changeset
   defp validate_emptiness(changeset), do: add_error(changeset, :jti, "All input fields are empty")
 end

apps/authenticator/lib/sessions/schemas/session.ex

@@ -75,7 +75,6 @@ defmodule Authenticator.Sessions.Schemas.Session do
   #################
 
   defp custom_query(query, {:ids, ids}), do: where(query, [c], c.id in ^ids)
-
   defp custom_query(query, {:created_after, date}), do: where(query, [c], c.inserted_at > ^date)
   defp custom_query(query, {:created_before, date}), do: where(query, [c], c.inserted_at < ^date)
   defp custom_query(query, {:expires_after, date}), do: where(query, [c], c.expires_at > ^date)

apps/authenticator/lib/sessions/tokens/access_token.ex

@@ -9,7 +9,7 @@ defmodule Authenticator.Sessions.Tokens.AccessToken do
   add_hook Authenticator.Sessions.Tokens.Hooks.ValidateUUID, ~w(sub aud)
 
   # Two hours in seconds
-  @max_expiration 60 * 60 * 2
+  @max_exp 60 * 60 * 2
 
   @default_issuer "WatcherEx"
   @default_type "Bearer"
@@ -29,7 +29,7 @@ defmodule Authenticator.Sessions.Tokens.AccessToken do
     |> add_claim("scope", nil, &is_binary/1)
   end
 
-  defp gen_ttl, do: @max_expiration
-  defp gen_exp, do: Joken.current_time() + @max_expiration
-  defp valid_expiration?(exp), do: exp >= Joken.current_time()
+  defp gen_ttl, do: @max_exp
+  defp gen_exp, do: current_time() + @max_exp
+  defp valid_expiration?(exp), do: exp >= current_time() && exp <= current_time() + @max_exp
 end

apps/authenticator/lib/sessions/tokens/client_assertion.ex

@@ -0,0 +1,29 @@
+defmodule Authenticator.Sessions.Tokens.ClientAssertion do
+  @moduledoc """
+  Client assertion token configurations.
+  """
+
+  use Joken.Config
+
+  add_hook Joken.Hooks.RequiredClaims, ~w(exp iat nbf iss aud jti typ)
+  add_hook Authenticator.Sessions.Tokens.Hooks.ValidateUUID, ~w(iss)
+
+  # Two hours in seconds
+  @max_exp 60 * 60 * 2
+
+  @default_audience "WatcherEx"
+  @default_type "Bearer"
+
+  @impl true
+  def token_config do
+    [skip: [:iss, :aud, :exp]]
+    |> default_claims()
+    |> add_claim("iss", & &1, fn value, _, ctx -> value == ctx.client_id end)
+    |> add_claim("aud", & &1, fn value, _, _ -> value == @default_audience end)
+    |> add_claim("exp", &gen_exp/0, fn exp, _, _ -> is_integer(exp) and valid_expiration?(exp) end)
+    |> add_claim("typ", nil, fn value, _, _ -> value == @default_type end)
+  end
+
+  defp gen_exp, do: current_time() + @max_exp
+  defp valid_expiration?(exp), do: exp >= current_time() && exp <= current_time() + @max_exp
+end

apps/authenticator/lib/sessions/tokens/refresh_token.ex

@@ -9,7 +9,7 @@ defmodule Authenticator.Sessions.Tokens.RefreshToken do
   add_hook Authenticator.Sessions.Tokens.Hooks.ValidateUUID, ~w(aud)
 
   # Thirty days in seconds
-  @max_expiration 60 * 60 * 24 * 30
+  @max_exp 60 * 60 * 24 * 30
 
   @default_issuer "WatcherEx"
   @default_type "Bearer"
@@ -25,7 +25,7 @@ defmodule Authenticator.Sessions.Tokens.RefreshToken do
     |> add_claim("ati", nil, &is_binary/1)
   end
 
-  defp gen_ttl, do: @max_expiration
-  defp gen_exp, do: Joken.current_time() + @max_expiration
-  defp valid_expiration?(exp), do: exp > Joken.current_time()
+  defp gen_ttl, do: @max_exp
+  defp gen_exp, do: current_time() + @max_exp
+  defp valid_expiration?(exp), do: exp >= current_time() && exp <= current_time() + @max_exp
 end

apps/authenticator/lib/sign_in/commands/client_credentials.ex

@@ -6,6 +6,9 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
   secret (or client assertion) directly and we use it to authenticate before generating
   the access token.
 
+  When a public key is registered for the client application this flow will require that
+  an assertion is passed instead of the raw secret to avoid sending it on requests.
+
   This flow is used in machine-to-machine authentication and when the application already
   has user's permission or it's not required to access an specific data.
   """
@@ -14,7 +17,7 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
 
   alias Authenticator.Ports.ResourceManager, as: Port
   alias Authenticator.Sessions
-  alias Authenticator.Sessions.Tokens.{AccessToken, RefreshToken}
+  alias Authenticator.Sessions.Tokens.{AccessToken, ClientAssertion, RefreshToken}
   alias Authenticator.SignIn.Inputs.ClientCredentials, as: Input
   alias ResourceManager.Permissions.Scopes
 
@@ -25,6 +28,9 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
 
   The application has to be active, using openid-connect protocol in order to use this flow.
 
+  When the client application has a public_key saved on database we force the use of
+  client_assertions on input to avoid passing it's secret open on requests.
+
   If we fail in some step before verifying user password we have to fake it's verification
   to avoid exposing identity existance and time attacks.
   """
@@ -33,7 +39,7 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
     with {:app, {:ok, app}} <- {:app, Port.get_identity(%{client_id: client_id})},
          {:flow_enabled?, true} <- {:flow_enabled?, "client_credentials" in app.grant_flows},
          {:app_active?, true} <- {:app_active?, app.status == "active"},
-         {:secret_matches?, true} <- {:secret_matches?, app.secret == input.client_secret},
+         {:secret_matches?, true} <- {:secret_matches?, secret_matches?(app, input)},
          {:valid_protocol?, true} <- {:valid_protocol?, app.protocol == "openid-connect"},
          {:ok, access_token, claims} <- generate_access_token(app, scope),
          {:ok, refresh_token, _} <- generate_refresh_token(app, claims),
@@ -53,7 +59,7 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
         {:error, :unauthenticated}
 
       {:secret_matches?, false} ->
-        Logger.info("Client application #{client_id} secret do not match any credential")
+        Logger.info("Client application #{client_id} credential didn't matches")
         {:error, :unauthenticated}
 
       {:confidential?, false} ->
@@ -90,6 +96,27 @@ defmodule Authenticator.SignIn.Commands.ClientCredentials do
 
   def execute(_any), do: {:error, :invalid_params}
 
+  defp secret_matches?(%{client_id: id, public_key: public_key}, %{client_assertion: assertion})
+       when is_binary(assertion) do
+    signer = get_signer(public_key)
+
+    assertion
+    |> ClientAssertion.verify_and_validate(signer, %{client_id: id})
+    |> case do
+      {:ok, _claims} -> true
+      {:error, _reason} -> false
+    end
+  end
+
+  defp secret_matches?(%{public_key: nil, secret: app_secret}, %{client_secret: input_secret})
+       when is_binary(app_secret) and is_binary(input_secret),
+       do: app_secret == input_secret
+
+  defp secret_matches?(_application, _input), do: false
+
+  defp get_signer(%{value: pem, type: "rsa", format: "pem"}),
+    do: Joken.Signer.create("RS256", %{"pem" => pem})
+
   defp build_scope(application, scopes) do
     app_scopes = Enum.map(application.scopes, & &1.name)
 

apps/authenticator/lib/sign_in/commands/inputs/client_credentials.ex

@@ -14,21 +14,58 @@ defmodule Authenticator.SignIn.Inputs.ClientCredentials do
         }
 
   @possible_grant_type ~w(client_credentials)
+  @acceptable_assertion_types ~w(urn:ietf:params:oauth:client-assertion-type:jwt-bearer)
 
-  @required [:client_id, :client_secret, :grant_type, :scope]
+  @required [:client_id, :grant_type, :scope]
+  @optional [:client_secret, :client_assertion, :client_assertion_type]
   embedded_schema do
     field :client_id, Ecto.UUID
-    field :client_secret, :string
     field :grant_type, :string
     field :scope, :string
+
+    # Application credentials
+    field :client_secret, :string
+    field :client_assertion, :string
+    field :client_assertion_type, :string
   end
 
   @doc false
   def changeset(params) when is_map(params) do
     %__MODULE__{}
-    |> cast(params, @required)
+    |> cast(params, @required ++ @optional)
     |> validate_length(:client_secret, min: 1)
     |> validate_inclusion(:grant_type, @possible_grant_type)
     |> validate_required(@required)
+    |> validate_assertion_type()
+    |> validate_assertion()
+  end
+
+  defp validate_assertion_type(%{changes: %{client_assertion_type: assertion_type}} = changeset) do
+    if assertion_type in @acceptable_assertion_types do
+      changeset
+    else
+      opts = [enum: [@acceptable_assertion_types]]
+      add_error(changeset, :client_assertion_type, "invalid assertion type", opts)
+    end
+  end
+
+  defp validate_assertion_type(changeset), do: changeset
+
+  defp validate_assertion(%{changes: changes} = changeset) do
+    case changes do
+      %{client_assertion_type: _, client_assertion: _} ->
+        changeset
+
+      %{client_secret: _} ->
+        changeset
+
+      %{client_assertion_type: _} ->
+        add_error(changeset, :client_assertion, "can't be blank", validation: :required)
+
+      _any ->
+        changeset
+        |> add_error(:client_assertion, "can't be blank", validation: :required)
+        |> add_error(:client_assertion_type, "can't be blank", validation: :required)
+    end
   end
 end

apps/authenticator/lib/sign_in/commands/inputs/resource_owner.ex

@@ -16,27 +16,64 @@ defmodule Authenticator.SignIn.Inputs.ResourceOwner do
         }
 
   @possible_grant_type ~w(password)
+  @acceptable_assertion_types ~w(urn:ietf:params:oauth:client-assertion-type:jwt-bearer)
 
-  @required [:username, :password, :client_id, :client_secret, :scope, :grant_type]
+  @required [:username, :password, :client_id, :scope, :grant_type]
+  @optional [:client_secret, :client_assertion, :client_assertion_type]
   embedded_schema do
     field :username, :string
     field :password, :string
     field :grant_type, :string
     field :scope, :string
     field :client_id, :string
+
+    # Application credentials
     field :client_secret, :string
+    field :client_assertion, :string
+    field :client_assertion_type, :string
   end
 
   @doc false
   def changeset(params) when is_map(params) do
     %__MODULE__{}
-    |> cast(params, @required)
+    |> cast(params, @required ++ @optional)
     |> validate_length(:username, min: 1)
     |> validate_length(:password, min: 1)
     |> validate_inclusion(:grant_type, @possible_grant_type)
     |> validate_length(:scope, min: 1)
     |> validate_length(:client_id, min: 1)
     |> validate_length(:client_secret, min: 1)
     |> validate_required(@required)
+    |> validate_assertion_type()
+    |> validate_assertion()
+  end
+
+  defp validate_assertion_type(%{changes: %{client_assertion_type: assertion_type}} = changeset) do
+    if assertion_type in @acceptable_assertion_types do
+      changeset
+    else
+      opts = [enum: [@acceptable_assertion_types]]
+      add_error(changeset, :client_assertion_type, "invalid assertion type", opts)
+    end
+  end
+
+  defp validate_assertion_type(changeset), do: changeset
+
+  defp validate_assertion(%{changes: changes} = changeset) do
+    case changes do
+      %{client_assertion_type: _, client_assertion: _} ->
+        changeset
+
+      %{client_secret: _} ->
+        changeset
+
+      %{client_assertion_type: _} ->
+        add_error(changeset, :client_assertion, "can't be blank", validation: :required)
+
+      _any ->
+        changeset
+        |> add_error(:client_assertion, "can't be blank", validation: :required)
+        |> add_error(:client_assertion_type, "can't be blank", validation: :required)
+    end
   end
 end

apps/authenticator/lib/sign_in/commands/resource_owner.ex

@@ -5,8 +5,11 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
   With the resource owner password credentials grant type, the user provides their
   username and password directly and we uses it to authenticates then.
 
-  The Client application should pass their secret in order to be authorized to exchange
-  the credentials for an access_token.
+  The Client application should pass their secret (or client assertion) in order to be authorized
+  to exchange the credentials for an access_token.
+
+  When a public key is registered for the client application this flow will require that
+  an assertion is passed instead of the raw secret to avoid sending it on requests.
 
   This grant type should only be enabled on the authorization server if other flows are not viable and
   should also only be used if the identity owner trusts in the application.
@@ -17,7 +20,7 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
   alias Authenticator.Crypto.Commands.{FakeVerifyHash, VerifyHash}
   alias Authenticator.Ports.ResourceManager, as: Port
   alias Authenticator.Sessions
-  alias Authenticator.Sessions.Tokens.{AccessToken, RefreshToken}
+  alias Authenticator.Sessions.Tokens.{AccessToken, ClientAssertion, RefreshToken}
   alias Authenticator.SignIn.Inputs.ResourceOwner, as: Input
   alias ResourceManager.Permissions.Scopes
 
@@ -29,6 +32,9 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
   The application has to be active, using openid-connect protocol and with access_type
   confidential in order to use this flow.
 
+  When the client application has a public_key saved on database we force the use of
+  client_assertions on input to avoid passing it's secret open on requests.
+
   If we fail in some step before verifying user password we have to fake it's verification
   to avoid exposing identity existance and time attacks.
   """
@@ -37,7 +43,7 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
     with {:app, {:ok, app}} <- {:app, Port.get_identity(%{client_id: client_id})},
          {:flow_enabled?, true} <- {:flow_enabled?, "resource_owner" in app.grant_flows},
          {:app_active?, true} <- {:app_active?, app.status == "active"},
-         {:secret_matches?, true} <- {:secret_matches?, app.secret == input.client_secret},
+         {:secret_matches?, true} <- {:secret_matches?, secret_matches?(app, input)},
          {:confidential?, true} <- {:confidential?, app.access_type == "confidential"},
          {:valid_protocol?, true} <- {:valid_protocol?, app.protocol == "openid-connect"},
          {:user, {:ok, user}} <- {:user, Port.get_identity(%{username: username})},
@@ -64,7 +70,7 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
         {:error, :unauthenticated}
 
       {:secret_matches?, false} ->
-        Logger.info("Client application #{client_id} secret do not match any credential")
+        Logger.info("Client application #{client_id} credential didn't matches")
         FakeVerifyHash.execute(:argon2)
         {:error, :unauthenticated}
 
@@ -118,6 +124,27 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
 
   def execute(_any), do: {:error, :invalid_params}
 
+  defp secret_matches?(%{client_id: id, public_key: public_key}, %{client_assertion: assertion})
+       when is_binary(assertion) do
+    signer = get_signer_context(public_key)
+
+    assertion
+    |> ClientAssertion.verify_and_validate(signer, %{client_id: id})
+    |> case do
+      {:ok, _claims} -> true
+      {:error, _reason} -> false
+    end
+  end
+
+  defp secret_matches?(%{public_key: nil, secret: app_secret}, %{client_secret: input_secret})
+       when is_binary(app_secret) and is_binary(input_secret),
+       do: app_secret == input_secret
+
+  defp secret_matches?(_application, _input), do: false
+
+  defp get_signer_context(%{value: pem, type: "rsa", format: "pem"}),
+    do: Joken.Signer.create("RS256", %{"pem" => pem})
+
   defp build_scope(user, application, scopes) do
     user_scopes = Enum.map(user.scopes, & &1.name)
     app_scopes = Enum.map(application.scopes, & &1.name)