fixes #311 swt introspection to use request headers for clientId andd…
… clientSecret (#312)
stevehu committed Aug 2, 2023
1 parent b3f7535 commit c958fbf
Showing 2 changed files with 17 additions and 2 deletions.
Expand Up @@ -17,6 +17,7 @@
import com.networknt.security.SecurityConfig;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.StringUtils;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
Expand Down Expand Up @@ -136,7 +137,10 @@ public boolean handleSwt(HttpServerExchange exchange, String reqPath, List<Strin
if (logger.isTraceEnabled())
logger.trace("parsed swt from authorization = " + swt.substring(0, 10));
try {
Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds);
String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
Result<TokenInfo> tokenInfoResult = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
if(tokenInfoResult.isFailure()) {
// return error status to the user.
setExchangeStatus(exchange, tokenInfoResult.getError());
Expand Down Expand Up @@ -326,7 +330,11 @@ protected boolean hasValidSecondaryScopes(HttpServerExchange exchange, String sc
if (logger.isTraceEnabled())
logger.trace("start verifying scope token = " + scopeSwt.substring(0, 10));
try {
Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds);
HeaderMap headerMap = exchange.getRequestHeaders();
String swtClientId = headerMap.getFirst(config.getSwtClientIdHeader());
String swtClientSecret = headerMap.getFirst(config.getSwtClientSecretHeader());
if(logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
Result<TokenInfo> scopeTokenInfo = swtVerifier.verifySwt(scopeSwt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
if(scopeTokenInfo.isFailure()) {
setExchangeStatus(exchange, scopeTokenInfo.getError());
exchange.endExchange();
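Review bot: The trace statements on the `logger.trace("header swtClientId = " ...` lines in both hunks write part of the client secret to the log; `StringUtils.maskHalfString` appears to leave half of the value readable, so a trace-enabled logger still records credential material, and the same line is repeated in the hasValidSecondaryScopes hunk. Logging only whether the header was supplied keeps the diagnostic value without the exposure: `if (logger.isTraceEnabled()) logger.trace("header swtClientId = " + swtClientId + ", swtClientSecret present = " + (swtClientSecret != null));`. The two-line header extraction is also duplicated verbatim across the two hunks; a small private helper returning both values would keep the two verification paths in step if the lookup rules change. Both enclosing methods, handleSwt and hasValidSecondaryScopes, start and end outside the hunks, and whether a missing header falls back to the configured clientId/clientSecret is decided inside swtVerifier.verifySwt, which is not shown here.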
Expand Up @@ -15,6 +15,13 @@ enableVerifyJwt: ${openapi-security.enableVerifyJwt:true}
# request path prefix in skipPathPrefixes.
enableVerifySwt: ${openapi-security.enableVerifySwt:false}

# swt clientId header name. When light-gateway is used and the consumer app does not want to save
# the client secret in the configuration file, it can be passed in the header.
swtClientIdHeader: ${openapi-security.swtClientIdHeader:swt-client}
# swt clientSecret header name. When light-gateway is used and the consumer app does not want to save
# the client secret in the configuration file, it can be passed in the header.
swtClientSecretHeader: ${openapi-security.swtClientSecretHeader:swt-secret}

# Extract JWT scope token from the X-Scope-Token header and validate the JWT token
enableExtractScopeToken: ${openapi-security.enableExtractScopeToken:true}

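Review bot: The comment above `swtClientIdHeader` at the `# swt clientId header name.` lines is a verbatim copy of the clientSecret comment and explains the id header as a way to avoid saving the client secret, which is misleading for the id key; it should read `# swt clientId header name. When light-gateway is used and the consumer app does not want to save the client id in the configuration file, it can be passed in the header.` Since the handler change in this commit reads both values straight from the incoming request headers, it would also help operators if the comment stated that these headers are meant to be set by the gateway on the gateway-to-service hop rather than by arbitrary callers; that intent is implied by the light-gateway wording but not stated. The surrounding configuration file continues beyond the hunk.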
