compose: Expose token entropy setting (#342)

Signed-off-by: nerocrux <nerocrux@gmail.com>

compose/compose_strategy.go

@@ -41,6 +41,7 @@ func NewOAuth2HMACStrategy(config *Config, secret []byte, rotatedSecrets [][]byt
 		Enigma: &hmac.HMACStrategy{
 			GlobalSecret:         secret,
 			RotatedGlobalSecrets: rotatedSecrets,
+			TokenEntropy:         config.GetTokenEntropy(),
 		},
 		AccessTokenLifespan:   config.GetAccessTokenLifespan(),
 		AuthorizeCodeLifespan: config.GetAuthorizeCodeLifespan(),

compose/config.go

@@ -78,6 +78,10 @@ type Config struct {
 	// JWKSFetcherStrategy is responsible for fetching JSON Web Keys from remote URLs. This is required when the private_key_jwt
 	// client authentication method is used. Defaults to fosite.DefaultJWKSFetcherStrategy.
 	JWKSFetcher fosite.JWKSFetcherStrategy
+
+	// TokenEntropy indicates the entropy of the random string, used as the "message" part of the HMAC token.
+	// Defaults to 32.
+	TokenEntropy int
 }
 
 // GetScopeStrategy returns the scope strategy to be used. Defaults to glob scope strategy.
@@ -144,3 +148,11 @@ func (c *Config) GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy {
 	}
 	return c.JWKSFetcher
 }
+
+// GetTokenEntropy returns the entropy of the "message" part of a HMAC Token. Defaults to 32.
+func (c *Config) GetTokenEntropy() int {
+	if c.TokenEntropy == 0 {
+		return 32
+	}
+	return c.TokenEntropy
+}

token/hmac/hmacsha.go

@@ -39,7 +39,7 @@ import (
 
 // HMACStrategy is responsible for generating and validating challenges.
 type HMACStrategy struct {
-	AuthCodeEntropy      int
+	TokenEntropy         int
 	GlobalSecret         []byte
 	RotatedGlobalSecrets [][]byte
 	sync.Mutex
@@ -68,8 +68,8 @@ func (c *HMACStrategy) Generate() (string, string, error) {
 	var signingKey [32]byte
 	copy(signingKey[:], c.GlobalSecret)
 
-	if c.AuthCodeEntropy < minimumEntropy {
-		c.AuthCodeEntropy = minimumEntropy
+	if c.TokenEntropy < minimumEntropy {
+		c.TokenEntropy = minimumEntropy
 	}
 
 	// When creating secrets not intended for usage by human users (e.g.,
@@ -79,7 +79,7 @@ func (c *HMACStrategy) Generate() (string, string, error) {
 	// constructed from a cryptographically strong random or pseudo-random
 	// number sequence (see [RFC4086] for best current practice) generated
 	// by the authorization server.
-	tokenKey, err := RandomBytes(c.AuthCodeEntropy)
+	tokenKey, err := RandomBytes(c.TokenEntropy)
 	if err != nil {
 		return "", "", errors.WithStack(err)
 	}

token/hmac/hmacsha_test.go

@@ -37,25 +37,40 @@ func TestGenerateFailsWithShortCredentials(t *testing.T) {
 }
 
 func TestGenerate(t *testing.T) {
-	cg := HMACStrategy{
-		GlobalSecret: []byte("1234567890123456789012345678901234567890"),
+	for _, c := range []struct {
+		globalSecret []byte
+		tokenEntropy int
+	}{
+		{
+			globalSecret: []byte("1234567890123456789012345678901234567890"),
+			tokenEntropy: 32,
+		},
+		{
+			globalSecret: []byte("1234567890123456789012345678901234567890"),
+			tokenEntropy: 64,
+		},
+	} {
+		cg := HMACStrategy{
+			GlobalSecret: c.globalSecret,
+			TokenEntropy: c.tokenEntropy,
+		}
+
+		token, signature, err := cg.Generate()
+		require.NoError(t, err)
+		require.NotEmpty(t, token)
+		require.NotEmpty(t, signature)
+		t.Logf("Token: %s\n Signature: %s", token, signature)
+
+		err = cg.Validate(token)
+		require.NoError(t, err)
+
+		validateSignature := cg.Signature(token)
+		assert.Equal(t, signature, validateSignature)
+
+		cg.GlobalSecret = []byte("baz")
+		err = cg.Validate(token)
+		require.Error(t, err)
 	}
-
-	token, signature, err := cg.Generate()
-	require.NoError(t, err)
-	require.NotEmpty(t, token)
-	require.NotEmpty(t, signature)
-	t.Logf("Token: %s\n Signature: %s", token, signature)
-
-	err = cg.Validate(token)
-	require.NoError(t, err)
-
-	validateSignature := cg.Signature(token)
-	assert.Equal(t, signature, validateSignature)
-
-	cg.GlobalSecret = []byte("baz")
-	err = cg.Validate(token)
-	require.Error(t, err)
 }
 
 func TestValidateSignatureRejects(t *testing.T) {