forked from ory/fosite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
validator.go
167 lines (141 loc) · 7.06 KB
/
validator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
/*
* Copyright © 2017-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* @author Aeneas Rekkas <aeneas+oss@aeneas.io>
* @Copyright 2017-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
* @license Apache-2.0
*
*/
package openid
import (
"strconv"
"time"
jwtgo "github.com/dgrijalva/jwt-go"
"github.com/ory/fosite"
"github.com/ory/fosite/token/jwt"
"github.com/ory/go-convenience/stringslice"
"github.com/ory/go-convenience/stringsx"
"github.com/pkg/errors"
)
type OpenIDConnectRequestValidator struct {
AllowedPrompt []string
Strategy jwt.JWTStrategy
}
func NewOpenIDConnectRequestValidator(prompt []string, strategy jwt.JWTStrategy) *OpenIDConnectRequestValidator {
if len(prompt) == 0 {
prompt = []string{"login", "none", "consent", "select_account"}
}
return &OpenIDConnectRequestValidator{
AllowedPrompt: prompt,
Strategy: strategy,
}
}
func (v *OpenIDConnectRequestValidator) ValidatePrompt(req fosite.AuthorizeRequester) error {
// prompt is case sensitive!
prompt := stringsx.Splitx(req.GetRequestForm().Get("prompt"), " ")
if req.GetClient().IsPublic() {
// Threat: Malicious Client Obtains Existing Authorization by Fraud
// https://tools.ietf.org/html/rfc6819#section-4.2.3
//
// Authorization servers should not automatically process repeat
// authorizations to public clients unless the client is validated
// using a pre-registered redirect URI
// Client Impersonation
// https://tools.ietf.org/html/rfc8252#section-8.6#
//
// As stated in Section 10.2 of OAuth 2.0 [RFC6749], the authorization
// server SHOULD NOT process authorization requests automatically
// without user consent or interaction, except when the identity of the
// client can be assured. This includes the case where the user has
// previously approved an authorization request for a given client id --
// unless the identity of the client can be proven, the request SHOULD
// be processed as if no previous request had been approved.
// To make sure that we are not vulnerable to this type of attack, we will always require consent for public
// clients.
// If prompt is none - meaning that no consent should be requested, we must terminate with an error.
if stringslice.Has(prompt, "none") {
return errors.WithStack(fosite.ErrConsentRequired.WithHint("OAuth 2.0 Client is marked public and requires end-user consent, but \"prompt=none\" was requested."))
}
}
if !isWhitelisted(prompt, v.AllowedPrompt) {
return errors.WithStack(fosite.ErrInvalidRequest.WithHintf(`Used unknown value "%s" for prompt parameter`, prompt))
}
if stringslice.Has(prompt, "none") && len(prompt) > 1 {
// If this parameter contains none with any other value, an error is returned.
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("Parameter \"prompt\" was set to \"none\", but contains other values as well which is not allowed."))
}
maxAge, err := strconv.ParseInt(req.GetRequestForm().Get("max_age"), 10, 64)
if err != nil {
maxAge = 0
}
session, ok := req.GetSession().(Session)
if !ok {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session is not of type fosite/handler/openid.Session."))
}
claims := session.IDTokenClaims()
if claims.Subject == "" {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because session subject is empty."))
}
// Adds a bit of wiggle room for timing issues
if claims.AuthTime.After(time.Now().UTC().Add(time.Second * 5)) {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time is in the future."))
}
if maxAge > 0 {
if claims.AuthTime.IsZero() {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because authentication time claim is required when max_age is set."))
} else if claims.RequestedAt.IsZero() {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because requested at claim is required when max_age is set."))
} else if claims.AuthTime.Add(time.Second * time.Duration(maxAge)).Before(claims.RequestedAt) {
return errors.WithStack(fosite.ErrLoginRequired.WithDebug("Failed to validate OpenID Connect request because authentication time does not satisfy max_age time."))
}
}
if stringslice.Has(prompt, "none") {
if claims.AuthTime.IsZero() {
return errors.WithStack(fosite.ErrServerError.WithDebug("Failed to validate OpenID Connect request because because auth_time is missing from session."))
}
if claims.AuthTime.After(claims.RequestedAt) {
return errors.WithStack(fosite.ErrLoginRequired.WithHint("Failed to validate OpenID Connect request because prompt was set to \"none\" but auth_time happened after the authorization request was registered, indicating that the user was logged in during this request which is not allowed."))
}
}
if stringslice.Has(prompt, "login") {
if claims.AuthTime.Before(claims.RequestedAt) {
return errors.WithStack(fosite.ErrLoginRequired.WithHint("Failed to validate OpenID Connect request because prompt was set to \"login\" but auth_time happened before the authorization request was registered, indicating that the user was not re-authenticated which is forbidden."))
}
}
idTokenHint := req.GetRequestForm().Get("id_token_hint")
if idTokenHint == "" {
return nil
}
tokenHint, err := v.Strategy.Decode(idTokenHint)
if err != nil {
return errors.WithStack(fosite.ErrInvalidRequest.WithHintf("Failed to validate OpenID Connect request as decoding id token from id_token_hint parameter failed because %s.", err.Error()))
}
if hintClaims, ok := tokenHint.Claims.(jwtgo.MapClaims); !ok {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("Failed to validate OpenID Connect request as decoding id token from id_token_hint to *jwt.StandardClaims failed."))
} else if hintSub, _ := hintClaims["sub"].(string); hintSub == "" {
return errors.WithStack(fosite.ErrInvalidRequest.WithHint("Failed to validate OpenID Connect request because provided id token from id_token_hint does not have a subject."))
} else if hintSub != claims.Subject || hintSub != session.GetSubject() {
return errors.WithStack(fosite.ErrLoginRequired.WithHintf("Failed to validate OpenID Connect request because subject from session does not subject from id_token_hint."))
}
return nil
}
func isWhitelisted(items []string, whiteList []string) bool {
for _, item := range items {
if !stringslice.Has(whiteList, item) {
return false
}
}
return true
}