From d7d7daab2d8ac34d52e8f3a1b16db0757a1027e3 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Fri, 5 Mar 2021 07:44:37 +0100
Subject: [PATCH 1/2] fix: encoding of basic auth header values

---
 pkg/client/rs/resource_server.go | 4 ++--
 pkg/op/token_intospection.go | 9 +++++++++
 pkg/utils/http.go | 2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/pkg/client/rs/resource_server.go b/pkg/client/rs/resource_server.go
index f5dbe696..551fe888 100644
--- a/pkg/client/rs/resource_server.go
+++ b/pkg/client/rs/resource_server.go
@@ -37,11 +37,11 @@ func (r *resourceServer) AuthFn() (interface{}, error) {
 return r.authFn()
 }
-func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option Option) (ResourceServer, error) {
+func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
 authorizer := func() (interface{}, error) {
 return utils.AuthorizeBasic(clientID, clientSecret), nil
 }
- return newResourceServer(issuer, authorizer, option)
+ return newResourceServer(issuer, authorizer, option...)
 }
 func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
 signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
diff --git a/pkg/op/token_intospection.go b/pkg/op/token_intospection.go
index 30d25442..e2ae0ad1 100644
--- a/pkg/op/token_intospection.go
+++ b/pkg/op/token_intospection.go
@@ -3,6 +3,7 @@ package op
 import (
 "errors"
 "net/http"
+ "net/url"
 "github.com/caos/oidc/pkg/oidc"
 "github.com/caos/oidc/pkg/utils"
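Review bot: The new variadic parameter in `NewResourceServerClientCredentials` is named `option` while the sibling constructor `NewResourceServerJWTProfile`, visible two lines below in the same hunk, names the same variadic `options`; on an exported API that name is the documentation, and `option ...Option` reads like a single value. Suggest `option ...Option` → `options ...Option` together with `return newResourceServer(issuer, authorizer, options...)`; Go callers pass the arguments positionally, so the rename is source-compatible. The hunk ends inside the body of `NewResourceServerJWTProfile`.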
@@ -68,6 +69,14 @@ func ParseTokenIntrospectionRequest(r *http.Request, introspector Introspector)
 }
 clientID, clientSecret, ok := r.BasicAuth()
 if ok {
+ clientID, err = url.QueryUnescape(clientID)
+ if err != nil {
+ return "", "", errors.New("invalid basic auth header")
+ }
+ clientSecret, err = url.QueryUnescape(clientSecret)
+ if err != nil {
+ return "", "", errors.New("invalid basic auth header")
+ }
 if err := introspector.Storage().AuthorizeClientIDSecret(r.Context(), clientID, clientSecret); err != nil {
 return "", "", err
 }
diff --git a/pkg/utils/http.go b/pkg/utils/http.go
index fa518153..6632053d 100644
--- a/pkg/utils/http.go
+++ b/pkg/utils/http.go
@@ -30,7 +30,7 @@ type RequestAuthorization func(*http.Request)
 func AuthorizeBasic(user, password string) RequestAuthorization {
 return func(req *http.Request) {
- req.SetBasicAuth(user, password)
+ req.SetBasicAuth(url.QueryEscape(user), url.QueryEscape(password))
 }
 }

From 8f6e2c59742f25aea2e8672c6e5454045c930d7a Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Fri, 5 Mar 2021 07:53:35 +0100
Subject: [PATCH 2/2] chore: improve signer log messages

---
 pkg/op/signer.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/op/signer.go b/pkg/op/signer.go
index 939fe13b..d59ea8e3 100644
--- a/pkg/op/signer.go
+++ b/pkg/op/signer.go
@@ -51,9 +51,18 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
 return
 case key := <-keyCh:
 s.alg = key.Algorithm
+ if key.Algorithm == "" || key.Key == nil {
+ s.signer = nil
+ logging.Log("OP-DAvt4").Warn("signer has no key")
+ continue
+ }
 var err error
 s.signer, err = jose.NewSigner(key, &jose.SignerOptions{})
- logging.Log("OP-pf32aw").OnError(err).Error("error creating signer")
+ if err != nil {
+ logging.Log("OP-pf32aw").WithError(err).Error("error creating signer")
+ continue
+ }
+ logging.Log("OP-agRf2").Info("signer exchanged signing key")
 }
 }
 }
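Review bot: The `url.QueryUnescape` calls added before `AuthorizeClientIDSecret` are the right decode for RFC 6749 §2.3.1 (client_id and client_secret are application/x-www-form-urlencoded before being base64-encoded into the Basic header), but they carry no comment saying so, and they are a visible behavior change: a client that used to send a raw secret containing `%` now gets "invalid basic auth header", and a raw `+` is now decoded to a space, so the credential lookup fails. Suggest a comment above the first decode: `// RFC 6749 §2.3.1: client_id and client_secret are form-urlencoded inside the Basic header; decode before the lookup (clients sending an unencoded '%' or '+' are rejected or mis-decoded from here on).` Both decode assignments use `=` on an `err` that must already be declared earlier in the function, which the hunk does not show, while the existing check right after declares its own `err` with `:=`; worth making those consistent. Returning the same message for either malformed field is good, since it does not reveal which value was rejected. `ParseTokenIntrospectionRequest` starts and ends outside the hunk.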
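Review bot: The changed line form-encodes `user` and `password` unconditionally inside `AuthorizeBasic`, a general helper in `pkg/utils`, which is what an OAuth client must do for client credentials (RFC 6749 §2.3.1) but is wrong against a server that expects plain RFC 7617 Basic auth, where `%` and `+` in a credential are literal. If any caller other than `NewResourceServerClientCredentials` uses this helper (not visible here), leave it untouched and add an OAuth-specific variant; either way the contract should be documented on the function, for example `// AuthorizeBasic sets a Basic Authorization header whose user and password are form-urlencoded as RFC 6749 §2.3.1 requires for OAuth client credentials; it is not suitable for plain RFC 7617 Basic auth.` The diffstat (1 insertion, 1 deletion for this file) implies `net/url` was already imported there, so no import change is missing.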
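Review bot: `s.alg = key.Algorithm` on the context line just above the new guard is still assigned before any validation, so after the `key.Key == nil` branch or a failed `jose.NewSigner` the struct holds a fresh algorithm next to a nil signer, advertising an algorithm it cannot sign with. Drop that early assignment and set `s.alg = key.Algorithm` immediately before `logging.Log("OP-agRf2").Info("signer exchanged signing key")`, or reset `s.alg = ""` in both failure branches. Clearing `s.signer` on a bad key is the fail-closed choice — the OP stops issuing tokens rather than signing with a key that was rotated out — and deserves a comment on `s.signer = nil` such as `// fail closed: never keep signing with a key that has been rotated out`; note the commit title calls this a log-message change while the `continue`s and the nil assignment alter control flow. Whether these writes to `s.signer`/`s.alg` are synchronized with readers on the request path cannot be seen from this hunk; if they are not, the refresh goroutine races with them. `refreshSigningKey` starts outside the hunk.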