From cbc8c58e85d5ade187fc821b69df4ae030875452 Mon Sep 17 00:00:00 2001
From: Steve0x2a
Date: Mon, 21 Feb 2022 23:17:16 +0800
Subject: [PATCH] fix: oidc jwks endpoint only return default cert (#506)

Signed-off-by: Steve0x2a
---
 authz/authz.go | 2 +-
 controllers/oidc_discovery.go | 6 +++---
 object/oidc_discovery.go | 25 +++++++++++++------------
 routers/router.go | 2 +-
 swagger/swagger.json | 31 +++++++++++++++++-------------
 swagger/swagger.yml | 24 +++++++++++++----------
 6 files changed, 48 insertions(+), 42 deletions(-)

diff --git a/authz/authz.go b/authz/authz.go
index 818e9d80..445b2f3e 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -98,7 +98,7 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, *, /api/certs, *, *
+p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 `
diff --git a/controllers/oidc_discovery.go b/controllers/oidc_discovery.go
index 115b6f01..7bc45d63 100644
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@@ -25,10 +25,10 @@ func (c *RootController) GetOidcDiscovery() {
 c.ServeJSON()
 }
 
-// @Title GetOidcCert
+// @Title GetJwks
 // @Tag OIDC API
-// @router /api/certs [get]
-func (c *RootController) GetOidcCert() {
+// @router /.well-known/jwks [get]
+func (c *RootController) GetJwks() {
 jwks, err := object.GetJsonWebKeySet()
 if err != nil {
 c.ResponseError(err.Error())
diff --git a/object/oidc_discovery.go b/object/oidc_discovery.go
index 51dddded..0c61f8ae 100644
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
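Review bot: The new policy line keeps the method wildcard for the JWKS endpoint, `p, *, *, *, /.well-known/jwks, *, *`, although the endpoint is read-only and the neighbouring openid-configuration rule is already limited to GET; tighten it to `p, *, *, GET, /.well-known/jwks, *, *`. The same wildcard reappears in routers/router.go as `"*:GetJwks"`, while the controller annotation in this patch declares `[get]`, so the policy, the route and the annotation currently disagree. Limiting the anonymous rule and the route to one verb keeps the unauthenticated surface to exactly what the discovery flow needs.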
@@ -73,7 +73,7 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 AuthorizationEndpoint: fmt.Sprintf("%s/login/oauth/authorize", originFrontend),
 TokenEndpoint: fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
 UserinfoEndpoint: fmt.Sprintf("%s/api/userinfo", originBackend),
-JwksUri: fmt.Sprintf("%s/api/certs", originBackend),
+JwksUri: fmt.Sprintf("%s/.well-known/jwks", originBackend),
 ResponseTypesSupported: []string{"id_token"},
 ResponseModesSupported: []string{"login", "code", "link"},
 GrantTypesSupported: []string{"password", "authorization_code"},
@@ -89,21 +89,22 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 }
 
 func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
-cert := GetDefaultCert()
-
+certs := GetCerts("admin")
+jwks := jose.JSONWebKeySet{}
 //follows the protocol rfc 7517(draft)
 //link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
 //or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
-certPemBlock := []byte(cert.PublicKey)
-certDerBlock, _ := pem.Decode(certPemBlock)
-x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
+for _, cert := range certs {
+certPemBlock := []byte(cert.PublicKey)
+certDerBlock, _ := pem.Decode(certPemBlock)
+x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
 
-var jwk jose.JSONWebKey
-jwk.Key = x509Cert.PublicKey
-jwk.Certificates = []*x509.Certificate{x509Cert}
-jwk.KeyID = cert.Name
+var jwk jose.JSONWebKey
+jwk.Key = x509Cert.PublicKey
+jwk.Certificates = []*x509.Certificate{x509Cert}
+jwk.KeyID = cert.Name
+jwks.Keys = append(jwks.Keys, jwk)
+}
 
-var jwks jose.JSONWebKeySet
-jwks.Keys = []jose.JSONWebKey{jwk}
 return jwks, nil
 }
diff --git a/routers/router.go b/routers/router.go
index 6d0f8e1c..1d1b5afb 100644
--- a/routers/router.go
+++ b/routers/router.go
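Review bot: The results of `pem.Decode` and `x509.ParseCertificate` inside the new loop are still discarded, so one stored cert whose `PublicKey` is not a parseable PEM certificate makes `certDerBlock.Bytes` or `x509Cert.PublicKey` dereference nil and panics the whole JWKS endpoint; before this change only the default cert could trigger that, now every row returned by `GetCerts("admin")` can. The function already returns an error and the controller forwards it with `c.ResponseError`, so check both results and return a wrapped error naming the offending cert instead of crashing. Two smaller points: when `certs` is empty `jwks.Keys` stays nil and will serialise as `"keys": null` rather than the empty array RFC 7517 calls for, so initialise it as `jwks := jose.JSONWebKeySet{Keys: []jose.JSONWebKey{}}`; and the owner `"admin"` is hard-coded, which presumably is where signing certs live but deserves a comment or a named constant.
```go
	for _, cert := range certs {
		certDerBlock, _ := pem.Decode([]byte(cert.PublicKey))
		if certDerBlock == nil {
			return jose.JSONWebKeySet{}, fmt.Errorf("cert %q: public key is not a PEM block", cert.Name)
		}
		x509Cert, err := x509.ParseCertificate(certDerBlock.Bytes)
		if err != nil {
			return jose.JSONWebKeySet{}, fmt.Errorf("cert %q: parsing certificate: %w", cert.Name, err)
		}
		// … unchanged: jwk assembly and append to jwks.Keys …
	}
```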
@@ -159,5 +159,5 @@ func initAPI() {
 beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 
 beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
-beego.Router("/api/certs", &controllers.RootController{}, "*:GetOidcCert")
+beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
 }
diff --git a/swagger/swagger.json b/swagger/swagger.json
index 99343fa1..ccd30f04 100644
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@@ -10,6 +10,14 @@ }, "basePath": "/", "paths": { + "/.well-known/jwks": { + "get": { + "tags": [ + "OIDC API" + ], + "operationId": "RootController.GetJwks" + } + }, "/.well-known/openid-configuration": { "get": { "tags": [
@@ -442,14 +450,6 @@ } } }, - "/api/certs": { - "get": { - "tags": [ - "OIDC API" - ], - "operationId": "RootController.GetOidcCert" - } - }, "/api/check-ldap-users-exist": { "post": { "tags": [
@@ -2476,11 +2476,11 @@ } }, "definitions": { - "1867.0xc0003b2ea0.false": { + "1867.0xc00029b560.false": { "title": "false", "type": "object" }, - "1901.0xc0003b2ed0.false": { + "1901.0xc00029b590.false": { "title": "false", "type": "object" },
@@ -2497,10 +2497,10 @@ "type": "object", "properties": { "data": { - "$ref": "#/definitions/1867.0xc0003b2ea0.false" + "$ref": "#/definitions/1867.0xc00029b560.false" }, "data2": { - "$ref": "#/definitions/1901.0xc0003b2ed0.false" + "$ref": "#/definitions/1901.0xc00029b590.false" }, "msg": { "type": "string"
@@ -2521,10 +2521,10 @@ "type": "object", "properties": { "data": { - "$ref": "#/definitions/1867.0xc0003b2ea0.false" + "$ref": "#/definitions/1867.0xc00029b560.false" }, "data2": { - "$ref": "#/definitions/1901.0xc0003b2ed0.false" + "$ref": "#/definitions/1901.0xc00029b590.false" }, "msg": { "type": "string"
@@ -3213,6 +3213,9 @@ "type": "string" } }, + "adfs": { + "type": "string" + }, "affiliation": { "type": "string" },
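Review bot: The old `/api/certs` route is removed outright with no redirect or alias, so any relying party that cached the previous discovery document or has `jwks_uri` pinned in its own configuration will get a 404 on its next key refresh and fail to validate tokens until an operator updates it; whether such clients exist cannot be confirmed from here, but for an identity provider that is a likely breakage. Consider keeping the old path routed to the same handler for a deprecation window, `beego.Router("/api/certs", &controllers.RootController{}, "GET:GetJwks")`, and calling the rename out in the release notes. The `initAPI` function starts outside this hunk.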
diff --git a/swagger/swagger.yml b/swagger/swagger.yml
index 19644279..74330bc6 100644
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -7,6 +7,11 @@ info: email: admin@casbin.org basePath: / paths: + /.well-known/jwks: + get: + tags: + - OIDC API + operationId: RootController.GetJwks /.well-known/openid-configuration: get: tags:
@@ -286,11 +291,6 @@ paths: description: object schema: $ref: '#/definitions/Response' - /api/certs: - get: - tags: - - OIDC API - operationId: RootController.GetOidcCert /api/check-ldap-users-exist: post: tags:
@@ -1620,10 +1620,10 @@ paths: schema: $ref: '#/definitions/object.Userinfo' definitions: - 1867.0xc0003b2ea0.false: + 1867.0xc00029b560.false: title: "false" type: object - 1901.0xc0003b2ed0.false: + 1901.0xc00029b590.false: title: "false" type: object RequestForm:
@@ -1637,9 +1637,9 @@ definitions: type: object properties: data: - $ref: '#/definitions/1867.0xc0003b2ea0.false' + $ref: '#/definitions/1867.0xc00029b560.false' data2: - $ref: '#/definitions/1901.0xc0003b2ed0.false' + $ref: '#/definitions/1901.0xc00029b590.false' msg: type: string name:
@@ -1653,9 +1653,9 @@ definitions: type: object properties: data: - $ref: '#/definitions/1867.0xc0003b2ea0.false' + $ref: '#/definitions/1867.0xc00029b560.false' data2: - $ref: '#/definitions/1901.0xc0003b2ed0.false' + $ref: '#/definitions/1901.0xc00029b590.false' msg: type: string name:
@@ -2118,6 +2118,8 @@ definitions: type: array items: type: string + adfs: + type: string affiliation: type: string apple: