oauth2-proxy/pkg/oidc/verify.go

package oidc

import (
	"context"
	"fmt"
	"reflect"

	"github.com/coreos/go-oidc/v3/oidc"
)

// IDTokenVerifier Used to verify an ID Token and extends oidc.IDTokenVerifier from the underlying oidc library
type IDTokenVerifier struct {
	*oidc.IDTokenVerifier
	*IDTokenVerificationOptions
	allowedAudiences map[string]struct{}
}

// IDTokenVerificationOptions options for the oidc.IDTokenVerifier that are required to verify an ID Token
type IDTokenVerificationOptions struct {
	AudienceClaims []string
	ClientID       string
	ExtraAudiences []string
}

// NewVerifier constructs a new IDTokenVerifier
func NewVerifier(iv *oidc.IDTokenVerifier, vo *IDTokenVerificationOptions) *IDTokenVerifier {
	allowedAudiences := make(map[string]struct{})
	allowedAudiences[vo.ClientID] = struct{}{}
	for _, extraAudience := range vo.ExtraAudiences {
		allowedAudiences[extraAudience] = struct{}{}
	}
	return &IDTokenVerifier{iv, vo, allowedAudiences}
}

// Verify verifies incoming ID Token
func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
	token, err := v.IDTokenVerifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, fmt.Errorf("failed to verify token: %v", err)
	}

	claims := map[string]interface{}{}
	if err := token.Claims(&claims); err != nil {
		return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)
	}

	if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience {
		return nil, err
	}

	return token, err
}

func (v *IDTokenVerifier) verifyAudience(token *oidc.IDToken, claims map[string]interface{}) (bool, error) {
	for _, audienceClaim := range v.AudienceClaims {
		if audienceClaimValue, audienceClaimExists := claims[audienceClaim]; audienceClaimExists {

			// audience claim value can be either interface{} or []interface{},
			// as per spec `aud` can be either a string or a list of strings
			switch audienceClaimValueType := audienceClaimValue.(type) {
			case []interface{}:
				token.Audience = v.interfaceSliceToString(audienceClaimValue)
			case interface{}:
				token.Audience = []string{audienceClaimValue.(string)}
			default:
				return false, fmt.Errorf("audience claim %s holds unsupported type %T",
					audienceClaim, audienceClaimValueType)
			}

			return v.isValidAudience(audienceClaim, token.Audience, v.allowedAudiences)
		}
	}

	return false, fmt.Errorf("audience claims %v do not exist in claims: %v",
		v.AudienceClaims, claims)
}

func (v *IDTokenVerifier) isValidAudience(claim string, audience []string, allowedAudiences map[string]struct{}) (bool, error) {
	for _, aud := range audience {
		if _, allowedAudienceExists := allowedAudiences[aud]; allowedAudienceExists {
			return true, nil
		}
	}

	return false, fmt.Errorf(
		"audience from claim %s with value %s does not match with any of allowed audiences %v",
		claim, audience, allowedAudiences)
}

func (v *IDTokenVerifier) interfaceSliceToString(slice interface{}) []string {
	s := reflect.ValueOf(slice)
	if s.Kind() != reflect.Slice {
		panic(fmt.Sprintf("given a non-slice type %s", s.Kind()))
	}
	var strings []string
	for i := 0; i < s.Len(); i++ {
		strings = append(strings, s.Index(i).Interface().(string))
	}
	return strings
}
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com> 2022-02-15 17:12:22 +01:00			`package oidc`

			`import (`
			`"context"`
			`"fmt"`
			`"reflect"`

			`"github.com/coreos/go-oidc/v3/oidc"`
			`)`

			`// IDTokenVerifier Used to verify an ID Token and extends oidc.IDTokenVerifier from the underlying oidc library`
			`type IDTokenVerifier struct {`
			`*oidc.IDTokenVerifier`
			`*IDTokenVerificationOptions`
			`allowedAudiences map[string]struct{}`
			`}`

			`// IDTokenVerificationOptions options for the oidc.IDTokenVerifier that are required to verify an ID Token`
			`type IDTokenVerificationOptions struct {`
			`AudienceClaims []string`
			`ClientID string`
			`ExtraAudiences []string`
			`}`

			`// NewVerifier constructs a new IDTokenVerifier`
			`func NewVerifier(iv oidc.IDTokenVerifier, vo IDTokenVerificationOptions) *IDTokenVerifier {`
			`allowedAudiences := make(map[string]struct{})`
			`allowedAudiences[vo.ClientID] = struct{}{}`
			`for _, extraAudience := range vo.ExtraAudiences {`
			`allowedAudiences[extraAudience] = struct{}{}`
			`}`
			`return &IDTokenVerifier{iv, vo, allowedAudiences}`
			`}`

			`// Verify verifies incoming ID Token`
			`func (v IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (oidc.IDToken, error) {`
			`token, err := v.IDTokenVerifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to verify token: %v", err)`
			`}`

			`claims := map[string]interface{}{}`
			`if err := token.Claims(&claims); err != nil {`
			`return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)`
			`}`

			`if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience {`
			`return nil, err`
			`}`

			`return token, err`
			`}`

			`func (v IDTokenVerifier) verifyAudience(token oidc.IDToken, claims map[string]interface{}) (bool, error) {`
			`for _, audienceClaim := range v.AudienceClaims {`
			`if audienceClaimValue, audienceClaimExists := claims[audienceClaim]; audienceClaimExists {`

			`// audience claim value can be either interface{} or []interface{},`
			// as per spec `aud` can be either a string or a list of strings
			`switch audienceClaimValueType := audienceClaimValue.(type) {`
			`case []interface{}:`
			`token.Audience = v.interfaceSliceToString(audienceClaimValue)`
			`case interface{}:`
			`token.Audience = []string{audienceClaimValue.(string)}`
			`default:`
			`return false, fmt.Errorf("audience claim %s holds unsupported type %T",`
			`audienceClaim, audienceClaimValueType)`
			`}`

			`return v.isValidAudience(audienceClaim, token.Audience, v.allowedAudiences)`
			`}`
			`}`

			`return false, fmt.Errorf("audience claims %v do not exist in claims: %v",`
			`v.AudienceClaims, claims)`
			`}`

			`func (v *IDTokenVerifier) isValidAudience(claim string, audience []string, allowedAudiences map[string]struct{}) (bool, error) {`
			`for _, aud := range audience {`
			`if _, allowedAudienceExists := allowedAudiences[aud]; allowedAudienceExists {`
			`return true, nil`
			`}`
			`}`

			`return false, fmt.Errorf(`
			`"audience from claim %s with value %s does not match with any of allowed audiences %v",`
			`claim, audience, allowedAudiences)`
			`}`

			`func (v *IDTokenVerifier) interfaceSliceToString(slice interface{}) []string {`
			`s := reflect.ValueOf(slice)`
			`if s.Kind() != reflect.Slice {`
			`panic(fmt.Sprintf("given a non-slice type %s", s.Kind()))`
			`}`
			`var strings []string`
			`for i := 0; i < s.Len(); i++ {`
			`strings = append(strings, s.Index(i).Interface().(string))`
			`}`
			`return strings`
			`}`