package oidc
import (
"context"
"time"
"github.com/go-jose/go-jose/v4"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
)
// JWTProfile handles the JWT profile grant and answers with an access token
// response built from a newly created OIDC session.
//
// The steps run in a fixed order and the first failure aborts the request:
// the assertion is verified, the requested scopes are validated against a
// client built from the verified key's user, the org scopes are checked
// against that user's resource owner, the session is created, and the token
// response is derived from it.
//
// The deferred function first reports the error to the tracing span and then
// overwrites the named result with oidcError(err), so the span sees the
// original error while the caller sees the converted one.
func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGrantRequest]) (_ *op.Response, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() {
		span.EndWithError(err)
		err = oidcError(err)
	}()

	keyUser, err := s.verifyJWTProfile(ctx, r.Data)
	if err != nil {
		return nil, err
	}

	// Every identity field below comes from the user returned by the
	// verification step; nothing is copied from the request itself.
	svcClient := &clientCredentialsClient{
		clientID:      keyUser.Username,
		userID:        keyUser.UserID,
		resourceOwner: keyUser.ResourceOwner,
		tokenType:     keyUser.TokenType,
	}

	grantedScope, err := op.ValidateAuthReqScopes(svcClient, r.Data.Scope)
	if err != nil {
		return nil, err
	}
	grantedScope, err = s.checkOrgScopes(ctx, svcClient.resourceOwner, grantedScope)
	if err != nil {
		return nil, err
	}

	// NOTE(review): the audience is derived from the raw requested scopes
	// (r.Data.Scope), not from grantedScope, which has passed
	// ValidateAuthReqScopes and checkOrgScopes. Confirm this is intended.
	audience := domain.AddAudScopeToAudience(ctx, nil, r.Data.Scope)
	// The session records private-key authentication as its only auth method.
	authMethods := []domain.UserAuthMethodType{domain.UserAuthMethodTypePrivateKey}

	oidcSession, err := s.command.CreateOIDCSession(ctx,
		svcClient.userID,
		svcClient.resourceOwner,
		svcClient.clientID,
		"", // backChannelLogoutURI not needed for service user session
		grantedScope,
		audience,
		authMethods,
		time.Now(),
		"",
		nil,
		nil,
		domain.TokenReasonJWTProfile,
		nil,
		false,
		"",
		domain.OIDCResponseTypeUnspecified,
	)
	if err != nil {
		return nil, err
	}

	// The trailing string and bool arguments are positional; their meaning is
	// defined by accessTokenResponseFromSession and is not visible here.
	return response(s.accessTokenResponseFromSession(ctx, svcClient, oidcSession, "", "", false, true, true, false))
}
// verifyJWTProfile verifies the JWT assertion carried by req and returns the
// user that owns the key used for the check.
//
// The value returned by op.VerifyJWTAssertion is discarded. The user is
// captured by jwtProfileKeyStorage as a side effect of the key lookup it
// performs, so it is only available once GetKeyByIDAndClientID has run.
// Any verification error is recorded on the tracing span and returned as is.
func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (_ *query.AuthNKeyUser, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	// A fresh storage per call keeps the captured user scoped to this request.
	keyStore := &jwtProfileKeyStorage{query: s.query}
	issuer := op.IssuerFromContext(ctx)
	// NOTE(review): time.Hour and time.Second are presumably the maximum
	// accepted age of the assertion's iat claim and the allowed clock offset.
	// Confirm against op.NewJWTProfileVerifier.
	jwtVerifier := op.NewJWTProfileVerifier(keyStore, issuer, time.Hour, time.Second)

	if _, err = op.VerifyJWTAssertion(ctx, req.Assertion, jwtVerifier); err != nil {
		return nil, err
	}
	// NOTE(review): keyStore.user stays nil if verification ever succeeds
	// without calling GetKeyByIDAndClientID, and JWTProfile dereferences the
	// result without a nil check.
	return keyStore.user, nil
}
// jwtProfileKeyStorage is the key storage handed to op.NewJWTProfileVerifier
// in verifyJWTProfile. Besides serving the public key, it remembers the user
// the key belongs to so the caller can read it after verification.
//
// verifyJWTProfile creates a new instance for every call, and
// GetKeyByIDAndClientID overwrites user each time it runs.
type jwtProfileKeyStorage struct {
	// query is the backend used to look up the key's user.
	query *query.Queries
	// user is the result of the most recent GetAuthNKeyUser lookup.
	user *query.AuthNKeyUser // only populated after GetKeyByIDAndClientID is called
}
// GetKeyByIDAndClientID loads the user for the keyID and userID pair, parses
// that user's stored public key, and returns it as a signature JWK.
//
// The looked-up user is stored on the receiver as a side effect, which is how
// verifyJWTProfile learns who the key belongs to. The receiver field is
// assigned whatever GetAuthNKeyUser returns, including when it returns an
// error. An error from the lookup or from parsing the key is returned
// unchanged, with a nil key.
func (s *jwtProfileKeyStorage) GetKeyByIDAndClientID(ctx context.Context, keyID, userID string) (_ *jose.JSONWebKey, err error) {
	// The lookup is bound to both the key ID and the user ID.
	// NOTE(review): both values are supplied by the verifier, presumably from
	// the assertion. Confirm against the caller.
	if s.user, err = s.query.GetAuthNKeyUser(ctx, keyID, userID); err != nil {
		return nil, err
	}

	pub, err := crypto.BytesToPublicKey(s.user.PublicKey)
	if err != nil {
		return nil, err
	}

	// Use is fixed to "sig": the key is handed out for signature verification.
	jwk := &jose.JSONWebKey{
		KeyID: keyID,
		Use:   "sig",
		Key:   pub,
	}
	return jwk, nil
}