2023-01-23 07:11:40 +00:00
|
|
|
package jwt
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2023-02-28 20:20:58 +00:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"time"
|
2023-01-23 07:11:40 +00:00
|
|
|
|
2023-02-28 20:20:58 +00:00
|
|
|
"github.com/zitadel/logging"
|
|
|
|
|
"github.com/zitadel/oidc/v2/pkg/client/rp"
|
2023-01-23 07:11:40 +00:00
|
|
|
"github.com/zitadel/oidc/v2/pkg/oidc"
|
|
|
|
|
"golang.org/x/text/language"
|
|
|
|
|
|
2023-03-14 19:20:38 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
2023-01-23 07:11:40 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/idp"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var _ idp.Session = (*Session)(nil)
|
|
|
|
|
|
2023-02-28 20:20:58 +00:00
|
|
|
var (
|
|
|
|
|
ErrNoTokens = errors.New("no tokens provided")
|
|
|
|
|
ErrInvalidToken = errors.New("invalid tokens provided")
|
|
|
|
|
)
|
|
|
|
|
|
2023-01-23 07:11:40 +00:00
|
|
|
// Session is the [idp.Session] implementation for the JWT provider
|
|
|
|
|
type Session struct {
|
2023-02-28 20:20:58 +00:00
|
|
|
*Provider
|
2023-01-23 07:11:40 +00:00
|
|
|
AuthURL string
|
2023-03-28 11:28:56 +00:00
|
|
|
Tokens *oidc.Tokens[*oidc.IDTokenClaims]
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetAuthURL implements the [idp.Session] interface
|
|
|
|
|
func (s *Session) GetAuthURL() string {
|
|
|
|
|
return s.AuthURL
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// FetchUser implements the [idp.Session] interface.
|
|
|
|
|
// It will map the received idToken into an [idp.User].
|
|
|
|
|
func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
|
|
|
|
|
if s.Tokens == nil {
|
|
|
|
|
return nil, ErrNoTokens
|
|
|
|
|
}
|
2023-02-28 20:20:58 +00:00
|
|
|
s.Tokens.IDTokenClaims, err = s.validateToken(ctx, s.Tokens.IDToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-01-23 07:11:40 +00:00
|
|
|
return &User{s.Tokens.IDTokenClaims}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-28 11:28:56 +00:00
|
|
|
func (s *Session) validateToken(ctx context.Context, token string) (*oidc.IDTokenClaims, error) {
|
2023-02-28 20:20:58 +00:00
|
|
|
logging.Debug("begin token validation")
|
|
|
|
|
// TODO: be able to specify them in the template: https://github.com/zitadel/zitadel/issues/5322
|
|
|
|
|
offset := 3 * time.Second
|
|
|
|
|
maxAge := time.Hour
|
2023-03-28 11:28:56 +00:00
|
|
|
claims := new(oidc.IDTokenClaims)
|
2023-02-28 20:20:58 +00:00
|
|
|
payload, err := oidc.ParseToken(token, claims)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("%w: malformed jwt payload: %v", ErrInvalidToken, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = oidc.CheckIssuer(claims, s.Provider.issuer); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("%w: invalid issuer: %v", ErrInvalidToken, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logging.Debug("begin signature validation")
|
|
|
|
|
keySet := rp.NewRemoteKeySet(http.DefaultClient, s.Provider.keysEndpoint)
|
|
|
|
|
if err = oidc.CheckSignature(ctx, token, payload, claims, nil, keySet); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("%w: invalid signature: %v", ErrInvalidToken, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !claims.GetExpiration().IsZero() {
|
|
|
|
|
if err = oidc.CheckExpiration(claims, offset); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("%w: expired: %v", ErrInvalidToken, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !claims.GetIssuedAt().IsZero() {
|
|
|
|
|
if err = oidc.CheckIssuedAt(claims, maxAge, offset); err != nil {
|
|
|
|
|
return nil, fmt.Errorf("%w: %v", ErrInvalidToken, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return claims, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-23 07:11:40 +00:00
|
|
|
type User struct {
|
2023-03-28 11:28:56 +00:00
|
|
|
*oidc.IDTokenClaims
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetID() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.Subject
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetFirstName() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.GivenName
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetLastName() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.FamilyName
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetDisplayName() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.Name
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetNickname() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.Nickname
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetPreferredUsername() string {
|
|
|
|
|
return u.PreferredUsername
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetEmail() domain.EmailAddress {
|
|
|
|
|
return domain.EmailAddress(u.Email)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) IsEmailVerified() bool {
|
|
|
|
|
return bool(u.EmailVerified)
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
2023-03-14 19:20:38 +00:00
|
|
|
func (u *User) GetPhone() domain.PhoneNumber {
|
2023-03-28 11:28:56 +00:00
|
|
|
return domain.PhoneNumber(u.IDTokenClaims.PhoneNumber)
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) IsPhoneVerified() bool {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.PhoneNumberVerified
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetPreferredLanguage() language.Tag {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.Locale.Tag()
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (u *User) GetAvatarURL() string {
|
2023-03-28 11:28:56 +00:00
|
|
|
return u.Picture
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
2023-03-14 19:20:38 +00:00
|
|
|
|
2023-03-28 11:28:56 +00:00
|
|
|
func (u *User) GetProfile() string {
|
|
|
|
|
return u.Profile
|
2023-03-14 19:20:38 +00:00
|
|
|
}
|
