2022-01-12 13:22:04 +01:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
2024-08-23 15:43:46 +03:00
|
|
|
"slices"
|
2023-11-21 14:11:38 +02:00
|
|
|
"sync"
|
2024-01-29 17:11:52 +02:00
|
|
|
"sync/atomic"
|
2022-01-12 13:22:04 +01:00
|
|
|
"time"
|
|
|
|
|
|
2024-04-15 12:17:36 +03:00
|
|
|
"github.com/go-jose/go-jose/v4"
|
2023-11-21 14:11:38 +02:00
|
|
|
"github.com/jonboulle/clockwork"
|
2023-10-19 12:34:00 +02:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
2022-01-12 13:22:04 +01:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
2024-08-23 15:43:46 +03:00
|
|
|
http_util "github.com/zitadel/zitadel/internal/api/http"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2022-01-12 13:22:04 +01:00
|
|
|
)
|
|
|
|
|
|
2024-08-23 15:43:46 +03:00
|
|
|
var supportedWebKeyAlgs = []string{
|
|
|
|
|
string(jose.EdDSA),
|
|
|
|
|
string(jose.RS256),
|
|
|
|
|
string(jose.RS384),
|
|
|
|
|
string(jose.RS512),
|
|
|
|
|
string(jose.ES256),
|
|
|
|
|
string(jose.ES384),
|
|
|
|
|
string(jose.ES512),
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-26 19:17:45 +03:00
|
|
|
func supportedSigningAlgs() []string {
|
|
|
|
|
return supportedWebKeyAlgs
|
2024-08-23 15:43:46 +03:00
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
type cachedPublicKey struct {
|
|
|
|
|
lastUse atomic.Int64 // unix micro time.
|
2024-08-23 15:43:46 +03:00
|
|
|
expiry *time.Time // expiry may be nil if the key does not expire.
|
|
|
|
|
webKey *jose.JSONWebKey
|
2024-01-29 17:11:52 +02:00
|
|
|
}
|
|
|
|
|
|
2024-08-23 15:43:46 +03:00
|
|
|
func newCachedPublicKey(key *jose.JSONWebKey, expiry *time.Time, now time.Time) *cachedPublicKey {
|
2024-01-29 17:11:52 +02:00
|
|
|
cachedKey := &cachedPublicKey{
|
2024-08-23 15:43:46 +03:00
|
|
|
expiry: expiry,
|
|
|
|
|
webKey: key,
|
2024-01-29 17:11:52 +02:00
|
|
|
}
|
|
|
|
|
cachedKey.setLastUse(now)
|
|
|
|
|
return cachedKey
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *cachedPublicKey) setLastUse(now time.Time) {
|
|
|
|
|
c.lastUse.Store(now.UnixMicro())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *cachedPublicKey) getLastUse() time.Time {
|
|
|
|
|
return time.UnixMicro(c.lastUse.Load())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *cachedPublicKey) expired(now time.Time, validity time.Duration) bool {
|
|
|
|
|
return c.getLastUse().Add(validity).Before(now)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// publicKeyCache caches public keys in a 2-dimensional map of Instance ID and Key ID.
|
2023-11-21 14:11:38 +02:00
|
|
|
// When a key is not present the queryKey function is called to obtain the key
|
|
|
|
|
// from the database.
|
2024-01-29 17:11:52 +02:00
|
|
|
type publicKeyCache struct {
|
2023-11-21 14:11:38 +02:00
|
|
|
mtx sync.RWMutex
|
2024-01-29 17:11:52 +02:00
|
|
|
instanceKeys map[string]map[string]*cachedPublicKey
|
2024-08-23 15:43:46 +03:00
|
|
|
|
|
|
|
|
// queryKey returns a public web key.
|
|
|
|
|
// If the key does not have expiry, Time may be nil.
|
|
|
|
|
queryKey func(ctx context.Context, keyID string) (*jose.JSONWebKey, *time.Time, error)
|
|
|
|
|
clock clockwork.Clock
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
// newPublicKeyCache initializes a keySetCache starts a purging Go routine.
|
|
|
|
|
// The purge routine deletes all public keys that are older than maxAge.
|
2023-11-21 14:11:38 +02:00
|
|
|
// When the passed context is done, the purge routine will terminate.
|
2024-08-23 15:43:46 +03:00
|
|
|
func newPublicKeyCache(background context.Context, maxAge time.Duration, queryKey func(ctx context.Context, keyID string) (*jose.JSONWebKey, *time.Time, error)) *publicKeyCache {
|
2024-01-29 17:11:52 +02:00
|
|
|
k := &publicKeyCache{
|
|
|
|
|
instanceKeys: make(map[string]map[string]*cachedPublicKey),
|
2023-11-21 14:11:38 +02:00
|
|
|
queryKey: queryKey,
|
|
|
|
|
clock: clockwork.FromContext(background), // defaults to real clock
|
|
|
|
|
}
|
2024-01-29 17:11:52 +02:00
|
|
|
go k.purgeOnInterval(background, k.clock.NewTicker(maxAge/5), maxAge)
|
2023-11-21 14:11:38 +02:00
|
|
|
return k
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
func (k *publicKeyCache) purgeOnInterval(background context.Context, ticker clockwork.Ticker, maxAge time.Duration) {
|
2023-11-21 14:11:38 +02:00
|
|
|
defer ticker.Stop()
|
|
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case <-background.Done():
|
|
|
|
|
return
|
|
|
|
|
case <-ticker.Chan():
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// do the actual purging
|
|
|
|
|
k.mtx.Lock()
|
|
|
|
|
for instanceID, keys := range k.instanceKeys {
|
|
|
|
|
for keyID, key := range keys {
|
2024-01-29 17:11:52 +02:00
|
|
|
if key.expired(k.clock.Now(), maxAge) {
|
2023-11-21 14:11:38 +02:00
|
|
|
delete(keys, keyID)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(keys) == 0 {
|
|
|
|
|
delete(k.instanceKeys, instanceID)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
k.mtx.Unlock()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
func (k *publicKeyCache) setKey(instanceID, keyID string, cachedKey *cachedPublicKey) {
|
2023-11-21 14:11:38 +02:00
|
|
|
k.mtx.Lock()
|
|
|
|
|
defer k.mtx.Unlock()
|
|
|
|
|
|
|
|
|
|
if keys, ok := k.instanceKeys[instanceID]; ok {
|
2024-01-29 17:11:52 +02:00
|
|
|
keys[keyID] = cachedKey
|
2023-11-21 14:11:38 +02:00
|
|
|
return
|
|
|
|
|
}
|
2024-01-29 17:11:52 +02:00
|
|
|
k.instanceKeys[instanceID] = map[string]*cachedPublicKey{keyID: cachedKey}
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
func (k *publicKeyCache) getKey(ctx context.Context, keyID string) (_ *cachedPublicKey, err error) {
|
2023-11-21 14:11:38 +02:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
|
|
|
|
instanceID := authz.GetInstance(ctx).InstanceID()
|
|
|
|
|
|
|
|
|
|
k.mtx.RLock()
|
|
|
|
|
key, ok := k.instanceKeys[instanceID][keyID]
|
|
|
|
|
k.mtx.RUnlock()
|
|
|
|
|
|
|
|
|
|
if ok {
|
2024-01-29 17:11:52 +02:00
|
|
|
key.setLastUse(k.clock.Now())
|
|
|
|
|
} else {
|
2024-08-23 15:43:46 +03:00
|
|
|
newKey, expiry, err := k.queryKey(ctx, keyID)
|
2024-01-29 17:11:52 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
2024-08-23 15:43:46 +03:00
|
|
|
key = newCachedPublicKey(newKey, expiry, k.clock.Now())
|
2024-01-29 17:11:52 +02:00
|
|
|
k.setKey(instanceID, keyID, key)
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
return key, nil
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-29 17:11:52 +02:00
|
|
|
func (k *publicKeyCache) verifySignature(ctx context.Context, jws *jose.JSONWebSignature, checkKeyExpiry bool) (_ []byte, err error) {
|
2023-11-21 14:11:38 +02:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
|
err = oidcError(err)
|
|
|
|
|
span.EndWithError(err)
|
|
|
|
|
}()
|
2023-11-21 14:11:38 +02:00
|
|
|
|
|
|
|
|
if len(jws.Signatures) != 1 {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "OIDC-Gid9s", "Errors.Token.Invalid")
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
key, err := k.getKey(ctx, jws.Signatures[0].Header.KeyID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2024-08-23 15:43:46 +03:00
|
|
|
if checkKeyExpiry && key.expiry != nil && key.expiry.Before(k.clock.Now()) {
|
2024-01-29 17:11:52 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-ciF4k", "Errors.Key.ExpireBeforeNow")
|
|
|
|
|
}
|
2024-08-23 15:43:46 +03:00
|
|
|
return jws.Verify(key.webKey)
|
2024-01-29 17:11:52 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type oidcKeySet struct {
|
|
|
|
|
*publicKeyCache
|
|
|
|
|
|
|
|
|
|
keyExpiryCheck bool
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newOidcKeySet returns an oidc.KeySet implementation around the passed cache.
|
|
|
|
|
// It is advised to reuse the same cache if different key set configurations are required.
|
|
|
|
|
func newOidcKeySet(cache *publicKeyCache, opts ...keySetOption) *oidcKeySet {
|
|
|
|
|
k := &oidcKeySet{
|
|
|
|
|
publicKeyCache: cache,
|
|
|
|
|
}
|
|
|
|
|
for _, opt := range opts {
|
|
|
|
|
opt(k)
|
|
|
|
|
}
|
|
|
|
|
return k
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VerifySignature implements the oidc.KeySet interface.
|
|
|
|
|
func (k *oidcKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (_ []byte, err error) {
|
|
|
|
|
return k.verifySignature(ctx, jws, k.keyExpiryCheck)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type keySetOption func(*oidcKeySet)
|
|
|
|
|
|
|
|
|
|
// withKeyExpiryCheck forces VerifySignature to check the expiry of the public key.
|
|
|
|
|
// Note that public key expiry is not part of the standard,
|
|
|
|
|
// but is currently established behavior of zitadel.
|
|
|
|
|
// We might want to remove this check in the future.
|
|
|
|
|
func withKeyExpiryCheck(check bool) keySetOption {
|
|
|
|
|
return func(k *oidcKeySet) {
|
|
|
|
|
k.keyExpiryCheck = check
|
|
|
|
|
}
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// keySetMap is a mapping of key IDs to public key data.
|
|
|
|
|
type keySetMap map[string][]byte
|
|
|
|
|
|
|
|
|
|
// getKey finds the keyID and parses the public key data
|
|
|
|
|
// into a JSONWebKey.
|
|
|
|
|
func (k keySetMap) getKey(keyID string) (*jose.JSONWebKey, error) {
|
|
|
|
|
pubKey, err := crypto.BytesToPublicKey(k[keyID])
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return &jose.JSONWebKey{
|
|
|
|
|
Key: pubKey,
|
|
|
|
|
KeyID: keyID,
|
2024-08-14 17:18:14 +03:00
|
|
|
Use: crypto.KeyUsageSigning.String(),
|
2023-11-21 14:11:38 +02:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VerifySignature implements the oidc.KeySet interface.
|
|
|
|
|
func (k keySetMap) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
|
|
|
|
|
if len(jws.Signatures) != 1 {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInvalidArgument(nil, "OIDC-Eeth6", "Errors.Token.Invalid")
|
2023-11-21 14:11:38 +02:00
|
|
|
}
|
|
|
|
|
key, err := k.getKey(jws.Signatures[0].Header.KeyID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return jws.Verify(key)
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-12 13:22:04 +01:00
|
|
|
const (
|
|
|
|
|
signingKey = "signing_key"
|
2022-04-25 10:01:17 +02:00
|
|
|
oidcUser = "OIDC"
|
|
|
|
|
|
|
|
|
|
retryBackoff = 500 * time.Millisecond
|
|
|
|
|
retryCount = 3
|
|
|
|
|
lockDuration = retryCount * retryBackoff * 5
|
|
|
|
|
gracefulPeriod = 10 * time.Minute
|
2022-01-12 13:22:04 +01:00
|
|
|
)
|
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SigningKey wraps the query.PrivateKey to implement the op.SigningKey interface
|
2022-04-25 10:01:17 +02:00
|
|
|
type SigningKey struct {
|
|
|
|
|
algorithm jose.SignatureAlgorithm
|
|
|
|
|
id string
|
|
|
|
|
key interface{}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *SigningKey) SignatureAlgorithm() jose.SignatureAlgorithm {
|
|
|
|
|
return s.algorithm
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *SigningKey) Key() interface{} {
|
|
|
|
|
return s.key
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *SigningKey) ID() string {
|
|
|
|
|
return s.id
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// KeySet implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) KeySet(ctx context.Context) (keys []op.Key, err error) {
|
2025-06-26 19:17:45 +03:00
|
|
|
panic(o.panicErr("KeySet"))
|
2022-01-12 13:22:04 +01:00
|
|
|
}
|
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SignatureAlgorithms implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) SignatureAlgorithms(ctx context.Context) ([]jose.SignatureAlgorithm, error) {
|
2025-06-26 19:17:45 +03:00
|
|
|
panic(o.panicErr("SignatureAlgorithms"))
|
2022-04-25 10:01:17 +02:00
|
|
|
}
|
|
|
|
|
|
2022-10-20 13:36:52 +01:00
|
|
|
// SigningKey implements the op.Storage interface
|
2022-04-25 10:01:17 +02:00
|
|
|
func (o *OPStorage) SigningKey(ctx context.Context) (key op.SigningKey, err error) {
|
2025-06-26 19:17:45 +03:00
|
|
|
panic(o.panicErr("SigningKey"))
|
2022-04-25 10:01:17 +02:00
|
|
|
}
|
2024-08-23 15:43:46 +03:00
|
|
|
|
|
|
|
|
func (s *Server) Keys(ctx context.Context, r *op.Request[struct{}]) (_ *op.Response, err error) {
|
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
|
|
|
|
keyset, err := s.query.GetWebKeySet(ctx)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resp := op.NewResponse(keyset)
|
|
|
|
|
if s.jwksCacheControlMaxAge != 0 {
|
|
|
|
|
resp.Header.Set(http_util.CacheControl,
|
|
|
|
|
fmt.Sprintf("max-age=%d, must-revalidate", int(s.jwksCacheControlMaxAge/time.Second)),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
return resp, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func appendPublicKeysToWebKeySet(keyset *jose.JSONWebKeySet, pubkeys *query.PublicKeys) {
|
|
|
|
|
if pubkeys == nil || len(pubkeys.Keys) == 0 {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
keyset.Keys = slices.Grow(keyset.Keys, len(pubkeys.Keys))
|
|
|
|
|
|
|
|
|
|
for _, key := range pubkeys.Keys {
|
|
|
|
|
keyset.Keys = append(keyset.Keys, jose.JSONWebKey{
|
|
|
|
|
Key: key.Key(),
|
|
|
|
|
KeyID: key.ID(),
|
|
|
|
|
Algorithm: key.Algorithm(),
|
|
|
|
|
Use: key.Use().String(),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func queryKeyFunc(q *query.Queries) func(ctx context.Context, keyID string) (*jose.JSONWebKey, *time.Time, error) {
|
|
|
|
|
return func(ctx context.Context, keyID string) (*jose.JSONWebKey, *time.Time, error) {
|
2025-06-26 19:17:45 +03:00
|
|
|
webKey, err := q.GetPublicWebKeyByID(ctx, keyID)
|
2024-08-23 15:43:46 +03:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
2025-06-26 19:17:45 +03:00
|
|
|
return webKey, nil, nil
|
2024-08-23 15:43:46 +03:00
|
|
|
}
|
|
|
|
|
}
|
