fix: bearer token encryption (#1524)

* fix: bearer token encryption * remove some todos
2025-08-12 07:57:32 +00:00 · 2021-04-06 08:31:18 +02:00
parent 18aec74222
commit 27fcf4739d
9 changed files with 26 additions and 21 deletions
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -12,6 +12,7 @@ import (
 	"github.com/caos/zitadel/internal/auth/repository"
 	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/config/types"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/id"
 	"github.com/caos/zitadel/internal/query"
 	"github.com/caos/zitadel/internal/telemetry/metrics"
@@ -57,9 +58,16 @@ type OPStorage struct {
 	signingKeyAlgorithm        string
 }

-func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
+func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.Commands, query *query.Queries, repo repository.Repository, keyConfig *crypto.KeyConfig, localDevMode bool) op.OpenIDProvider {
 	cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
 	logging.Log("OIDC-sd4fd").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("cannot user agent handler")
+	tokenKey, err := crypto.LoadKey(keyConfig, keyConfig.EncryptionKeyID)
+	logging.Log("OIDC-ADvbv").OnError(err).Panic("cannot load OP crypto key")
+	cryptoKey := []byte(tokenKey)
+	if len(cryptoKey) != 32 {
+		logging.Log("OIDC-Dsfds").Panic("OP crypto key must be exactly 32 bytes")
+	}
+	copy(config.OPConfig.CryptoKey[:], cryptoKey)
 	config.OPConfig.CodeMethodS256 = true
 	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 	provider, err := op.NewOpenIDProvider(
--- a/internal/auth/repository/eventsourcing/eventstore/key.go
+++ b/internal/auth/repository/eventsourcing/eventstore/key.go
@@ -131,7 +131,8 @@ func (k *KeyRepository) refreshSigningKey(ctx context.Context, key *model.KeyVie
 	}
 	signingKey, err := model.SigningKeyFromKeyView(key, k.KeyAlgorithm)
 	if err != nil {
-		return false, err
+		logging.Log("EVENT-HJd92").WithError(err).Error("signing key cannot be decrypted -> immediate refresh")
+		return k.refreshSigningKey(ctx, nil, keyCh, algorithm)
 	}
 	k.currentKeyID = signingKey.ID
 	k.currentKeyExpiration = key.Expiry
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -107,7 +107,8 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, co
 			IAMID:                      systemDefaults.IamID,
 		},
 		eventstore.TokenRepo{
-			View: view,
+			View:       view,
+			Eventstore: es,
 		},
 		eventstore.KeyRepository{
 			View:                     view,
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -26,7 +26,7 @@ import (
 )

 type TokenVerifierRepo struct {
-	TokenVerificationKey [32]byte
+	TokenVerificationKey crypto.EncryptionAlgorithm
 	IAMID                string
 	Eventstore           v1.Eventstore
 	View                 *view.View
@@ -68,8 +68,7 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
 func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang, resourceOwner string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	//TODO: use real key
-	tokenIDSubject, err := crypto.DecryptAESString(tokenString, string(repo.TokenVerificationKey[:32]))
+	tokenIDSubject, err := repo.TokenVerificationKey.DecryptString([]byte(tokenString), repo.TokenVerificationKey.EncryptionKeyID())
 	if err != nil {
 		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
 	}
--- a/internal/authz/repository/eventsourcing/repository.go
+++ b/internal/authz/repository/eventsourcing/repository.go
@@ -3,6 +3,7 @@ package eventsourcing
 import (
 	"context"

+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/eventstore/v1"

 	"github.com/caos/zitadel/internal/query"
@@ -49,6 +50,11 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, qu

 	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, systemDefaults)

+	keyAlgorithm, err := crypto.NewAESCrypto(systemDefaults.KeyConfig.EncryptionConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	return &EsRepository{
 		spool,
 		eventstore.UserGrantRepo{
@@ -62,10 +68,10 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, qu
 			IAMV2Query: queries,
 		},
 		eventstore.TokenVerifierRepo{
-			//TODO: Add Token Verification Key
-			Eventstore: es,
-			IAMID:      systemDefaults.IamID,
-			View:       view,
+			TokenVerificationKey: keyAlgorithm,
+			Eventstore:           es,
+			IAMID:                systemDefaults.IamID,
+			View:                 view,
 		},
 	}, nil
 }