Add asymmetric JWT signing (#16010)

* Added asymmetric token signing. * Load signing key from settings. * Added optional kid parameter. * Updated documentation. * Add "kid" to token header.
2021-06-17 23:56:46 +02:00 · 2021-06-17 23:56:46 +02:00 · 29695cd6d5
commit 29695cd6d5
parent f7cd394680
13 changed files with 481 additions and 47 deletions
--- a/routers/install/install.go
+++ b/routers/install/install.go
@ -343,7 +343,7 @@ func SubmitInstall(ctx *context.Context) {
 		cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
 		cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
 		var secretKey string
-		if secretKey, err = generate.NewJwtSecret(); err != nil {
+		if secretKey, err = generate.NewJwtSecretBase64(); err != nil {
 			ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
 			return
 		}
--- a/routers/web/user/oauth.go
+++ b/routers/web/user/oauth.go
@ -13,6 +13,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
@ -24,6 +25,7 @@ import (

 	"gitea.com/go-chi/binding"
 	"github.com/dgrijalva/jwt-go"
+	jsoniter "github.com/json-iterator/go"
 )

 const (
@ -131,7 +133,7 @@ type AccessTokenResponse struct {
 	IDToken      string    `json:"id_token,omitempty"`
 }

-func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*AccessTokenResponse, *AccessTokenError) {
+func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
 	if setting.OAuth2.InvalidateRefreshTokens {
 		if err := grant.IncreaseCounter(); err != nil {
 			return nil, &AccessTokenError{
@ -223,7 +225,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
 			idToken.EmailVerified = app.User.IsActive
 		}

-		signedIDToken, err = idToken.SignToken(clientSecret)
+		signedIDToken, err = idToken.SignToken(signingKey)
 		if err != nil {
 			return nil, &AccessTokenError{
 				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
@ -480,12 +482,37 @@ func GrantApplicationOAuth(ctx *context.Context) {
 func OIDCWellKnown(ctx *context.Context) {
 	t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown")
 	ctx.Resp.Header().Set("Content-Type", "application/json")
+	ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
 	if err := t.Execute(ctx.Resp, ctx.Data); err != nil {
 		log.Error("%v", err)
 		ctx.Error(http.StatusInternalServerError)
 	}
 }

+// OIDCKeys generates the JSON Web Key Set
+func OIDCKeys(ctx *context.Context) {
+	jwk, err := oauth2.DefaultSigningKey.ToJWK()
+	if err != nil {
+		log.Error("Error converting signing key to JWK: %v", err)
+		ctx.Error(http.StatusInternalServerError)
+		return
+	}
+
+	jwk["use"] = "sig"
+
+	jwks := map[string][]map[string]string{
+		"keys": {
+			jwk,
+		},
+	}
+
+	ctx.Resp.Header().Set("Content-Type", "application/json")
+	enc := jsoniter.NewEncoder(ctx.Resp)
+	if err := enc.Encode(jwks); err != nil {
+		log.Error("Failed to encode representation as json. Error: %v", err)
+	}
+}
+
 // AccessTokenOAuth manages all access token requests by the client
 func AccessTokenOAuth(ctx *context.Context) {
 	form := *web.GetForm(ctx).(*forms.AccessTokenForm)
@ -513,13 +540,25 @@ func AccessTokenOAuth(ctx *context.Context) {
 			form.ClientSecret = pair[1]
 		}
 	}
+
+	signingKey := oauth2.DefaultSigningKey
+	if signingKey.IsSymmetric() {
+		clientKey, err := oauth2.CreateJWTSingingKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret))
+		if err != nil {
+			handleAccessTokenError(ctx, AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+				ErrorDescription: "Error creating signing key",
+			})
+			return
+		}
+		signingKey = clientKey
+	}
+
 	switch form.GrantType {
 	case "refresh_token":
-		handleRefreshToken(ctx, form)
-		return
+		handleRefreshToken(ctx, form, signingKey)
 	case "authorization_code":
-		handleAuthorizationCode(ctx, form)
-		return
+		handleAuthorizationCode(ctx, form, signingKey)
 	default:
 		handleAccessTokenError(ctx, AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,
@ -528,7 +567,7 @@ func AccessTokenOAuth(ctx *context.Context) {
 	}
 }

-func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) {
+func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
 	token, err := models.ParseOAuth2Token(form.RefreshToken)
 	if err != nil {
 		handleAccessTokenError(ctx, AccessTokenError{
@ -556,7 +595,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) {
 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
 		return
 	}
-	accessToken, tokenErr := newAccessTokenResponse(grant, form.ClientSecret)
+	accessToken, tokenErr := newAccessTokenResponse(grant, signingKey)
 	if tokenErr != nil {
 		handleAccessTokenError(ctx, *tokenErr)
 		return
@ -564,7 +603,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) {
 	ctx.JSON(http.StatusOK, accessToken)
 }

-func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm) {
+func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
 	if err != nil {
 		handleAccessTokenError(ctx, AccessTokenError{
@ -618,7 +657,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm) {
 			ErrorDescription: "cannot proceed your request",
 		})
 	}
-	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, form.ClientSecret)
+	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, signingKey)
 	if tokenErr != nil {
 		handleAccessTokenError(ctx, *tokenErr)
 		return
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -295,6 +295,7 @@ func RegisterRoutes(m *web.Route) {
 	}, ignSignInAndCsrf, reqSignIn)
 	m.Get("/login/oauth/userinfo", ignSignInAndCsrf, user.InfoOAuth)
 	m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+	m.Get("/login/oauth/keys", ignSignInAndCsrf, user.OIDCKeys)

 	m.Group("/user/settings", func() {
 		m.Get("", userSetting.Profile)