Don't verify token issuer.

This makes it possible to use token authentication without an authentication server.
2024-11-09 02:05:59 +01:00 · 2022-02-18 19:21:02 +01:00 · 2022-02-18 19:21:02 +01:00 · 1d583e5367
commit 1d583e5367
parent 7784a2ac96
3 changed files with 8 additions and 35 deletions
--- a/group/group.go
+++ b/group/group.go
@ -1097,10 +1097,9 @@ func (desc *Description) GetPermission(group string, creds ClientCredentials) (C
 		return p, ErrNotAuthorised
 	}

-	if desc.AuthServer != "" && creds.Token != "" {
+	if creds.Token != "" {
 		aud, perms, err := token.Valid(
-			creds.Username, creds.Token,
-			desc.AuthKeys, desc.AuthServer,
+			creds.Username, creds.Token, desc.AuthKeys,
 		)
 		if err != nil {
 			log.Printf("Token authentication: %v", err)
--- a/token/token.go
+++ b/token/token.go
@ -11,7 +11,6 @@ import (
 )

 var ErrUnexpectedSub = errors.New("unexpected 'sub' field")
-var ErrUnexpectedIss = errors.New("unexpected 'iss' field")

 func parseBase64(k string, d map[string]interface{}) ([]byte, error) {
 	v, ok := d[k].(string)
@ -106,7 +105,7 @@ func getKey(header map[string]interface{}, keys []map[string]interface{}) (inter
 	return nil, errors.New("key not found")
 }

-func Valid(username, token string, keys []map[string]interface{}, issuer string) ([]string, map[string]interface{}, error) {
+func Valid(username, token string, keys []map[string]interface{}) ([]string, map[string]interface{}, error) {
 	tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
 		return getKey(t.Header, keys)
 	})
@ -119,10 +118,6 @@ func Valid(username, token string, keys []map[string]interface{}, issuer string)
 	if !ok || sub != username {
 		return nil, nil, ErrUnexpectedSub
 	}
-	iss, ok := claims["iss"].(string)
-	if !ok || iss != issuer {
-		return nil, nil, ErrUnexpectedIss
-	}
 	aud, ok := claims["aud"]
 	var res []string
 	if ok {
--- a/token/token_test.go
+++ b/token/token_test.go
@ -75,9 +75,7 @@ func TestValid(t *testing.T) {

 	goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg"

-	aud, perms, err := Valid(
-		"john", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err := Valid("john", goodToken, keys)

 	if err != nil {
 		t.Errorf("Token invalid: %v", err)
@ -92,26 +90,14 @@ func TestValid(t *testing.T) {
 		}
 	}

-	aud, perms, err = Valid(
-		"jack", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err = Valid("jack", goodToken, keys)
 	if err != ErrUnexpectedSub {
 		t.Errorf("Token should have bad username")
 	}

-	aud, perms, err = Valid(
-		"john", goodToken, keys, "http://localhost:4567/",
-	)
-	if err != ErrUnexpectedIss {
-		t.Errorf("Token should have bad issuer")
-	}
-
 	badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg"

-	_, _, err = Valid(
-		"john", badToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", badToken, keys)

 	var verr *jwt.ValidationError
 	if !errors.As(err, &verr) {
@ -120,10 +106,7 @@ func TestValid(t *testing.T) {

 	expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA"

-	_, _, err = Valid(
-		"john", expiredToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", expiredToken, keys)

 	if !errors.As(err, &verr) {
 		t.Errorf("Token should be expired")
@ -131,11 +114,7 @@ func TestValid(t *testing.T) {

 	noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ."

-	_, _, err = Valid(
-		"john", noneToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
-
+	_, _, err = Valid("john", noneToken, keys)
 	if err == nil {
 		t.Errorf("Unsigned token should fail")
 	}