From 1d583e53670557d7972ec65b46bc3ce5b4fd8a68 Mon Sep 17 00:00:00 2001
From: Juliusz Chroboczek
Date: Fri, 18 Feb 2022 19:21:02 +0100
Subject: [PATCH] Don't verify token issuer.

This makes it possible to use token authentication without an authentication server.
---
 group/group.go | 5 ++---
 token/token.go | 7 +------
 token/token_test.go | 31 +++++--------------------------
 3 files changed, 8 insertions(+), 35 deletions(-)

diff --git a/group/group.go b/group/group.go
index 42b21ec..4c3c8fa 100644
--- a/group/group.go
+++ b/group/group.go
@@ -1097,10 +1097,9 @@ func (desc *Description) GetPermission(group string, creds ClientCredentials) (C
 		return p, ErrNotAuthorised
 	}
 
-	if desc.AuthServer != "" && creds.Token != "" {
+	if creds.Token != "" {
 		aud, perms, err := token.Valid(
-			creds.Username, creds.Token,
-			desc.AuthKeys, desc.AuthServer,
+			creds.Username, creds.Token, desc.AuthKeys,
 		)
 		if err != nil {
 			log.Printf("Token authentication: %v", err)
diff --git a/token/token.go b/token/token.go
index 90fc3d1..5d7455a 100644
--- a/token/token.go
+++ b/token/token.go
@@ -11,7 +11,6 @@ import (
 )
 
 var ErrUnexpectedSub = errors.New("unexpected 'sub' field")
-var ErrUnexpectedIss = errors.New("unexpected 'iss' field")
 
 func parseBase64(k string, d map[string]interface{}) ([]byte, error) {
 	v, ok := d[k].(string)
@@ -106,7 +105,7 @@ func getKey(header map[string]interface{}, keys []map[string]interface{}) (inter
 	return nil, errors.New("key not found")
 }
 
-func Valid(username, token string, keys []map[string]interface{}, issuer string) ([]string, map[string]interface{}, error) {
+func Valid(username, token string, keys []map[string]interface{}) ([]string, map[string]interface{}, error) {
 	tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
 		return getKey(t.Header, keys)
 	})
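Review bot: With the `desc.AuthServer != ""` guard gone, any token signed by one of `desc.AuthKeys` is accepted no matter what its `iss` claim says, so the key set alone now decides which issuers this group trusts; that is the intent of the commit, but it deserves a comment at the new `if creds.Token != "" {` line, e.g. `// No issuer check: every token signed by one of AuthKeys is trusted, so those keys must be dedicated to this server's token authentication.` If a key is shared with another service, tokens minted for that service would now validate here as well, and the `aud` value returned by `token.Valid` is presumably the only remaining thing that could reject them; that comparison is outside this hunk. GetPermission continues past the end of the hunk.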
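Review bot: `Valid` is exported but has no doc comment, and after this hunk its contract has changed in a way callers need to know: the `iss` claim is no longer compared to anything (the check is deleted in the `@@ -119,10 +118,6 @@` hunk) and the exported `ErrUnexpectedIss` sentinel is gone (the `@@ -11,7 +11,6 @@` hunk), so any code that compared errors against it stops compiling. Suggest a doc comment above the new signature along the lines of `// Valid checks that token is signed by one of keys and that its "sub" claim equals username; "iss" is deliberately not checked, so every key in keys is fully trusted.` followed by a sentence describing the two returned values (the "aud" list and the map the caller in group.go receives as perms), worded to match what the body outside this hunk actually extracts. The body of Valid continues past the end of the hunk.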
@@ -119,10 +118,6 @@ func Valid(username, token string, keys []map[string]interface{}, issuer string)
 	if !ok || sub != username {
 		return nil, nil, ErrUnexpectedSub
 	}
-	iss, ok := claims["iss"].(string)
-	if !ok || iss != issuer {
-		return nil, nil, ErrUnexpectedIss
-	}
 	aud, ok := claims["aud"]
 	var res []string
 	if ok {
diff --git a/token/token_test.go b/token/token_test.go
index 65911e1..360f822 100644
--- a/token/token_test.go
+++ b/token/token_test.go
@@ -75,9 +75,7 @@ func TestValid(t *testing.T) {
 	goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg"
 
-	aud, perms, err := Valid(
-		"john", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err := Valid("john", goodToken, keys)
 	if err != nil {
 		t.Errorf("Token invalid: %v", err)
@@ -92,26 +90,14 @@ func TestValid(t *testing.T) {
 		}
 	}
 
-	aud, perms, err = Valid(
-		"jack", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err = Valid("jack", goodToken, keys)
 	if err != ErrUnexpectedSub {
 		t.Errorf("Token should have bad username")
 	}
 
-	aud, perms, err = Valid(
-		"john", goodToken, keys, "http://localhost:4567/",
-	)
-	if err != ErrUnexpectedIss {
-		t.Errorf("Token should have bad issuer")
-	}
-
 	badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg"
 
-	_, _, err = Valid(
-		"john", badToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", badToken, keys)
 
 	var verr *jwt.ValidationError
 	if !errors.As(err, &verr) {
@@ -120,10 +106,7 @@ func TestValid(t *testing.T) {
 
 	expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA"
 
-	_, _, err = Valid(
-		"john", expiredToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", expiredToken, keys)
 	if !errors.As(err, &verr) {
 		t.Errorf("Token should be expired")
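Review bot: Deleting the bad-issuer case leaves nothing that exercises the behaviour this commit introduces: every token in this test appears to carry the same `iss` the removed calls passed (`http://localhost:1234/`), so a token with a different or missing `iss` is never handed to `Valid`. One extra token signed with the same test key but a different `iss`, with `if err != nil { t.Errorf("Token with foreign issuer should be accepted: %v", err) }`, would pin the new contract and catch a future reintroduction of the check. The `if err != ErrUnexpectedSub` comparison on the context line is pre-existing and would read better as `!errors.Is(err, ErrUnexpectedSub)`, but that is outside the new code. TestValid continues beyond this hunk.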
@@ -131,11 +114,7 @@ func TestValid(t *testing.T) {
 
 	noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ."
 
-	_, _, err = Valid(
-		"john", noneToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
-
+	_, _, err = Valid("john", noneToken, keys)
 	if err == nil {
 		t.Errorf("Unsigned token should fail")
 	}