mirror of https://github.com/jech/galene.git
Honour the kid field in JWT if present.
This commit is contained in:
Juliusz Chroboczek
parent
6c01925342
commit
969354e9e5
5
README
5
README
|
|
@ -319,8 +319,9 @@ specify either an authorisation server or an authorisation portal.
|
|||
"authServer": "https://auth.example.org",
|
||||
}
|
||||
|
||||
If multiple keys are provided, then they will all be tried in turn (the
|
||||
kid field, if provided, is ignored).
|
||||
If multiple keys are provided, then they will all be tried in turn, unless
|
||||
the token includes the "kid" header field, in which case only the
|
||||
specified key will be used.
|
||||
|
||||
If an authorisation server is specified, then the default client, after it
|
||||
prompts for a password, will request a token from the authorisation server
|
||||
|
|
|
|||
|
|
@ -581,7 +581,7 @@ func SetWildcardUser(group string, user *UserDescription) error {
|
|||
|
||||
func SetKeys(group string, keys []map[string]any) error {
|
||||
if keys != nil {
|
||||
_, err := token.ParseKeys(keys)
|
||||
_, err := token.ParseKeys(keys, "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
20
token/jwt.go
20
token/jwt.go
|
|
@ -96,14 +96,18 @@ func ParseKey(key map[string]any) (any, error) {
|
|||
}
|
||||
}
|
||||
|
||||
func ParseKeys(keys []map[string]any) ([]jwt.VerificationKey, error) {
|
||||
ks := make([]jwt.VerificationKey, len(keys))
|
||||
for i, ky := range keys {
|
||||
func ParseKeys(keys []map[string]any, kid string) ([]jwt.VerificationKey, error) {
|
||||
ks := make([]jwt.VerificationKey, 0, len(keys))
|
||||
for _, ky := range keys {
|
||||
// return all keys if kid is not specified
|
||||
if kid != "" && ky["kid"] != kid {
|
||||
continue
|
||||
}
|
||||
k, err := ParseKey(ky)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ks[i] = k
|
||||
ks = append(ks, k)
|
||||
}
|
||||
return ks, nil
|
||||
}
|
||||
|
|
@ -130,11 +134,15 @@ func toStringArray(a interface{}) ([]string, bool) {
|
|||
func parseJWT(token string, keys []map[string]any) (*JWT, error) {
|
||||
t, err := jwt.Parse(
|
||||
token,
|
||||
func(t *jwt.Token) (interface{}, error) {
|
||||
ks, err := ParseKeys(keys)
|
||||
func(t *jwt.Token) (any, error) {
|
||||
kid, _ := t.Header["kid"].(string)
|
||||
ks, err := ParseKeys(keys, kid)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(ks) == 1 {
|
||||
return ks[0], nil
|
||||
}
|
||||
return jwt.VerificationKeySet{Keys: ks}, nil
|
||||
},
|
||||
jwt.WithExpirationRequired(),
|
||||
|
|
|
|||
Loading…
Reference in New Issue