1
Fork 0
mirror of https://github.com/jech/galene.git synced 2024-11-12 19:55:59 +01:00

Honour the kid field in JWT if present.

This commit is contained in:
Juliusz Chroboczek 2024-05-11 12:29:30 +02:00
parent 6c01925342
commit 969354e9e5
3 changed files with 18 additions and 9 deletions

5
README
View file

@ -319,8 +319,9 @@ specify either an authorisation server or an authorisation portal.
"authServer": "https://auth.example.org",
}
If multiple keys are provided, then they will all be tried in turn (the
kid field, if provided, is ignored).
If multiple keys are provided, then they will all be tried in turn, unless
the token includes the "kid" header field, in which case only the
specified key will be used.
If an authorisation server is specified, then the default client, after it
prompts for a password, will request a token from the authorisation server

View file

@ -581,7 +581,7 @@ func SetWildcardUser(group string, user *UserDescription) error {
func SetKeys(group string, keys []map[string]any) error {
if keys != nil {
_, err := token.ParseKeys(keys)
_, err := token.ParseKeys(keys, "")
if err != nil {
return err
}

View file

@ -96,14 +96,18 @@ func ParseKey(key map[string]any) (any, error) {
}
}
func ParseKeys(keys []map[string]any) ([]jwt.VerificationKey, error) {
ks := make([]jwt.VerificationKey, len(keys))
for i, ky := range keys {
func ParseKeys(keys []map[string]any, kid string) ([]jwt.VerificationKey, error) {
ks := make([]jwt.VerificationKey, 0, len(keys))
for _, ky := range keys {
// return all keys if kid is not specified
if kid != "" && ky["kid"] != kid {
continue
}
k, err := ParseKey(ky)
if err != nil {
return nil, err
}
ks[i] = k
ks = append(ks, k)
}
return ks, nil
}
@ -130,11 +134,15 @@ func toStringArray(a interface{}) ([]string, bool) {
func parseJWT(token string, keys []map[string]any) (*JWT, error) {
t, err := jwt.Parse(
token,
func(t *jwt.Token) (interface{}, error) {
ks, err := ParseKeys(keys)
func(t *jwt.Token) (any, error) {
kid, _ := t.Header["kid"].(string)
ks, err := ParseKeys(keys, kid)
if err != nil {
return nil, err
}
if len(ks) == 1 {
return ks[0], nil
}
return jwt.VerificationKeySet{Keys: ks}, nil
},
jwt.WithExpirationRequired(),