
More JWT paranoia.

This commit is contained in:
Juliusz Chroboczek 2024-05-11 22:45:52 +02:00
parent 4eaf6d058a
commit d9e956be48
3 changed files with 14 additions and 6 deletions

README

@ -301,8 +301,9 @@ existing authentication and authorisation infrastructure, such as LDAP,
OAuth2 or even Unix passwords.
When an authorisation server is used, the group configuration file
specifies one or more public keys in JWK format. In addition, it may
specify either an authorisation server or an authorisation portal.
specifies one or more public keys in JWK format (with the restriction that
the "alg" key must be specified). In addition, it may specify either an
authorisation server or an authorisation portal.
{
"authKeys": [{


@ -581,7 +581,7 @@ func SetWildcardUser(group string, user *UserDescription) error {
func SetKeys(group string, keys []map[string]any) error {
if keys != nil {
_, err := token.ParseKeys(keys, "")
_, err := token.ParseKeys(keys, "", "")
if err != nil {
return err
}


@ -96,10 +96,13 @@ func ParseKey(key map[string]any) (any, error) {
}
}
func ParseKeys(keys []map[string]any, kid string) ([]jwt.VerificationKey, error) {
func ParseKeys(keys []map[string]any, alg, kid string) ([]jwt.VerificationKey, error) {
ks := make([]jwt.VerificationKey, 0, len(keys))
for _, ky := range keys {
// return all keys if kid is not specified
// return all keys if alg and kid are not specified
if alg != "" && ky["alg"] != alg {
continue
}
if kid != "" && ky["kid"] != kid {
continue
}
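Review bot: A configured key that has no "alg" entry can never be selected once a non-empty alg is passed, because the new `ky["alg"] != alg` compares a nil interface value against the header string and silently `continue`s, so the restriction the README now states ("alg" must be specified) surfaces only as a verification failure for every token, not as a configuration error. Unless ParseKey, whose body sits above this hunk, already rejects such keys, have ParseKeys fail early: `if _, ok := ky["alg"].(string); !ok { return nil, errors.New("key without alg") }` — this also lets the validation call in SetKeys, which passes empty alg and kid, catch the problem at load time. The exported ParseKeys still has no doc comment; the inline note could be promoted to `// ParseKeys returns the configured keys whose alg and kid match; an empty alg or kid matches any key.`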
@ -135,8 +138,12 @@ func parseJWT(token string, keys []map[string]any) (*JWT, error) {
t, err := jwt.Parse(
token,
func(t *jwt.Token) (any, error) {
alg, _ := t.Header["alg"].(string)
if alg == "" {
return nil, errors.New("alg not found")
}
kid, _ := t.Header["kid"].(string)
ks, err := ParseKeys(keys, kid)
ks, err := ParseKeys(keys, alg, kid)
if err != nil {
return nil, err
}