More JWT paranoia.
This commit is contained in:
parent
4eaf6d058a
commit
d9e956be48
3 changed files with 14 additions and 6 deletions
5
README
5
README
|
@ -301,8 +301,9 @@ existing authentication and authorisation infrastructure, such as LDAP,
|
|||
OAuth2 or even Unix passwords.
|
||||
|
||||
When an authorisation server is used, the group configuration file
|
||||
specifies one or more public keys in JWK format. In addition, it may
|
||||
specify either an authorisation server or an authorisation portal.
|
||||
specifies one or more public keys in JWK format (with the restriction that
|
||||
the "alg" key must be specified). In addition, it may specify either an
|
||||
authorisation server or an authorisation portal.
|
||||
|
||||
{
|
||||
"authKeys": [{
|
||||
|
|
|
@ -581,7 +581,7 @@ func SetWildcardUser(group string, user *UserDescription) error {
|
|||
|
||||
func SetKeys(group string, keys []map[string]any) error {
|
||||
if keys != nil {
|
||||
_, err := token.ParseKeys(keys, "")
|
||||
_, err := token.ParseKeys(keys, "", "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
13
token/jwt.go
13
token/jwt.go
|
@ -96,10 +96,13 @@ func ParseKey(key map[string]any) (any, error) {
|
|||
}
|
||||
}
|
||||
|
||||
func ParseKeys(keys []map[string]any, kid string) ([]jwt.VerificationKey, error) {
|
||||
func ParseKeys(keys []map[string]any, alg, kid string) ([]jwt.VerificationKey, error) {
|
||||
ks := make([]jwt.VerificationKey, 0, len(keys))
|
||||
for _, ky := range keys {
|
||||
// return all keys if kid is not specified
|
||||
// return all keys if alg and kid are not specified
|
||||
if alg != "" && ky["alg"] != alg {
|
||||
continue
|
||||
}
|
||||
if kid != "" && ky["kid"] != kid {
|
||||
continue
|
||||
}
|
||||
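Review bot: The new filter `if alg != "" && ky["alg"] != alg` compares an `any` with a string, so a key whose "alg" entry is missing or not a string never matches and is silently skipped rather than reported, while the validation path in SetKeys passes alg as "" and so bypasses the filter entirely; unless ParseKey (outside this hunk) rejects a key without "alg", the restriction the README now states is not enforced at configuration time. A key that loads fine but can never be selected for verification surfaces later only as unexplained token rejections. Extracting the header with a type assertion and failing early makes the restriction explicit and keeps the comparison between two strings. ParseKeys' body continues past the end of the hunk.
```go
for _, ky := range keys {
	// "alg" is mandatory on every configured key: a key without it can
	// never be selected for verification, so reject it at load time.
	kalg, ok := ky["alg"].(string)
	if !ok || kalg == "" {
		return nil, errors.New("key has no alg")
	}
	// return all keys if alg and kid are not specified
	if alg != "" && kalg != alg {
		continue
	}
	// … unchanged: kid filter and key parsing …
```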
|
@ -135,8 +138,12 @@ func parseJWT(token string, keys []map[string]any) (*JWT, error) {
|
|||
t, err := jwt.Parse(
|
||||
token,
|
||||
func(t *jwt.Token) (any, error) {
|
||||
alg, _ := t.Header["alg"].(string)
|
||||
if alg == "" {
|
||||
return nil, errors.New("alg not found")
|
||||
}
|
||||
kid, _ := t.Header["kid"].(string)
|
||||
ks, err := ParseKeys(keys, kid)
|
||||
ks, err := ParseKeys(keys, alg, kid)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
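Review bot: The key callback now passes the token's own "alg" header into ParseKeys, so a token whose alg matches none of the configured keys yields an empty key set; if ParseKeys does not itself return an error for that case (its tail is outside the hunk), fail explicitly right after the call, `if len(ks) == 0 { return nil, errors.New("no key matches alg and kid") }`, so the rejection names its cause instead of depending on how jwt.Parse treats an empty set. Because the alg header comes from whoever presents the token, this filter only narrows which configured key is tried; what keeps a key from being used with an unintended algorithm is the configured "alg" on each key being compatible with the key's type, and it is worth confirming that ParseKey, which is outside the hunk, checks that. parseJWT continues past the end of the hunk.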
|
|