Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require authentication for OAuth token refresh #21421

Merged
merged 7 commits into from
Oct 23, 2022
Merged

Require authentication for OAuth token refresh #21421

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
4aeb963
Require authentication for OAuth token refresh
hickford Oct 12, 2022
4d77d33
Update routers/web/auth/oauth.go
hickford Oct 21, 2022
77c921b
Merge branch 'main' into oauth-authenticate-refresh
lunny Oct 22, 2022
15770eb
Merge branch 'main' into oauth-authenticate-refresh
lunny Oct 22, 2022
1784a7c
Merge branch 'main' into oauth-authenticate-refresh
lunny Oct 22, 2022
c5814e5
Merge branch 'main' into oauth-authenticate-refresh
lunny Oct 23, 2022
28afda6
Merge branch 'main' into oauth-authenticate-refresh
lunny Oct 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions routers/web/auth/oauth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ const (
// TODO move error and responses to SDK or models

// AuthorizeErrorCode represents an error code specified in RFC 6749
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
type AuthorizeErrorCode string

const (
Expand All @@ -68,6 +69,7 @@ const (
)

// AuthorizeError represents an error type specified in RFC 6749
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
type AuthorizeError struct {
ErrorCode AuthorizeErrorCode `json:"error" form:"error"`
ErrorDescription string
Expand All @@ -80,6 +82,7 @@ func (err AuthorizeError) Error() string {
}

// AccessTokenErrorCode represents an error code specified in RFC 6749
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
type AccessTokenErrorCode string

const (
Expand All @@ -98,6 +101,7 @@ const (
)

// AccessTokenError represents an error response specified in RFC 6749
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
type AccessTokenError struct {
ErrorCode AccessTokenErrorCode `json:"error" form:"error"`
ErrorDescription string `json:"error_description"`
Expand Down Expand Up @@ -129,6 +133,7 @@ const (
)

// AccessTokenResponse represents a successful access token response
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
type AccessTokenResponse struct {
AccessToken string `json:"access_token"`
TokenType TokenType `json:"token_type"`
Expand Down Expand Up @@ -663,6 +668,30 @@ func AccessTokenOAuth(ctx *context.Context) {
}

func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID)
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidClient,
ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID),
})
return
}
// "The authorization server MUST ... require client authentication for confidential clients"
// https://datatracker.ietf.org/doc/html/rfc6749#section-6
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
errorDescription := "invalid client secret"
if form.ClientSecret == "" {
errorDescription = "invalid empty client secret"
}
// "invalid_client ... Client authentication failed"
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidClient,
ErrorDescription: errorDescription,
})
return
}

token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
Expand Down
51 changes: 39 additions & 12 deletions tests/integration/oauth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,10 +299,11 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
"client_secret": "inconsistent",
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp = MakeRequest(t, req, http.StatusBadRequest)
parsedError = new(auth.AccessTokenError)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription)
assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription)
}

func TestRefreshTokenInvalidation(t *testing.T) {
Expand All @@ -329,32 +330,58 @@ func TestRefreshTokenInvalidation(t *testing.T) {
// test without invalidation
setting.OAuth2.InvalidateRefreshTokens = false

refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
// omit secret
"redirect_uri": "a",
"refresh_token": parsed.RefreshToken,
})
resp = MakeRequest(t, req, http.StatusBadRequest)
parsedError := new(auth.AccessTokenError)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription)

req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"refresh_token": "UNEXPECTED",
})
resp = MakeRequest(t, req, http.StatusBadRequest)
parsedError = new(auth.AccessTokenError)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)

req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "refresh_token",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"refresh_token": parsed.RefreshToken,
})

bs, err := io.ReadAll(refreshReq.Body)
bs, err := io.ReadAll(req.Body)
assert.NoError(t, err)

refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, refreshReq, http.StatusOK)
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)

refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, refreshReq, http.StatusOK)
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)

// test with invalidation
setting.OAuth2.InvalidateRefreshTokens = true
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, refreshReq, http.StatusOK)
req.Body = io.NopCloser(bytes.NewReader(bs))
MakeRequest(t, req, http.StatusOK)

// repeat request should fail
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
resp = MakeRequest(t, refreshReq, http.StatusBadRequest)
parsedError := new(auth.AccessTokenError)
req.Body = io.NopCloser(bytes.NewReader(bs))
resp = MakeRequest(t, req, http.StatusBadRequest)
parsedError = new(auth.AccessTokenError)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "token was already used", parsedError.ErrorDescription)
Expand Down