feat(core): handle dpop and client certificate for token exchange

logto-io · Jul 10, 2024 · 0e31d23 · 0e31d23
1 parent 223d7d6
commit 0e31d23
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 75 deletions.
diff --git a/packages/core/src/oidc/grants/client-credentials.ts b/packages/core/src/oidc/grants/client-credentials.ts
@@ -23,8 +23,6 @@ import { buildOrganizationUrn } from '@logto/core-kit';
 import { cond } from '@silverhand/essentials';
 import type Provider from 'oidc-provider';
 import { errors } from 'oidc-provider';
-import epochTime from 'oidc-provider/lib/helpers/epoch_time.js';
-import dpopValidate from 'oidc-provider/lib/helpers/validate_dpop.js';
 import instance from 'oidc-provider/lib/helpers/weak_cache.js';
 import checkResource from 'oidc-provider/lib/shared/check_resource.js';
 
@@ -34,6 +32,8 @@ import assertThat from '#src/utils/assert-that.js';
 
 import { getSharedResourceServerData, reversedResourceAccessTokenTtl } from '../resource.js';
 
+import { handleClientCertificate, handleDPoP } from './utils.js';
+
 const { AccessDenied, InvalidClient, InvalidGrant, InvalidScope, InvalidTarget } = errors;
 
 /**
@@ -51,7 +51,7 @@ export const buildHandler: (
  // eslint-disable-next-line complexity
 ) => Parameters<Provider['registerGrantType']>[1] = (envSet, queries) => async (ctx, next) => {
  const { client, params } = ctx.oidc;
- const { ClientCredentials, ReplayDetection } = ctx.oidc.provider;
+ const { ClientCredentials } = ctx.oidc.provider;
 
  assertThat(client, new InvalidClient('client must be available'));
 
@@ -62,8 +62,6 @@ export const buildHandler: (
  scopes: statics,
  } = instance(ctx.oidc.provider).configuration();
 
- const dPoP = await dpopValidate(ctx);
-
  /* === RFC 0006 === */
  // The value type is `unknown`, which will swallow other type inferences. So we have to cast it
  // to `Boolean` first.
@@ -166,23 +164,8 @@ export const buildHandler: (
  token.setThumbprint('x5t', cert);
  }
 
- if (dPoP) {
- // @ts-expect-error -- code from oidc-provider
- // eslint-disable-next-line @typescript-eslint/no-unsafe-call
- const unique: unknown = await ReplayDetection.unique(
- client.clientId,
- dPoP.jti,
- epochTime() + 300
- );
-
- assertThat(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
-
- // @ts-expect-error -- code from oidc-provider
- // eslint-disable-next-line @typescript-eslint/no-unsafe-call
- token.setThumbprint('jkt', dPoP.thumbprint);
- } else if (ctx.oidc.client?.dpopBoundAccessTokens) {
- throw new InvalidGrant('DPoP proof JWT not provided');
- }
+ await handleDPoP(ctx, token);
+ await handleClientCertificate(ctx, token);
 
  ctx.oidc.entity('ClientCredentials', token);
  const value = await token.save();

diff --git a/packages/core/src/oidc/grants/refresh-token.ts b/packages/core/src/oidc/grants/refresh-token.ts
@@ -19,19 +19,14 @@
  * The commit hash of the original file is `cf2069cbb31a6a855876e95157372d25dde2511c`.
  */
 
-import { type X509Certificate } from 'node:crypto';
-
 import { UserScope, buildOrganizationUrn } from '@logto/core-kit';
-import { type Optional, isKeyInObject, cond } from '@silverhand/essentials';
+import { isKeyInObject, cond } from '@silverhand/essentials';
 import type Provider from 'oidc-provider';
 import { errors } from 'oidc-provider';
 import difference from 'oidc-provider/lib/helpers/_/difference.js';
-import certificateThumbprint from 'oidc-provider/lib/helpers/certificate_thumbprint.js';
-import epochTime from 'oidc-provider/lib/helpers/epoch_time.js';
 import filterClaims from 'oidc-provider/lib/helpers/filter_claims.js';
 import resolveResource from 'oidc-provider/lib/helpers/resolve_resource.js';
 import revoke from 'oidc-provider/lib/helpers/revoke.js';
-import dpopValidate from 'oidc-provider/lib/helpers/validate_dpop.js';
 import validatePresence from 'oidc-provider/lib/helpers/validate_presence.js';
 import instance from 'oidc-provider/lib/helpers/weak_cache.js';
 
@@ -46,6 +41,8 @@ import {
  isOrganizationConsentedToApplication,
 } from '../resource.js';
 
+import { handleClientCertificate, handleDPoP } from './utils.js';
+
 const { InvalidClient, InvalidGrant, InvalidScope, InsufficientScope, AccessDenied } = errors;
 
 /** The grant type name. `gty` follows the name in oidc-provider. */
@@ -93,8 +90,6 @@ export const buildHandler: (
  },
  } = providerInstance.configuration();
 
- const dPoP = await dpopValidate(ctx);
-
  // @gao: I believe the presence of the param is validated by required parameters of this grant.
  // Add `String` to make TS happy.
  let refreshTokenValue = String(params.refresh_token);
@@ -112,23 +107,6 @@ export const buildHandler: (
  throw new InvalidGrant('refresh token is expired');
  }
 
- let cert: Optional<string | X509Certificate>;
- // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- the original code uses `||`
- if (client.tlsClientCertificateBoundAccessTokens || refreshToken['x5t#S256']) {
- cert = getCertificate(ctx);
- if (!cert) {
- throw new InvalidGrant('mutual TLS client certificate not provided');
- }
- }
-
- if (!dPoP && client.dpopBoundAccessTokens) {
- throw new InvalidGrant('DPoP proof JWT not provided');
- }
-
- if (refreshToken['x5t#S256'] && refreshToken['x5t#S256'] !== certificateThumbprint(cert!)) {
- throw new InvalidGrant('failed x5t#S256 verification');
- }
-
  /* === RFC 0001 === */
  // The value type is `unknown`, which will swallow other type inferences. So we have to cast it
  // to `Boolean` first.
@@ -177,22 +155,6 @@ export const buildHandler: (
  }
  }
 
- if (dPoP) {
- // @ts-expect-error -- code from oidc-provider
- // eslint-disable-next-line @typescript-eslint/no-unsafe-call
- const unique: unknown = await ReplayDetection.unique(
- client.clientId,
- dPoP.jti,
- epochTime() + 300
- );
-
- assertThat(unique, new errors.InvalidGrant('DPoP proof JWT Replay detected'));
- }
-
- if (refreshToken.jkt && (!dPoP || refreshToken.jkt !== dPoP.thumbprint)) {
- throw new InvalidGrant('failed jkt verification');
- }
-
  ctx.oidc.entity('RefreshToken', refreshToken);
  ctx.oidc.entity('Grant', grant);
 
@@ -304,17 +266,8 @@ export const buildHandler: (
  scope: undefined!,
  });
 
- if (client.tlsClientCertificateBoundAccessTokens) {
- // @ts-expect-error -- code from oidc-provider
- // eslint-disable-next-line @typescript-eslint/no-unsafe-call
- at.setThumbprint('x5t', cert);
- }
-
- if (dPoP) {
- // @ts-expect-error -- code from oidc-provider
- // eslint-disable-next-line @typescript-eslint/no-unsafe-call
- at.setThumbprint('jkt', dPoP.thumbprint);
- }
+ await handleDPoP(ctx, at, refreshToken);
+ await handleClientCertificate(ctx, at, refreshToken);
 
  if (at.gty && !at.gty.endsWith(gty)) {
  at.gty = `${at.gty} ${gty}`;

diff --git a/packages/core/src/oidc/grants/token-exchange/index.ts b/packages/core/src/oidc/grants/token-exchange/index.ts
@@ -22,6 +22,7 @@ import {
  getSharedResourceServerData,
  reversedResourceAccessTokenTtl,
 } from '../../resource.js';
+import { handleClientCertificate, handleDPoP } from '../utils.js';
 
 import { handleActorToken } from './actor-token.js';
 import { TokenExchangeTokenType, type TokenExchangeAct } from './types.js';
@@ -93,7 +94,6 @@ export const buildHandler: (
  throw new InvalidGrant('refresh token invalid (referenced account not found)');
  }
 
- // TODO: (LOG-9501) Implement general security checks like dPop
  ctx.oidc.entity('Account', account);
 
  /* === RFC 0001 === */
@@ -137,6 +137,9 @@ export const buildHandler: (
  scope: undefined!,
  });
 
+ await handleDPoP(ctx, accessToken);
+ await handleClientCertificate(ctx, accessToken);
+
  /** The scopes requested by the client. If not provided, use the scopes from the refresh token. */
  const scope = requestParamScopes;
  const resource = await resolveResource(

diff --git a/packages/core/src/oidc/grants/utils.ts b/packages/core/src/oidc/grants/utils.ts
@@ -0,0 +1,81 @@
+import type Provider from 'oidc-provider';
+import { errors, type KoaContextWithOIDC } from 'oidc-provider';
+import certificateThumbprint from 'oidc-provider/lib/helpers/certificate_thumbprint.js';
+import epochTime from 'oidc-provider/lib/helpers/epoch_time.js';
+import dpopValidate from 'oidc-provider/lib/helpers/validate_dpop.js';
+import instance from 'oidc-provider/lib/helpers/weak_cache.js';
+
+import assertThat from '#src/utils/assert-that.js';
+
+const { InvalidGrant, InvalidClient } = errors;
+
+/**
+ * Handle DPoP bound access tokens.
+ */
+export const handleDPoP = async (
+ ctx: KoaContextWithOIDC,
+ token: InstanceType<Provider['AccessToken']> | InstanceType<Provider['ClientCredentials']>,
+ originalToken?: InstanceType<Provider['RefreshToken']>
+) => {
+ const { client } = ctx.oidc;
+ assertThat(client, new InvalidClient('client must be available'));
+
+ const dPoP = await dpopValidate(ctx);
+
+ if (dPoP) {
+ // @ts-expect-error -- code from oidc-provider
+ // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+ const unique: unknown = await ReplayDetection.unique(
+ client.clientId,
+ dPoP.jti,
+ epochTime() + 300
+ );
+
+ assertThat(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+
+ // @ts-expect-error -- code from oidc-provider
+ // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+ token.setThumbprint('jkt', dPoP.thumbprint);
+ } else if (client.dpopBoundAccessTokens) {
+ throw new InvalidGrant('DPoP proof JWT not provided');
+ }
+
+ if (originalToken?.jkt && (!dPoP || originalToken.jkt !== dPoP.thumbprint)) {
+ throw new InvalidGrant('failed jkt verification');
+ }
+};
+
+/**
+ * Handle client certificate bound access tokens.
+ */
+export const handleClientCertificate = async (
+ ctx: KoaContextWithOIDC,
+ token: InstanceType<Provider['AccessToken']> | InstanceType<Provider['ClientCredentials']>,
+ originalToken?: InstanceType<Provider['RefreshToken']>
+) => {
+ const { client, provider } = ctx.oidc;
+ assertThat(client, new InvalidClient('client must be available'));
+
+ const providerInstance = instance(provider);
+ const {
+ features: {
+ mTLS: { getCertificate },
+ },
+ } = providerInstance.configuration();
+
+ // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+ if (client.tlsClientCertificateBoundAccessTokens || originalToken?.['x5t#S256']) {
+ const cert = getCertificate(ctx);
+
+ if (!cert) {
+ throw new InvalidGrant('mutual TLS client certificate not provided');
+ }
+ // @ts-expect-error -- code from oidc-provider
+ // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+ token.setThumbprint('x5t', cert);
+
+ if (originalToken?.['x5t#S256'] && originalToken['x5t#S256'] !== certificateThumbprint(cert)) {
+ throw new InvalidGrant('failed x5t#S256 verification');
+ }
+ }
+};