oauth2: Introduce audience capabilities

This patch allows clients to whitelist audiences and request that audiences are set for oauth2 access and refresh tokens Closes #326 Signed-off-by: arekkas <aeneas@ory.am>
ory · Oct 29, 2018 · 891c4a8 · 891c4a8
1 parent 799fc70
commit 891c4a8
Show file tree

Hide file tree

Showing 47 changed files with 485 additions and 133 deletions.
diff --git a/access_request_handler.go b/access_request_handler.go
@@ -72,6 +72,7 @@ func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session
 	}
 
 	accessRequest.SetRequestedScopes(removeEmpty(strings.Split(r.PostForm.Get("scope"), " ")))
+	accessRequest.SetRequestedAudience(removeEmpty(strings.Split(r.PostForm.Get("audience"), " ")))
 	accessRequest.GrantTypes = removeEmpty(strings.Split(r.PostForm.Get("grant_type"), " "))
 	if len(accessRequest.GrantTypes) < 1 {
 		return accessRequest, errors.WithStack(ErrInvalidRequest.WithHint(`Request parameter "grant_type"" is missing`))

diff --git a/access_request_handler_test.go b/access_request_handler_test.go
@@ -46,7 +46,7 @@ func TestNewAccessRequest(t *testing.T) {
 	defer ctrl.Finish()
 
 	client := &DefaultClient{}
-	fosite := &Fosite{Store: store, Hasher: hasher}
+	fosite := &Fosite{Store: store, Hasher: hasher, AudienceMatchingStrategy:DefaultAudienceMatchingStrategy}
 	for k, c := range []struct {
 		header    http.Header
 		form      url.Values

diff --git a/access_request_test.go b/access_request_test.go
@@ -32,8 +32,12 @@ func TestAccessRequest(t *testing.T) {
 	ar.GrantTypes = Arguments{"foobar"}
 	ar.Client = &DefaultClient{}
 	ar.GrantScope("foo")
+	ar.SetRequestedAudience(Arguments{"foo", "foo", "bar"})
+	ar.SetRequestedScopes(Arguments{"foo", "foo", "bar"})
 	assert.True(t, ar.GetGrantedScopes().Has("foo"))
 	assert.NotNil(t, ar.GetRequestedAt())
 	assert.Equal(t, ar.GrantTypes, ar.GetGrantTypes())
+	assert.Equal(t, Arguments{"foo", "bar"}, ar.Audience)
+	assert.Equal(t, Arguments{"foo", "bar"}, ar.Scopes)
 	assert.Equal(t, ar.Client, ar.GetClient())
 }
diff --git a/audience_strategy.go b/audience_strategy.go
@@ -0,0 +1,59 @@
+package fosite
+
+import (
+	"github.com/ory/go-convenience/stringsx"
+	"github.com/pkg/errors"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type AudienceMatchingStrategy func(haystack []string, needle []string) error
+
+func DefaultAudienceMatchingStrategy(haystack []string, needle []string) error {
+	if len(needle) == 0 {
+		return nil
+	}
+
+	for _, n := range needle {
+		nu, err := url.Parse(n)
+		if err != nil {
+			return errors.WithStack(ErrInvalidRequest.WithHintf(`Unable to parse requested audience "%s".`, n).WithDebug(err.Error()))
+		}
+
+		var found bool
+		for _, h := range haystack {
+			hu, err := url.Parse(h)
+			if err != nil {
+				return errors.WithStack(ErrInvalidRequest.WithHintf(`Unable to parse whitelisted audience "%s".`, h).WithDebug(err.Error()))
+			}
+
+			allowedPath := strings.TrimRight(hu.Path, "/")
+			if nu.Scheme == hu.Scheme &&
+				nu.Host == hu.Host &&
+				(
+					nu.Path == hu.Path ||
+						nu.Path == allowedPath ||
+						len(nu.Path) > len(allowedPath) &&  strings.TrimRight(nu.Path[:len(allowedPath)+1], "/") + "/" == allowedPath+"/") {
+				found = true
+			}
+		}
+
+		if !found {
+			return errors.WithStack(ErrInvalidRequest.WithHintf(`Requested audience "%s" has not been whitelisted by the OAuth 2.0 Client.`, n))
+		}
+	}
+
+	return nil
+}
+
+func (f *Fosite) validateAuthorizeAudience(r *http.Request, request *AuthorizeRequest) (error) {
+	audience := stringsx.Splitx(request.Form.Get("audience"), " ")
+
+	if err := f.AudienceMatchingStrategy(request.Client.GetAudience(), audience); err != nil {
+		return err
+	}
+
+	request.SetRequestedAudience(Arguments(audience))
+	return nil
+}
diff --git a/audience_strategy_test.go b/audience_strategy_test.go
@@ -0,0 +1,95 @@
+package fosite
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestDefaultAudienceMatchingStrategy(t *testing.T) {
+	for k, tc := range []struct {
+		h   []string
+		n   []string
+		err bool
+	}{
+		{
+			h:   []string{},
+			n:   []string{},
+			err: false,
+		},
+		{
+			h:   []string{"http://foo/bar"},
+			n:   []string{},
+			err: false,
+		},
+		{
+			h:   []string{},
+			n:   []string{"http://foo/bar"},
+			err: true,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh/api/users"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh/api/users/"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users/"},
+			n:   []string{"https://cloud.ory.sh/api/users/"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users/"},
+			n:   []string{"https://cloud.ory.sh/api/users"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh/api/users/1234"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh/api/users", "https://cloud.ory.sh/api/users/", "https://cloud.ory.sh/api/users/1234"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users", "https://cloud.ory.sh/api/tenants"},
+			n:   []string{"https://cloud.ory.sh/api/users", "https://cloud.ory.sh/api/users/", "https://cloud.ory.sh/api/users/1234", "https://cloud.ory.sh/api/tenants"},
+			err: false,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh/api/users1234"},
+			err: true,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"http://cloud.ory.sh/api/users"},
+			err: true,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.sh:8000/api/users"},
+			err: true,
+		},
+		{
+			h:   []string{"https://cloud.ory.sh/api/users"},
+			n:   []string{"https://cloud.ory.xyz/api/users"},
+			err: true,
+		},
+	} {
+		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
+			err := DefaultAudienceMatchingStrategy(tc.h, tc.n)
+			if tc.err {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/authorize_request_handler.go b/authorize_request_handler.go
@@ -175,7 +175,7 @@ func (f *Fosite) validateAuthorizeRedirectURI(r *http.Request, request *Authoriz
 }
 
 func (f *Fosite) validateAuthorizeScope(r *http.Request, request *AuthorizeRequest) error {
-	scope := removeEmpty(strings.Split(request.Form.Get("scope"), " "))
+	scope := stringsx.Splitx(request.Form.Get("scope"), " ")
 	for _, permission := range scope {
 		if !f.ScopeStrategy(request.Client.GetScopes(), permission) {
 			return errors.WithStack(ErrInvalidScope.WithHintf(`The OAuth 2.0 Client is not allowed to request scope "%s".`, permission))
@@ -243,6 +243,10 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 		return request, err
 	}
 
+	if err := f.validateAuthorizeAudience(r, request); err != nil {
+		return request, err
+	}
+
 	if len(request.Form.Get("registration")) > 0 {
 		return request, errors.WithStack(ErrRegistrationNotSupported)
 	}

diff --git a/authorize_request_handler_test.go b/authorize_request_handler_test.go
@@ -61,7 +61,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* empty request */
 		{
 			desc:          "empty request fails",
-			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			r:             &http.Request{},
 			expectedError: ErrInvalidClient,
 			mock: func() {
@@ -71,7 +71,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* invalid redirect uri */
 		{
 			desc:          "invalid redirect uri fails",
-			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query:         url.Values{"redirect_uri": []string{"invalid"}},
 			expectedError: ErrInvalidClient,
 			mock: func() {
@@ -81,7 +81,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* invalid client */
 		{
 			desc:          "invalid client fails",
-			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf:          &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query:         url.Values{"redirect_uri": []string{"https://foo.bar/cb"}},
 			expectedError: ErrInvalidClient,
 			mock: func() {
@@ -91,7 +91,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* redirect client mismatch */
 		{
 			desc: "client and request redirects mismatch",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"client_id": []string{"1234"},
 			},
@@ -103,7 +103,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* redirect client mismatch */
 		{
 			desc: "client and request redirects mismatch",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri": []string{""},
 				"client_id":    []string{"1234"},
@@ -116,7 +116,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* redirect client mismatch */
 		{
 			desc: "client and request redirects mismatch",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri": []string{"https://foo.bar/cb"},
 				"client_id":    []string{"1234"},
@@ -129,7 +129,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* no state */
 		{
 			desc: "no state",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri":  []string{"https://foo.bar/cb"},
 				"client_id":     []string{"1234"},
@@ -143,7 +143,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* short state */
 		{
 			desc: "short state",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri":  {"https://foo.bar/cb"},
 				"client_id":     {"1234"},
@@ -158,7 +158,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 		/* fails because scope not given */
 		{
 			desc: "should fail because client does not have scope baz",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri":  {"https://foo.bar/cb"},
 				"client_id":     {"1234"},
@@ -171,27 +171,58 @@ func TestNewAuthorizeRequest(t *testing.T) {
 			},
 			expectedError: ErrInvalidScope,
 		},
+		/* fails because scope not given */
+		{
+			desc: "should fail because client does not have scope baz",
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
+			query: url.Values{
+				"redirect_uri":  {"https://foo.bar/cb"},
+				"client_id":     {"1234"},
+				"response_type": {"code token"},
+				"state":         {"strong-state"},
+				"scope":         {"foo bar"},
+				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+			},
+			mock: func() {
+				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
+					RedirectURIs: []string{"https://foo.bar/cb"}, Scopes: []string{"foo", "bar"},
+					Audience: []string{"https://cloud.ory.sh/api"},
+				}, nil)
+			},
+			expectedError: ErrInvalidRequest,
+		},
 		/* success case */
 		{
 			desc: "should pass",
-			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy},
+			conf: &Fosite{Store: store, ScopeStrategy: ExactScopeStrategy, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy},
 			query: url.Values{
 				"redirect_uri":  {"https://foo.bar/cb"},
 				"client_id":     {"1234"},
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
+				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
 			},
 			mock: func() {
-				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"}, Scopes: []string{"foo", "bar"}}, nil)
+				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
+					ResponseTypes: []string{"code token"},
+					RedirectURIs:  []string{"https://foo.bar/cb"},
+					Scopes:        []string{"foo", "bar"},
+					Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+				}, nil)
 			},
 			expect: &AuthorizeRequest{
 				RedirectURI:   redir,
 				ResponseTypes: []string{"code", "token"},
 				State:         "strong-state",
 				Request: Request{
-					Client: &DefaultClient{ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"}, Scopes: []string{"foo", "bar"}},
-					Scopes: []string{"foo", "bar"},
+					Client: &DefaultClient{
+						ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"},
+						Scopes:   []string{"foo", "bar"},
+						Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					},
+					Scopes:   []string{"foo", "bar"},
+					Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
 				},
 			},
 		},
@@ -210,7 +241,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				assert.EqualError(t, errors.Cause(err), c.expectedError.Error())
 			} else {
 				require.NoError(t, err)
-				AssertObjectKeysEqual(t, c.expect, ar, "ResponseTypes", "Scopes", "Client", "RedirectURI", "State")
+				AssertObjectKeysEqual(t, c.expect, ar, "ResponseTypes", "Audience", "Scopes", "Client", "RedirectURI", "State")
 				assert.NotNil(t, ar.GetRequestedAt())
 			}
 		})