From 0feda696cd34988efab5ec36032af7d57c2bb1f2 Mon Sep 17 00:00:00 2001
From: vdbulcke
Date: Thu, 2 Jun 2022 11:08:03 +0200
Subject: [PATCH] fix: Refresh/Access token jwt decode swap (#20)
---
go.mod | 26 +++++++++++++++++++++-----
go.sum | 4 ++--
oidc-client/config.go | 2 +-
oidc-client/refresh_token.go | 25 ++++++++++++-------------
4 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/go.mod b/go.mod
index 6e65ec9..1d1a3c5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,18 +1,34 @@
module github.com/vdbulcke/oidc-client-demo
-go 1.16
+go 1.18
require (
github.com/coreos/go-oidc/v3 v3.1.0
- github.com/go-playground/universal-translator v0.18.0 // indirect
github.com/go-playground/validator v9.31.0+incompatible
github.com/hashicorp/go-hclog v1.0.0
- github.com/leodido/go-urn v1.2.1 // indirect
github.com/spf13/cobra v1.3.0
+ golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+ gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+ github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+ github.com/fatih/color v1.13.0 // indirect
+ github.com/go-playground/locales v0.14.0 // indirect
+ github.com/go-playground/universal-translator v0.18.0 // indirect
+ github.com/golang/protobuf v1.5.2 // indirect
+ github.com/inconshreveable/mousetrap v1.0.0 // indirect
+ github.com/leodido/go-urn v1.2.1 // indirect
+ github.com/mattn/go-colorable v0.1.12 // indirect
+ github.com/mattn/go-isatty v0.0.14 // indirect
+ github.com/russross/blackfriday/v2 v2.1.0 // indirect
+ github.com/spf13/pflag v1.0.5 // indirect
golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 // indirect
golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 // indirect
- golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+ google.golang.org/appengine v1.6.7 // indirect
+ google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
- gopkg.in/yaml.v2 v2.4.0
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
)
diff --git a/go.sum b/go.sum
index 9618157..79d602b 100644
--- a/go.sum
+++ b/go.sum
@@ -450,7 +450,6 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 h1:+6WJMRLHlD7X7frgp7TUZ36RnQzSf9wVVTNakEp+nqY= golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -786,8 +785,9 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/oidc-client/config.go b/oidc-client/config.go index 0b2f077..d645996 100644 
--- a/oidc-client/config.go
+++ b/oidc-client/config.go
@@ -6,7 +6,7 @@ import (
"os"
"github.com/go-playground/validator"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
"github.com/vdbulcke/oidc-client-demo/oidc-client/internal"
)
diff --git a/oidc-client/refresh_token.go b/oidc-client/refresh_token.go
index 28d5b13..866faf7 100644
--- a/oidc-client/refresh_token.go
+++ b/oidc-client/refresh_token.go
@@ -51,7 +51,7 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
c.logger.Error("no ID Token Found")
} else if !skipIdTokenVerification {
// verify and print idToken
- _, err = c.processIdToken( idTokenRaw)
+ _, err = c.processIdToken(idTokenRaw)
if err != nil {
return err
}
@@ -61,14 +61,15 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
// Validate Access Token if JWT
// and print claims
if c.config.AccessTokenJwt {
- refreshTokenRaw := accessTokenResponse.RefreshToken
- if refreshTokenRaw == "" {
- c.logger.Error("no Refresh Token Found")
+ // try to parse access token as JWT
+ accessTokenRaw := accessTokenResponse.AccessToken
+ if accessTokenRaw == "" {
+ c.logger.Error("no Access Token Found")
} else {
// validate signature against the JWK
- _, err := c.processRefreshToken(c.ctx, refreshTokenRaw)
+ _, err := c.processAccessToken(c.ctx, accessTokenRaw)
if err != nil {
- c.logger.Error("Refresh Token validation failed", "err", err)
+ c.logger.Error("Access Token validation failed", "err", err)
return err
}
}
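Review bot: The `gopkg.in/yaml.v2` → `gopkg.in/yaml.v3` import swap is a behaviour change rather than a plain version bump: v3 follows YAML 1.2, so unquoted `yes`/`no`/`on`/`off` decode as strings unless the target field is already a typed `bool`, untyped maps come back as `map[string]interface{}` instead of `map[interface{}]interface{}`, and v3 errors in several places where v2 was lenient. The rest of config.go is outside the hunk, so I cannot see how the file is decoded; if it uses `yaml.Unmarshal`, consider `yaml.NewDecoder(r)` with `dec.KnownFields(true)` so that a misspelled key for `AccessTokenJwt` or `RefreshTokenJwt` (the flags that gate token signature validation in refresh_token.go) fails loudly instead of silently defaulting to false. A short comment on the import, `// yaml.v3: YAML 1.2 semantics, stricter than v2`, would also spare the next reader the surprise.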
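Review bot: `_, err := c.processAccessToken(c.ctx, accessTokenRaw)` declares a fresh `err` that shadows the one assigned with `=` in the `processIdToken` branch above, and the failure is both logged and returned, so the same error is reported twice by different layers; the `RefreshTokenJwt` hunk below repeats the identical pattern. Prefer `_, err = c.processAccessToken(c.ctx, accessTokenRaw)` with a plain `return err` (or a `%w` wrap if `fmt` is imported) and let one layer do the logging. Separately, when `AccessTokenJwt` is set but the response carries no access token, the code only logs `no Access Token Found` and falls through, so unless an earlier part of `RefreshTokenFlow` (outside the hunk) already rejects an empty access token, the flow returns nil without any signature validation having run; an empty `access_token` in a token response is invalid anyway, so returning an error there would match how the verification-failure branch behaves.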
@@ -77,15 +78,14 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
// Validate Access Token if JWT
// and print claims
if c.config.RefreshTokenJwt {
- // try to parse access token as JWT
- accessTokenRaw := accessTokenResponse.AccessToken
- if accessTokenRaw == "" {
- c.logger.Error("no Access Token Found")
+ refreshTokenRaw := accessTokenResponse.RefreshToken
+ if refreshTokenRaw == "" {
+ c.logger.Error("no Refresh Token Found")
} else {
// validate signature against the JWK
- _, err := c.processAccessToken(c.ctx, accessTokenRaw)
+ _, err := c.processRefreshToken(c.ctx, refreshTokenRaw)
if err != nil {
- c.logger.Error("Access Token validation failed", "err", err)
+ c.logger.Error("Refresh Token validation failed", "err", err)
return err
}
}
@@ -101,7 +101,6 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
}
-
// processAccessToken Handle accessToken JWT validation
func (c *OIDCClient) processAccessToken(ctx context.Context, accessTokenRaw string) (*oidc.IDToken, error) {
return c.processGenericToken(ctx, accessTokenRaw, "Access")
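Review bot: The header comment above `if c.config.RefreshTokenJwt {` still reads `// Validate Access Token if JWT` / `// and print claims`, a leftover copy of the access-token block, so after this fix the two blocks are labelled identically; it should read `// Validate Refresh Token if JWT`. The removed `// try to parse access token as JWT` line moved to the access block, leaving nothing here that says why a refresh token would be parsed at all; a one-liner such as `// only decoded when the provider issues JWT refresh tokens (config RefreshTokenJwt)` would make the intent clear. As noted on the `AccessTokenJwt` hunk, `_, err := c.processRefreshToken(...)` shadows the outer `err` and the error is logged and then returned; the same one-line change applies here. `RefreshTokenFlow` ends outside this hunk.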