From 4cbce04a5653334f463c095b2a00bc5fa0d99ef8 Mon Sep 17 00:00:00 2001 From: Paul Swartz Date: Fri, 22 Dec 2023 19:58:28 -0500 Subject: [PATCH] feat: Demonstrating Proof of Posession (DPoP) (#315) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: include token type in `#oidcc_token_access` record We'll need this for DPoP bound tokens, which use the `DPoP` type. * feat: DPoP * doc: fix autolinking of `Oidcc.Token.Access` Co-authored-by: Jonatan Männchen * fixup! doc: fix autolinking of `Oidcc.Token.Access` * fixup! feat: DPoP * fixup! feat: DPoP * fixup! feat: DPoP * fixup! feat: DPoP --------- Co-authored-by: Jonatan Männchen --- README.md | 1 + include/oidcc_client_registration.hrl | 2 + include/oidcc_token.hrl | 6 +- lib/oidcc/client_registration.ex | 1 + lib/oidcc/token/access.ex | 30 +- src/oidcc_auth_util.erl | 105 +++++ src/oidcc_authorization.erl | 25 +- src/oidcc_client_registration.erl | 2 + src/oidcc_http_util.erl | 10 +- src/oidcc_jwt_util.erl | 18 +- src/oidcc_token.erl | 97 ++++- src/oidcc_token_introspection.erl | 29 +- src/oidcc_userinfo.erl | 60 ++- test/oidcc_authorization_test.erl | 35 ++ test/oidcc_token_test.erl | 573 +++++++++++++++++++++++++- test/oidcc_userinfo_test.erl | 393 +++++++++++++++++- 16 files changed, 1349 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 559af38..d4eb447 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,7 @@ The refactoring for `v3` and the certification is funded as an * [Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) * Logout * [RP-Initiated](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) +* [Demonstrating Proof of Possession (DPoP)](https://www.rfc-editor.org/rfc/rfc9449) ## Setup diff --git a/include/oidcc_client_registration.hrl b/include/oidcc_client_registration.hrl index db96c94..2f3f5ec 100644 --- a/include/oidcc_client_registration.hrl +++ b/include/oidcc_client_registration.hrl @@ -67,6 +67,8 @@ post_logout_redirect_uris = undefined :: [uri_string:uri_string()] | undefined, %% OAuth 2.0 Pushed Authorization Requests require_pushed_authorization_requests = false :: boolean(), + %% OAuth 2.0 Demonstrating Proof of Possession (DPoP) + dpop_bound_access_tokens = false :: boolean(), %% Unknown Fields extra_fields = #{} :: #{binary() => term()} }). diff --git a/include/oidcc_token.hrl b/include/oidcc_token.hrl index 08ad0f1..9ce7f76 100644 --- a/include/oidcc_token.hrl +++ b/include/oidcc_token.hrl @@ -1,7 +1,11 @@ -ifndef(OIDCC_TOKEN_HRL). -record(oidcc_token_id, {token :: binary(), claims :: oidcc_jwt_util:claims()}). --record(oidcc_token_access, {token :: binary(), expires = undefined :: pos_integer() | undefined}). +-record(oidcc_token_access, { + token :: binary(), + expires = undefined :: pos_integer() | undefined, + type = <<"Bearer">> :: binary() +}). -record(oidcc_token_refresh, {token :: binary()}). -record(oidcc_token, { id :: oidcc_token:id() | none, diff --git a/lib/oidcc/client_registration.ex b/lib/oidcc/client_registration.ex index 3b413e8..58dcd68 100644 --- a/lib/oidcc/client_registration.ex +++ b/lib/oidcc/client_registration.ex @@ -81,6 +81,7 @@ defmodule Oidcc.ClientRegistration do request_uris: [:uri_string.uri_string()] | :undefined, post_logout_redirect_uris: [:uri_string.uri_string()] | :undefined, require_pushed_authorization_requests: boolean(), + dpop_bound_access_tokens: boolean(), extra_fields: %{String.t() => term()} } diff --git a/lib/oidcc/token/access.ex b/lib/oidcc/token/access.ex index c48fd3d..f362d3b 100644 --- a/lib/oidcc/token/access.ex +++ b/lib/oidcc/token/access.ex @@ -6,6 +6,8 @@ defmodule Oidcc.Token.Access do """ @moduledoc since: "3.0.0" + alias Oidcc.ClientContext + use Oidcc.RecordStruct, internal_name: :token, record_name: :oidcc_token_access, @@ -16,6 +18,32 @@ defmodule Oidcc.Token.Access do @typedoc since: "3.0.0" @type t() :: %__MODULE__{ token: String.t(), - expires: pos_integer() | :undefined + expires: pos_integer() | :undefined, + type: String.t() } + + @doc """ + Generate a map of authorization headers to use when using the given + `Oidcc.Token.Access` struct to access an API endpoint. + """ + @doc since: "3.2.0" + @spec authorization_headers( + access_token :: t(), + method :: :get | :post, + endpoint :: String.t(), + client_context :: ClientContext.t() + ) :: %{String.t() => String.t()} + def authorization_headers( + access_token, + method, + endpoint, + client_context + ), + do: + :oidcc_token.authorization_headers( + struct_to_record(access_token), + method, + endpoint, + ClientContext.struct_to_record(client_context) + ) end diff --git a/src/oidcc_auth_util.erl b/src/oidcc_auth_util.erl index 5dbabd1..264fd66 100644 --- a/src/oidcc_auth_util.erl +++ b/src/oidcc_auth_util.erl @@ -19,6 +19,8 @@ -type error() :: no_supported_auth_method. -export([add_client_authentication/6]). +-export([add_dpop_proof_header/5]). +-export([add_authorization_header/6]). %% @private -spec add_client_authentication( @@ -251,6 +253,109 @@ add_jwt_bearer_assertion(ClientAssertion, Body, Header, ClientContext) -> Header }. +%% @private +-spec add_dpop_proof_header(Header, Method, Endpoint, Opts, ClientContext) -> Header when + Header :: [oidcc_http_util:http_header()], + Method :: post | get, + Endpoint :: uri_string:uri_string(), + Opts :: #{nonce => binary()}, + ClientContext :: oidcc_client_context:t(). +add_dpop_proof_header(Header, Method, Endpoint, Opts, ClientContext) -> + Claims = + case Opts of + #{nonce := Nonce} -> + #{<<"nonce">> => Nonce}; + _ -> + #{} + end, + case dpop_proof(Method, Endpoint, Claims, ClientContext) of + {ok, SignedRequestObject} -> + [{"dpop", SignedRequestObject} | Header]; + error -> + Header + end. + +%% @private +-spec add_authorization_header( + AccessToken, AccessTokenType, Method, Endpoint, Opts, ClientContext +) -> + Header +when + AccessToken :: binary(), + AccessTokenType :: binary(), + Method :: post | get, + Endpoint :: uri_string:uri_string(), + Opts :: #{dpop_nonce => binary()}, + ClientContext :: oidcc_client_context:t(), + Header :: [oidcc_http_util:http_header()]. +add_authorization_header( + AccessToken, AccessTokenType, Method, Endpoint, Opts, ClientContext +) -> + maybe + true ?= string:casefold(<<"dpop">>) =:= string:casefold(AccessTokenType), + Claims0 = + case Opts of + #{dpop_nonce := Nonce} -> + #{<<"nonce">> => Nonce}; + _ -> + #{} + end, + Claims = Claims0#{ + <<"ath">> => base64:encode(crypto:hash(sha256, AccessToken), #{ + mode => urlsafe, padding => false + }) + }, + {ok, SignedRequestObject} ?= dpop_proof(Method, Endpoint, Claims, ClientContext), + [ + {"authorization", [AccessTokenType, <<" ">>, AccessToken]}, + {"dpop", SignedRequestObject} + ] + else + _ -> + [oidcc_http_util:bearer_auth_header(AccessToken)] + end. + +-spec dpop_proof(Method, Endpoint, Claims, ClientContext) -> {ok, binary()} | error when + Method :: post | get, + Endpoint :: uri_string:uri_string(), + Claims :: map(), + ClientContext :: oidcc_client_context:t(). +dpop_proof(Method, Endpoint, Claims0, #oidcc_client_context{ + client_jwks = #jose_jwk{} = ClientJwks, + provider_configuration = #oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [_ | _] = SigningAlgSupported + } +}) -> + MaxClockSkew = + case application:get_env(oidcc, max_clock_skew) of + undefined -> 0; + {ok, ClockSkew} -> ClockSkew + end, + HtmClaim = string:uppercase(atom_to_binary(Method, utf8)), + Claims = Claims0#{ + <<"jti">> => random_string(32), + <<"htm">> => HtmClaim, + <<"htu">> => iolist_to_binary(Endpoint), + <<"iat">> => os:system_time(seconds), + <<"exp">> => os:system_time(seconds) + 30, + <<"nbf">> => os:system_time(seconds) - MaxClockSkew + }, + Jwt = jose_jwt:from(Claims), + {_, PublicJwk} = jose_jwk:to_public_map(ClientJwks), + + case + oidcc_jwt_util:sign(Jwt, ClientJwks, SigningAlgSupported, #{ + <<"typ">> => <<"dpop+jwt">>, <<"jwk">> => PublicJwk + }) + of + {ok, SignedRequestObject} -> + {ok, SignedRequestObject}; + {error, no_supported_alg_or_key} -> + error + end; +dpop_proof(_Method, _Endpoint, _Claims, _ClientContext) -> + error. + -spec random_string(Bytes :: pos_integer()) -> binary(). random_string(Bytes) -> base64:encode(crypto:strong_rand_bytes(Bytes), #{mode => urlsafe, padding => false}). diff --git a/src/oidcc_authorization.erl b/src/oidcc_authorization.erl index 0ebac26..747cabd 100644 --- a/src/oidcc_authorization.erl +++ b/src/oidcc_authorization.erl @@ -110,8 +110,9 @@ redirect_params(#oidcc_client_context{client_id = ClientId} = ClientContext, Opt QueryParams4 = oidcc_scope:query_append_scope( maps:get(scopes, Opts, [openid]), QueryParams3 ), - QueryParams5 = attempt_request_object(QueryParams4, ClientContext), - attempt_par(QueryParams5, ClientContext, Opts). + QueryParams5 = maybe_append_dpop_jkt(QueryParams4, ClientContext), + QueryParams6 = attempt_request_object(QueryParams5, ClientContext), + attempt_par(QueryParams6, ClientContext, Opts). -spec append_code_challenge(PkceVerifier, QueryParams, ClientContext) -> oidcc_http_util:query_params() @@ -164,6 +165,26 @@ maybe_append(_Key, undefined, QueryParams) -> maybe_append(Key, Value, QueryParams) -> [{Key, Value} | QueryParams]. +-spec maybe_append_dpop_jkt(QueryParams, ClientContext) -> + QueryParams +when + ClientContext :: oidcc_client_context:t(), + QueryParams :: oidcc_http_util:query_params(). +maybe_append_dpop_jkt( + QueryParams, + #oidcc_client_context{ + client_jwks = #jose_jwk{}, + provider_configuration = #oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [_ | _] + } + } = ClientContext +) -> + #oidcc_client_context{client_jwks = ClientJwks} = ClientContext, + Thumbprint = jose_jwk:thumbprint(ClientJwks), + [{"dpop_jkt", Thumbprint} | QueryParams]; +maybe_append_dpop_jkt(QueryParams, _ClientContext) -> + QueryParams. + -spec attempt_request_object(QueryParams, ClientContext) -> QueryParams when QueryParams :: oidcc_http_util:query_params(), ClientContext :: oidcc_client_context:t(). diff --git a/src/oidcc_client_registration.erl b/src/oidcc_client_registration.erl index a3c9b12..2c3d1f5 100644 --- a/src/oidcc_client_registration.erl +++ b/src/oidcc_client_registration.erl @@ -110,6 +110,8 @@ post_logout_redirect_uris :: [uri_string:uri_string()] | undefined, %% OAuth 2.0 Pushed Authorization Requests require_pushed_authorization_requests :: boolean(), + %% OAuth 2.0 Demonstrating Proof of Possession (DPoP) + dpop_bound_access_tokens :: boolean(), %% Unknown Fields extra_fields :: #{binary() => term()} }. diff --git a/src/oidcc_http_util.erl b/src/oidcc_http_util.erl index 1ee2493..55d44b9 100644 --- a/src/oidcc_http_util.erl +++ b/src/oidcc_http_util.erl @@ -19,7 +19,8 @@ -type http_header() :: {Field :: [byte()] | binary(), Value :: iodata()}. %% See {@link httpc:request/5} -type error() :: - {http_error, StatusCode :: pos_integer(), HttpBodyResult :: binary()} + {http_error, StatusCode :: pos_integer(), HttpBodyResult :: binary() | map()} + | {use_dpop_nonce, Nonce :: binary(), HttpBodyResult :: binary() | map()} | invalid_content_type | httpc_error(). -type httpc_error() :: term(). @@ -147,7 +148,12 @@ extract_successful_response({{_HttpVersion, StatusCode, _HttpStatusName}, Header unknown -> HttpBodyResult end, - {error, {http_error, StatusCode, Body}}. + case proplists:lookup("dpop-nonce", Headers) of + {"dpop-nonce", DpopNonce} -> + {error, {use_dpop_nonce, DpopNonce, Body}}; + _ -> + {error, {http_error, StatusCode, Body}} + end. -spec fetch_content_type(Headers) -> json | jwt | unknown when Headers :: [http_header()]. fetch_content_type(Headers) -> diff --git a/src/oidcc_jwt_util.erl b/src/oidcc_jwt_util.erl index 2713587..5c53bcd 100644 --- a/src/oidcc_jwt_util.erl +++ b/src/oidcc_jwt_util.erl @@ -16,6 +16,7 @@ -export([merge_jwks/2]). -export([refresh_jwks_fun/1]). -export([sign/3]). +-export([sign/4]). -export([verify_claims/2]). -export([verify_signature/3]). @@ -172,11 +173,20 @@ merge_jwks(Left, Right) -> %% @private -spec sign(Jwt :: #jose_jwt{}, Jwk :: jose_jwk:key(), SupportedAlgorithms :: [binary()]) -> {ok, binary()} | {error, no_supported_alg_or_key}. -sign(_Jwt, _Jwk, []) -> +sign(Jwt, Jwk, SupportedAlgorithms) -> + sign(Jwt, Jwk, SupportedAlgorithms, #{}). + +%% @private +-spec sign( + Jwt :: #jose_jwt{}, Jwk :: jose_jwk:key(), SupportedAlgorithms :: [binary()], JwsFields :: map() +) -> + {ok, binary()} | {error, no_supported_alg_or_key}. +sign(_Jwt, _Jwk, [], _JwsFields) -> {error, no_supported_alg_or_key}; -sign(Jwt, Jwk, [Algorithm | RestAlgorithms]) -> +sign(Jwt, Jwk, [Algorithm | RestAlgorithms], JwsFields0) -> maybe - #jose_jws{fields = JwsFields} = Jws0 ?= jose_jws:from_map(#{<<"alg">> => Algorithm}), + #jose_jws{fields = JwsFields} = + Jws0 ?= jose_jws:from_map(JwsFields0#{<<"alg">> => Algorithm}), SigningCallback = fun (#jose_jwk{fields = #{<<"use">> := <<"sig">>} = Fields} = Key) -> %% add the kid field to the JWS signature if present @@ -205,7 +215,7 @@ sign(Jwt, Jwk, [Algorithm | RestAlgorithms]) -> {ok, Token} ?= evaluate_for_all_keys(Jwk, SigningCallback), {ok, Token} else - _ -> sign(Jwt, Jwk, RestAlgorithms) + _ -> sign(Jwt, Jwk, RestAlgorithms, JwsFields0) end. %% @private diff --git a/src/oidcc_token.erl b/src/oidcc_token.erl index 51e25e9..7fe4b16 100644 --- a/src/oidcc_token.erl +++ b/src/oidcc_token.erl @@ -32,6 +32,8 @@ -export([refresh/3]). -export([retrieve/3]). -export([validate_id_token/3]). +-export([authorization_headers/4]). +-export([authorization_headers/5]). -export_type([access/0]). -export_type([client_credentials_opts/0]). @@ -56,7 +58,7 @@ %% -type access() :: - #oidcc_token_access{token :: binary(), expires :: pos_integer() | undefined}. + #oidcc_token_access{token :: binary(), expires :: pos_integer() | undefined, type :: binary()}. %% Access Token Wrapper %% %%

Fields

@@ -103,7 +105,8 @@ redirect_uri := uri_string:uri_string(), request_opts => oidcc_http_util:request_opts(), url_extension => oidcc_http_util:query_params(), - body_extension => oidcc_http_util:query_params() + body_extension => oidcc_http_util:query_params(), + dpop_nonce => binary() }. %% Options for retrieving a token %% @@ -120,6 +123,8 @@ %%
  • `refresh_jwks' - How to handle tokens with an unknown `kid'. %% See {@link oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun()}
  • %%
  • `redirect_uri' - Redirect uri given to {@link oidcc_authorization:create_redirect_url/2}
  • +%%
  • `dpop_nonce' - if using DPoP, the `nonce' value to use in the +%% proof claim
  • %% -type refresh_opts_no_sub() :: @@ -665,7 +670,8 @@ extract_access_token(TokenMap, Expiry) -> none -> {ok, none}; Token when is_binary(Token) -> - {ok, #oidcc_token_access{token = Token, expires = Expiry}}; + TokenType = maps:get(<<"token_type">>, TokenMap, <<"Bearer">>), + {ok, #oidcc_token_access{token = Token, expires = Expiry, type = TokenType}}; Other -> {error, {invalid_property, {access_token, Other}}} end. @@ -732,7 +738,7 @@ verify_access_token_map_hash(#oidcc_token{}) -> %% @doc Validate ID Token %% %% Usually the id token is validated using {@link retrieve/3}. -%% If you gget the token passed from somewhere else, this function can validate it. +%% If you get the token passed from somewhere else, this function can validate it. %% %%

    Examples

    %% @@ -814,6 +820,57 @@ validate_id_token(IdToken, ClientContext, Nonce) -> end end. +%% @doc Authorization headers +%% +%% Generate a map of authorization headers to use when using the given +%% access token to access an API endpoint. +%% +%%

    Examples

    +%% +%% ``` +%% {ok, ClientContext} = +%% oidcc_client_context:from_configuration_worker(provider_name, +%% <<"client_id">>, +%% <<"client_secret">>), +%% +%% %% Get Access Token record from somewhere +%% +%% Headers = +%% oidcc:authorization_headers(AccessTokenRecord, :get, Url, ClientContext). +%% ''' +%% @end +%% @since 3.2.0 +-spec authorization_headers(AccessTokenRecord, Method, Endpoint, ClientContext) -> HeaderMap when + AccessTokenRecord :: access(), + Method :: post | get, + Endpoint :: uri_string:uri_string(), + ClientContext :: oidcc_client_context:t(), + HeaderMap :: #{binary() => binary()}. +-spec authorization_headers(AccessTokenRecord, Method, Endpoint, ClientContext, Opts) -> + HeaderMap +when + AccessTokenRecord :: access(), + Method :: post | get, + Endpoint :: uri_string:uri_string(), + ClientContext :: oidcc_client_context:t(), + Opts :: #{dpop_nonce => binary()}, + HeaderMap :: #{binary() => binary()}. +authorization_headers(AccessTokenRecord, Method, Endpoint, ClientContext) -> + authorization_headers(AccessTokenRecord, Method, Endpoint, ClientContext, #{}). + +authorization_headers( + #oidcc_token_access{} = AccessTokenRecord, + Method, + Endpoint, + #oidcc_client_context{} = ClientContext, + Opts +) -> + #oidcc_token_access{token = AccessToken, type = AccessTokenType} = AccessTokenRecord, + Header = oidcc_auth_util:add_authorization_header( + AccessToken, AccessTokenType, Method, Endpoint, Opts, ClientContext + ), + maps:from_list([{list_to_binary(Key), list_to_binary([Value])} || {Key, Value} <- Header]). + -spec verify_aud_claim(Claims, ClientId) -> ok | {error, error()} when Claims :: oidcc_jwt_util:claims(), ClientId :: binary(). verify_aud_claim(#{<<"aud">> := Audience} = Claims, ClientId) when is_list(Audience) -> @@ -831,7 +888,7 @@ verify_aud_claim(Claims, ClientId) -> verify_azp_claim(#{<<"azp">> := ClientId}, ClientId) -> ok; verify_azp_claim(#{<<"azp">> := _Azp} = Claims, ClientId) -> - {missing_claim, {<<"azp">>, ClientId}, Claims}; + {error, {missing_claim, {<<"azp">>, ClientId}, Claims}}; verify_azp_claim(_Claims, _ClientId) -> ok. @@ -845,7 +902,9 @@ verify_exp_claim(#{<<"exp">> := Expiry}) -> case erlang:system_time(second) > Expiry + MaxClockSkew of true -> {error, token_expired}; false -> ok - end. + end; +verify_exp_claim(Claims) -> + {error, {missing_claim, <<"exp">>, Claims}}. -spec verify_nbf_claim(Claims) -> ok | {error, error()} when Claims :: oidcc_jwt_util:claims(). verify_nbf_claim(#{<<"nbf">> := Expiry}) -> @@ -913,17 +972,41 @@ retrieve_a_token(QsBodyIn, PkceVerifier, ClientContext, Opts, TelemetryOpts, Aut false -> [<<"none">>] end, + DpopOpts = + case Opts of + #{dpop_nonce := DpopNonce} -> + #{nonce => DpopNonce}; + _ -> + #{} + end, maybe - {ok, {Body, Header}} ?= + {ok, {Body, Header1}} ?= oidcc_auth_util:add_client_authentication( QsBody, Header0, SupportedAuthMethods, SigningAlgs, Opts, ClientContext ), + Header = oidcc_auth_util:add_dpop_proof_header( + Header1, post, Endpoint, DpopOpts, ClientContext + ), Request = {Endpoint, Header, "application/x-www-form-urlencoded", uri_string:compose_query(Body)}, RequestOpts = maps:get(request_opts, Opts, #{}), {ok, {{json, TokenResponse}, _Headers}} ?= oidcc_http_util:request(post, Request, TelemetryOpts, RequestOpts), {ok, TokenResponse} + else + {error, {use_dpop_nonce, NewDpopNonce, _}} when DpopOpts =:= #{} -> + %% only retry automatically if we didn't use a nonce the first time + %% (to avoid infinite loops) + retrieve_a_token( + QsBodyIn, + PkceVerifier, + ClientContext, + Opts#{dpop_nonce => NewDpopNonce}, + TelemetryOpts, + AuthenticateClient + ); + {error, Reason} -> + {error, Reason} end. -spec add_pkce_verifier(QueryList, PkceVerifier) -> oidcc_http_util:query_params() when diff --git a/src/oidcc_token_introspection.erl b/src/oidcc_token_introspection.erl index a28336e..2be4985 100644 --- a/src/oidcc_token_introspection.erl +++ b/src/oidcc_token_introspection.erl @@ -45,7 +45,8 @@ -type opts() :: #{ preferred_auth_methods => [oidcc_auth_util:auth_method(), ...], - request_opts => oidcc_http_util:request_opts() + request_opts => oidcc_http_util:request_opts(), + dpop_nonce => binary() }. -type error() :: client_id_mismatch | introspection_not_supported | oidcc_http_util:error(). @@ -131,18 +132,40 @@ introspect(AccessToken, ClientContext, Opts) -> topic => [oidcc, introspect_token], extra_meta => #{issuer => Issuer, client_id => ClientId} }, - + DpopOpts = + case Opts of + #{dpop_nonce := DpopNonce} -> + #{nonce => DpopNonce}; + _ -> + #{} + end, maybe - {ok, {Body, Header}} ?= + {ok, {Body, Header1}} ?= oidcc_auth_util:add_client_authentication( Body0, Header0, SupportedAuthMethods, AllowAlgorithms, Opts, ClientContext ), + Header = oidcc_auth_util:add_dpop_proof_header( + Header1, post, Endpoint, DpopOpts, ClientContext + ), Request = {Endpoint, Header, "application/x-www-form-urlencoded", uri_string:compose_query(Body)}, {ok, {{json, Token}, _Headers}} ?= oidcc_http_util:request(post, Request, TelemetryOpts, RequestOpts), extract_response(Token, ClientContext) + else + {error, {use_dpop_nonce, NewDpopNonce, _}} when + DpopOpts =:= #{} + -> + %% only retry automatically if we didn't use a nonce the first time + %% (to avoid infinite loops) + introspect( + AccessToken, + ClientContext, + Opts#{dpop_nonce => NewDpopNonce} + ); + {error, Reason} -> + {error, Reason} end end. diff --git a/src/oidcc_userinfo.erl b/src/oidcc_userinfo.erl index 0269685..f063826 100644 --- a/src/oidcc_userinfo.erl +++ b/src/oidcc_userinfo.erl @@ -27,13 +27,17 @@ -export_type([retrieve_opts_no_sub/0]). -type retrieve_opts_no_sub() :: - #{refresh_jwks => oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun()}. + #{ + refresh_jwks => oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun(), + dpop_nonce => binary() + }. %% See {@link retrieve_opts()} -type retrieve_opts() :: #{ refresh_jwks => oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun(), - expected_subject := binary() | any + expected_subject => binary() | any, + dpop_nonce => binary() }. %% Configure userinfo request %% @@ -46,10 +50,13 @@ %% See {@link oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun()} %%
  • `expected_subject' - expected subject for the userinfo %% (`sub' from id token)
  • +%%
  • `dpop_nonce' - if using DPoP, the `nonce' value to use in the +%% proof claim
  • %% -type error() :: {distributed_claim_not_found, {ClaimSource :: binary(), ClaimName :: binary()}} + | no_access_token | invalid_content_type | bad_subject | oidcc_jwt_util:error() @@ -103,19 +110,23 @@ ClientContext :: oidcc_client_context:t(), Opts :: retrieve_opts_no_sub(); (Token, ClientContext, Opts) -> {ok, oidcc_jwt_util:claims()} | {error, error()} when - Token :: binary(), + Token :: oidcc_token:access() | binary(), ClientContext :: oidcc_client_context:t(), Opts :: retrieve_opts(). -retrieve(#oidcc_token{} = Token, ClientContext, Opts) -> - #oidcc_token{access = AccessTokenRecord, id = IdTokenRecord} = Token, - #oidcc_token_access{token = AccessToken} = AccessTokenRecord, +retrieve( + #oidcc_token{access = #oidcc_token_access{} = AccessTokenRecord, id = IdTokenRecord}, + ClientContext, + Opts +) -> #oidcc_token_id{claims = #{<<"sub">> := ExpectedSubject}} = IdTokenRecord, retrieve( - AccessToken, + AccessTokenRecord, ClientContext, maps:put(expected_subject, ExpectedSubject, Opts) ); -retrieve(AccessToken, ClientContext, Opts) when is_binary(AccessToken) -> +retrieve(#oidcc_token{access = none}, #oidcc_client_context{}, _Opts) -> + {error, no_access_token}; +retrieve(#oidcc_token_access{} = AccessTokenRecord, #oidcc_client_context{} = ClientContext, Opts) -> #oidcc_client_context{ provider_configuration = Configuration, client_id = ClientId @@ -124,8 +135,16 @@ retrieve(AccessToken, ClientContext, Opts) when is_binary(AccessToken) -> userinfo_endpoint = Endpoint, issuer = Issuer } = Configuration, + #oidcc_token_access{token = AccessToken, type = AccessTokenType} = AccessTokenRecord, - Header = [oidcc_http_util:bearer_auth_header(AccessToken)], + %% Dialyzer gets confused about the type of Opts here (thinking that it + %% loses the expected_subject key), so we perform a no-op map operation to + %% separate the two. + %% + AuthorizationOpts = Opts#{}, + Header = oidcc_auth_util:add_authorization_header( + AccessToken, AccessTokenType, get, Endpoint, AuthorizationOpts, ClientContext + ), Request = {Endpoint, Header}, RequestOpts = maps:get(request_opts, Opts, #{}), @@ -134,23 +153,32 @@ retrieve(AccessToken, ClientContext, Opts) when is_binary(AccessToken) -> extra_meta => #{issuer => Issuer, client_id => ClientId} }, + HasDpopNonce = maps:is_key(dpop_nonce, AuthorizationOpts), + maybe {ok, {UserinfoResponse, _Headers}} ?= oidcc_http_util:request(get, Request, TelemetryOpts, RequestOpts), {ok, Claims} ?= validate_userinfo_body(UserinfoResponse, ClientContext, Opts), lookup_distributed_claims(Claims, ClientContext, Opts) - end. + else + {error, {use_dpop_nonce, DpopNonce, _}} when + HasDpopNonce =:= false + -> + %% retry once if we didn't provide a nonce the first time + retrieve(AccessTokenRecord, ClientContext, Opts#{dpop_nonce => DpopNonce}); + {error, Reason} -> + {error, Reason} + end; +retrieve(AccessToken, #oidcc_client_context{} = ClientContext, Opts) when is_binary(AccessToken) -> + AccessTokenRecord = #oidcc_token_access{token = AccessToken}, + retrieve(AccessTokenRecord, ClientContext, Opts). -spec validate_userinfo_body(Body, ClientContext, Opts) -> {ok, Claims} | {error, error()} when Body :: {json, map()} | {jwt, binary()}, ClientContext :: oidcc_client_context:t(), - Opts :: - #{ - refresh_jwks => oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun(), - expected_subject := binary() - }, + Opts :: retrieve_opts(), Claims :: oidcc_jwt_util:claims(). validate_userinfo_body({json, Userinfo}, _ClientContext, Opts) -> ExpectedSubject = maps:get(expected_subject, Opts), @@ -188,7 +216,7 @@ when Opts :: #{ refresh_jwks => oidcc_jwt_util:refresh_jwks_for_unknown_kid_fun(), - expected_subject := binary(), + expected_subject => binary(), expected_claims => [{binary(), term()}] }, Claims :: oidcc_jwt_util:claims(). diff --git a/test/oidcc_authorization_test.erl b/test/oidcc_authorization_test.erl index 2227f9c..24dcfb6 100644 --- a/test/oidcc_authorization_test.erl +++ b/test/oidcc_authorization_test.erl @@ -1006,3 +1006,38 @@ create_redirect_url_with_par_client_secret_jwt_request_object_test() -> ), ok. + +create_redirect_url_private_key_jwt_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ValidConfigString} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = oidcc_provider_configuration:decode_configuration( + jose:decode(ValidConfigString) + ), + Configuration = Configuration0#oidcc_provider_configuration{ + token_endpoint_auth_methods_supported = [<<"private_key_jwt">>], + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientId = <<"client_id">>, + RedirectUri = <<"https://my.server/return">>, + + ClientContext = + oidcc_client_context:from_manual(Configuration, Jwks, ClientId, <<"client_secret">>, #{ + client_jwks => Jwks + }), + + Opts = + #{ + redirect_uri => RedirectUri + }, + + {ok, Url} = oidcc_authorization:create_redirect_url(ClientContext, Opts), + + ExpUrl = + <<"https://my.provider/auth?dpop_jkt=7jnO2y748F6HEP7WtfubjBQWOgKUuMBQoYLyyc1fe-Q&scope=openid&response_type=code&client_id=client_id&redirect_uri=https%3A%2F%2Fmy.server%2Freturn">>, + ?assertEqual(ExpUrl, iolist_to_binary(Url)), + + ok. diff --git a/test/oidcc_token_test.erl b/test/oidcc_token_test.erl index 61f2d76..9135b48 100644 --- a/test/oidcc_token_test.erl +++ b/test/oidcc_token_test.erl @@ -537,7 +537,7 @@ auth_method_client_secret_jwt_test() -> ?assertMatch( {ok, #oidcc_token{ id = #oidcc_token_id{token = Token, claims = Claims}, - access = #oidcc_token_access{token = AccessToken}, + access = #oidcc_token_access{token = AccessToken, type = <<"Bearer">>}, refresh = #oidcc_token_refresh{token = RefreshToken}, scope = [<<"profile">>, <<"openid">>] }}, @@ -893,6 +893,460 @@ auth_method_private_key_jwt_test() -> ok. +auth_method_private_key_jwt_with_dpop_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, _} = application:ensure_all_started(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = oidcc_provider_configuration:decode_configuration( + jose:decode(ConfigurationBinary) + ), + + #oidcc_provider_configuration{token_endpoint = TokenEndpoint, issuer = Issuer} = + Configuration = Configuration0#oidcc_provider_configuration{ + token_endpoint_auth_methods_supported = [<<"private_key_jwt">>], + token_endpoint_auth_signing_alg_values_supported = [<<"RS256">>], + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + LocalEndpoint = <<"https://my.server/auth">>, + AuthCode = <<"1234567890">>, + AccessToken = <<"access_token">>, + RefreshToken = <<"refresh_token">>, + Claims = + #{ + <<"iss">> => Issuer, + <<"sub">> => <<"sub">>, + <<"aud">> => ClientId, + <<"iat">> => erlang:system_time(second), + <<"exp">> => erlang:system_time(second) + 10, + <<"at_hash">> => <<"hrOQHuo3oE6FR82RIiX1SA">> + }, + + Jwk = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + Jwt = jose_jwt:from(Claims), + Jws = #{<<"alg">> => <<"RS256">>}, + {_Jws, Token} = + jose_jws:compact( + jose_jwt:sign(Jwk, Jws, Jwt) + ), + + TokenData = + jsx:encode(#{ + <<"access_token">> => AccessToken, + <<"token_type">> => <<"Bearer">>, + <<"id_token">> => Token, + <<"scope">> => <<"profile openid">>, + <<"refresh_token">> => RefreshToken + }), + + ClientJwk0 = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + ClientJwk = ClientJwk0#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientContext = oidcc_client_context:from_manual(Configuration, Jwk, ClientId, ClientSecret, #{ + client_jwks => ClientJwk + }), + + ok = meck:new(httpc, [no_link]), + HttpFun = + fun( + post, + {ReqTokenEndpoint, Header, "application/x-www-form-urlencoded", Body}, + _HttpOpts, + _Opts + ) -> + TokenEndpoint = ReqTokenEndpoint, + ?assertMatch(none, proplists:lookup("authorization", Header)), + BodyMap = maps:from_list(uri_string:dissect_query(Body)), + + ?assertMatch( + #{ + <<"grant_type">> := <<"authorization_code">>, + <<"code">> := AuthCode, + <<"client_id">> := ClientId, + <<"client_assertion_type">> := + <<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">>, + <<"client_assertion">> := _ + }, + BodyMap + ), + + ClientAssertion = maps:get(<<"client_assertion">>, BodyMap), + + {true, ClientAssertionJwt, ClientAssertionJws} = jose_jwt:verify( + ClientJwk, ClientAssertion + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, ClientAssertionJws + ), + + #jose_jws{fields = ClientAssertionJwsFields} = ClientAssertionJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">> + }, + ClientAssertionJwsFields + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"aud">> := TokenEndpoint, + <<"exp">> := _, + <<"iat">> := _, + <<"iss">> := ClientId, + <<"jti">> := _, + <<"nbf">> := _, + <<"sub">> := ClientId + } + }, + ClientAssertionJwt + ), + + {_, DpopProof} = proplists:lookup("dpop", Header), + + {true, DpopJwt, DpopJws} = jose_jwt:verify( + ClientJwk, DpopProof + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, DpopJws + ), + + #jose_jws{fields = DpopJwsFields} = DpopJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">>, + <<"typ">> := <<"dpop+jwt">>, + <<"jwk">> := _ + }, + DpopJwsFields + ), + + #{<<"jwk">> := DpopPublicKeyMap} = DpopJwsFields, + ?assertEqual( + DpopPublicKeyMap, + element(2, jose_jwk:to_public_map(ClientJwk)) + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"exp">> := _, + <<"iat">> := _, + <<"jti">> := _, + <<"htm">> := <<"POST">>, + <<"htu">> := TokenEndpoint + } + }, + DpopJwt + ), + + {ok, {{"HTTP/1.1", 200, "OK"}, [{"content-type", "application/json"}], TokenData}} + end, + ok = meck:expect(httpc, request, HttpFun), + + ?assertMatch( + {ok, #oidcc_token{ + id = #oidcc_token_id{token = Token, claims = Claims}, + access = #oidcc_token_access{token = AccessToken}, + refresh = #oidcc_token_refresh{token = RefreshToken}, + scope = [<<"profile">>, <<"openid">>] + }}, + oidcc_token:retrieve( + AuthCode, + ClientContext, + #{redirect_uri => LocalEndpoint} + ) + ), + + true = meck:validate(httpc), + + meck:unload(httpc), + + ok. + +auth_method_private_key_jwt_with_dpop_and_nonce_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, _} = application:ensure_all_started(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = oidcc_provider_configuration:decode_configuration( + jose:decode(ConfigurationBinary) + ), + + #oidcc_provider_configuration{token_endpoint = TokenEndpoint, issuer = Issuer} = + Configuration = Configuration0#oidcc_provider_configuration{ + token_endpoint_auth_methods_supported = [<<"private_key_jwt">>], + token_endpoint_auth_signing_alg_values_supported = [<<"RS256">>], + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + LocalEndpoint = <<"https://my.server/auth">>, + AuthCode = <<"1234567890">>, + AccessToken = <<"access_token">>, + RefreshToken = <<"refresh_token">>, + DpopNonce = <<"dpop_nonce">>, + Claims = + #{ + <<"iss">> => Issuer, + <<"sub">> => <<"sub">>, + <<"aud">> => ClientId, + <<"iat">> => erlang:system_time(second), + <<"exp">> => erlang:system_time(second) + 10, + <<"at_hash">> => <<"hrOQHuo3oE6FR82RIiX1SA">> + }, + + Jwk = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + Jwt = jose_jwt:from(Claims), + Jws = #{<<"alg">> => <<"RS256">>}, + {_Jws, Token} = + jose_jws:compact( + jose_jwt:sign(Jwk, Jws, Jwt) + ), + + TokenData = + jsx:encode(#{ + <<"access_token">> => AccessToken, + <<"token_type">> => <<"Bearer">>, + <<"id_token">> => Token, + <<"scope">> => <<"profile openid">>, + <<"refresh_token">> => RefreshToken + }), + + DpopNonceError = jsx:encode(#{ + <<"error">> => <<"use_dpop_nonce">>, + <<"error_description">> => + <<"Authorization server requires nonce in DPoP proof">> + }), + + ClientJwk0 = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + ClientJwk = ClientJwk0#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientContext = oidcc_client_context:from_manual(Configuration, Jwk, ClientId, ClientSecret, #{ + client_jwks => ClientJwk + }), + + ok = meck:new(httpc, [no_link]), + HttpFun = + fun( + post, + {ReqTokenEndpoint, Header, "application/x-www-form-urlencoded", Body}, + _HttpOpts, + _Opts + ) -> + TokenEndpoint = ReqTokenEndpoint, + ?assertMatch(none, proplists:lookup("authorization", Header)), + BodyMap = maps:from_list(uri_string:dissect_query(Body)), + + ?assertMatch( + #{ + <<"grant_type">> := <<"authorization_code">>, + <<"code">> := AuthCode, + <<"client_id">> := ClientId, + <<"client_assertion_type">> := + <<"urn:ietf:params:oauth:client-assertion-type:jwt-bearer">>, + <<"client_assertion">> := _ + }, + BodyMap + ), + + ClientAssertion = maps:get(<<"client_assertion">>, BodyMap), + + {true, ClientAssertionJwt, ClientAssertionJws} = jose_jwt:verify( + ClientJwk, ClientAssertion + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, ClientAssertionJws + ), + + #jose_jws{fields = ClientAssertionJwsFields} = ClientAssertionJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">> + }, + ClientAssertionJwsFields + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"aud">> := TokenEndpoint, + <<"exp">> := _, + <<"iat">> := _, + <<"iss">> := ClientId, + <<"jti">> := _, + <<"nbf">> := _, + <<"sub">> := ClientId + } + }, + ClientAssertionJwt + ), + + {_, DpopProof} = proplists:lookup("dpop", Header), + + {true, DpopJwt, DpopJws} = jose_jwt:verify( + ClientJwk, DpopProof + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, DpopJws + ), + + #jose_jws{fields = DpopJwsFields} = DpopJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">>, + <<"typ">> := <<"dpop+jwt">>, + <<"jwk">> := _ + }, + DpopJwsFields + ), + + #{<<"jwk">> := DpopPublicKeyMap} = DpopJwsFields, + ?assertEqual( + DpopPublicKeyMap, + element(2, jose_jwk:to_public_map(ClientJwk)) + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"exp">> := _, + <<"iat">> := _, + <<"jti">> := _, + <<"htm">> := <<"POST">>, + <<"htu">> := TokenEndpoint + } + }, + DpopJwt + ), + + case DpopJwt of + #jose_jwt{ + fields = #{ + <<"nonce">> := DpopNonce + } + } -> + {ok, { + {"HTTP/1.1", 200, "OK"}, [{"content-type", "application/json"}], TokenData + }}; + _ -> + {ok, { + {"HTTP/1.1", 400, "OK"}, + [{"content-type", "application/json"}, {"dpop-nonce", DpopNonce}], + DpopNonceError + }} + end + end, + ok = meck:expect(httpc, request, HttpFun), + + ?assertMatch( + {ok, #oidcc_token{ + id = #oidcc_token_id{token = Token, claims = Claims}, + access = #oidcc_token_access{token = AccessToken}, + refresh = #oidcc_token_refresh{token = RefreshToken}, + scope = [<<"profile">>, <<"openid">>] + }}, + oidcc_token:retrieve( + AuthCode, + ClientContext, + #{redirect_uri => LocalEndpoint} + ) + ), + + true = meck:validate(httpc), + + meck:unload(httpc), + + ok. + +auth_method_private_key_jwt_with_invalid_dpop_nonce_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, _} = application:ensure_all_started(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = oidcc_provider_configuration:decode_configuration( + jose:decode(ConfigurationBinary) + ), + + Configuration = Configuration0#oidcc_provider_configuration{ + token_endpoint_auth_methods_supported = [<<"private_key_jwt">>], + token_endpoint_auth_signing_alg_values_supported = [<<"RS256">>], + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + LocalEndpoint = <<"https://my.server/auth">>, + AuthCode = <<"1234567890">>, + DpopNonce = <<"dpop_nonce">>, + Jwk = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + DpopNonceError = jsx:encode(#{ + <<"error">> => <<"use_dpop_nonce">>, + <<"error_description">> => + <<"Authorization server requires nonce in DPoP proof">> + }), + + ClientJwk0 = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + ClientJwk = ClientJwk0#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientContext = oidcc_client_context:from_manual(Configuration, Jwk, ClientId, ClientSecret, #{ + client_jwks => ClientJwk + }), + + ok = meck:new(httpc, [no_link]), + HttpFun = + fun( + post, + {_Endpoint, _Header, "application/x-www-form-urlencoded", _Body}, + _HttpOpts, + _Opts + ) -> + {ok, { + {"HTTP/1.1", 400, "OK"}, + [{"content-type", "application/json"}, {"dpop-nonce", DpopNonce}], + DpopNonceError + }} + end, + ok = meck:expect(httpc, request, HttpFun), + + ?assertMatch( + {error, _}, + oidcc_token:retrieve( + AuthCode, + ClientContext, + #{ + redirect_uri => LocalEndpoint, + dpop_nonce => <<"invalid_nonce">> + } + ) + ), + + true = meck:validate(httpc), + + meck:unload(httpc), + + ok. + auth_method_client_secret_jwt_no_alg_test() -> PrivDir = code:priv_dir(oidcc), @@ -1030,3 +1484,120 @@ preferred_auth_methods_test() -> meck:unload(httpc), ok. + +authorization_headers_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = oidcc_provider_configuration:decode_configuration( + jose:decode(ConfigurationBinary) + ), + + SigningAlg = [<<"RS256">>], + + Configuration = Configuration0#oidcc_provider_configuration{ + dpop_signing_alg_values_supported = SigningAlg + }, + + Jwk = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + ClientJwk0 = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + ClientJwk = ClientJwk0#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + {_, ClientPublicJwk} = jose_jwk:to_public_map(ClientJwk), + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + Endpoint = <<"https://my.server/auth">>, + AccessToken = <<"access_token">>, + AccessTokenHash = base64:encode(crypto:hash(sha256, AccessToken), #{ + mode => urlsafe, padding => false + }), + + ClientContext = oidcc_client_context:from_manual(Configuration, Jwk, ClientId, ClientSecret, #{ + client_jwks => ClientJwk + }), + + AccessTokenRecord = #oidcc_token_access{token = AccessToken, type = <<"DPoP">>}, + + HeaderMap = oidcc_token:authorization_headers(AccessTokenRecord, get, Endpoint, ClientContext), + HeaderMapWithNonce = oidcc_token:authorization_headers( + AccessTokenRecord, post, Endpoint, ClientContext, #{dpop_nonce => <<"dpop_nonce">>} + ), + + ?assertMatch( + #{ + <<"authorization">> := <<"DPoP access_token">>, + <<"dpop">> := _ + }, + HeaderMap + ), + + ?assertMatch( + #{ + <<"authorization">> := <<"DPoP access_token">>, + <<"dpop">> := _ + }, + HeaderMapWithNonce + ), + + #{<<"dpop">> := DpopProof} = HeaderMap, + #{<<"dpop">> := DpopProofWithNonce} = HeaderMapWithNonce, + + ?assertMatch( + {ok, _}, + oidcc_jwt_util:verify_signature(DpopProof, SigningAlg, ClientJwk) + ), + ?assertMatch( + {ok, _}, + oidcc_jwt_util:verify_signature(DpopProofWithNonce, SigningAlg, ClientJwk) + ), + + {ok, {DpopJwt, DpopJws}} = oidcc_jwt_util:verify_signature(DpopProof, SigningAlg, ClientJwk), + {ok, {DpopJwtWithNonce, DpopJwsWithNonce}} = oidcc_jwt_util:verify_signature( + DpopProofWithNonce, SigningAlg, ClientJwk + ), + + ?assertMatch( + #jose_jws{ + fields = #{ + <<"typ">> := <<"dpop+jwt">>, + <<"kid">> := <<"private_kid">>, + <<"jwk">> := ClientPublicJwk + } + }, + DpopJws + ), + ?assertEqual( + DpopJws, + DpopJwsWithNonce + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"jti">> := _, + <<"htm">> := <<"GET">>, + <<"htu">> := Endpoint, + <<"iat">> := _, + <<"exp">> := _, + <<"ath">> := AccessTokenHash + } + }, + DpopJwt + ), + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"jti">> := _, + <<"htm">> := <<"POST">>, + <<"htu">> := Endpoint, + <<"iat">> := _, + <<"exp">> := _, + <<"ath">> := AccessTokenHash, + <<"nonce">> := <<"dpop_nonce">> + } + }, + DpopJwtWithNonce + ), + ok. diff --git a/test/oidcc_userinfo_test.erl b/test/oidcc_userinfo_test.erl index b29a9c9..2aa3bb9 100644 --- a/test/oidcc_userinfo_test.erl +++ b/test/oidcc_userinfo_test.erl @@ -2,6 +2,8 @@ -include_lib("eunit/include/eunit.hrl"). -include_lib("jose/include/jose_jwk.hrl"). +-include_lib("jose/include/jose_jws.hrl"). +-include_lib("jose/include/jose_jwt.hrl"). -include_lib("oidcc/include/oidcc_provider_configuration.hrl"). -include_lib("oidcc/include/oidcc_token.hrl"). @@ -34,7 +36,7 @@ json_test() -> AccessToken = <<"opensesame">>, GoodToken = #oidcc_token{ - access = #oidcc_token_access{token = AccessToken}, + access = AccessTokenRecord = #oidcc_token_access{token = AccessToken}, id = #oidcc_token_id{ token = "id_token", @@ -55,6 +57,12 @@ json_test() -> {ok, #{<<"name">> := <<"joe">>}}, oidcc_userinfo:retrieve(GoodToken, ClientContext, #{}) ), + ?assertMatch( + {ok, #{<<"name">> := <<"joe">>}}, + oidcc_userinfo:retrieve(AccessTokenRecord, ClientContext, #{ + expected_subject => GoodSub + }) + ), ?assertMatch( {ok, #{<<"name">> := <<"joe">>}}, oidcc_userinfo:retrieve( @@ -533,3 +541,386 @@ distributed_claims_invalid_source_mapping_test() -> meck:unload(oidcc_http_util), ok. + +dpop_proof_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, #oidcc_provider_configuration{userinfo_endpoint = UserInfoEndpoint} = Configuration0} = + oidcc_provider_configuration:decode_configuration(jose:decode(ConfigurationBinary)), + + Configuration = Configuration0#oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientJwk = Jwks#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + + ClientContext = oidcc_client_context:from_manual( + Configuration, Jwks, ClientId, ClientSecret, #{client_jwks => ClientJwk} + ), + + HttpBody = <<"{\"name\":\"joe\", \"sub\":\"123456\"}">>, + Sub = <<"123456">>, + AccessToken = <<"opensesame">>, + AccessTokenHash = base64:encode( + crypto:hash(sha256, AccessToken), + #{mode => urlsafe, padding => false} + ), + + HttpFun = + fun(get, {Url, Header}, _HttpOpts, _Opts) -> + Url = UserInfoEndpoint, + {_, Authorization} = + proplists:lookup("authorization", Header), + ?assertEqual( + list_to_binary(Authorization), + list_to_binary([<<"DPoP ">>, AccessToken]) + ), + {_, DpopProof} = proplists:lookup("dpop", Header), + {true, DpopJwt, DpopJws} = jose_jwt:verify( + ClientJwk, DpopProof + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, DpopJws + ), + + #jose_jws{fields = DpopJwsFields} = DpopJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">>, + <<"typ">> := <<"dpop+jwt">>, + <<"jwk">> := _ + }, + DpopJwsFields + ), + + #{<<"jwk">> := DpopPublicKeyMap} = DpopJwsFields, + ?assertEqual( + DpopPublicKeyMap, + element(2, jose_jwk:to_public_map(ClientJwk)) + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"exp">> := _, + <<"iat">> := _, + <<"jti">> := _, + <<"htm">> := <<"GET">>, + <<"htu">> := UserInfoEndpoint, + <<"ath">> := AccessTokenHash + } + }, + DpopJwt + ), + + {ok, {{"HTTP/1.1", 200, "OK"}, [{"content-type", "application/json"}], HttpBody}} + end, + ok = meck:new(httpc), + ok = meck:expect(httpc, request, HttpFun), + + Token = + #oidcc_token{ + access = + #oidcc_token_access{token = AccessToken, type = <<"DPoP">>}, + id = + #oidcc_token_id{ + token = "id_token", + claims = #{<<"sub">> => Sub} + } + }, + + ?assertMatch( + {ok, #{<<"name">> := <<"joe">>}}, + oidcc_userinfo:retrieve(Token, ClientContext, #{}) + ), + + true = meck:validate(httpc), + meck:unload(httpc), + + ok. + +dpop_proof_case_insensitive_token_type_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, #oidcc_provider_configuration{userinfo_endpoint = UserInfoEndpoint} = Configuration0} = + oidcc_provider_configuration:decode_configuration(jose:decode(ConfigurationBinary)), + + Configuration = Configuration0#oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientJwk = Jwks#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + + ClientContext = oidcc_client_context:from_manual( + Configuration, Jwks, ClientId, ClientSecret, #{client_jwks => ClientJwk} + ), + + HttpBody = <<"{\"name\":\"joe\", \"sub\":\"123456\"}">>, + Sub = <<"123456">>, + AccessToken = <<"opensesame">>, + + HttpFun = + fun(get, {Url, Header}, _HttpOpts, _Opts) -> + Url = UserInfoEndpoint, + {_, Authorization} = + proplists:lookup("authorization", Header), + ?assertEqual( + list_to_binary(Authorization), + list_to_binary([<<"dpOp ">>, AccessToken]) + ), + ?assertMatch({_, _}, proplists:lookup("dpop", Header)), + + {ok, {{"HTTP/1.1", 200, "OK"}, [{"content-type", "application/json"}], HttpBody}} + end, + ok = meck:new(httpc), + ok = meck:expect(httpc, request, HttpFun), + + Token = + #oidcc_token{ + access = + #oidcc_token_access{token = AccessToken, type = <<"dpOp">>}, + id = + #oidcc_token_id{ + token = "id_token", + claims = #{<<"sub">> => Sub} + } + }, + + ?assertMatch( + {ok, #{<<"name">> := <<"joe">>}}, + oidcc_userinfo:retrieve(Token, ClientContext, #{}) + ), + + true = meck:validate(httpc), + meck:unload(httpc), + + ok. + +dpop_proof_with_nonce_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, #oidcc_provider_configuration{userinfo_endpoint = UserInfoEndpoint} = Configuration0} = + oidcc_provider_configuration:decode_configuration(jose:decode(ConfigurationBinary)), + + Configuration = Configuration0#oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientJwk = Jwks#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + + ClientContext = oidcc_client_context:from_manual( + Configuration, Jwks, ClientId, ClientSecret, #{client_jwks => ClientJwk} + ), + + HttpBody = <<"{\"name\":\"joe\", \"sub\":\"123456\"}">>, + Sub = <<"123456">>, + AccessToken = <<"opensesame">>, + AccessTokenHash = base64:encode( + crypto:hash(sha256, AccessToken), + #{mode => urlsafe, padding => false} + ), + DpopNonce = <<"dpop_nonce">>, + DpopNonceError = jsx:encode(#{ + <<"error">> => <<"use_dpop_nonce">>, + <<"error_description">> => + <<"Authorization server requires nonce in DPoP proof">> + }), + + HttpFun = + fun(get, {Url, Header}, _HttpOpts, _Opts) -> + Url = UserInfoEndpoint, + {_, Authorization} = + proplists:lookup("authorization", Header), + ?assertEqual( + list_to_binary(Authorization), + list_to_binary([<<"DPoP ">>, AccessToken]) + ), + {_, DpopProof} = proplists:lookup("dpop", Header), + {true, DpopJwt, DpopJws} = jose_jwt:verify( + ClientJwk, DpopProof + ), + + ?assertMatch( + #jose_jws{alg = {_, 'RS256'}}, DpopJws + ), + + #jose_jws{fields = DpopJwsFields} = DpopJws, + ?assertMatch( + #{ + <<"kid">> := <<"private_kid">>, + <<"typ">> := <<"dpop+jwt">>, + <<"jwk">> := _ + }, + DpopJwsFields + ), + + #{<<"jwk">> := DpopPublicKeyMap} = DpopJwsFields, + ?assertEqual( + DpopPublicKeyMap, + element(2, jose_jwk:to_public_map(ClientJwk)) + ), + + ?assertMatch( + #jose_jwt{ + fields = #{ + <<"exp">> := _, + <<"iat">> := _, + <<"jti">> := _, + <<"htm">> := <<"GET">>, + <<"htu">> := UserInfoEndpoint, + <<"ath">> := AccessTokenHash + } + }, + DpopJwt + ), + + case DpopJwt of + #jose_jwt{fields = #{<<"nonce">> := DpopNonce}} -> + {ok, { + {"HTTP/1.1", 200, "OK"}, [{"content-type", "application/json"}], HttpBody + }}; + _ -> + {ok, { + {"HTTP/1.1", 400, "Bad Request"}, + [{"content-type", "application/json"}, {"dpop-nonce", DpopNonce}], + DpopNonceError + }} + end + end, + ok = meck:new(httpc), + ok = meck:expect(httpc, request, HttpFun), + + Token = + #oidcc_token{ + access = + #oidcc_token_access{token = AccessToken, type = <<"DPoP">>}, + id = + #oidcc_token_id{ + token = "id_token", + claims = #{<<"sub">> => Sub} + } + }, + + ?assertMatch( + {ok, #{<<"name">> := <<"joe">>}}, + oidcc_userinfo:retrieve(Token, ClientContext, #{}) + ), + + true = meck:validate(httpc), + meck:unload(httpc), + + ok. + +dpop_proof_with_invalid_nonce_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration0} = + oidcc_provider_configuration:decode_configuration(jose:decode(ConfigurationBinary)), + + Configuration = Configuration0#oidcc_provider_configuration{ + dpop_signing_alg_values_supported = [<<"RS256">>] + }, + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientJwk = Jwks#jose_jwk{ + fields = #{<<"kid">> => <<"private_kid">>, <<"use">> => <<"sig">>} + }, + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + + ClientContext = oidcc_client_context:from_manual( + Configuration, Jwks, ClientId, ClientSecret, #{client_jwks => ClientJwk} + ), + + Sub = <<"123456">>, + AccessToken = <<"opensesame">>, + DpopNonce = <<"dpop_nonce">>, + DpopNonceError = jsx:encode(#{ + <<"error">> => <<"use_dpop_nonce">>, + <<"error_description">> => + <<"Authorization server requires nonce in DPoP proof">> + }), + + HttpFun = + fun(get, _UrlHeader, _HttpOpts, _Opts) -> + {ok, { + {"HTTP/1.1", 400, "Bad Request"}, + [{"content-type", "application/json"}, {"dpop-nonce", DpopNonce}], + DpopNonceError + }} + end, + ok = meck:new(httpc), + ok = meck:expect(httpc, request, HttpFun), + + Token = + #oidcc_token{ + access = + #oidcc_token_access{token = AccessToken, type = <<"DPoP">>}, + id = + #oidcc_token_id{ + token = "id_token", + claims = #{<<"sub">> => Sub} + } + }, + + ?assertMatch( + {error, _}, + oidcc_userinfo:retrieve(Token, ClientContext, #{dpop_nonce => <<"invalid_nonce">>}) + ), + + true = meck:validate(httpc), + meck:unload(httpc), + + ok. + +retrieve_no_access_token_test() -> + PrivDir = code:priv_dir(oidcc), + + {ok, ConfigurationBinary} = file:read_file(PrivDir ++ "/test/fixtures/example-metadata.json"), + {ok, Configuration} = + oidcc_provider_configuration:decode_configuration(jose:decode(ConfigurationBinary)), + + Jwks = jose_jwk:from_pem_file(PrivDir ++ "/test/fixtures/jwk.pem"), + + ClientId = <<"client_id">>, + ClientSecret = <<"client_secret">>, + + ClientContext = oidcc_client_context:from_manual( + Configuration, Jwks, ClientId, ClientSecret + ), + + Token = #oidcc_token{ + access = none, + id = #oidcc_token_id{} + }, + + ?assertMatch( + {error, no_access_token}, + oidcc_userinfo:retrieve(Token, ClientContext, #{}) + ), + + ok.