|
1
|
|
|
package openid // OpenID Connect authentication package |
|
2
|
|
|
import ( // Package imports |
|
3
|
|
|
"context" // Context for request cancellation and deadlines |
|
4
|
|
|
"encoding/json" |
|
5
|
|
|
"errors" |
|
6
|
|
|
"fmt" // formatting package for error messages |
|
7
|
|
|
"io" |
|
8
|
|
|
"log/slog" |
|
9
|
|
|
"net/http" // HTTP client and server implementations |
|
10
|
|
|
"strings" |
|
11
|
|
|
"sync" |
|
12
|
|
|
"time" |
|
13
|
|
|
|
|
14
|
|
|
// JWT package |
|
15
|
|
|
"github.com/golang-jwt/jwt/v4" |
|
16
|
|
|
grpcauth "github.com/grpc-ecosystem/go-grpc-middleware/auth" |
|
17
|
|
|
"github.com/hashicorp/go-retryablehttp" |
|
18
|
|
|
|
|
19
|
|
|
// JWT key sets |
|
20
|
|
|
"github.com/lestrrat-go/jwx/jwk" // JWT key sets |
|
21
|
|
|
// Internal packages |
|
22
|
|
|
"github.com/Permify/permify/internal/config" // internal configuration |
|
23
|
|
|
base "github.com/Permify/permify/pkg/pb/base/v1" // Base protobuf definitions |
|
24
|
|
|
) // End of imports |
|
25
|
|
|
|
|
26
|
|
|
type Authn struct { |
|
27
|
|
|
// URL of the issuer. This is typically the base URL of the identity provider. |
|
28
|
|
|
IssuerURL string |
|
29
|
|
|
// Audience for which the token is intended. It must match the audience in the JWT. |
|
30
|
|
|
Audience string |
|
31
|
|
|
// URL of the JSON Web Key Set (JWKS). This URL hosts public keys used to verify JWT signatures. |
|
32
|
|
|
JwksURI string |
|
33
|
|
|
// Pointer to an AutoRefresh object from the JWKS library. It helps in automatically refreshing the JWKS at predefined intervals. |
|
34
|
|
|
jwksSet *jwk.AutoRefresh |
|
35
|
|
|
// List of valid signing methods. Specifies which signing algorithms are considered valid for the JWTs. |
|
36
|
|
|
validMethods []string |
|
37
|
|
|
// Pointer to a JWT parser object. This is used to parse and validate the JWT tokens. |
|
38
|
|
|
jwtParser *jwt.Parser |
|
39
|
|
|
// Duration of the interval between retries for the backoff policy. |
|
40
|
|
|
backoffInterval time.Duration |
|
41
|
|
|
// Maximum number of retries for the backoff policy. |
|
42
|
|
|
backoffMaxRetries int |
|
43
|
|
|
|
|
44
|
|
|
backoffFrequency time.Duration |
|
45
|
|
|
|
|
46
|
|
|
// Global backoff state for tracking retry attempts across concurrent requests |
|
47
|
|
|
globalRetryCount int |
|
48
|
|
|
globalFirstSeen time.Time |
|
49
|
|
|
retriedKeys map[string]bool |
|
50
|
|
|
mutex sync.Mutex // protects concurrent access to retry state |
|
51
|
|
|
} // End of Authn struct |
|
52
|
|
|
// NewOidcAuthn creates a new OIDC authenticator |
|
53
|
|
|
// NewOidcAuthn initializes a new instance of the Authn struct with OpenID Connect (OIDC) configuration. |
|
54
|
|
|
|
|
55
|
|
|
// It takes in a context for managing cancellation and a configuration object. It returns a pointer to an Authn instance or an error. |
|
56
|
|
|
func NewOidcAuthn(ctx context.Context, conf config.Oidc) (*Authn, error) { |
|
57
|
|
|
// Create a new HTTP client with retry capabilities. This client is used for making HTTP requests, particularly for fetching OIDC configuration. |
|
58
|
|
|
client := retryablehttp.NewClient() |
|
59
|
|
|
client.Logger = SlogAdapter{Logger: slog.Default()} |
|
60
|
|
|
|
|
61
|
|
|
// Fetch the OIDC configuration from the issuer's well-known configuration endpoint. |
|
62
|
|
|
oidcConf, err := fetchOIDCConfiguration(client.StandardClient(), strings.TrimSuffix(conf.Issuer, "/")+"/.well-known/openid-configuration") |
|
63
|
|
|
if err != nil { |
|
64
|
|
|
// If there is an error fetching the OIDC configuration, return nil and the error. |
|
65
|
|
|
return nil, fmt.Errorf("failed to fetch OIDC configuration: %w", err) |
|
|
|
|
|
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
|
|
// Set up automatic refresh of the JSON Web Key Set (JWKS) to ensure the public keys are always up-to-date. |
|
69
|
|
|
autoRefresh := jwk.NewAutoRefresh(ctx) // Create a new AutoRefresh instance for the JWKS. |
|
70
|
|
|
autoRefresh.Configure(oidcConf.JWKsURI, jwk.WithHTTPClient(client.StandardClient()), jwk.WithRefreshInterval(conf.RefreshInterval)) // Configure the auto-refresh parameters. |
|
71
|
|
|
|
|
72
|
|
|
// Validate and set backoffInterval, backoffMaxRetries, and backoffFrequency |
|
73
|
|
|
backoffInterval := conf.BackoffInterval |
|
74
|
|
|
if backoffInterval <= 0 { |
|
75
|
|
|
return nil, errors.New("invalid or missing backoffInterval") |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
backoffMaxRetries := conf.BackoffMaxRetries |
|
79
|
|
|
if backoffMaxRetries <= 0 { |
|
80
|
|
|
return nil, errors.New("invalid or missing backoffMaxRetries") |
|
81
|
|
|
} |
|
82
|
|
|
|
|
83
|
|
|
backoffFrequency := conf.BackoffFrequency |
|
84
|
|
|
if backoffFrequency <= 0 { |
|
85
|
|
|
return nil, errors.New("invalid or missing backoffFrequency") |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
|
|
// Initialize the Authn struct with the OIDC configuration details and other relevant settings. |
|
89
|
|
|
oidc := &Authn{ |
|
90
|
|
|
IssuerURL: conf.Issuer, // URL of the token issuer. |
|
91
|
|
|
Audience: conf.Audience, // Intended audience of the token. |
|
92
|
|
|
JwksURI: oidcConf.JWKsURI, // URL of the JWKS endpoint. |
|
93
|
|
|
validMethods: conf.ValidMethods, // List of acceptable signing methods for the tokens. |
|
94
|
|
|
jwtParser: jwt.NewParser(jwt.WithValidMethods(conf.ValidMethods)), // JWT parser configured with the valid signing methods. |
|
95
|
|
|
jwksSet: autoRefresh, // Set the JWKS auto-refresh instance. |
|
96
|
|
|
backoffInterval: backoffInterval, |
|
97
|
|
|
backoffMaxRetries: backoffMaxRetries, |
|
98
|
|
|
backoffFrequency: backoffFrequency, |
|
99
|
|
|
globalRetryCount: 0, |
|
100
|
|
|
retriedKeys: make(map[string]bool), |
|
101
|
|
|
globalFirstSeen: time.Time{}, |
|
102
|
|
|
mutex: sync.Mutex{}, |
|
103
|
|
|
} |
|
104
|
|
|
|
|
105
|
|
|
// Attempt to fetch the JWKS immediately to ensure it's available and valid. |
|
106
|
|
|
if _, err := oidc.jwksSet.Fetch(ctx, oidc.JwksURI); err != nil { |
|
107
|
|
|
// If there is an error fetching the JWKS, return nil and the error. |
|
108
|
|
|
return nil, fmt.Errorf("failed to fetch JWKS: %w", err) |
|
|
|
|
|
|
109
|
|
|
} // End of JWKS fetch error handling |
|
110
|
|
|
// Return the initialized OIDC authentication object and no error. |
|
111
|
|
|
|
|
112
|
|
|
return oidc, nil // Successfully initialized |
|
113
|
|
|
} // End of NewOidcAuthn |
|
114
|
|
|
// Authenticate validates the JWT token found in the authorization header of the incoming request. |
|
115
|
|
|
|
|
116
|
|
|
// It uses the OIDC configuration to validate the token against the issuer's public keys. |
|
117
|
|
|
func (oidc *Authn) Authenticate(ctx context.Context) error { |
|
118
|
|
|
// Extract the authorization header from the metadata of the incoming gRPC request. |
|
119
|
|
|
authHeader, err := grpcauth.AuthFromMD(ctx, "Bearer") |
|
120
|
|
|
if err != nil { // Check for authentication errors |
|
121
|
|
|
// Log the error if the authorization header is missing or does not start with "Bearer" |
|
122
|
|
|
slog.Error("failed to extract authorization header from gRPC request", "error", err) |
|
123
|
|
|
// Return an error indicating the missing or incorrect bearer token |
|
124
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_MISSING_BEARER_TOKEN.String()) |
|
125
|
|
|
} // End of auth header error handling |
|
126
|
|
|
// Log the successful extraction of the authorization header for debugging purposes. |
|
127
|
|
|
|
|
128
|
|
|
// Remember, do not log the actual content of authHeader as it might contain sensitive information. |
|
129
|
|
|
slog.Debug("Successfully extracted authorization header from gRPC request") |
|
130
|
|
|
|
|
131
|
|
|
// Parse and validate the JWT token extracted from the authorization header. |
|
132
|
|
|
parsedToken, err := oidc.jwtParser.Parse(authHeader, func(token *jwt.Token) (interface{}, error) { |
|
133
|
|
|
slog.Info("starting JWT parsing and validation.") |
|
134
|
|
|
|
|
135
|
|
|
// Retrieve the key ID from the JWT header and find the corresponding key in the JWKS. |
|
136
|
|
|
keyID, ok := token.Header["kid"].(string) |
|
137
|
|
|
if ok { // Key ID found in token header |
|
138
|
|
|
return oidc.getKeyWithRetry(ctx, keyID) |
|
139
|
|
|
} // End of key ID check |
|
140
|
|
|
slog.Error("jwt does not contain a key ID") |
|
141
|
|
|
// If the JWT does not contain a key ID, return an error. |
|
142
|
|
|
return nil, errors.New("kid must be specified in the token header") |
|
143
|
|
|
}) |
|
144
|
|
|
if err != nil { // Check for parsing errors |
|
145
|
|
|
// Log that the token parsing or validation failed |
|
146
|
|
|
slog.Error("token parsing or validation failed", "error", err) |
|
147
|
|
|
// If token parsing or validation fails, return an error indicating the token is invalid. |
|
148
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_INVALID_BEARER_TOKEN.String()) |
|
149
|
|
|
} |
|
150
|
|
|
|
|
151
|
|
|
// Ensure the token is valid. |
|
152
|
|
|
if !parsedToken.Valid { |
|
153
|
|
|
// Log that the parsed token was not valid |
|
154
|
|
|
slog.Warn("parsed token is invalid") |
|
155
|
|
|
// Return an error indicating the invalid token |
|
156
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_INVALID_BEARER_TOKEN.String()) |
|
157
|
|
|
} |
|
158
|
|
|
|
|
159
|
|
|
// Extract the claims from the token. |
|
160
|
|
|
claims, ok := parsedToken.Claims.(jwt.MapClaims) |
|
161
|
|
|
if !ok { |
|
162
|
|
|
// Log that the claims were in an incorrect format |
|
163
|
|
|
slog.Warn("token claims are in an incorrect format") |
|
164
|
|
|
// Return an error |
|
165
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_INVALID_CLAIMS.String()) |
|
166
|
|
|
} |
|
167
|
|
|
|
|
168
|
|
|
slog.Debug("extracted token claims", "claims", claims) |
|
169
|
|
|
|
|
170
|
|
|
// Verify the issuer of the token matches the expected issuer. |
|
171
|
|
|
if ok := claims.VerifyIssuer(oidc.IssuerURL, true); !ok { |
|
172
|
|
|
// Log that the issuer did not match the expected issuer |
|
173
|
|
|
slog.Warn("token issuer is invalid", "expected", oidc.IssuerURL, "actual", claims["iss"]) |
|
174
|
|
|
// Return an error |
|
175
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_INVALID_ISSUER.String()) |
|
176
|
|
|
} // End of issuer verification |
|
177
|
|
|
// Verify the audience of the token matches the expected audience. |
|
178
|
|
|
|
|
179
|
|
|
if ok := claims.VerifyAudience(oidc.Audience, true); !ok { |
|
180
|
|
|
// Log that the audience did not match the expected audience |
|
181
|
|
|
slog.Warn("token audience is invalid", "expected", oidc.Audience, "actual", claims["aud"]) |
|
182
|
|
|
// Return an error |
|
183
|
|
|
return errors.New(base.ErrorCode_ERROR_CODE_INVALID_AUDIENCE.String()) |
|
184
|
|
|
} // End of audience verification |
|
185
|
|
|
|
|
186
|
|
|
// Log that the token's issuer and audience were successfully validated |
|
187
|
|
|
slog.Info("token validation succeeded") |
|
188
|
|
|
|
|
189
|
|
|
// If all validations pass, return nil indicating the token is valid. |
|
190
|
|
|
return nil // Token is valid |
|
191
|
|
|
} // End of Authenticate |
|
192
|
|
|
// getKeyWithRetry attempts to retrieve the key for the given keyID with retries using a custom backoff strategy. |
|
193
|
|
|
|
|
194
|
|
|
// This function uses a global backoff strategy to prevent excessive retries across concurrent requests. |
|
195
|
|
|
func (oidc *Authn) getKeyWithRetry( |
|
196
|
|
|
ctx context.Context, |
|
197
|
|
|
keyID string, |
|
198
|
|
|
) (interface{}, error) { |
|
199
|
|
|
var raw interface{} |
|
200
|
|
|
var err error |
|
201
|
|
|
|
|
202
|
|
|
oidc.mutex.Lock() |
|
203
|
|
|
now := time.Now() |
|
204
|
|
|
|
|
205
|
|
|
// Reset global state if the interval has passed |
|
206
|
|
|
if oidc.globalFirstSeen.IsZero() || time.Since(oidc.globalFirstSeen) >= oidc.backoffInterval { |
|
207
|
|
|
slog.Info("resetting state as interval has passed or first seen is zero", "keyID", keyID) |
|
208
|
|
|
oidc.globalFirstSeen = now |
|
209
|
|
|
oidc.globalRetryCount = 0 |
|
210
|
|
|
oidc.retriedKeys = make(map[string]bool) |
|
211
|
|
|
} else if oidc.globalRetryCount >= oidc.backoffMaxRetries { |
|
212
|
|
|
// If max retries reached within the interval, unlock and check keyID once |
|
213
|
|
|
slog.Warn("max retries reached within interval, will check keyID once", "keyID", keyID) |
|
214
|
|
|
oidc.mutex.Unlock() |
|
215
|
|
|
|
|
216
|
|
|
// Try to fetch the keyID once |
|
217
|
|
|
raw, err = oidc.fetchKey(ctx, keyID) |
|
218
|
|
|
if err == nil { // Successfully fetched the key |
|
219
|
|
|
oidc.mutex.Lock() |
|
220
|
|
|
if _, wasRetried := oidc.retriedKeys[keyID]; wasRetried { |
|
221
|
|
|
// Reset global backoff state if a valid key is found and that key had been previously retried |
|
222
|
|
|
// Use case: prevents malicious keyIDs from blocking valid keyIDs |
|
223
|
|
|
// The valid KeyID should not reset counters for invalid keys |
|
224
|
|
|
slog.Info("valid key found in backoff period, resetting global state", "keyID", keyID) |
|
225
|
|
|
oidc.globalRetryCount = 0 // Reset retry counter |
|
226
|
|
|
oidc.globalFirstSeen = time.Time{} // Reset timestamp |
|
227
|
|
|
oidc.retriedKeys = make(map[string]bool) // Clear retried keys |
|
228
|
|
|
} // End of retried key check |
|
229
|
|
|
oidc.mutex.Unlock() // Release the lock |
|
230
|
|
|
return raw, nil |
|
231
|
|
|
} |
|
232
|
|
|
|
|
233
|
|
|
// Log the failure and return an error if keyID is not found |
|
234
|
|
|
slog.Error("failed to fetch key during backoff period", "keyID", keyID, "error", err) |
|
235
|
|
|
return nil, errors.New("too many attempts, backoff in effect") |
|
236
|
|
|
} |
|
237
|
|
|
oidc.mutex.Unlock() |
|
238
|
|
|
|
|
239
|
|
|
// Retry mechanism |
|
240
|
|
|
retries := 0 |
|
241
|
|
|
for retries <= oidc.backoffMaxRetries { |
|
242
|
|
|
raw, err = oidc.fetchKey(ctx, keyID) |
|
243
|
|
|
if err == nil { // Key successfully retrieved |
|
244
|
|
|
if retries != 0 { // Reset state if retry was successful |
|
245
|
|
|
oidc.mutex.Lock() |
|
246
|
|
|
oidc.globalRetryCount = 0 // Reset global counter |
|
247
|
|
|
oidc.globalFirstSeen = time.Time{} // Reset first seen time |
|
248
|
|
|
oidc.retriedKeys = make(map[string]bool) // Clear retry tracking |
|
249
|
|
|
oidc.mutex.Unlock() |
|
250
|
|
|
} // End of retry state reset |
|
251
|
|
|
return raw, nil // Return the successfully fetched key |
|
252
|
|
|
} // End of successful key retrieval |
|
253
|
|
|
oidc.mutex.Lock() |
|
254
|
|
|
snapshotCount := oidc.globalRetryCount |
|
255
|
|
|
oidc.retriedKeys[keyID] = true |
|
256
|
|
|
if oidc.globalRetryCount > oidc.backoffMaxRetries { // Check if max retries exceeded |
|
257
|
|
|
slog.Error("key ID not found in JWKS due to exceeding global retries", "keyID", keyID, "globalRetryCount", oidc.globalRetryCount) |
|
258
|
|
|
oidc.mutex.Unlock() // Unlock before returning |
|
259
|
|
|
return nil, errors.New("too many retry attempts, backoff policy active due to global retry limit") |
|
260
|
|
|
} // End of max retries check |
|
261
|
|
|
oidc.mutex.Unlock() // Release mutex |
|
262
|
|
|
if retries > 0 { // Wait before retry |
|
263
|
|
|
select { |
|
264
|
|
|
case <-time.After(oidc.backoffFrequency): |
|
265
|
|
|
// Log the wait before retrying |
|
266
|
|
|
slog.Info("waiting before retrying", "keyID", keyID, "retries", retries) |
|
267
|
|
|
case <-ctx.Done(): |
|
268
|
|
|
slog.Error("context cancelled during retry", "keyID", keyID) |
|
269
|
|
|
return nil, ctx.Err() |
|
270
|
|
|
} |
|
271
|
|
|
} |
|
272
|
|
|
|
|
273
|
|
|
oidc.mutex.Lock() |
|
274
|
|
|
if oidc.globalRetryCount > snapshotCount { // Another goroutine already refreshed |
|
275
|
|
|
// Another concurrent request in retry loop has already refreshed the JWKS |
|
276
|
|
|
retries++ // Increment local attempt counter |
|
277
|
|
|
slog.Warn("concurrent request has already refreshed JWKS, skipping refresh") |
|
278
|
|
|
oidc.mutex.Unlock() // Unlock and continue |
|
279
|
|
|
continue // Skip to next iteration |
|
280
|
|
|
} |
|
281
|
|
|
|
|
282
|
|
|
oidc.globalRetryCount++ // Increment the global retry counter |
|
283
|
|
|
slog.Warn("retrying to fetch JWKS due to error", "keyID", keyID, "retries", retries, "error", err) |
|
284
|
|
|
retries++ // Increment retry counter |
|
285
|
|
|
|
|
286
|
|
|
if _, err := oidc.jwksSet.Refresh(ctx, oidc.JwksURI); err != nil { |
|
287
|
|
|
oidc.mutex.Unlock() |
|
288
|
|
|
slog.Error("failed to refresh JWKS", "error", err) |
|
289
|
|
|
return nil, err |
|
290
|
|
|
} |
|
291
|
|
|
// Unlock after Refresh to prevent concurrent duplicate refresh calls |
|
292
|
|
|
oidc.mutex.Unlock() // Release lock after successful refresh |
|
293
|
|
|
} |
|
294
|
|
|
|
|
295
|
|
|
// Mark the global state to prevent further retries for the backoff interval |
|
296
|
|
|
oidc.mutex.Lock() |
|
297
|
|
|
if time.Since(oidc.globalFirstSeen) < oidc.backoffInterval { |
|
298
|
|
|
slog.Warn("marking state to prevent further retries", "keyID", keyID) |
|
299
|
|
|
oidc.globalRetryCount = oidc.backoffMaxRetries |
|
300
|
|
|
} |
|
301
|
|
|
oidc.mutex.Unlock() |
|
302
|
|
|
|
|
303
|
|
|
slog.Error("key ID not found in JWKS after retries", "keyID", keyID) |
|
304
|
|
|
return nil, errors.New("key ID not found in JWKS after retries") |
|
305
|
|
|
} |
|
306
|
|
|
|
|
307
|
|
|
// fetchKey attempts to fetch the JWKS and retrieve the key for the given keyID. |
|
308
|
|
|
// It fetches from the configured JWKS URI and looks up the key by its ID. |
|
309
|
|
|
func (oidc *Authn) fetchKey( |
|
310
|
|
|
ctx context.Context, |
|
311
|
|
|
keyID string, |
|
312
|
|
|
) (interface{}, error) { |
|
313
|
|
|
// Log the attempt to find the key in JWKS |
|
314
|
|
|
slog.DebugContext(ctx, "attempting to find key in JWKS", "kid", keyID) |
|
315
|
|
|
|
|
316
|
|
|
// Fetch the JWKS from the configured URI |
|
317
|
|
|
jwks, err := oidc.jwksSet.Fetch(ctx, oidc.JwksURI) |
|
318
|
|
|
if err != nil { // Check for fetch errors |
|
319
|
|
|
// Log an error and return if fetching fails |
|
320
|
|
|
slog.Error("failed to fetch JWKS", "uri", oidc.JwksURI, "error", err) |
|
321
|
|
|
return nil, fmt.Errorf("failed to fetch JWKS: %w", err) |
|
|
|
|
|
|
322
|
|
|
} |
|
323
|
|
|
|
|
324
|
|
|
// Log a successful fetch of the JWKS |
|
325
|
|
|
slog.InfoContext(ctx, "successfully fetched JWKS") |
|
326
|
|
|
|
|
327
|
|
|
// Attempt to find the key in the fetched JWKS using the key ID |
|
328
|
|
|
if key, found := jwks.LookupKeyID(keyID); found { |
|
329
|
|
|
var k interface{} // Variable to hold the raw key |
|
330
|
|
|
// Convert the key to a usable format |
|
331
|
|
|
if err := key.Raw(&k); err != nil { |
|
332
|
|
|
slog.ErrorContext(ctx, "failed to get raw public key", "kid", keyID, "error", err) |
|
333
|
|
|
return nil, fmt.Errorf("failed to get raw public key: %w", err) |
|
|
|
|
|
|
334
|
|
|
} |
|
335
|
|
|
// Log a successful retrieval of the raw public key |
|
336
|
|
|
slog.DebugContext(ctx, "successfully obtained raw public key", "key", k) |
|
337
|
|
|
return k, nil // Return the public key for JWT signature verification |
|
338
|
|
|
} |
|
339
|
|
|
// Log an error if the key ID is not found in the JWKS |
|
340
|
|
|
slog.ErrorContext(ctx, "key ID not found in JWKS", "kid", keyID) |
|
341
|
|
|
return nil, fmt.Errorf("kid %s not found", keyID) |
|
342
|
|
|
} |
|
343
|
|
|
|
|
344
|
|
|
// Config holds OpenID Connect (OIDC) configuration details. |
|
345
|
|
|
type Config struct { |
|
346
|
|
|
// Issuer is the OIDC provider's unique identifier URL. |
|
347
|
|
|
Issuer string `json:"issuer"` |
|
348
|
|
|
// JWKsURI is the URL to the JSON Web Key Set (JWKS) provided by the OIDC issuer. |
|
349
|
|
|
JWKsURI string `json:"jwks_uri"` |
|
350
|
|
|
} |
|
351
|
|
|
|
|
352
|
|
|
// fetchOIDCConfiguration sends an HTTP request to the given URL to fetch the OpenID Connect (OIDC) configuration. |
|
353
|
|
|
// It requires an HTTP client and the URL from which to fetch the configuration. |
|
354
|
|
|
func fetchOIDCConfiguration(client *http.Client, url string) (*Config, error) { |
|
355
|
|
|
// Send an HTTP GET request to the provided URL to fetch the OIDC configuration. |
|
356
|
|
|
// This typically points to the well-known configuration endpoint of the OIDC provider. |
|
357
|
|
|
body, err := doHTTPRequest(client, url) |
|
358
|
|
|
if err != nil { |
|
359
|
|
|
// If there is an error in fetching the configuration (network error, bad response, etc.), return nil and the error. |
|
360
|
|
|
return nil, err |
|
361
|
|
|
} // End of HTTP request error handling |
|
362
|
|
|
|
|
363
|
|
|
// Parse the JSON response body into an OIDC Config struct. |
|
364
|
|
|
// This involves unmarshalling the JSON into a struct that matches the expected fields of the OIDC configuration. |
|
365
|
|
|
oidcConfig, err := parseOIDCConfiguration(body) |
|
366
|
|
|
if err != nil { |
|
367
|
|
|
return nil, err |
|
368
|
|
|
} |
|
369
|
|
|
|
|
370
|
|
|
// Return the parsed OIDC configuration and nil as the error (indicating success). |
|
371
|
|
|
return oidcConfig, nil |
|
372
|
|
|
} |
|
373
|
|
|
|
|
374
|
|
|
// doHTTPRequest makes an HTTP GET request to the specified URL and returns the response body. |
|
375
|
|
|
// It handles HTTP errors and logs the request execution process. |
|
376
|
|
|
func doHTTPRequest(client *http.Client, url string) ([]byte, error) { |
|
377
|
|
|
// Log the attempt to create a new HTTP GET request |
|
378
|
|
|
slog.Debug("creating new HTTP GET request", "url", url) |
|
379
|
|
|
|
|
380
|
|
|
// Create a new HTTP GET request. |
|
381
|
|
|
req, err := http.NewRequest("GET", url, nil) |
|
382
|
|
|
if err != nil { |
|
383
|
|
|
slog.Error("failed to create HTTP request", "url", url, "error", err) |
|
384
|
|
|
return nil, fmt.Errorf("failed to create HTTP request for OIDC configuration: %w", err) |
|
|
|
|
|
|
385
|
|
|
} |
|
386
|
|
|
|
|
387
|
|
|
// Log the execution of the HTTP request |
|
388
|
|
|
slog.Debug("executing HTTP request", "url", url) |
|
389
|
|
|
|
|
390
|
|
|
// Send the request using the configured HTTP client. |
|
391
|
|
|
res, err := client.Do(req) |
|
392
|
|
|
if err != nil { |
|
393
|
|
|
// Log the error if executing the HTTP request fails |
|
394
|
|
|
slog.Error("failed to execute HTTP request", "url", url, "error", err) |
|
395
|
|
|
return nil, fmt.Errorf("failed to execute HTTP request for OIDC configuration: %w", err) |
|
|
|
|
|
|
396
|
|
|
} |
|
397
|
|
|
|
|
398
|
|
|
// Log the HTTP status code of the response |
|
399
|
|
|
slog.Debug("received HTTP response", "status_code", res.StatusCode, "url", url) |
|
400
|
|
|
|
|
401
|
|
|
// Ensure the response body is closed after reading. |
|
402
|
|
|
defer res.Body.Close() |
|
403
|
|
|
|
|
404
|
|
|
// Check if the HTTP status code indicates success. |
|
405
|
|
|
if res.StatusCode != http.StatusOK { |
|
406
|
|
|
slog.Warn("received unexpected status code", "status_code", res.StatusCode, "url", url) |
|
407
|
|
|
return nil, fmt.Errorf("received unexpected status code (%d) while fetching OIDC configuration", res.StatusCode) |
|
408
|
|
|
} |
|
409
|
|
|
|
|
410
|
|
|
// Log the attempt to read the response body |
|
411
|
|
|
slog.Debug("reading response body", "url", url) |
|
412
|
|
|
|
|
413
|
|
|
// Read the response body. |
|
414
|
|
|
body, err := io.ReadAll(res.Body) |
|
415
|
|
|
if err != nil { |
|
416
|
|
|
slog.Error("failed to read response body", "url", url, "error", err) |
|
417
|
|
|
return nil, fmt.Errorf("failed to read response body from OIDC configuration request: %w", err) |
|
|
|
|
|
|
418
|
|
|
} |
|
419
|
|
|
|
|
420
|
|
|
// Log the successful retrieval of the response body |
|
421
|
|
|
slog.Debug("successfully read response body", "url", url, "response_length", len(body)) |
|
422
|
|
|
|
|
423
|
|
|
// Return the response body. |
|
424
|
|
|
return body, nil |
|
425
|
|
|
} |
|
426
|
|
|
|
|
427
|
|
|
// parseOIDCConfiguration decodes the OIDC configuration from the given JSON body. |
|
428
|
|
|
// It validates that required fields like Issuer and JWKsURI are present. |
|
429
|
|
|
func parseOIDCConfiguration(body []byte) (*Config, error) { |
|
430
|
|
|
var oidcConfig Config |
|
431
|
|
|
// Attempt to unmarshal the JSON body into the oidcConfig struct. |
|
432
|
|
|
if err := json.Unmarshal(body, &oidcConfig); err != nil { |
|
433
|
|
|
slog.Error("failed to unmarshal OIDC configuration", "error", err) |
|
434
|
|
|
return nil, fmt.Errorf("failed to decode OIDC configuration: %w", err) |
|
|
|
|
|
|
435
|
|
|
} |
|
436
|
|
|
// Log the successful decoding of OIDC configuration |
|
437
|
|
|
slog.Debug("successfully decoded OIDC configuration") |
|
438
|
|
|
|
|
439
|
|
|
if oidcConfig.Issuer == "" { |
|
440
|
|
|
slog.Warn("missing issuer value in OIDC configuration") |
|
441
|
|
|
return nil, errors.New("issuer value is required but missing in OIDC configuration") |
|
442
|
|
|
} |
|
443
|
|
|
|
|
444
|
|
|
if oidcConfig.JWKsURI == "" { |
|
445
|
|
|
slog.Warn("missing JWKsURI value in OIDC configuration") |
|
446
|
|
|
return nil, errors.New("JWKsURI value is required but missing in OIDC configuration") |
|
447
|
|
|
} |
|
448
|
|
|
|
|
449
|
|
|
// Log the successful parsing of the OIDC configuration |
|
450
|
|
|
slog.Info("successfully parsed OIDC configuration", "issuer", oidcConfig.Issuer, "jwks_uri", oidcConfig.JWKsURI) |
|
451
|
|
|
|
|
452
|
|
|
// Return the successfully parsed configuration. |
|
453
|
|
|
return &oidcConfig, nil |
|
454
|
|
|
} |
|
455
|
|
|
|
Permify /
permify
Loading history...