| author | jwijenbergh <jeroenwijenbergh@protonmail.com> | 2023-12-07 15:12:37 +0100 |
|---|---|---|
| committer | Jeroen Wijenbergh <46386452+jwijenbergh@users.noreply.github.com> | 2023-12-08 19:25:42 +0100 |
| commit | 790afc80bff8d76555448773e021386d8e6d1586 (patch) | |
| tree | 9d8ace9ab69fcd92de08e43192e5e1e77d7acfad | |
| parent | 7f2fed4ead6ebdcd3c05d1d3f76b92abd6c3c917 (diff) | |
OAuth: Remove ISS check
Too many issues with upstream servers. Needs disco v3 changes
| -rw-r--r-- | client/client_test.go | 8 | ||||
| -rw-r--r-- | internal/oauth/oauth.go | 17 | ||||
| -rw-r--r-- | internal/oauth/oauth_test.go | 6 | ||||
| -rw-r--r-- | internal/server/instituteaccess.go | 2 | ||||
| -rw-r--r-- | internal/server/secureinternet.go | 2 |
5 files changed, 5 insertions, 30 deletions
diff --git a/client/client_test.go b/client/client_test.go
index b39b289..15b81a1 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -191,7 +191,6 @@ func TestConnectOAuthParameters(t *testing.T) {
 const (
 callbackParameterErrorPrefix = "failed retrieving parameter '"
 callbackStateMatchErrorPrefix = "failed matching state"
- callbackISSMatchErrorPrefix = "failed matching ISS"
 )
 serverURI := getServerURI(t)
@@ -208,12 +207,7 @@ func TestConnectOAuthParameters(t *testing.T) {
 // invalid state
 {
 callbackStateMatchErrorPrefix,
- httpw.URLParameters{"iss": iss, "code": "42", "state": "21"},
- },
- // invalid iss
- {
- callbackISSMatchErrorPrefix,
- httpw.URLParameters{"iss": "37", "code": "42", "state": "21"},
+ httpw.URLParameters{"code": "42", "state": "21"},
 },
 }
diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go
index f2e7719..80aac73 100644
--- a/internal/oauth/oauth.go
+++ b/internal/oauth/oauth.go
@@ -2,7 +2,6 @@
 // However, we try to follow some recommendations from the v2.1 oauth draft RFC
 // Some specific things we implement here:
 // - PKCE (RFC 7636)
-// - ISS (RFC 9207)
 package oauth
 import (
@@ -82,9 +81,6 @@ type OAuth struct {
 // The HTTP client that is used
 httpClient *httpw.Client
- // ISS indicates the issuer identifier of the authorization server as defined in RFC 9207
- ISS string `json:"iss"`
-
 // BaseAuthorizationURL is the URL where authorization should take place
 BaseAuthorizationURL string `json:"base_authorization_url"`
@@ -104,9 +100,6 @@ type exchangeSession struct {
 // ClientID is the ID of the OAuth client
 ClientID string
- // ISS indicates the issuer identifier
- ISS string
-
 // State is the expected URL state parameter
 State string
@@ -365,12 +358,7 @@ func writeResponseHTML(w http.ResponseWriter, title string, message string) erro
 // Authcode gets the authorization code from the url
 // It returns the code and an error if there is one
 func (s *exchangeSession) Authcode(url *url.URL) (string, error) {
- // ISS: https://www.rfc-editor.org/rfc/rfc9207.html
 q := url.Query()
- iss := q.Get("iss")
- if s.ISS != iss {
- return "", errors.Errorf("failed matching ISS; expected '%s' got '%s'", s.ISS, iss)
- }
 // Make sure the state is present and matches to protect against cross-site request forgeries
 // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15
@@ -423,11 +411,9 @@ func (oauth *OAuth) Handler(w http.ResponseWriter, req *http.Request) {
 }
 // Init initializes OAuth with the following parameters:
-// - OAuth server issuer identification
 // - The URL used for authorization
 // - The URL to obtain new tokens.
-func (oauth *OAuth) Init(iss string, baseAuthorizationURL string, tokenURL string) {
- oauth.ISS = iss
+func (oauth *OAuth) Init(baseAuthorizationURL string, tokenURL string) {
 oauth.BaseAuthorizationURL = baseAuthorizationURL
 oauth.TokenURL = tokenURL
 }
@@ -464,7 +450,6 @@ func (oauth *OAuth) AuthURL(name string, postProcessAuth func(string) string) (s
 // Fill the struct with the necessary fields filled for the next call to getting the HTTP client
 oauth.session = exchangeSession{
 ClientID: name,
- ISS: oauth.ISS,
 State: state,
 Verifier: v,
 ErrChan: make(chan error),
diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go
index 8f5f04c..d46df4a 100644
--- a/internal/oauth/oauth_test.go
+++ b/internal/oauth/oauth_test.go
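Review bot: With the `iss` comparison gone, Authcode at the top of this hunk validates only `state` before the code is passed on to the token exchange, so the client-side issuer confirmation that RFC 9207 provides (detecting that the callback came from a different authorization server than the one the flow was started against) is no longer performed, and PKCE plus `state` do not cover that case for a client that, as the instituteaccess and secureinternet callers suggest, talks to more than one server. The commit message says the check is to come back after the disco v3 changes, but nothing in the code records that, so I would put a short note where the removed `// ISS:` line stood, e.g. `// NOTE: the RFC 9207 iss check was removed in 790afc80 because upstream servers did not send a usable value; reinstate it once discovery v3 exposes reliable issuer identifiers.` The package comment and the Init doc comment now list only PKCE and the two URLs, which matches the new behaviour. Authcode's body continues past the end of the hunk.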
@@ -159,11 +159,10 @@ func Test_secretJSON(t *testing.T) {
 }
 func Test_AuthURL(t *testing.T) {
- iss := "local"
 auth := "https://127.0.0.1/auth"
 token := "https://127.0.0.1/token"
 id := "client_id"
- o := OAuth{ISS: iss, BaseAuthorizationURL: auth, TokenURL: token}
+ o := OAuth{BaseAuthorizationURL: auth, TokenURL: token}
 s, err := o.AuthURL(id, func(s string) string {
 // We do nothing here are this function is for skipping WAYF
 return s
@@ -176,9 +175,6 @@ func Test_AuthURL(t *testing.T) {
 if o.session.ClientID != id {
 t.Fatalf("OAuth ClientID not equal, want: %v, got: %v", o.session.ClientID, id)
 }
- if o.session.ISS != iss {
- t.Fatalf("OAuth ISS not equal, want: %v, got: %v", o.session.ISS, iss)
- }
 if o.session.State == "" {
 t.Fatal("No OAuth session state paremeter found")
 }
diff --git a/internal/server/instituteaccess.go b/internal/server/instituteaccess.go
index a51409f..f77e64a 100644
--- a/internal/server/instituteaccess.go
+++ b/internal/server/instituteaccess.go
@@ -109,6 +109,6 @@ func (ias *InstituteAccessServer) init(
 return err
 }
 API := ias.Basic.Endpoints.API.V3
- ias.Auth.Init(url, API.Authorization, API.Token)
+ ias.Auth.Init(API.Authorization, API.Token)
 return nil
 }
diff --git a/internal/server/secureinternet.go b/internal/server/secureinternet.go
index 3c40253..6c9520f 100644
--- a/internal/server/secureinternet.go
+++ b/internal/server/secureinternet.go
@@ -134,7 +134,7 @@ func (s *SecureInternetHomeServer) init(
 }
 // Make sure oauth contains our endpoints
- s.Auth.Init(b.URL, b.Endpoints.API.V3.Authorization, b.Endpoints.API.V3.Token)
+ s.Auth.Init(b.Endpoints.API.V3.Authorization, b.Endpoints.API.V3.Token)
 return nil
 } |
