From 790afc80bff8d76555448773e021386d8e6d1586 Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Thu, 7 Dec 2023 15:12:37 +0100
Subject: OAuth: Remove ISS check

Too many issues with upstream servers. Needs disco v3 changes
---
 internal/oauth/oauth.go | 17 +----------------
 internal/oauth/oauth_test.go | 6 +-----
 internal/server/instituteaccess.go | 2 +-
 internal/server/secureinternet.go | 2 +-
 4 files changed, 4 insertions(+), 23 deletions(-)
(limited to 'internal')

diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go
index f2e7719..80aac73 100644
--- a/internal/oauth/oauth.go
+++ b/internal/oauth/oauth.go
@@ -2,7 +2,6 @@
 // However, we try to follow some recommendations from the v2.1 oauth draft RFC
 // Some specific things we implement here:
 // - PKCE (RFC 7636)
-// - ISS (RFC 9207)
 package oauth
 
 import (
@@ -82,9 +81,6 @@ type OAuth struct {
  // The HTTP client that is used
  httpClient *httpw.Client
 
- // ISS indicates the issuer identifier of the authorization server as defined in RFC 9207
- ISS string `json:"iss"`
-
  // BaseAuthorizationURL is the URL where authorization should take place
  BaseAuthorizationURL string `json:"base_authorization_url"`
 
@@ -104,9 +100,6 @@ type exchangeSession struct {
  // ClientID is the ID of the OAuth client
  ClientID string
 
- // ISS indicates the issuer identifier
- ISS string
-
  // State is the expected URL state parameter
  State string
 
@@ -365,12 +358,7 @@ func writeResponseHTML(w http.ResponseWriter, title string, message string) erro
 // Authcode gets the authorization code from the url
 // It returns the code and an error if there is one
 func (s *exchangeSession) Authcode(url *url.URL) (string, error) {
- // ISS: https://www.rfc-editor.org/rfc/rfc9207.html
  q := url.Query()
- iss := q.Get("iss")
- if s.ISS != iss {
- return "", errors.Errorf("failed matching ISS; expected '%s' got '%s'", s.ISS, iss)
- }
  // Make sure the state is present and matches to protect against cross-site request forgeries
  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15
 
@@ -423,11 +411,9 @@ func (oauth *OAuth) Handler(w http.ResponseWriter, req *http.Request) {
 }
 
 // Init initializes OAuth with the following parameters:
-// - OAuth server issuer identification
 // - The URL used for authorization
 // - The URL to obtain new tokens.
-func (oauth *OAuth) Init(iss string, baseAuthorizationURL string, tokenURL string) {
- oauth.ISS = iss
+func (oauth *OAuth) Init(baseAuthorizationURL string, tokenURL string) {
  oauth.BaseAuthorizationURL = baseAuthorizationURL
  oauth.TokenURL = tokenURL
 }
@@ -464,7 +450,6 @@ func (oauth *OAuth) AuthURL(name string, postProcessAuth func(string) string) (s
  // Fill the struct with the necessary fields filled for the next call to getting the HTTP client
  oauth.session = exchangeSession{
  ClientID: name,
- ISS: oauth.ISS,
  State: state,
  Verifier: v,
  ErrChan: make(chan error),
diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go
index 8f5f04c..d46df4a 100644
--- a/internal/oauth/oauth_test.go
+++ b/internal/oauth/oauth_test.go
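Review bot: Removing the `iss` comparison from Authcode drops the RFC 9207 defence against authorization-server mix-up, which matters for a client that completes sessions against several servers (the instituteaccess and secureinternet callers changed in this commit suggest it does); the surviving `state` check binds the callback to this session, not to the server that was expected to answer it. Since the stated motivation is servers that do not send the parameter, a softer check would keep the protection wherever a server does send it and would not have required deleting the ISS fields in the two struct hunks and the AuthURL hunk: `if iss := q.Get("iss"); iss != "" && s.ISS != iss {` with the existing `return "", errors.Errorf(...)` and `}` kept. If the removal stands, record the decision beside `q := url.Query()` so a later reader does not assume the check merely moved, e.g. `// NOTE: RFC 9207 iss verification was removed because upstream servers do not send it reliably; until discovery v3 supplies the issuer only state is checked.` The body of Authcode continues past the end of the hunk.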
@@ -159,11 +159,10 @@ func Test_secretJSON(t *testing.T) {
 }
 
 func Test_AuthURL(t *testing.T) {
- iss := "local"
  auth := "https://127.0.0.1/auth"
  token := "https://127.0.0.1/token"
  id := "client_id"
- o := OAuth{ISS: iss, BaseAuthorizationURL: auth, TokenURL: token}
+ o := OAuth{BaseAuthorizationURL: auth, TokenURL: token}
  s, err := o.AuthURL(id, func(s string) string {
  // We do nothing here are this function is for skipping WAYF
  return s
@@ -176,9 +175,6 @@ func Test_AuthURL(t *testing.T) {
  if o.session.ClientID != id {
  t.Fatalf("OAuth ClientID not equal, want: %v, got: %v", o.session.ClientID, id)
  }
- if o.session.ISS != iss {
- t.Fatalf("OAuth ISS not equal, want: %v, got: %v", o.session.ISS, iss)
- }
  if o.session.State == "" {
  t.Fatal("No OAuth session state paremeter found")
  }
diff --git a/internal/server/instituteaccess.go b/internal/server/instituteaccess.go
index a51409f..f77e64a 100644
--- a/internal/server/instituteaccess.go
+++ b/internal/server/instituteaccess.go
@@ -109,6 +109,6 @@ func (ias *InstituteAccessServer) init(
  return err
  }
  API := ias.Basic.Endpoints.API.V3
- ias.Auth.Init(url, API.Authorization, API.Token)
+ ias.Auth.Init(API.Authorization, API.Token)
  return nil
 }
diff --git a/internal/server/secureinternet.go b/internal/server/secureinternet.go
index 3c40253..6c9520f 100644
--- a/internal/server/secureinternet.go
+++ b/internal/server/secureinternet.go
@@ -134,7 +134,7 @@ func (s *SecureInternetHomeServer) init(
  }
 
  // Make sure oauth contains our endpoints
- s.Auth.Init(b.URL, b.Endpoints.API.V3.Authorization, b.Endpoints.API.V3.Token)
+ s.Auth.Init(b.Endpoints.API.V3.Authorization, b.Endpoints.API.V3.Token)
  return nil
 }
 
-- cgit v1.2.3
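Review bot: After this change nothing left in the instituteaccess.go hunk consumes `url`, and init's signature lies outside the hunk, so it cannot be seen here whether `url` is a parameter (still compiles, now only partly used) or a local that would now be an unused variable; worth confirming before merge. A one-line comment on the call, `// issuer (iss) verification is disabled in oauth; only the endpoint URLs are bound here`, would document why the server URL is no longer handed to Init, and the same applies to the secureinternet.go hunk below, where `b.URL` is likewise no longer tied to the OAuth session.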