Check multiple audience values (#781)

Some IdPs issue tokens with a different audience for each client.
This update checks HTTP and Device authorization flow audience values.



---------

Co-authored-by: Givi Khojanashvili <gigovich@gmail.com>
This commit is contained in:
Maycon Santos 2023-04-04 16:40:56 +02:00 committed by GitHub
parent f14f34cf2b
commit fe1ea4a2d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 4 deletions


@ -184,7 +184,7 @@ var (
jwtValidator, err := jwtclaims.NewJWTValidator( jwtValidator, err := jwtclaims.NewJWTValidator(
config.HttpConfig.AuthIssuer, config.HttpConfig.AuthIssuer,
config.HttpConfig.AuthAudience, config.GetAuthAudiences(),
config.HttpConfig.AuthKeysLocation, config.HttpConfig.AuthKeysLocation,
) )
if err != nil { if err != nil {
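Review bot: The new argument `config.GetAuthAudiences()` dereferences `config.HttpConfig` inside the helper without a nil check, and unlike the parallel call in NewServer, which sits behind `config.HttpConfig != nil && config.HttpConfig.AuthAudience != ""`, no such guard is visible around this call site. If this path can run with HttpConfig unset the call panics, and with an empty AuthAudience it hands an empty-string audience to the validator. Worth confirming an equivalent check exists above the hunk, or adding one before the call. The enclosing function starts and ends outside the hunk.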


@ -39,6 +39,16 @@ type Config struct {
DeviceAuthorizationFlow *DeviceAuthorizationFlow DeviceAuthorizationFlow *DeviceAuthorizationFlow
} }
// GetAuthAudiences returns the audience from the http config and device authorization flow config
func (c Config) GetAuthAudiences() []string {
audiences := []string{c.HttpConfig.AuthAudience}
if c.DeviceAuthorizationFlow != nil && c.DeviceAuthorizationFlow.ProviderConfig.Audience != "" {
audiences = append(audiences, c.DeviceAuthorizationFlow.ProviderConfig.Audience)
}
return audiences
}
// TURNConfig is a config of the TURNCredentialsManager // TURNConfig is a config of the TURNCredentialsManager
type TURNConfig struct { type TURNConfig struct {
TimeBasedCredentials bool TimeBasedCredentials bool
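Review bot: GetAuthAudiences reads `c.HttpConfig.AuthAudience` on its first line with no nil check, while NewServer in this same commit tests `config.HttpConfig != nil` before touching the field, which suggests HttpConfig is a pointer that may be unset; any caller without that guard will panic here. The helper also always emits the HTTP audience, so an empty value becomes an empty-string audience compared against every token, and the device-flow audience is appended even when it equals the HTTP one. Suggest guarding the pointer and skipping empty or duplicate entries so the list only ever holds real, distinct audiences; an empty result then fails every token in the validator's loop instead of matching against `""`. The doc comment should also state that only non-empty, configured audiences are returned.
```go
// GetAuthAudiences returns the non-empty, distinct audiences a token may carry:
// the HTTP API audience and, when configured, the device authorization flow one.
func (c Config) GetAuthAudiences() []string {
	var audiences []string
	if c.HttpConfig != nil && c.HttpConfig.AuthAudience != "" {
		audiences = append(audiences, c.HttpConfig.AuthAudience)
	}
	if c.DeviceAuthorizationFlow != nil {
		// Skip an unset audience and one that merely repeats the HTTP audience.
		if a := c.DeviceAuthorizationFlow.ProviderConfig.Audience; a != "" && (len(audiences) == 0 || a != audiences[0]) {
			audiences = append(audiences, a)
		}
	}
	return audiences
}
```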


@ -51,7 +51,7 @@ func NewServer(config *Config, accountManager AccountManager, peersUpdateManager
if config.HttpConfig != nil && config.HttpConfig.AuthIssuer != "" && config.HttpConfig.AuthAudience != "" && validateURL(config.HttpConfig.AuthKeysLocation) { if config.HttpConfig != nil && config.HttpConfig.AuthIssuer != "" && config.HttpConfig.AuthAudience != "" && validateURL(config.HttpConfig.AuthKeysLocation) {
jwtValidator, err = jwtclaims.NewJWTValidator( jwtValidator, err = jwtclaims.NewJWTValidator(
config.HttpConfig.AuthIssuer, config.HttpConfig.AuthIssuer,
config.HttpConfig.AuthAudience, config.GetAuthAudiences(),
config.HttpConfig.AuthKeysLocation) config.HttpConfig.AuthKeysLocation)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "unable to create new jwt middleware, err: %v", err) return nil, status.Errorf(codes.Internal, "unable to create new jwt middleware, err: %v", err)


@ -64,7 +64,7 @@ type JWTValidator struct {
} }
// NewJWTValidator constructor // NewJWTValidator constructor
func NewJWTValidator(issuer string, audience string, keysLocation string) (*JWTValidator, error) { func NewJWTValidator(issuer string, audienceList []string, keysLocation string) (*JWTValidator, error) {
keys, err := getPemKeys(keysLocation) keys, err := getPemKeys(keysLocation)
if err != nil { if err != nil {
return nil, err return nil, err
@ -73,7 +73,13 @@ func NewJWTValidator(issuer string, audience string, keysLocation string) (*JWTV
options := Options{ options := Options{
ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) { ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
// Verify 'aud' claim // Verify 'aud' claim
checkAud := token.Claims.(jwt.MapClaims).VerifyAudience(audience, false) var checkAud bool
for _, audience := range audienceList {
checkAud = token.Claims.(jwt.MapClaims).VerifyAudience(audience, false)
if checkAud {
break
}
}
if !checkAud { if !checkAud {
return token, errors.New("invalid audience") return token, errors.New("invalid audience")
} }
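Review bot: The new loop keeps `VerifyAudience(audience, false)`, and per the library's own doc comment on MapClaims.VerifyAudience a `req` of false returns true when the `aud` claim is unset, so a token carrying no audience at all passes on the first iteration regardless of which audiences are configured. Now that the validator accepts several audiences this is the check that keeps a token minted for one client from being replayed against another, so the claim should be mandatory: `checkAud = token.Claims.(jwt.MapClaims).VerifyAudience(audience, true)`. Worth a one-line comment above the loop such as `// a token must name at least one configured audience; tokens without an aud claim are rejected` so the intent survives. The unchecked `token.Claims.(jwt.MapClaims)` assertion is pre-existing and will panic rather than error on a different Claims type, presumably safe with the parser used here but worth confirming. NewJWTValidator's body continues past the end of the hunk.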