Check OpenID request parameters

This commit is contained in:
Pierre HUBERT 2022-04-09 11:30:23 +02:00
parent 51e52e5ed7
commit c4bc559b4d
5 changed files with 103 additions and 8 deletions

View File

@ -40,4 +40,7 @@ pub const MAX_FAILED_LOGIN_ATTEMPTS: usize = 15;
pub const FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
/// Temporary password length
pub const TEMPORARY_PASSWORDS_LEN: usize = 20;
pub const TEMPORARY_PASSWORDS_LEN: usize = 20;
/// Open ID routes
pub const AUTHORIZE_URI: &str = "/openid/authorize";

View File

@ -1,12 +1,17 @@
use actix_web::{HttpResponse, Responder, web};
use askama::Template;
use crate::constants::AUTHORIZE_URI;
use crate::controllers::base_controller::FatalErrorPage;
use crate::data::app_config::AppConfig;
use crate::data::client::{ClientID, ClientManager};
use crate::data::current_user::CurrentUser;
use crate::data::openid_config::OpenIDConfig;
pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder {
HttpResponse::Ok().json(OpenIDConfig {
issuer: app_conf.full_url("/"),
authorization_endpoint: app_conf.full_url("openid/authorize"),
authorization_endpoint: app_conf.full_url(AUTHORIZE_URI),
token_endpoint: app_conf.full_url("openid/token"),
userinfo_endpoint: app_conf.full_url("openid/userinfo"),
jwks_uri: app_conf.full_url("openid/jwks_uri"),
@ -14,6 +19,90 @@ pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder
response_types_supported: vec!["code", "id_token", "token id_token"],
subject_types_supported: vec!["public"],
id_token_signing_alg_values_supported: vec!["RS256"],
claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"]
claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"],
})
}
#[derive(serde::Deserialize)]
pub struct AuthorizeQuery {
/// REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.
scope: String,
/// REQUIRED. OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.
response_type: String,
/// REQUIRED. OAuth 2.0 Client Identifier valid at the Authorization Server.
client_id: ClientID,
/// REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
redirect_uri: String,
/// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
state: String,
/// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
nonce: Option<String>,
/// OPTIONAL - https://ldapwiki.com/wiki/Code_challenge_method
code_challenge: Option<String>,
code_challenge_method: Option<String>,
}
fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse {
HttpResponse::Found()
.append_header(
("Location", format!(
"{}?error={}?error_description={}&state={}",
query.redirect_uri,
urlencoding::encode(error),
urlencoding::encode(description),
urlencoding::encode(&query.state)
))
)
.finish()
}
pub async fn authorize(user: CurrentUser, query: web::Query<AuthorizeQuery>,
clients: web::Data<ClientManager>) -> impl Responder {
let client = match clients.find_by_id(&query.client_id) {
None => {
return HttpResponse::BadRequest().body(FatalErrorPage {
message: "Client is invalid!"
}.render().unwrap());
}
Some(c) => c
};
let redirect_uri = query.redirect_uri.trim().to_string();
if client.redirect_uri != redirect_uri {
return HttpResponse::BadRequest().body(FatalErrorPage {
message: "Redirect URI is invalid!"
}.render().unwrap());
}
let scopes = query.scope.split(' ').collect::<Vec<_>>();
if !scopes.contains(&"openid") {
return error_redirect(&query, "invalid_request", "openid scope missing!");
}
if !query.response_type.eq("code") {
return error_redirect(&query, "invalid_request", "Only code response type is supported!");
}
if query.state.is_empty() {
return error_redirect(&query, "invalid_request", "State is empty!");
}
let code_challenge = match (query.0.code_challenge.clone(), query.0.code_challenge_method.clone()) {
(Some(chal), Some(meth)) => {
if !meth.eq("S256") {
return error_redirect(&query, "invalid_request",
"Only S256 code challenge is supported!");
}
Some((chal, meth))
}
(_, _) => None
};
HttpResponse::Ok().json("You did it")
}

View File

@ -8,6 +8,8 @@ pub struct Client {
pub id: ClientID,
pub name: String,
pub description: String,
pub secret: String,
pub redirect_uri: String,
}
impl PartialEq for Client {

View File

@ -124,8 +124,9 @@ async fn main() -> std::io::Result<()> {
.route("/admin/api/find_username", web::post().to(admin_api::find_username))
.route("/admin/api/delete_user", web::post().to(admin_api::delete_user))
// OpenID specs
.route(".well-known/openid-configuration", web::get().to(openid_controller::get_configuration))
// OpenID routes
.route("/.well-known/openid-configuration", web::get().to(openid_controller::get_configuration))
.route("/openid/authorize", web::get().to(openid_controller::authorize))
})
.bind(listen_address)?
.run()

View File

@ -13,7 +13,7 @@ use actix_web::body::EitherBody;
use actix_web::http::{header, Method};
use askama::Template;
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI};
use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
use crate::data::app_config::AppConfig;
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
@ -131,9 +131,9 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
// Redirect user to login page
if !session.is_auth()
&& (req.path().starts_with(ADMIN_ROUTES)
|| req.path().starts_with(AUTHENTICATED_ROUTES))
|| req.path().starts_with(AUTHENTICATED_ROUTES) || req.path().eq(AUTHORIZE_URI))
{
let path = req.path().to_string();
let path = req.uri().to_string();
return Ok(req
.into_response(redirect_user_for_login(path))
.map_into_right_body());