Check OpenID request parameters
This commit is contained in:
parent
51e52e5ed7
commit
c4bc559b4d
@ -41,3 +41,6 @@ pub const FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL: Duration = Duration::from_secs(60
|
|||||||
|
|
||||||
/// Temporary password length
|
/// Temporary password length
|
||||||
pub const TEMPORARY_PASSWORDS_LEN: usize = 20;
|
pub const TEMPORARY_PASSWORDS_LEN: usize = 20;
|
||||||
|
|
||||||
|
/// Open ID routes
|
||||||
|
pub const AUTHORIZE_URI: &str = "/openid/authorize";
|
@ -1,12 +1,17 @@
|
|||||||
use actix_web::{HttpResponse, Responder, web};
|
use actix_web::{HttpResponse, Responder, web};
|
||||||
|
use askama::Template;
|
||||||
|
|
||||||
|
use crate::constants::AUTHORIZE_URI;
|
||||||
|
use crate::controllers::base_controller::FatalErrorPage;
|
||||||
use crate::data::app_config::AppConfig;
|
use crate::data::app_config::AppConfig;
|
||||||
|
use crate::data::client::{ClientID, ClientManager};
|
||||||
|
use crate::data::current_user::CurrentUser;
|
||||||
use crate::data::openid_config::OpenIDConfig;
|
use crate::data::openid_config::OpenIDConfig;
|
||||||
|
|
||||||
pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder {
|
pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder {
|
||||||
HttpResponse::Ok().json(OpenIDConfig {
|
HttpResponse::Ok().json(OpenIDConfig {
|
||||||
issuer: app_conf.full_url("/"),
|
issuer: app_conf.full_url("/"),
|
||||||
authorization_endpoint: app_conf.full_url("openid/authorize"),
|
authorization_endpoint: app_conf.full_url(AUTHORIZE_URI),
|
||||||
token_endpoint: app_conf.full_url("openid/token"),
|
token_endpoint: app_conf.full_url("openid/token"),
|
||||||
userinfo_endpoint: app_conf.full_url("openid/userinfo"),
|
userinfo_endpoint: app_conf.full_url("openid/userinfo"),
|
||||||
jwks_uri: app_conf.full_url("openid/jwks_uri"),
|
jwks_uri: app_conf.full_url("openid/jwks_uri"),
|
||||||
@ -14,6 +19,90 @@ pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder
|
|||||||
response_types_supported: vec!["code", "id_token", "token id_token"],
|
response_types_supported: vec!["code", "id_token", "token id_token"],
|
||||||
subject_types_supported: vec!["public"],
|
subject_types_supported: vec!["public"],
|
||||||
id_token_signing_alg_values_supported: vec!["RS256"],
|
id_token_signing_alg_values_supported: vec!["RS256"],
|
||||||
claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"]
|
claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"],
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(serde::Deserialize)]
|
||||||
|
pub struct AuthorizeQuery {
|
||||||
|
/// REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.
|
||||||
|
scope: String,
|
||||||
|
|
||||||
|
/// REQUIRED. OAuth 2.0 Response Type value that determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is code.
|
||||||
|
response_type: String,
|
||||||
|
|
||||||
|
/// REQUIRED. OAuth 2.0 Client Identifier valid at the Authorization Server.
|
||||||
|
client_id: ClientID,
|
||||||
|
|
||||||
|
/// REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
|
||||||
|
redirect_uri: String,
|
||||||
|
|
||||||
|
/// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
|
||||||
|
state: String,
|
||||||
|
|
||||||
|
/// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
|
||||||
|
nonce: Option<String>,
|
||||||
|
|
||||||
|
/// OPTIONAL - https://ldapwiki.com/wiki/Code_challenge_method
|
||||||
|
code_challenge: Option<String>,
|
||||||
|
code_challenge_method: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
|
fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse {
|
||||||
|
HttpResponse::Found()
|
||||||
|
.append_header(
|
||||||
|
("Location", format!(
|
||||||
|
"{}?error={}?error_description={}&state={}",
|
||||||
|
query.redirect_uri,
|
||||||
|
urlencoding::encode(error),
|
||||||
|
urlencoding::encode(description),
|
||||||
|
urlencoding::encode(&query.state)
|
||||||
|
))
|
||||||
|
)
|
||||||
|
.finish()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub async fn authorize(user: CurrentUser, query: web::Query<AuthorizeQuery>,
|
||||||
|
clients: web::Data<ClientManager>) -> impl Responder {
|
||||||
|
let client = match clients.find_by_id(&query.client_id) {
|
||||||
|
None => {
|
||||||
|
return HttpResponse::BadRequest().body(FatalErrorPage {
|
||||||
|
message: "Client is invalid!"
|
||||||
|
}.render().unwrap());
|
||||||
|
}
|
||||||
|
Some(c) => c
|
||||||
|
};
|
||||||
|
|
||||||
|
let redirect_uri = query.redirect_uri.trim().to_string();
|
||||||
|
if client.redirect_uri != redirect_uri {
|
||||||
|
return HttpResponse::BadRequest().body(FatalErrorPage {
|
||||||
|
message: "Redirect URI is invalid!"
|
||||||
|
}.render().unwrap());
|
||||||
|
}
|
||||||
|
|
||||||
|
let scopes = query.scope.split(' ').collect::<Vec<_>>();
|
||||||
|
if !scopes.contains(&"openid") {
|
||||||
|
return error_redirect(&query, "invalid_request", "openid scope missing!");
|
||||||
|
}
|
||||||
|
|
||||||
|
if !query.response_type.eq("code") {
|
||||||
|
return error_redirect(&query, "invalid_request", "Only code response type is supported!");
|
||||||
|
}
|
||||||
|
|
||||||
|
if query.state.is_empty() {
|
||||||
|
return error_redirect(&query, "invalid_request", "State is empty!");
|
||||||
|
}
|
||||||
|
|
||||||
|
let code_challenge = match (query.0.code_challenge.clone(), query.0.code_challenge_method.clone()) {
|
||||||
|
(Some(chal), Some(meth)) => {
|
||||||
|
if !meth.eq("S256") {
|
||||||
|
return error_redirect(&query, "invalid_request",
|
||||||
|
"Only S256 code challenge is supported!");
|
||||||
|
}
|
||||||
|
Some((chal, meth))
|
||||||
|
}
|
||||||
|
(_, _) => None
|
||||||
|
};
|
||||||
|
|
||||||
|
HttpResponse::Ok().json("You did it")
|
||||||
|
}
|
@ -8,6 +8,8 @@ pub struct Client {
|
|||||||
pub id: ClientID,
|
pub id: ClientID,
|
||||||
pub name: String,
|
pub name: String,
|
||||||
pub description: String,
|
pub description: String,
|
||||||
|
pub secret: String,
|
||||||
|
pub redirect_uri: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl PartialEq for Client {
|
impl PartialEq for Client {
|
||||||
|
@ -124,8 +124,9 @@ async fn main() -> std::io::Result<()> {
|
|||||||
.route("/admin/api/find_username", web::post().to(admin_api::find_username))
|
.route("/admin/api/find_username", web::post().to(admin_api::find_username))
|
||||||
.route("/admin/api/delete_user", web::post().to(admin_api::delete_user))
|
.route("/admin/api/delete_user", web::post().to(admin_api::delete_user))
|
||||||
|
|
||||||
// OpenID specs
|
// OpenID routes
|
||||||
.route(".well-known/openid-configuration", web::get().to(openid_controller::get_configuration))
|
.route("/.well-known/openid-configuration", web::get().to(openid_controller::get_configuration))
|
||||||
|
.route("/openid/authorize", web::get().to(openid_controller::authorize))
|
||||||
})
|
})
|
||||||
.bind(listen_address)?
|
.bind(listen_address)?
|
||||||
.run()
|
.run()
|
||||||
|
@ -13,7 +13,7 @@ use actix_web::body::EitherBody;
|
|||||||
use actix_web::http::{header, Method};
|
use actix_web::http::{header, Method};
|
||||||
use askama::Template;
|
use askama::Template;
|
||||||
|
|
||||||
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
|
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI};
|
||||||
use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
|
use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
|
||||||
use crate::data::app_config::AppConfig;
|
use crate::data::app_config::AppConfig;
|
||||||
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
|
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
|
||||||
@ -131,9 +131,9 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
|
|||||||
// Redirect user to login page
|
// Redirect user to login page
|
||||||
if !session.is_auth()
|
if !session.is_auth()
|
||||||
&& (req.path().starts_with(ADMIN_ROUTES)
|
&& (req.path().starts_with(ADMIN_ROUTES)
|
||||||
|| req.path().starts_with(AUTHENTICATED_ROUTES))
|
|| req.path().starts_with(AUTHENTICATED_ROUTES) || req.path().eq(AUTHORIZE_URI))
|
||||||
{
|
{
|
||||||
let path = req.path().to_string();
|
let path = req.uri().to_string();
|
||||||
return Ok(req
|
return Ok(req
|
||||||
.into_response(redirect_user_for_login(path))
|
.into_response(redirect_user_for_login(path))
|
||||||
.map_into_right_body());
|
.map_into_right_body());
|
||||||
|
Loading…
Reference in New Issue
Block a user