A collection of authentication Go packages related to OIDC, JWKs and Distributed Claims.

Overview

cap

cap (collection of authentication packages) provides a collection of related packages which enable support for OIDC, JWT Verification and Distributed Claims.

Please note: We take security and our users' trust very seriously. If you believe you have found a security issue, please responsibly disclose by contacting us at [email protected].

Contributing

Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance.


oidc package


A package for writing clients that integrate with OIDC Providers. Primary types provided by the package are:

  1. Request
  2. Token
  3. Config
  4. Provider

The package also provides callbacks (in the form of http.HandlerFunc) for handling OIDC provider responses to authorization code flow (with optional PKCE) and implicit flow authentication attempts.


Example of a provider using an authorization code flow:

// Packages used below: context, fmt, time and github.com/hashicorp/cap/oidc.

// Create a new provider config. The signing algorithms and redirect URLs given
// here are the only ones the provider will accept.
pc, err := oidc.NewConfig(
    "http://your-issuer.com/",
    "your_client_id",
    "your_client_secret",
    []oidc.Alg{oidc.RS256},
    []string{"https://your_redirect_url"},
)
if err != nil {
    // handle error
}

// Create a provider
p, err := oidc.NewProvider(pc)
if err != nil {
    // handle error
}
defer p.Done()

// Create a Request for a user's authorization code flow authentication attempt,
// with a 2 min timeout for completion. The Request carries the state and nonce
// that the callback later checks.
oidcRequest, err := oidc.NewRequest(2*time.Minute, "https://your_redirect_url")
if err != nil {
    // handle error
}

// Create an auth URL
ctx := context.Background()
authURL, err := p.AuthURL(ctx, oidcRequest)
if err != nil {
    // handle error
}
fmt.Println("open url to kick-off authentication: ", authURL)

Create an http.Handler for OIDC authentication response redirects, i.e. the callback the provider redirects the user to with the state and code parameters.

func NewHandler(ctx context.Context, p *oidc.Provider, rw callback.RequestReader) (http.HandlerFunc, error) {
    if p == nil {
        return nil, errors.New("missing provider")
    }
    if rw == nil {
        return nil, errors.New("missing request reader")
    }
    return func(w http.ResponseWriter, req *http.Request) {
        // Look up the Request created when the auth URL was issued; the state
        // parameter binds this callback to that attempt.
        oidcRequest, err := rw.Read(ctx, req.FormValue("state"))
        if err != nil {
            // handle error
            return
        }
        // Exchange(...) will verify the tokens before returning.
        token, err := p.Exchange(ctx, oidcRequest, req.FormValue("state"), req.FormValue("code"))
        if err != nil {
            // handle error
            return
        }
        var claims map[string]interface{}
        if err := token.IDToken().Claims(&claims); err != nil {
            // handle error
            return
        }

        // Get the user's claims via the provider's UserInfo endpoint. The id_token's
        // "sub" is passed so the UserInfo response is verified to be about the same subject.
        sub, ok := claims["sub"].(string)
        if !ok {
            // handle error
            return
        }
        var infoClaims map[string]interface{}
        if err := p.UserInfo(ctx, token.StaticTokenSource(), sub, &infoClaims); err != nil {
            // handle error
            return
        }
        resp := struct {
            IDTokenClaims  map[string]interface{}
            UserInfoClaims map[string]interface{}
        }{claims, infoClaims}
        if err := json.NewEncoder(w).Encode(resp); err != nil {
            // handle error
        }
    }, nil
}
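The handler above relies on a callback.RequestReader to find the Request that issued a given state. As an added example (not cap's code), here is an in-memory stand-in: RequestStore, PendingRequest and randomToken are names assumed here, Read takes no context and returns its own struct rather than an oidc.Request, and requests are handed out exactly once and expire after the timeout given to Create, mirroring the 2 minute timeout passed to oidc.NewRequest above.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// PendingRequest is the part of an in-flight authorization attempt the callback needs:
// the random state that binds the callback to it, the nonce expected in the id_token,
// the redirect URL, and when the attempt expires.
type PendingRequest struct {
	State, Nonce, RedirectURL string
	Expires                   time.Time
}

// RequestStore is a stand-in for the callback.RequestReader the handler above takes.
// Read hands back the request for a state exactly once, so a replayed or forged
// callback finds nothing to complete. The clock is injected so expiry is testable.
type RequestStore struct {
	mu      sync.Mutex
	pending map[string]PendingRequest
	now     func() time.Time
}

func NewRequestStore(now func() time.Time) *RequestStore {
	return &RequestStore{pending: map[string]PendingRequest{}, now: now}
}

// randomToken returns 128 bits from crypto/rand, base64url encoded without padding.
func randomToken() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Create mints a request with fresh state and nonce and records it until ttl elapses.
func (s *RequestStore) Create(redirectURL string, ttl time.Duration) (PendingRequest, error) {
	state, err := randomToken()
	if err != nil {
		return PendingRequest{}, err
	}
	nonce, err := randomToken()
	if err != nil {
		return PendingRequest{}, err
	}
	r := PendingRequest{State: state, Nonce: nonce, RedirectURL: redirectURL, Expires: s.now().Add(ttl)}
	s.mu.Lock()
	s.pending[state] = r
	s.mu.Unlock()
	return r, nil
}

// Read removes and returns the request that issued state. Unknown, already used and
// expired states all fail, which is what lets the callback handler reject the response.
func (s *RequestStore) Read(state string) (PendingRequest, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.pending[state]
	if !ok {
		return PendingRequest{}, errors.New("unknown or already used state")
	}
	delete(s.pending, state) // single use, even when the attempt turns out to be expired
	if !s.now().Before(r.Expires) {
		return PendingRequest{}, errors.New("authentication attempt timed out")
	}
	return r, nil
}

func main() {
	store := NewRequestStore(time.Now)
	r, err := store.Create("https://your_redirect_url", 2*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("state to embed in the auth URL:", r.State)
	_, err = store.Read(r.State)
	fmt.Println("first read:", err)
	_, err = store.Read(r.State)
	fmt.Println("second read:", err)
}
```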

jwt package


Package jwt provides signature verification and claims set validation for JSON Web Tokens (JWT) of the JSON Web Signature (JWS) form.

JWT claims set validation provided by the package includes the option to validate all registered claim names defined in rfc7519#section-4.1.

JOSE header validation provided by the package includes the option to validate the "alg" (Algorithm) Header Parameter defined in rfc7515#section-4.1.

JWT signature verification is supported by providing keys from the following sources:

  • JSON Web Key Set (JWKS) URL
  • OIDC Discovery mechanism
  • Local public keys

JWT signature verification supports the following asymmetric algorithms defined in rfc7518#section-3.1:

Identifier   Signing Algorithm
RS256        RSASSA-PKCS1-v1_5 using SHA-256
RS384        RSASSA-PKCS1-v1_5 using SHA-384
RS512        RSASSA-PKCS1-v1_5 using SHA-512
ES256        ECDSA using P-256 and SHA-256
ES384        ECDSA using P-384 and SHA-384
ES512        ECDSA using P-521 and SHA-512
PS256        RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384        RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512        RSASSA-PSS using SHA-512 and MGF1 with SHA-512
EdDSA        Ed25519 using SHA-512
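An added example, not cap's code, of the two checks just described working together: the JOSE "alg" header is validated against an allow-list before any signature work, and the signature is then verified by a key set standing in for the page's key sources. KeySet, staticEdDSAKeySet, VerifyJWS and Sign are names assumed here; the key set is limited to the EdDSA row of the table to keep the example short, and Sign exists only to construct a sample token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeySet is modelled on the role the page's key sources play (JWKS URL, OIDC
// discovery, local public keys): asked with the JOSE "alg", the signing input and
// the raw signature, it reports whether a key it holds verifies the signature.
type KeySet interface {
	VerifySignature(alg string, signingInput, sig []byte) bool
}

// staticEdDSAKeySet holds local Ed25519 public keys; a stand-in for a static key
// set limited to the EdDSA row of the table above.
type staticEdDSAKeySet []ed25519.PublicKey

func (s staticEdDSAKeySet) VerifySignature(alg string, input, sig []byte) bool {
	if alg != "EdDSA" || len(sig) != ed25519.SignatureSize {
		return false // never verify with an algorithm the key set was not built for
	}
	for _, pub := range s {
		if ed25519.Verify(pub, input, sig) {
			return true
		}
	}
	return false
}

// VerifyJWS splits the compact serialization, checks the "alg" header against
// allowedAlgs before the signature is looked at (so "none" or a swapped algorithm
// is rejected outright), then asks the key set to verify the signature and returns
// the decoded claims set only on success.
func VerifyJWS(token string, allowedAlgs []string, keys KeySet) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed jwt: want header.payload.signature")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("malformed jwt segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, fmt.Errorf("malformed JOSE header: %w", err)
	}
	if len(allowedAlgs) == 0 {
		allowedAlgs = []string{"RS256"} // the default the page's tests describe
	}
	ok := false
	for _, a := range allowedAlgs {
		ok = ok || a == hdr.Alg
	}
	if !ok {
		return nil, fmt.Errorf("unexpected signing algorithm %q", hdr.Alg)
	}
	if !keys.VerifySignature(hdr.Alg, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, fmt.Errorf("malformed claims set: %w", err)
	}
	return claims, nil
}

// Sign is constructed input for this example (cap's jwt package only verifies):
// an alg=EdDSA compact JWS over the given claims.
func Sign(priv ed25519.PrivateKey, claims map[string]interface{}) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	in := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return in + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(in))), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok, _ := Sign(priv, map[string]interface{}{"iss": "https://issuer.example", "sub": "user-1"})
	claims, err := VerifyJWS(tok, []string{"EdDSA"}, staticEdDSAKeySet{pub})
	fmt.Println(claims, err)
	_, err = VerifyJWS(tok, nil, staticEdDSAKeySet{pub}) // empty allow-list defaults to RS256
	fmt.Println(err)
}
```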

Example usage of JWT signature verification and claims set validation using keys from a JWKS URL:

// Packages used below: context, fmt, log and github.com/hashicorp/cap/jwt.
ctx := context.Background()

// Keys are fetched from the JWKS URL; the CA PEM is used when fetching them over TLS.
keySet, err := jwt.NewJSONWebKeySet(ctx, "your_jwks_url", "your_jwks_ca_pem")
if err != nil {
	log.Fatal(err)
}

validator, err := jwt.NewValidator(keySet)
if err != nil {
	log.Fatal(err)
}

// Every non-empty field is asserted against the token; an empty field skips that check.
expected := jwt.Expected{
	Issuer:            "your_expected_issuer",
	Subject:           "your_expected_subject",
	ID:                "your_expected_jwt_id",
	Audiences:         []string{"your_expected_audiences"},
	SigningAlgorithms: []jwt.Alg{jwt.RS256},
}

token := "header.payload.signature"
claims, err := validator.Validate(ctx, token, expected)
if err != nil {
	log.Fatal(err)
}
// claims is the full claims set, available only after signature verification
// and claims validation both succeeded.
fmt.Println("validated claims for subject:", claims["sub"])

For additional documentation and usage examples, see jwt/README.md.
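The registered-claims validation described above, with the semantics of the Expected struct in the example, written out as an added example that is not cap's code: ValidateClaims, audiences and overlap are names assumed here, AllowMissingTimes is a hypothetical name for the option in the "allow all of IAT, NBF, and EXP to be missing" pull request below, and the claims map is what a key set returns after signature verification, so this runs only after that step. The "aud" handling accepts both the bare-string form Dex sends (see the issue below) and the array form.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Expected mirrors part of cap's jwt.Expected shown above plus a clock-skew leeway;
// AllowMissingTimes is a hypothetical name for the option to accept tokens that carry
// none of iat, nbf and exp (the Kubernetes 1.20 case in the issues below).
type Expected struct {
	Issuer, Subject   string
	Audiences         []string
	ClockSkewLeeway   time.Duration
	AllowMissingTimes bool
}

// audiences reads "aud" in both encodings RFC 7519 allows: a bare string (the
// form Dex sends in the issue below) or an array of strings.
func audiences(claims map[string]interface{}) ([]string, error) {
	switch v := claims["aud"].(type) {
	case nil:
		return nil, nil
	case string:
		return []string{v}, nil
	case []interface{}:
		out := make([]string, len(v))
		for i, e := range v {
			if out[i], _ = e.(string); out[i] == "" {
				return nil, fmt.Errorf("aud element %v is not a non-empty string", e)
			}
		}
		return out, nil
	}
	return nil, fmt.Errorf("aud has unexpected type %T", claims["aud"])
}

// overlap reports whether got and want share an element ("at least one valid audience").
func overlap(got, want []string) bool {
	for _, g := range got {
		for _, w := range want {
			if g == w {
				return true
			}
		}
	}
	return false
}

// ValidateClaims applies the registered-claim checks cap's Validator performs to a
// claims set whose signature has ALREADY been verified by a key set. An empty
// expectation skips that claim's check; now is a parameter so tests can pin the clock.
func ValidateClaims(claims map[string]interface{}, exp Expected, now time.Time) error {
	for _, c := range [][2]string{{"iss", exp.Issuer}, {"sub", exp.Subject}} {
		if got, _ := claims[c[0]].(string); c[1] != "" && got != c[1] {
			return fmt.Errorf("%s claim %q does not match expected %q", c[0], got, c[1])
		}
	}
	aud, err := audiences(claims)
	if err != nil {
		return err
	}
	if len(exp.Audiences) > 0 && !overlap(aud, exp.Audiences) {
		return fmt.Errorf("aud %v contains none of the expected audiences", aud)
	}
	l, present := exp.ClockSkewLeeway, 0
	for _, tc := range []struct {
		name string
		bad  func(time.Time) bool // true when the claim fails against now, leeway applied
	}{
		{"exp", func(t time.Time) bool { return now.After(t.Add(l)) }},
		{"nbf", func(t time.Time) bool { return now.Before(t.Add(-l)) }},
		{"iat", func(t time.Time) bool { return now.Before(t.Add(-l)) }},
	} {
		v, ok := claims[tc.name]
		if !ok {
			continue
		}
		f, isNum := v.(float64) // encoding/json decodes a NumericDate into float64
		if !isNum {
			return fmt.Errorf("%s claim is not a NumericDate", tc.name)
		}
		present++
		if tc.bad(time.Unix(int64(f), 0)) {
			return fmt.Errorf("%s claim %d is outside the window at %d (leeway %v)", tc.name, int64(f), now.Unix(), l)
		}
	}
	if present == 0 && !exp.AllowMissingTimes {
		return errors.New("jwt carries none of exp, nbf and iat")
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0)
	// Constructed claims set as a key set would return it: "aud" as a bare string.
	claims := map[string]interface{}{"iss": "https://issuer.example", "sub": "user-1",
		"aud": "boundary", "iat": float64(now.Unix()), "exp": float64(now.Add(time.Minute).Unix())}
	fmt.Println(ValidateClaims(claims, Expected{Issuer: "https://issuer.example",
		Audiences: []string{"boundary"}, ClockSkewLeeway: 30 * time.Second}, now))
}
```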

Issues
  • Remove erroneous nil

    While working on the Boundary TF provider this log line kept bothering me:

    2021-06-13T07:37:08.771Z [INFO]  dev-oidc: cleanup of cached codes shutting down: EXTRA_VALUE_AT_END=<nil>
    
    opened by louisruch 2
  • update coreos go-oidc dependency to V3 resolve JWKs caching issue.

    This PR for the go-oidc dependency resolves a caching issue for JWKs: https://github.com/coreos/go-oidc/pull/259

    I've also taken the opportunity to update all other dependencies to the latest versions except for golang.org/x/oauth2. It appears the etcd team is getting close to release v3.5.0 which would allow us to update that dependency as well in the near future.

    opened by jimlambrt 2
  • Adds tests and documentation to JWT package

    Description

    This PR adds tests and documentation to the JWT package.

    The tests that fetch JWKS keys via OIDC discovery and JWKS URL take advantage of the TestProvider introduced in the OIDC package.

    The documentation aims to have a consistent format with the documentation introduced for the OIDC package.

    Testing

    ➜  jwt git:(jwt-test-docs) ✗ go test -v ./...
    === RUN   TestSupportedSigningAlgorithm
    === RUN   TestSupportedSigningAlgorithm/supported_signing_algorithms
    === RUN   TestSupportedSigningAlgorithm/unsupported_signing_algorithm_none
    --- PASS: TestSupportedSigningAlgorithm (0.00s)
        --- PASS: TestSupportedSigningAlgorithm/supported_signing_algorithms (0.00s)
        --- PASS: TestSupportedSigningAlgorithm/unsupported_signing_algorithm_none (0.00s)
    === RUN   TestValidator_Validate_Valid_JWT
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_issuer_claim
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_subject_claim
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_id_claim
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_audience_claim
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_algorithm_header_parameter
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_assertions_on_all_expected_claims
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_with_registered_claims_assertions_skipped_when_empty
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_exp_after_exp_leeway_set
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_nbf_after_nbf_leeway_set
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_nbf_after_clock_skew_leeway
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_exp_after_clock_skew_leeway
    === RUN   TestValidator_Validate_Valid_JWT/valid_jwt_iat_after_clock_skew_leeway
    --- PASS: TestValidator_Validate_Valid_JWT (0.21s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_issuer_claim (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_subject_claim (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_id_claim (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_audience_claim (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertion_on_algorithm_header_parameter (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_assertions_on_all_expected_claims (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_with_registered_claims_assertions_skipped_when_empty (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_exp_after_exp_leeway_set (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_nbf_after_nbf_leeway_set (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_nbf_after_clock_skew_leeway (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_exp_after_clock_skew_leeway (0.00s)
        --- PASS: TestValidator_Validate_Valid_JWT/valid_jwt_iat_after_clock_skew_leeway (0.00s)
    === RUN   TestValidator_Validate_Invalid_JWT
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_issuer_claim
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_subject_claim
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_id_claim
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_audience_claim
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_algorithm_header_parameter
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_from_failed_signature_verification
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_missing_iat,_nbf,_and_exp_claims
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_before_nbf
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_after_exp
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_before_iat
    === RUN   TestValidator_Validate_Invalid_JWT/invalid_malformed_jwt
    --- PASS: TestValidator_Validate_Invalid_JWT (0.41s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_issuer_claim (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_subject_claim (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_id_claim (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_audience_claim (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_assertion_on_algorithm_header_parameter (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_from_failed_signature_verification (0.20s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_missing_iat,_nbf,_and_exp_claims (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_before_nbf (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_after_exp (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_jwt_with_now_before_iat (0.00s)
        --- PASS: TestValidator_Validate_Invalid_JWT/invalid_malformed_jwt (0.00s)
    === RUN   TestNewValidator
    === RUN   TestNewValidator/new_validator_with_keySet
    === RUN   TestNewValidator/new_validator_with_nil_keySet
    --- PASS: TestNewValidator (0.00s)
        --- PASS: TestNewValidator/new_validator_with_keySet (0.00s)
        --- PASS: TestNewValidator/new_validator_with_nil_keySet (0.00s)
    === RUN   Test_validateAudience
    === RUN   Test_validateAudience/skip_validation_for_empty_audiences
    === RUN   Test_validateAudience/at_least_one_valid_audience
    === RUN   Test_validateAudience/no_valid_audience
    --- PASS: Test_validateAudience (0.00s)
        --- PASS: Test_validateAudience/skip_validation_for_empty_audiences (0.00s)
        --- PASS: Test_validateAudience/at_least_one_valid_audience (0.00s)
        --- PASS: Test_validateAudience/no_valid_audience (0.00s)
    === RUN   Test_validateSigningAlgorithm
    === RUN   Test_validateSigningAlgorithm/default_of_RS256_when_expected_algorithms_is_empty
    === RUN   Test_validateSigningAlgorithm/jwt_signed_with_at_least_one_expected_signing_algorithm
    === RUN   Test_validateSigningAlgorithm/jwt_signed_with_unexpected_algorithm
    === RUN   Test_validateSigningAlgorithm/unsupported_signing_algorithm
    === RUN   Test_validateSigningAlgorithm/jwt_missing_signature
    === RUN   Test_validateSigningAlgorithm/malformed_jwt
    --- PASS: Test_validateSigningAlgorithm (0.06s)
        --- PASS: Test_validateSigningAlgorithm/default_of_RS256_when_expected_algorithms_is_empty (0.00s)
        --- PASS: Test_validateSigningAlgorithm/jwt_signed_with_at_least_one_expected_signing_algorithm (0.00s)
        --- PASS: Test_validateSigningAlgorithm/jwt_signed_with_unexpected_algorithm (0.00s)
        --- PASS: Test_validateSigningAlgorithm/unsupported_signing_algorithm (0.00s)
        --- PASS: Test_validateSigningAlgorithm/jwt_missing_signature (0.00s)
        --- PASS: Test_validateSigningAlgorithm/malformed_jwt (0.00s)
    === RUN   Test_jsonWebKeySet_VerifySignature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES256_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES384_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES512_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS256_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS384_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS512_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS256_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS384_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS512_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/verify_jwt_with_EdDSA_signature
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_with_unrelated_public_and_private_key_pairs
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_header
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_payload
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_to_verify_signature_of_malformed_jwt
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_to_parse_malformed_JWKS_response
    === RUN   Test_jsonWebKeySet_VerifySignature/fail_request_for_keys_from_JWKS_URL_with_404
    --- PASS: Test_jsonWebKeySet_VerifySignature (2.45s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES256_signature (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES384_signature (0.02s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_ES512_signature (0.03s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS256_signature (0.07s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS384_signature (0.38s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_RS512_signature (0.26s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS256_signature (0.06s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS384_signature (0.36s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_PS512_signature (1.25s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/verify_jwt_with_EdDSA_signature (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_with_unrelated_public_and_private_key_pairs (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_header (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_payload (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_to_verify_signature_of_malformed_jwt (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_to_parse_malformed_JWKS_response (0.00s)
        --- PASS: Test_jsonWebKeySet_VerifySignature/fail_request_for_keys_from_JWKS_URL_with_404 (0.00s)
    === RUN   Test_staticKeySet_VerifySignature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_ES256_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_ES384_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_ES512_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_RS256_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_RS384_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_RS512_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_PS256_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_PS384_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_PS512_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_with_EdDSA_signature
    === RUN   Test_staticKeySet_VerifySignature/verify_jwt_signature_with_many_public_keys_of_different_types_provided
    === RUN   Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_with_many_unrelated_public_and_private_key_pairs
    === RUN   Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_with_unrelated_public_and_private_key_pairs
    === RUN   Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_header
    === RUN   Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_payload
    === RUN   Test_staticKeySet_VerifySignature/fail_to_verify_signature_of_malformed_jwt
    --- PASS: Test_staticKeySet_VerifySignature (5.12s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_ES256_signature (0.00s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_ES384_signature (0.02s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_ES512_signature (0.03s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_RS256_signature (0.04s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_RS384_signature (0.61s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_RS512_signature (2.76s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_PS256_signature (0.05s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_PS384_signature (0.98s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_PS512_signature (0.38s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_with_EdDSA_signature (0.00s)
        --- PASS: Test_staticKeySet_VerifySignature/verify_jwt_signature_with_many_public_keys_of_different_types_provided (0.07s)
        --- PASS: Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_with_many_unrelated_public_and_private_key_pairs (0.19s)
        --- PASS: Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_with_unrelated_public_and_private_key_pairs (0.00s)
        --- PASS: Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_header (0.00s)
        --- PASS: Test_staticKeySet_VerifySignature/fail_to_verify_jwt_signature_after_modifying_payload (0.00s)
        --- PASS: Test_staticKeySet_VerifySignature/fail_to_verify_signature_of_malformed_jwt (0.00s)
    === RUN   TestNewJSONWebKeySet
    === RUN   TestNewJSONWebKeySet/valid_JWKS_URL
    === RUN   TestNewJSONWebKeySet/valid_JWKS_URL_and_CA_PEM
    === RUN   TestNewJSONWebKeySet/empty_JWKS_URL
    === RUN   TestNewJSONWebKeySet/malformed_JWKS_CA_PEM
    --- PASS: TestNewJSONWebKeySet (0.00s)
        --- PASS: TestNewJSONWebKeySet/valid_JWKS_URL (0.00s)
        --- PASS: TestNewJSONWebKeySet/valid_JWKS_URL_and_CA_PEM (0.00s)
        --- PASS: TestNewJSONWebKeySet/empty_JWKS_URL (0.00s)
        --- PASS: TestNewJSONWebKeySet/malformed_JWKS_CA_PEM (0.00s)
    === RUN   TestNewOIDCDiscoveryKeySet
    === RUN   TestNewOIDCDiscoveryKeySet/valid_issuer_and_CA_PEM
    === RUN   TestNewOIDCDiscoveryKeySet/empty_issuer_URL
    === RUN   TestNewOIDCDiscoveryKeySet/invalid_issuer_URL
    === RUN   TestNewOIDCDiscoveryKeySet/malformed_issuer_CA_PEM
    --- PASS: TestNewOIDCDiscoveryKeySet (0.00s)
        --- PASS: TestNewOIDCDiscoveryKeySet/valid_issuer_and_CA_PEM (0.00s)
        --- PASS: TestNewOIDCDiscoveryKeySet/empty_issuer_URL (0.00s)
        --- PASS: TestNewOIDCDiscoveryKeySet/invalid_issuer_URL (0.00s)
        --- PASS: TestNewOIDCDiscoveryKeySet/malformed_issuer_CA_PEM (0.00s)
    === RUN   TestNewStaticKeySet
    === RUN   TestNewStaticKeySet/valid_public_keys
    === RUN   TestNewStaticKeySet/empty_public_keys
    --- PASS: TestNewStaticKeySet (0.28s)
        --- PASS: TestNewStaticKeySet/valid_public_keys (0.28s)
        --- PASS: TestNewStaticKeySet/empty_public_keys (0.00s)
    PASS
    ok  	github.com/hashicorp/cap/jwt	8.833s
    
    opened by austingebauer 2
  • Add option to allow all of IAT, NBF, and EXP to be missing

    This is necessary for Kubernetes 1.20 auth tokens, which don't include any of iat/exp/nbf, so this library has no way to deal with them. (Which blocks vault-plugin-auth-kubernetes from using this library, since we still support Kubernetes 1.20.)

    Also did a small amount of cleanup:

    • Generate a single 4096-bit RSA key in the tests, which speeds them up by a few seconds.
    • Update go.mod in ldap cli example to use commit that exists (otherwise the tests appear to fail)
    opened by swenson 1
  • Add support to skip issuer validation.

    The coreos package that cap uses recently added support to allow the validation of the issuer against the discovery doc: https://github.com/coreos/go-oidc/pull/315

    Upgrading to v3 of go-oidc and supporting a similar flag in cap would allow callers to use providers like Azure with its non-compliant issuers.

    opened by jimlambrt 1
  • Adds initial implementation of the JWT package

    Description

    This PR adds an initial implementation of the JWT package, which provides signature verification and claims set validation for JWTs of the JWS form.

    The code in this package is similar to that in both the vault-plugin-auth-jwt and consul JWT auth implementations.

    Testing

    I've integrated and tested the code in this PR in the common-jwt-lib branch of vault-plugin-auth-jwt.

    Tests are intentionally absent from this PR in order to first agree on the API and behavior of the package. I'll be adding tests and additional documentation in a subsequent PR once there is agreement.

    opened by austingebauer 1
  • Support for: callbacks, PKCE, max_age, UserInfo response verification and example applications

    Features:

    • callbacks for: authorization code (with optional PKCE) and implicit flows.
    • PKCE support
    • max_age support
    • UserInfo response verification
    • example applications: cli and SPA

    Documentation:

    • READMEs for oidc and callback packages, plus example apps
    • package docs for oidc and callback packages
    • package examples
    opened by jimlambrt 1
  • Boundary 0.2.1 doesn't parse Dex OIDC provider's `aud` claim

    [Note: this issue was seen in Boundary, but is being filed here per conversation with @jimlambrt]

    Describe the bug

    Boundary cannot unmarshal the aud claim that Dex returns. The output given in the Boundary UI is {"kind":"Internal", "message":"authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: failed to parse claims for UserInfo verification: json: cannot unmarshal string into Go struct field verifyClaims.Aud of type []string"}

    To Reproduce

    I set up a Dex provider in a Docker container with the following config:

    • Docker run:

    docker run -d -v /etc/dex/dex-config.yaml:/etc/dex/config.docker.yaml -p 5556:5556 -p 5558:5558 quay.io/dexidp/dex:latest

    • Dex config in /etc/dex/dex-config.yaml:
    issuer: http://[Dex instance public IP]:5556/dex
    
    storage:
      type: memory
    
    web:
      http: 0.0.0.0:5556
    
    telemetry:
      http: 0.0.0.0:5558
    
    grpc:
      addr: 127.0.0.1:5557
    
    logger:
      level: "debug"
      format: "text" # can also be "json"
    
    oauth2:
      responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"
    
    staticClients:
    - id: boundary
      name: Boundary
      secret: [client secret]
      redirectUris:
      - [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
    
    connectors:
    - type: google
      id: google
      name: Google public login
    
    enablePasswordDB: true
    
    staticPasswords:
    - email: "[email protected]"
      hash: "[bcrypt password hash]"
      username: "jthompson"
    

    Boundary OIDC provider config for Dex:

    $ boundary auth-methods read -id amoidc_JZg1tu7M19
    
    Auth Method information:
      Created Time:           Mon, 17 May 2021 02:34:00 EDT
      ID:                     amoidc_JZg1tu7M19
      Is Primary For Scope:   false
      Name:                   Dex
      Type:                   oidc
      Updated Time:           Mon, 17 May 2021 02:36:15 EDT
      Version:                4
    
      Scope:
        ID:                   global
        Name:                 global
        Type:                 global
    
      Authorized Actions:
        no-op
        read
        update
        delete
        change-state
        authenticate
    
      Authorized Actions on Auth Method's Collections:
        accountss:
          create
          list
    
      Attributes:
        api_url_prefix:       [Boundary controller address]
        callback_url:
        [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
        client_id:            boundary
        client_secret_hmac:   kqu9d35RUER7qnleiSUmPMaCB9_YYQK_EIsJ1X-X0s0
        issuer:               http://[Dex instance public IP]:5556/dex
        signing_algorithms:   [RS256]
        state:                active-public
    

    Expected behavior

    Boundary OIDC should parse the aud claim received from Dex and authenticate the user.

    Desktop (please complete the following information):

    • OS: Fedora 34
    • Browser: Firefox
    • Version: 88
    opened by omkensey 0
  • Change subjectPasswords into subjectInfo

    Although this updates the locations where passwords are checked, I have not yet found and updated the various places where other values we want to override are set.

    opened by jefferai 0
  • OIDC: add the ability to run a TestProvider without TLS and start a TestProvider using a type that implements the TestingT interface

    These changes would allow devs to run the TestProvider outside of "tests" if they need a very simple Provider.

    I've also included a NewTestingLogger which implements the TestingT interface and logs errors via hclog

    @jefferai, @austingebauer : I just pushed a couple commits to this PR which add the ability to present a login form for interactive testing.

    opened by jimlambrt 0
  • Set specific version of golang.org/x/oauth2

    Description

    This PR resets the version requirement for the golang.org/x/oauth2 dependency, which was set to a specific version in PR https://github.com/hashicorp/cap/pull/14. I missed seeing that this was changed when reviewing PR https://github.com/hashicorp/cap/pull/25. See PR https://github.com/hashicorp/cap/pull/14 for more context on why we're setting this specific version.

    An alternative would be to fix the etcd/grpc incompatibility in Vault based on guidance from https://github.com/etcd-io/etcd/issues/12124.

    Similar PRs

    • https://github.com/hashicorp/vault-plugin-auth-azure/pull/43
    opened by austingebauer 0
Releases: v0.2.0
Owner: HashiCorp