Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

driver: Use proper key name when JWT is enabled #1373

Merged
merged 3 commits into from
Apr 19, 2019
Merged

driver: Use proper key name when JWT is enabled #1373

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ced3d51
driver: Use proper key name when JWT is enabled
aeneasr Apr 19, 2019
4585daa
oauth2: Use proper strategy for en/decoding JWTs
aeneasr Apr 19, 2019
763a194
u
aeneasr Apr 19, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,13 @@ test-resetdb:
docker rm -f hydra_test_database_mysql || true
docker rm -f hydra_test_database_postgres || true
docker run --rm --name hydra_test_database_mysql -p 3444:3306 -e MYSQL_ROOT_PASSWORD=secret -d mysql:5.7
docker run --rm --name hydra_test_database_postgres -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=hydra -d postgres:9.6
docker run --rm --name hydra_test_database_postgres -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=hydra -d postgres:9.

# Runs tests in short mode, without database adapters
.PHONY: docker
docker:
GO111MODULE=on GOOS=linux GOARCH=amd64 go build && docker build -t oryd/hydra:latest .
rm hydra

# Runs tests in short mode, without database adapters
.PHONY: quicktest
Expand Down
12 changes: 8 additions & 4 deletions driver/configuration/provider_viper.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ func (v *ViperProvider) InsecureRedirects() []string {

func (v *ViperProvider) WellKnownKeys(include ...string) []string {
if v.AccessTokenStrategy() == "jwt" {
include = append(include, x.OpenIDConnectKeyName)
include = append(include, x.OAuth2JWTKeyName)
}

include = append(include, x.OpenIDConnectKeyName)
Expand Down Expand Up @@ -125,9 +125,13 @@ func (v *ViperProvider) SubjectTypesSupported() []string {

if stringslice.Has(types, "pairwise") {
if v.AccessTokenStrategy() == "jwt" {
v.l.Fatalf(`The pairwise subject identifier algorithm is not supported by the JWT OAuth 2.0 Access Token Strategy. Please remove "pairwise" from oidc.subject_identifiers.supported or set strategies.access_token to "opaque".`)
}
if len(v.SubjectIdentifierAlgorithmSalt()) < 8 {
v.l.Warn(`The pairwise subject identifier algorithm is not supported by the JWT OAuth 2.0 Access Token Strategy and is thus being disabled. Please remove "pairwise" from oidc.subject_identifiers.enable" (e.g. oidc.subject_identifiers.enable=public) or set strategies.access_token to "opaque".`)
types = stringslice.Filter(types,
func(s string) bool {
return !(s == "public")
},
)
} else if len(v.SubjectIdentifierAlgorithmSalt()) < 8 {
v.l.Fatalf(`The pairwise subject identifier algorithm was set but length of oidc.subject_identifier.salt is too small (%d < 8), please set oidc.subject_identifiers.pairwise.salt to a random string with 8 characters or more.`, len(v.SubjectIdentifierAlgorithmSalt()))
}
}
Expand Down
9 changes: 9 additions & 0 deletions driver/configuration/provider_viper_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,15 @@ func TestSubjectTypesSupported(t *testing.T) {
c: setEnv(strings.ToUpper(strings.Replace(ViperKeySubjectTypesSupported, ".", "_", -1)), ""),
e: []string{"public", "pairwise"},
},
{
d: "Load legacy environment variable in legacy format",
p: func(t *testing.T) {
setEnv(strings.ToUpper(strings.Replace(ViperKeySubjectTypesSupported, ".", "_", -1)), "public,pairwise,foobar")(t)
setEnv(strings.ToUpper(strings.Replace(ViperKeyAccessTokenStrategy, ".", "_", -1)), "jwt")(t)
},
c: setEnv(strings.ToUpper(strings.Replace(ViperKeySubjectTypesSupported, ".", "_", -1)), ""),
e: []string{"public"},
},
} {
t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
tc.p(t)
Expand Down
Binary file removed hydra
View file
Open in desktop
Binary file not shown.
21 changes: 21 additions & 0 deletions quickstart-jwt.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
###########################################################################
####### FOR DEMONSTRATION PURPOSES ONLY #######
###########################################################################
# #
# If you have not yet read the tutorial, do so now: #
# https://www.ory.sh/docs/hydra/5min-tutorial #
# #
# This set up is only for demonstration purposes. The login #
# endpoint can only be used if you follow the steps in the tutorial. #
# #
###########################################################################

version: '3'

services:

hydra:
environment:
- OAUTH2_ACCESS_TOKEN_STRATEGY=jwt
- OIDC_SUBJECT_IDENTIFIERS_ENABLED=public
restart: unless-stopped
1 change: 0 additions & 1 deletion quickstart.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ services:
- OAUTH2_SHARE_ERROR_DEBUG=1
- OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
- OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
# - OAUTH2_ACCESS_TOKEN_STRATEGY=jwt
restart: unless-stopped

consent:
Expand Down
96 changes: 96 additions & 0 deletions sdk/go/hydra/models/handled_authentication_request.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.