diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs index 0671c9365..18c7f6bab 100644 --- a/zeroidc/src/lib.rs +++ b/zeroidc/src/lib.rs @@ -7,9 +7,10 @@ extern crate time; extern crate url; use bytes::Bytes; -use jsonwebtoken::{dangerous_insecure_decode};use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType}; +use jsonwebtoken::{dangerous_insecure_decode}; +use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType}; use openidconnect::reqwest::http_client; -use openidconnect::{AccessToken, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse}; +use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, NonceVerifier, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse}; use serde::{Deserialize, Serialize}; use std::str::from_utf8; use std::sync::{Arc, Mutex}; @@ -168,80 +169,122 @@ impl ZeroIDC { let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone(); if let Some(refresh_token) = refresh_token { if now >= (exp - Duration::from_secs(30)) { + let nonce = (*inner_local.lock().unwrap()).nonce.clone(); let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| { let res = c.exchange_refresh_token(&refresh_token) .request(http_client); - res - }); - - if let Some(res) = token_response { match res { Ok(res) => { - match res.id_token() { - Some(id_token) => { - - let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())]; - #[cfg(debug_assertions)] { - println!("New ID token: {}", id_token.to_string()); + let n = match nonce { + Some(n) => n, + None => { + return None; + } + }; + + let id = match res.id_token() { + Some(t) => t, + None => { + return None; + } + }; + + let claims = match id.claims(&c.id_token_verifier(), &n) { + Ok(c) => c, + Err(_e) => { + return None; + } + }; + + let signing_algo = match id.signing_alg() { + Ok(s) => s, + Err(_) => { + return None; + } + }; + + if let Some(expected_hash) = claims.access_token_hash() { + let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) { + Ok(h) => h, + Err(e) => { + println!("Error hashing access token: {}", e); + return None; } - let client = reqwest::blocking::Client::new(); - let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone()) - .form(¶ms) - .send(); + }; + + if actual_hash != *expected_hash { + println!("token hash error"); + return None; + } + } + return Some(res); + }, + Err(_e) => { + return None; + } + }; + }); - match r { - Ok(r) => { - if r.status().is_success() { - #[cfg(debug_assertions)] { - println!("hit url: {}", r.url().as_str()); - println!("status: {}", r.status()); - } + if let Some(Some(res)) = token_response{ + match res.id_token() { + Some(id_token) => { + let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())]; + #[cfg(debug_assertions)] { + println!("New ID token: {}", id_token.to_string()); + } + let client = reqwest::blocking::Client::new(); + let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone()) + .form(¶ms) + .send(); - let access_token = res.access_token(); - let at = access_token.secret(); - let exp = dangerous_insecure_decode::(&at); - - if let Ok(e) = exp { - (*inner_local.lock().unwrap()).exp_time = e.claims.exp - } - - (*inner_local.lock().unwrap()).access_token = Some(access_token.clone()); - if let Some(t) = res.refresh_token() { - // println!("New Refresh Token: {}", t.secret()); - (*inner_local.lock().unwrap()).refresh_token = Some(t.clone()); - } - #[cfg(debug_assertions)] { - println!("Central post succeeded"); - } - } else { - println!("Central post failed: {}", r.status().to_string()); - println!("hit url: {}", r.url().as_str()); - println!("Status: {}", r.status()); - (*inner_local.lock().unwrap()).exp_time = 0; - (*inner_local.lock().unwrap()).running = false; - } - }, - Err(e) => { - - println!("Central post failed: {}", e.to_string()); - println!("hit url: {}", e.url().unwrap().as_str()); - println!("Status: {}", e.status().unwrap()); - (*inner_local.lock().unwrap()).exp_time = 0; - (*inner_local.lock().unwrap()).running = false; + match r { + Ok(r) => { + if r.status().is_success() { + #[cfg(debug_assertions)] { + println!("hit url: {}", r.url().as_str()); + println!("status: {}", r.status()); } + + let access_token = res.access_token(); + let at = access_token.secret(); + let exp = dangerous_insecure_decode::(&at); + + if let Ok(e) = exp { + (*inner_local.lock().unwrap()).exp_time = e.claims.exp + } + + (*inner_local.lock().unwrap()).access_token = Some(access_token.clone()); + if let Some(t) = res.refresh_token() { + // println!("New Refresh Token: {}", t.secret()); + (*inner_local.lock().unwrap()).refresh_token = Some(t.clone()); + } + #[cfg(debug_assertions)] { + println!("Central post succeeded"); + } + } else { + println!("Central post failed: {}", r.status().to_string()); + println!("hit url: {}", r.url().as_str()); + println!("Status: {}", r.status()); + (*inner_local.lock().unwrap()).exp_time = 0; + (*inner_local.lock().unwrap()).running = false; } }, - None => { - println!("No id token???"); + Err(e) => { + + println!("Central post failed: {}", e.to_string()); + println!("hit url: {}", e.url().unwrap().as_str()); + println!("Status: {}", e.status().unwrap()); + (*inner_local.lock().unwrap()).exp_time = 0; + (*inner_local.lock().unwrap()).running = false; } } }, - Err(e) => { - println!("Error posting refresh token: {}", e) + None => { + println!("no id token?!?"); } } - } + } } else { println!("waiting to refresh"); } @@ -367,7 +410,49 @@ impl ZeroIDC { .request(http_client); match r { Ok(res) =>{ - return Some(res); + let n = match i.nonce.clone() { + Some(n) => n, + None => { + return None; + } + }; + + let id = match res.id_token() { + Some(t) => t, + None => { + return None; + } + }; + + let claims = match id.claims(&c.id_token_verifier(), &n) { + Ok(c) => c, + Err(_e) => { + return None; + } + }; + + let signing_algo = match id.signing_alg() { + Ok(s) => s, + Err(_) => { + return None; + } + }; + + if let Some(expected_hash) = claims.access_token_hash() { + let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) { + Ok(h) => h, + Err(e) => { + println!("Error hashing access token: {}", e); + return None; + } + }; + + if actual_hash != *expected_hash { + println!("token hash error"); + return None; + } + } + Some(res) }, Err(_e) => { #[cfg(debug_assertions)] {