lukaszraczylo/traefikoidc
1
0
Fork 0
mirror of https://github.com/lukaszraczylo/traefikoidc.git synced 2026-06-05 22:44:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a316a98e4f75ec6705f3018bb7ff967b10178cbd
traefikoidc/internal/token/validator.go
T
lukaszraczylo e64fc7f730 Add redis support for distributed caching (#83) 
* Add redis support for distributed caching

* Move towards the self-provided Redis connection pool and RESP protocol implementation.
Official redis client library won't work with yaegi.

* fixup! Move towards the self-provided Redis connection pool and RESP protocol implementation. Official redis client library won't work with yaegi.

* fixup! fixup! Move towards the self-provided Redis connection pool and RESP protocol implementation. Official redis client library won't work with yaegi.

* fixup! fixup! fixup! Move towards the self-provided Redis connection pool and RESP protocol implementation. Official redis client library won't work with yaegi.

* fixup! fixup! fixup! fixup! Move towards the self-provided Redis connection pool and RESP protocol implementation. Official redis client library won't work with yaegi.

* fixup! fixup! fixup! fixup! fixup! Move towards the self-provided Redis connection pool and RESP protocol implementation. Official redis client library won't work with yaegi.

* ... and another all nighter.

* fixup! ... and another all nighter.

* fixup! fixup! ... and another all nighter.

* fixup! fixup! fixup! ... and another all nighter.

* Resolve issue #85 by adding ability to set custom claims in JWT tokens

* Remove redundant validation in auth middleware ( issue #89 )

* Add ability to set cookie prefix for session cookies ( #87 )

* fixup! Add ability to set cookie prefix for session cookies ( #87 )

* Add ability to set cookie max age - issue #91

* Potential fix for code scanning alert no. 10: Size computation for allocation may overflow

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* fixup! Merge main into 0.8.0-redis: resolve conflicts

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-11-30 02:18:46 +00:00

356 lines
9.6 KiB
Go
Raw Blame History

package token
import (
"context"
"fmt"
"net/http"
"strings"
"sync"
"time"
)
// Validator handles token validation operations
type Validator struct {
clientID string
audience string
issuerURL string
jwksURL string
tokenCache TokenCacheInterface
tokenBlacklist CacheInterface
tokenTypeCache CacheInterface
jwkCache interface{} // JWK cache interface
httpClient *http.Client
limiter interface{} // Rate limiter interface
extractClaimsFunc ClaimsExtractor
tokenVerifier TokenVerifier
disableReplayDetection bool
suppressDiagnosticLogs bool
metadataMu *sync.RWMutex
logger interface{} // Logger interface
}
// NewValidator creates a new token validator
func NewValidator(config ValidatorConfig) *Validator {
var metadataMu *sync.RWMutex
if config.MetadataMu != nil {
if mu, ok := config.MetadataMu.(*sync.RWMutex); ok {
metadataMu = mu
}
}
return &Validator{
clientID: config.ClientID,
audience: config.Audience,
issuerURL: config.IssuerURL,
jwksURL: config.JwksURL,
tokenCache: config.TokenCache,
tokenBlacklist: config.TokenBlacklist,
tokenTypeCache: config.TokenTypeCache,
jwkCache: config.JwkCache,
httpClient: config.HTTPClient,
limiter: config.Limiter,
extractClaimsFunc: config.ExtractClaimsFunc,
tokenVerifier: config.TokenVerifier,
disableReplayDetection: config.DisableReplayDetection,
suppressDiagnosticLogs: config.SuppressDiagnosticLogs,
metadataMu: metadataMu,
logger: config.Logger,
}
}
// VerifyToken verifies the validity of an ID token or access token.
// It performs comprehensive validation including format checks, blacklist verification,
// signature validation using JWKs, and standard claims validation.
func (v *Validator) VerifyToken(token string) error {
if token == "" {
return fmt.Errorf("invalid JWT format: token is empty")
}
if strings.Count(token, ".") != 2 {
return fmt.Errorf("invalid JWT format: expected JWT with 3 parts, got %d parts", strings.Count(token, ".")+1)
}
if len(token) < 10 {
return fmt.Errorf("token too short to be valid JWT")
}
// Check raw token blacklist
if v.tokenBlacklist != nil {
if blacklisted, exists := v.tokenBlacklist.Get(token); exists && blacklisted != nil {
return fmt.Errorf("token is blacklisted (raw string) in cache")
}
}
// Parse JWT for further validation
parsedJWT, parseErr := v.parseJWT(token)
if parseErr != nil {
return fmt.Errorf("failed to parse JWT for blacklist check: %w", parseErr)
}
tokenType := v.determineTokenType(parsedJWT)
// Check token cache FIRST - if token is already verified and cached, return immediately
// This prevents false positives when multiple goroutines validate the same token concurrently
if claims, exists := v.tokenCache.GetCachedToken(token); exists && len(claims) > 0 {
return nil
}
// Check JTI blacklist for replay detection
if err := v.checkJTIBlacklist(parsedJWT, token); err != nil {
return err
}
// Rate limiting check
if !v.checkRateLimit() {
return fmt.Errorf("rate limit exceeded")
}
// Verify signature and claims
if err := v.VerifyJWTSignatureAndClaims(parsedJWT, token); err != nil {
if !strings.Contains(err.Error(), "token has expired") {
v.logErrorf("%s token verification failed: %v", tokenType, err)
}
return err
}
// Cache verified token
v.cacheVerifiedToken(token, parsedJWT.Claims)
// Add JTI to blacklist for replay prevention
v.addJTIToBlacklist(parsedJWT)
return nil
}
// VerifyJWTSignatureAndClaims verifies JWT signature using provider's public keys and validates standard claims
func (v *Validator) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error {
v.logDebugf("Verifying JWT signature and claims")
// Get JWKS URL
v.metadataMu.RLock()
jwksURL := v.jwksURL
v.metadataMu.RUnlock()
// Get JWKS from cache
jwks, err := v.getJWKS(context.Background(), jwksURL)
if err != nil {
return fmt.Errorf("failed to get JWKS: %w", err)
}
// Extract key ID and algorithm from token header
kid, ok := jwt.Header["kid"].(string)
if !ok {
return fmt.Errorf("missing key ID in token header")
}
alg, ok := jwt.Header["alg"].(string)
if !ok {
return fmt.Errorf("missing algorithm in token header")
}
// Find matching key in JWKS
matchingKey := v.findMatchingKey(jwks, kid)
if matchingKey == nil {
return fmt.Errorf("no matching public key found for kid: %s", kid)
}
// Convert JWK to PEM and verify signature
if err := v.verifyTokenSignature(token, matchingKey, alg); err != nil {
return fmt.Errorf("signature verification failed: %w", err)
}
// Detect token type and validate claims
isIDToken := v.detectTokenType(jwt, token)
expectedAudience := v.audience
if isIDToken {
expectedAudience = v.clientID
}
// Verify standard claims
v.metadataMu.RLock()
issuerURL := v.issuerURL
v.metadataMu.RUnlock()
if err := v.verifyStandardClaims(jwt, issuerURL, expectedAudience); err != nil {
return fmt.Errorf("standard claim verification failed: %w", err)
}
return nil
}
// detectTokenType efficiently detects whether a token is an ID token or access token
func (v *Validator) detectTokenType(jwt *JWT, token string) bool {
// Use first 32 chars of token as cache key
cacheKey := token
if len(token) > 32 {
cacheKey = token[:32]
}
// Check cache first
if v.tokenTypeCache != nil {
if cachedData, found := v.tokenTypeCache.Get(cacheKey); found {
if isIDToken, ok := cachedData["is_id_token"].(bool); ok {
return isIDToken
}
}
}
// Check for ID token indicators
isIDToken := false
// 1. Check 'nonce' claim (definitive for ID tokens)
if nonce, ok := jwt.Claims["nonce"]; ok {
if _, ok := nonce.(string); ok {
v.cacheTokenType(cacheKey, true)
return true
}
}
// 2. Check 'typ' header for "at+jwt" (definitive for access tokens)
if typ, ok := jwt.Header["typ"].(string); ok && typ == "at+jwt" {
v.cacheTokenType(cacheKey, false)
return false
}
// 3. Check 'token_use' claim
if tokenUse, ok := jwt.Claims["token_use"].(string); ok {
switch tokenUse {
case "id":
v.cacheTokenType(cacheKey, true)
return true
case "access":
v.cacheTokenType(cacheKey, false)
return false
}
}
// 4. Check 'scope' claim (indicator for access tokens)
if scope, ok := jwt.Claims["scope"]; ok {
if _, ok := scope.(string); ok {
v.cacheTokenType(cacheKey, false)
return false
}
}
// 5. Check audience matching
if aud, ok := jwt.Claims["aud"]; ok {
if audStr, ok := aud.(string); ok && audStr == v.clientID {
isIDToken = true
} else if audArr, ok := aud.([]interface{}); ok && len(audArr) == 1 {
for _, val := range audArr {
if str, ok := val.(string); ok && str == v.clientID {
isIDToken = true
break
}
}
}
}
v.cacheTokenType(cacheKey, isIDToken)
return isIDToken
}
// Helper methods (stubs for interface compatibility)
func (v *Validator) parseJWT(token string) (*JWT, error) {
// This would call the actual JWT parsing function
// For now, returning a stub
return nil, fmt.Errorf("parseJWT not implemented")
}
func (v *Validator) determineTokenType(jwt *JWT) string {
if v.detectTokenType(jwt, "") {
return TokenTypeID
}
return TokenTypeAccess
}
func (v *Validator) checkJTIBlacklist(jwt *JWT, token string) error {
if v.disableReplayDetection {
return nil
}
if jti, ok := jwt.Claims["jti"].(string); ok && jti != "" {
// Skip for test tokens
if !strings.HasPrefix(token, "eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3Qta2V5LWlkIiwidHlwIjoiSldUIn0") {
if v.tokenBlacklist != nil {
if blacklisted, exists := v.tokenBlacklist.Get(jti); exists && blacklisted != nil {
return fmt.Errorf("token replay detected (jti: %s) in cache", jti)
}
}
}
}
return nil
}
func (v *Validator) checkRateLimit() bool {
// Interface method call would go here
return true
}
func (v *Validator) cacheVerifiedToken(token string, claims map[string]interface{}) {
v.tokenCache.CacheToken(token, claims)
}
func (v *Validator) addJTIToBlacklist(jwt *JWT) {
if v.disableReplayDetection {
return
}
jti, ok := jwt.Claims["jti"].(string)
if !ok || jti == "" {
return
}
if v.tokenBlacklist != nil {
v.tokenBlacklist.Set(jti, map[string]interface{}{
"blacklisted_at": time.Now().Unix(),
"reason": "jti_replay_prevention",
})
}
}
func (v *Validator) cacheTokenType(cacheKey string, isIDToken bool) {
if v.tokenTypeCache != nil {
v.tokenTypeCache.Set(cacheKey, map[string]interface{}{
"is_id_token": isIDToken,
"cached_at": time.Now().Unix(),
})
}
}
func (v *Validator) getJWKS(ctx context.Context, jwksURL string) (*JWKS, error) {
// Interface method call would go here
return nil, fmt.Errorf("getJWKS not implemented")
}
func (v *Validator) findMatchingKey(jwks *JWKS, kid string) *JWK {
if jwks == nil {
return nil
}
for _, key := range jwks.Keys {
if key.Kid == kid {
return &key
}
}
return nil
}
func (v *Validator) verifyTokenSignature(token string, key *JWK, alg string) error {
// Interface method call would go here
return fmt.Errorf("verifyTokenSignature not implemented")
}
func (v *Validator) verifyStandardClaims(jwt *JWT, issuer, audience string) error {
// Interface method call would go here
return fmt.Errorf("verifyStandardClaims not implemented")
}
func (v *Validator) logDebugf(format string, args ...interface{}) {
// Logger interface call would go here
}
func (v *Validator) logErrorf(format string, args ...interface{}) {
// Logger interface call would go here
}
Reference in New Issue View Git Blame Copy Permalink