From 10450e9b984ed69ddc3af37c3603021991bd4ceb Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Tue, 13 Aug 2019 23:35:56 +0000 Subject: [PATCH] add easy header and exp options --- mockid.go | 132 +++++++++++++++++++++++++++++++++++----------- public/index.html | 21 +++++++- 2 files changed, 120 insertions(+), 33 deletions(-) diff --git a/mockid.go b/mockid.go index 0436c66..a79cc71 100644 --- a/mockid.go +++ b/mockid.go @@ -12,6 +12,7 @@ import ( "log" "math/big" "net/http" + "net/url" "os" "strconv" "time" @@ -30,7 +31,7 @@ type PublicJWK struct { func main() { done := make(chan bool) var port int - var host string + var host string jwkm := map[string]string{ "crv": "P-256", @@ -51,7 +52,7 @@ func main() { thumbprint := thumbprintKey(pub) portFlag := flag.Int("port", 0, "Port on which the HTTP server should run") - urlFlag := flag.String("url", "", "Outward-facing address, such as https://example.com") + urlFlag := flag.String("url", "", "Outward-facing address, such as https://example.com") flag.Parse() if nil != portFlag && *portFlag > 0 { @@ -65,34 +66,62 @@ func main() { os.Exit(1) } - if nil != urlFlag && "" != *urlFlag { - host = *urlFlag - } else { - host = "http://localhost:" + strconv.Itoa(port) - } + if nil != urlFlag && "" != *urlFlag { + host = *urlFlag + } else { + host = "http://localhost:" + strconv.Itoa(port) + } http.HandleFunc("/access_token", func(w http.ResponseWriter, r *http.Request) { log.Printf("%s %s\n", r.Method, r.URL.Path) - var scheme string - if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { - scheme = "https://" - } else { - scheme = "http://" - } - _, _, token := genToken(scheme + r.Host, priv) + var scheme string + if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { + scheme = "https://" + } else { + scheme = "http://" + } + _, _, token := genToken(scheme+r.Host, priv, r.URL.Query()) fmt.Fprintf(w, token) }) + http.HandleFunc("/authorization_header", func(w http.ResponseWriter, r *http.Request) { + log.Printf("%s %s\n", r.Method, r.URL.Path) + var scheme string + if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { + scheme = "https://" + } else { + scheme = "http://" + } + + var header string + headers, _ := r.URL.Query()["header"] + if 0 == len(headers) { + header = "Authorization" + } else { + header = headers[0] + } + + var prefix string + prefixes, _ := r.URL.Query()["prefix"] + if 0 == len(prefixes) { + prefix = "Bearer " + } else { + prefix = prefixes[0] + } + + _, _, token := genToken(scheme+r.Host, priv, r.URL.Query()) + fmt.Fprintf(w, "%s: %s%s", header, prefix, token) + }) http.HandleFunc("/key.jwk.json", func(w http.ResponseWriter, r *http.Request) { log.Printf("%s %s", r.Method, r.URL.Path) fmt.Fprintf(w, `{ "kty": "EC" , "crv": %q , "d": %q , "x": %q , "y": %q , "ext": true , "key_ops": ["sign"] }`, jwk.Crv, jwk.D, jwk.X, jwk.Y) }) http.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { - var scheme string - if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { - scheme = "https://" - } else { - scheme = "http://" - } + var scheme string + if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { + scheme = "https://" + } else { + scheme = "http://" + } log.Printf("%s %s\n", r.Method, r.URL.Path) fmt.Fprintf(w, `{ "issuer": "%s", "jwks_uri": "%s/.well-known/jwks.json" }`, scheme+r.Host, scheme+r.Host) }) @@ -106,14 +135,14 @@ func main() { fmt.Println(jwkstr) fmt.Fprintf(w, jwkstr) }) - fs := http.FileServer(http.Dir("public")) - http.Handle("/", fs) -/* - http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - log.Printf(r.Method, r.URL.Path) - http.Error(w, "Not Found", http.StatusNotFound) - }) -*/ + fs := http.FileServer(http.Dir("public")) + http.Handle("/", fs) + /* + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + log.Printf(r.Method, r.URL.Path) + http.Error(w, "Not Found", http.StatusNotFound) + }) + */ fmt.Printf("Serving on port %d\n", port) go func() { @@ -125,7 +154,7 @@ func main() { fmt.Printf("Private Key:\n\t%s\n", string(b)) b, _ = json.Marshal(jwk.PublicJWK) fmt.Printf("Public Key:\n\t%s\n", string(b)) - protected, payload, token := genToken(host, priv) + protected, payload, token := genToken(host, priv, url.Values{}) fmt.Printf("Protected (Header):\n\t%s\n", protected) fmt.Printf("Payload (Claims):\n\t%s\n", payload) fmt.Printf("Access Token:\n\t%s\n", token) @@ -133,15 +162,56 @@ func main() { <-done } -func genToken(host string, priv *ecdsa.PrivateKey) (string, string, string) { +func parseExp(exp string) (int, error) { + if "" == exp { + exp = "15m" + } + mult := 1 + switch exp[len(exp)-1] { + case 'w': + mult *= 7 + fallthrough + case 'd': + mult *= 24 + fallthrough + case 'h': + mult *= 60 + fallthrough + case 'm': + mult *= 60 + fallthrough + case 's': + // no fallthrough + default: + // could be 'k' or 'z', but we assume its empty + exp += "s" + } + + num, err := strconv.Atoi(exp[:len(exp)-1]) + if nil != err { + return 0, err + } + return num * mult, nil +} + +func genToken(host string, priv *ecdsa.PrivateKey, query url.Values) (string, string, string) { thumbprint := thumbprintKey(&priv.PublicKey) protected := fmt.Sprintf(`{"typ":"JWT","alg":"ES256","kid":"%s"}`, thumbprint) protected64 := base64.RawURLEncoding.EncodeToString([]byte(protected)) + + exp, err := parseExp(query.Get("exp")) + if nil != err { + // cryptic error code + // TODO propagate error + exp = 422 + } + payload := fmt.Sprintf( `{"iss":"%s/","sub":"dummy","exp":%s}`, - host, strconv.FormatInt(time.Now().Add(15*time.Minute).Unix(), 10), + host, strconv.FormatInt(time.Now().Add(time.Duration(exp)*time.Second).Unix(), 10), ) payload64 := base64.RawURLEncoding.EncodeToString([]byte(payload)) + hash := sha256.Sum256([]byte(fmt.Sprintf(`%s.%s`, protected64, payload64))) r, s, _ := ecdsa.Sign(rand.Reader, priv, hash[:]) rb := r.Bytes() diff --git a/public/index.html b/public/index.html index 36456ec..3a4b122 100644 --- a/public/index.html +++ b/public/index.html @@ -4,14 +4,15 @@ Compatible with * OAuth2 * OpenID Connect (OIDC) -* JOSE +* JOSE (Signed Access Tokens) * JWT - * JWK (Signed Access Tokens) + * JWK * JWS

Resources

* https://mock.pocketid.app/access_token + * https://mock.pocketid.app/authorization_header * https://xxx.mock.pocketid.app/.well-known/openid-configuration * https://xxx.mock.pocketid.app/.well-known/jwks.json * https://mock.pocketid.app/key.jwk.json @@ -26,6 +27,22 @@ For example: TOKEN=$(curl -fL https://mock.pocketid.app/access_token) +You can set the expiration (`exp`) with query parameters: + + * https://mock.pocketid.app/access_token?exp=90d (+90 days) + * https://mock.pocketid.app/access_token?exp=3h (+3 hours) + * https://mock.pocketid.app/access_token?exp=15m (+15 minutes) + * https://mock.pocketid.app/access_token?exp=1565739000 (exactly 2019-08-13 5:30pm) + +(you can also get the whole header) + + https://mock.pocketid.app/authorization_header + +For example: + + HEADER=$(curl -fL https://mock.pocketid.app/authorization_header) + # Authorization: Bearer <token> +

The Token, Decoded

The Token will look like this: