changed `sub` conflict checking when getting keys
This commit is contained in:
tigerbot
parent
0e23100233
commit
19d153283e
97
jwks.js
97
jwks.js
|
|
@ -33,58 +33,63 @@ function thumbprint(jwk) {
|
|||
return PromiseA.resolve(makeB64UrlSafe(hash));
|
||||
}
|
||||
|
||||
function sanitizeJwk(jwk) {
|
||||
// We need to sanitize the key to make sure we don't deliver any private keys fields if
|
||||
// we were given a key we could use to sign tokens on behalf of the user. We also don't
|
||||
// want to deliver the sub or any other PPIDs.
|
||||
var whitelist = ['kty', 'alg', 'kid', 'use'];
|
||||
if (jwk.kty === 'EC') {
|
||||
whitelist = whitelist.concat(['crv', 'x', 'y']);
|
||||
} else if (jwk.kty === 'RSA') {
|
||||
whitelist = whitelist.concat(['e', 'n']);
|
||||
}
|
||||
|
||||
var result = {};
|
||||
whitelist.forEach(function (key) {
|
||||
result[key] = jwk[key];
|
||||
});
|
||||
return result;
|
||||
}
|
||||
|
||||
function create(app) {
|
||||
var restful = {};
|
||||
|
||||
async function getRawKey(req) {
|
||||
var store = await req.getSiteStore();
|
||||
|
||||
if (req.params.kid === req.experienceId) {
|
||||
return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
|
||||
}
|
||||
|
||||
// The keys are stored by the issuer PPID, but the sub we have might be a different PPID
|
||||
// for a 3rd party. As such we need to look up the subject in the grants to get the issuer
|
||||
// PPID and to make sure there wasn't some kind of error that allowed multiple users to
|
||||
// somehow use the same PPID.
|
||||
var results = await Promise.all([
|
||||
store.IssuerOauth3OrgGrants.find({ sub: req.params.sub }),
|
||||
store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }),
|
||||
]);
|
||||
var subList = [].concat.apply([], results).map(grant => grant.sub);
|
||||
subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind);
|
||||
if (!subList.length) {
|
||||
throw new OpErr("unknown PPID '" + req.params.sub + "'");
|
||||
}
|
||||
if (subList.length > 1) {
|
||||
// This should not ever happen since there is a check for PPID collisions when saving
|
||||
// grants, but it's probably better to have this check anyway just incase something
|
||||
// happens that isn't currently accounted for.
|
||||
throw new OpErr('PPID collision - unable to safely retrieve keys');
|
||||
}
|
||||
|
||||
return store.IssuerOauth3OrgJwks.get(subList[0] + '/' + req.params.kid);
|
||||
}
|
||||
|
||||
restful.get = function (req, res) {
|
||||
// The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
|
||||
// we need to look up the issuer PPID using the 3rd party PPID.
|
||||
var promise = req.getSiteStore().then(function (store) {
|
||||
if (req.params.kid === req.experienceId) {
|
||||
return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
|
||||
}
|
||||
|
||||
// First we check to see if the key is being requested by the `sub` that we as the issuer use
|
||||
// to identify the user, and if not then we need to look up the specified `sub` to see if
|
||||
// we can determine which (if any) account it's associated with.
|
||||
return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
|
||||
if (jwk) {
|
||||
return jwk;
|
||||
}
|
||||
|
||||
return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
|
||||
if (!results.length) {
|
||||
throw new OpErr("unknown PPID '"+req.params.sub+"'");
|
||||
}
|
||||
if (results.length > 1) {
|
||||
// This should not ever happen since there is a check for PPID collisions when saving
|
||||
// grants, but it's probably better to have this check anyway just incase something
|
||||
// happens that isn't currently accounted for.
|
||||
throw new OpErr('PPID collision - unable to safely retrieve keys');
|
||||
}
|
||||
|
||||
return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
|
||||
});
|
||||
});
|
||||
}).then(function (jwk) {
|
||||
var promise = PromiseA.resolve(getRawKey(req)).then(function (jwk) {
|
||||
if (!jwk) {
|
||||
throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
|
||||
}
|
||||
|
||||
// We need to sanitize the key to make sure we don't deliver any private keys fields if
|
||||
// we were given a key we could use to sign tokens on behalf of the user. We also don't
|
||||
// want to deliver the sub or any other PPIDs.
|
||||
var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
|
||||
if (jwk.kty === 'EC') {
|
||||
whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
|
||||
} else if (jwk.kty === 'RSA') {
|
||||
whitelist = whitelist.concat([ 'e', 'n' ]);
|
||||
}
|
||||
|
||||
var result = {};
|
||||
whitelist.forEach(function (key) {
|
||||
result[key] = jwk[key];
|
||||
});
|
||||
return result;
|
||||
return sanitizeJwk(jwk);
|
||||
});
|
||||
|
||||
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");
|
||||
|
|
|
|||
Loading…
Reference in New Issue