From bdd3cd36f49f3471f2230c0e64b2d40f017783c3 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 10 Nov 2017 12:39:49 -0700 Subject: [PATCH 1/7] add standard files --- CHANGELOG | 6 ++++++ LICENSE | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 CHANGELOG create mode 100644 LICENSE diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..c13ff00 --- /dev/null +++ b/CHANGELOG @@ -0,0 +1,6 @@ +v1.2.0 - Issuer Pub/Priv Key and Grant APIs for OAuth3 + * Resource Owner Password token exchange + * Implicit Grant token exchange + * Public / Private Keypair generation + * Public key (remember device) syncing + * BUG: ppid rescoping is not handled correctly for 3rd parties diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3da90f9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,41 @@ +Copyright 2017 OAuth3 + +This is open source software; you can redistribute it and/or modify it under the +terms of either: + + a) the "MIT License" + b) the "Apache-2.0 License" + +MIT License + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +Apache-2.0 License Summary + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From f3988a5665cb86809cfcfa72f6580dadb9bdfca0 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 10 Nov 2017 12:40:21 -0700 Subject: [PATCH 2/7] update urls --- README.md | 5 +++++ package.json | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 76101ed..b42762c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,11 @@ issuer@oauth3.org (js) ====================== +| [oauth3.js](https://git.oauth3.org/OAuth3/oauth3.js) +| [issuer.html](https://git.oauth3.org/OAuth3/issuer.html) +| *issuer.rest.walnut.js* +| Sponsored by [Daplie](https://daplie.com) + Implementation of server-side RESTful OAuth3 issuer APIs. These are the OAuth3 APIs that allow for creation and retrieval of public keys diff --git a/package.json b/package.json index 3dc956a..840d1ac 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "issuer_oauth3.org", - "version": "1.0.0-placeholder", + "version": "1.2.0", "description": "Implementation of server-side RESTful OAuth3 issuer APIs", "main": "rest.js", "scripts": { @@ -8,7 +8,7 @@ }, "repository": { "type": "git", - "url": "git+https://git.daplie.com/Oauth3/issuer_oauth3.org.git" + "url": "git+https://git.oauth3.org/OAuth3/issuer.rest.walnut.js.git" }, "dependencies": { "bluebird": "^3.5.0", From 40f8f0877eec8b282eabc9600b7f264e4ceab50b Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 13 Nov 2017 11:11:35 -0700 Subject: [PATCH 3/7] add standard files --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 3da90f9..6297ea2 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright 2017 OAuth3 +Copyright 2017 Daplie, Inc This is open source software; you can redistribute it and/or modify it under the terms of either: From 0e23100233c499c5d7cb15db6d38d777f97b4430 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 13 Nov 2017 11:27:09 -0700 Subject: [PATCH 4/7] update urls --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b42762c..61b6bfd 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ issuer@oauth3.org (js) | [oauth3.js](https://git.oauth3.org/OAuth3/oauth3.js) | [issuer.html](https://git.oauth3.org/OAuth3/issuer.html) | *issuer.rest.walnut.js* +| [issuer.srv](https://git.oauth3.org/OAuth3/issuer.srv) | Sponsored by [Daplie](https://daplie.com) Implementation of server-side RESTful OAuth3 issuer APIs. From 19d153283e2f963dec3bfdd6c7347c58b0ab8388 Mon Sep 17 00:00:00 2001 From: tigerbot Date: Thu, 2 Nov 2017 16:11:18 -0600 Subject: [PATCH 5/7] changed `sub` conflict checking when getting keys --- jwks.js | 97 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 51 insertions(+), 46 deletions(-) diff --git a/jwks.js b/jwks.js index 1e4bde6..c769f09 100644 --- a/jwks.js +++ b/jwks.js @@ -33,58 +33,63 @@ function thumbprint(jwk) { return PromiseA.resolve(makeB64UrlSafe(hash)); } +function sanitizeJwk(jwk) { + // We need to sanitize the key to make sure we don't deliver any private keys fields if + // we were given a key we could use to sign tokens on behalf of the user. We also don't + // want to deliver the sub or any other PPIDs. + var whitelist = ['kty', 'alg', 'kid', 'use']; + if (jwk.kty === 'EC') { + whitelist = whitelist.concat(['crv', 'x', 'y']); + } else if (jwk.kty === 'RSA') { + whitelist = whitelist.concat(['e', 'n']); + } + + var result = {}; + whitelist.forEach(function (key) { + result[key] = jwk[key]; + }); + return result; +} + function create(app) { var restful = {}; + + async function getRawKey(req) { + var store = await req.getSiteStore(); + + if (req.params.kid === req.experienceId) { + return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId); + } + + // The keys are stored by the issuer PPID, but the sub we have might be a different PPID + // for a 3rd party. As such we need to look up the subject in the grants to get the issuer + // PPID and to make sure there wasn't some kind of error that allowed multiple users to + // somehow use the same PPID. + var results = await Promise.all([ + store.IssuerOauth3OrgGrants.find({ sub: req.params.sub }), + store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }), + ]); + var subList = [].concat.apply([], results).map(grant => grant.sub); + subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind); + if (!subList.length) { + throw new OpErr("unknown PPID '" + req.params.sub + "'"); + } + if (subList.length > 1) { + // This should not ever happen since there is a check for PPID collisions when saving + // grants, but it's probably better to have this check anyway just incase something + // happens that isn't currently accounted for. + throw new OpErr('PPID collision - unable to safely retrieve keys'); + } + + return store.IssuerOauth3OrgJwks.get(subList[0] + '/' + req.params.kid); + } + restful.get = function (req, res) { - // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so - // we need to look up the issuer PPID using the 3rd party PPID. - var promise = req.getSiteStore().then(function (store) { - if (req.params.kid === req.experienceId) { - return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId); - } - - // First we check to see if the key is being requested by the `sub` that we as the issuer use - // to identify the user, and if not then we need to look up the specified `sub` to see if - // we can determine which (if any) account it's associated with. - return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) { - if (jwk) { - return jwk; - } - - return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) { - if (!results.length) { - throw new OpErr("unknown PPID '"+req.params.sub+"'"); - } - if (results.length > 1) { - // This should not ever happen since there is a check for PPID collisions when saving - // grants, but it's probably better to have this check anyway just incase something - // happens that isn't currently accounted for. - throw new OpErr('PPID collision - unable to safely retrieve keys'); - } - - return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid); - }); - }); - }).then(function (jwk) { + var promise = PromiseA.resolve(getRawKey(req)).then(function (jwk) { if (!jwk) { throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub); } - - // We need to sanitize the key to make sure we don't deliver any private keys fields if - // we were given a key we could use to sign tokens on behalf of the user. We also don't - // want to deliver the sub or any other PPIDs. - var whitelist = [ 'kty', 'alg', 'kid', 'use' ]; - if (jwk.kty === 'EC') { - whitelist = whitelist.concat([ 'crv', 'x', 'y' ]); - } else if (jwk.kty === 'RSA') { - whitelist = whitelist.concat([ 'e', 'n' ]); - } - - var result = {}; - whitelist.forEach(function (key) { - result[key] = jwk[key]; - }); - return result; + return sanitizeJwk(jwk); }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK"); From f6fe7acaa3c71db3c3121d6dd34bd2d91b87feaf Mon Sep 17 00:00:00 2001 From: tigerbot Date: Fri, 3 Nov 2017 16:32:09 -0600 Subject: [PATCH 6/7] made it possible for a user to have same `sub` for multiple `azp`'s --- common.js | 23 +++++++++++++++++++++++ grants.js | 16 +++++++++------- jwks.js | 31 +++++++++++++------------------ 3 files changed, 45 insertions(+), 25 deletions(-) diff --git a/common.js b/common.js index e95ea5b..eae7c05 100644 --- a/common.js +++ b/common.js @@ -40,5 +40,28 @@ function checkIssuerToken(req, expectedSub) { }); } +async function getPrimarySub(grantStore, secondary) { + var results = await Promise.all([ + grantStore.find({ sub: secondary }), + grantStore.find({ azpSub: secondary }), + ]); + + // Extract only the sub field from each row and reduce the duplicates so that each value + // can only appear in the final list once. + var subList = [].concat.apply([], results).map(grant => grant.sub); + subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind); + + if (subList.length > 1) { + // This should not ever happen since there is a check for PPID collisions when saving + // grants, but it's probably better to have this check anyway just incase something + // happens that isn't currently accounted for. + console.error('acounts ' + JSON.stringify(subList) + ' are all associated with "'+secondary+'"'); + throw new Error('PPID collision'); + } + + return subList[0]; +} + module.exports.checkIssuerToken = checkIssuerToken; +module.exports.getPrimarySub = getPrimarySub; module.exports.makeB64UrlSafe = makeB64UrlSafe; diff --git a/grants.js b/grants.js index dec2d1d..2fe161a 100644 --- a/grants.js +++ b/grants.js @@ -56,14 +56,16 @@ function create(app) { throw new OpErr("malformed request: 'sub' and 'scope' must be strings"); } - return req.Store.find({ azpSub: req.body.sub }); - }).then(function (existing) { - if (existing.length) { - if (existing.length > 1) { - throw new OpErr("pre-existing PPID collision detected"); - } else if (existing[0].sub !== req.params.sub || existing[0].azp !== req.params.azp) { - throw new OpErr("PPID collision detected, cannot save authorized party's sub"); + return require('./common').getPrimarySub(req.Store, req.body.sub).catch(function (err) { + if (/collision/.test(err.message)) { + err.message = 'pre-existing PPID collision detected'; } + throw err; + }); + }).then(function (primSub) { + if (primSub && primSub !== req.params.sub) { + console.log('account "'+req.params.sub+'" cannot use PPID "'+req.body.sub+'" already used by "'+primSub+'"'); + throw new OpErr("PPID collision detected, cannot save authorized party's sub"); } var grant = { diff --git a/jwks.js b/jwks.js index c769f09..0be4092 100644 --- a/jwks.js +++ b/jwks.js @@ -62,26 +62,21 @@ function create(app) { } // The keys are stored by the issuer PPID, but the sub we have might be a different PPID - // for a 3rd party. As such we need to look up the subject in the grants to get the issuer - // PPID and to make sure there wasn't some kind of error that allowed multiple users to - // somehow use the same PPID. - var results = await Promise.all([ - store.IssuerOauth3OrgGrants.find({ sub: req.params.sub }), - store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }), - ]); - var subList = [].concat.apply([], results).map(grant => grant.sub); - subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind); - if (!subList.length) { - throw new OpErr("unknown PPID '" + req.params.sub + "'"); - } - if (subList.length > 1) { - // This should not ever happen since there is a check for PPID collisions when saving - // grants, but it's probably better to have this check anyway just incase something - // happens that isn't currently accounted for. - throw new OpErr('PPID collision - unable to safely retrieve keys'); + // for a 3rd party. + var issuerSub; + try { + issuerSub = await require('./common').getPrimarySub(store.IssuerOauth3OrgGrants, req.params.sub); + } catch (err) { + if (/collision/.test(err.message)) { + err.message = 'PPID collision - unable to safely retrieve keys'; + } + throw err; } - return store.IssuerOauth3OrgJwks.get(subList[0] + '/' + req.params.kid); + if (!issuerSub) { + throw new OpErr("unknown PPID '" + req.params.sub + "'"); + } + return store.IssuerOauth3OrgJwks.get(issuerSub + '/' + req.params.kid); } restful.get = function (req, res) { From 8c1f39178d84b968b3f5a8c12165b38ef8bc85f5 Mon Sep 17 00:00:00 2001 From: tigerbot Date: Mon, 13 Nov 2017 14:37:02 -0700 Subject: [PATCH 7/7] v1.2.1 --- CHANGELOG | 3 +++ package.json | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index c13ff00..2fd76e2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +v1.2.1 - Allow PPID reuse + * Now allows a single user to use the same PPID for multiple sites + v1.2.0 - Issuer Pub/Priv Key and Grant APIs for OAuth3 * Resource Owner Password token exchange * Implicit Grant token exchange diff --git a/package.json b/package.json index 840d1ac..103e901 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "issuer_oauth3.org", - "version": "1.2.0", + "version": "1.2.1", "description": "Implementation of server-side RESTful OAuth3 issuer APIs", "main": "rest.js", "scripts": {