feat: accept lists in the token audience claim
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
This commit is contained in:
parent
97fa1183bf
commit
3472f7a8e3
4 changed files with 35 additions and 22 deletions
|
@ -180,7 +180,7 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
|
||||||
claimSet := token.ClaimSet{
|
claimSet := token.ClaimSet{
|
||||||
Issuer: issuer.Issuer,
|
Issuer: issuer.Issuer,
|
||||||
Subject: subject,
|
Subject: subject,
|
||||||
Audience: audience,
|
Audience: []string{audience},
|
||||||
Expiration: now.Add(exp).Unix(),
|
Expiration: now.Add(exp).Unix(),
|
||||||
NotBefore: now.Unix(),
|
NotBefore: now.Unix(),
|
||||||
IssuedAt: now.Unix(),
|
IssuedAt: now.Unix(),
|
||||||
|
|
|
@ -44,7 +44,7 @@ type ClaimSet struct {
|
||||||
// Public claims
|
// Public claims
|
||||||
Issuer string `json:"iss"`
|
Issuer string `json:"iss"`
|
||||||
Subject string `json:"sub"`
|
Subject string `json:"sub"`
|
||||||
Audience string `json:"aud"`
|
Audience WeakStringList `json:"aud"`
|
||||||
Expiration int64 `json:"exp"`
|
Expiration int64 `json:"exp"`
|
||||||
NotBefore int64 `json:"nbf"`
|
NotBefore int64 `json:"nbf"`
|
||||||
IssuedAt int64 `json:"iat"`
|
IssuedAt int64 `json:"iat"`
|
||||||
|
@ -141,8 +141,8 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify that the Audience claim is allowed.
|
// Verify that the Audience claim is allowed.
|
||||||
if !contains(verifyOpts.AcceptedAudiences, t.Claims.Audience) {
|
if !containsAny(verifyOpts.AcceptedAudiences, t.Claims.Audience) {
|
||||||
log.Infof("token intended for another audience: %q", t.Claims.Audience)
|
log.Infof("token intended for another audience: %v", t.Claims.Audience)
|
||||||
return ErrInvalidToken
|
return ErrInvalidToken
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -185,6 +185,7 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {
|
||||||
|
|
||||||
// VerifySigningKey attempts to get the key which was used to sign this token.
|
// VerifySigningKey attempts to get the key which was used to sign this token.
|
||||||
// The token header should contain either of these 3 fields:
|
// The token header should contain either of these 3 fields:
|
||||||
|
//
|
||||||
// `x5c` - The x509 certificate chain for the signing key. Needs to be
|
// `x5c` - The x509 certificate chain for the signing key. Needs to be
|
||||||
// verified.
|
// verified.
|
||||||
// `jwk` - The JSON Web Key representation of the signing key.
|
// `jwk` - The JSON Web Key representation of the signing key.
|
||||||
|
@ -192,6 +193,7 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {
|
||||||
// `kid` - The unique identifier for the key. This library interprets it
|
// `kid` - The unique identifier for the key. This library interprets it
|
||||||
// as a libtrust fingerprint. The key itself can be looked up in
|
// as a libtrust fingerprint. The key itself can be looked up in
|
||||||
// the trustedKeys field of the given verify options.
|
// the trustedKeys field of the given verify options.
|
||||||
|
//
|
||||||
// Each of these methods are tried in that order of preference until the
|
// Each of these methods are tried in that order of preference until the
|
||||||
// signing key is found or an error is returned.
|
// signing key is found or an error is returned.
|
||||||
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey libtrust.PublicKey, err error) {
|
func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey libtrust.PublicKey, err error) {
|
||||||
|
|
|
@ -117,7 +117,7 @@ func makeTestToken(issuer, audience string, access []*ResourceActions, rootKey l
|
||||||
claimSet := &ClaimSet{
|
claimSet := &ClaimSet{
|
||||||
Issuer: issuer,
|
Issuer: issuer,
|
||||||
Subject: "foo",
|
Subject: "foo",
|
||||||
Audience: audience,
|
Audience: []string{audience},
|
||||||
Expiration: exp.Unix(),
|
Expiration: exp.Unix(),
|
||||||
NotBefore: now.Unix(),
|
NotBefore: now.Unix(),
|
||||||
IssuedAt: now.Unix(),
|
IssuedAt: now.Unix(),
|
||||||
|
|
|
@ -56,3 +56,14 @@ func contains(ss []string, q string) bool {
|
||||||
|
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// containsAny returns true if any of q is found in ss.
|
||||||
|
func containsAny(ss []string, q []string) bool {
|
||||||
|
for _, s := range ss {
|
||||||
|
if contains(q, s) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue