
go-dpop's People

Contributors

a354dpa avatar dependabot[bot] avatar salladinbalwer avatar

go-dpop's Issues

[Bug]: JWK thumbprint includes optional members when calculated

Contact Details

No response

Describe the bug

When a DPoP is parsed, the JWK thumbprint should only include required members when calculated. See https://datatracker.ietf.org/doc/html/rfc7638#section-3.2

Related lines of code:

go-dpop/parse.go

Lines 124 to 137 in e3feea2

	// Extract the public key from the proof and hash it.
	// This is done in order to store the public key
	// without the need for extracting and hashing it again.
	jwkHeaderJSON, err := json.Marshal(dpopToken.Header["jwk"])
	if err != nil {
		// keyFunc used with parseWithClaims should ensure that this can not happen but better safe than sorry.
		return nil, errors.Join(ErrInvalidProof, err)
	}
	h := sha256.New()
	_, err = h.Write([]byte(jwkHeaderJSON))
	if err != nil {
		return nil, errors.Join(ErrInvalidProof, err)
	}
	b64URLjwkHash := base64.RawURLEncoding.EncodeToString(h.Sum(nil))

Steps to reproduce the behavior

Create a proof with a JWK containing optional fields, for example:

{
  "crv": "P-256",
  "ext": true,
  "kty": "EC",
  "x": "KDVM3aXrYGUgmKyo0q__DdIDVS0AV139ZTba04SKqFQ",
  "y": "SC-oR4qLdhmwrjr6PjJ7_LfFpC_BSFUT14LnMtgjHPs"
}

In this example, "ext" should be excluded.

OS

No response

Relevant log output

No response

Additional Notes

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
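An added example (not go-dpop's code) of computing the thumbprint the way RFC 7638 section 3.2 prescribes: keep only the required members for the key type, emit them as JSON with lexicographically ordered keys and no whitespace, then SHA-256 and base64url-encode. The key is the one from the issue; the "ext": true member is dropped before hashing, so the result is the same with or without it. Hashing the raw "jwk" header, as the quoted lines do, would instead change the thumbprint whenever a client adds an optional member, and the "jkt" confirmation stored by the authorization server would then never match.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// requiredMembers lists, per key type, the members that RFC 7638 section 3.2
// feeds into the thumbprint. Anything else in the JWK ("ext", "kid", "alg",
// "use", ...) must be dropped before hashing.
var requiredMembers = map[string][]string{
	"EC":  {"crv", "kty", "x", "y"},
	"RSA": {"e", "kty", "n"},
	"OKP": {"crv", "kty", "x"},
}

// CanonicalJSON returns the RFC 7638 thumbprint input for jwk: only the
// required members, keys in lexicographic order, no whitespace.
// encoding/json emits map keys sorted, which gives the required ordering.
func CanonicalJSON(jwk map[string]any) ([]byte, error) {
	kty, _ := jwk["kty"].(string)
	members, ok := requiredMembers[kty]
	if !ok {
		return nil, fmt.Errorf("unsupported or missing kty %q", kty)
	}
	canonical := make(map[string]string, len(members))
	for _, m := range members {
		v, ok := jwk[m].(string)
		if !ok || v == "" {
			return nil, fmt.Errorf("required member %q missing or not a string", m)
		}
		canonical[m] = v
	}
	return json.Marshal(canonical)
}

// Thumbprint returns the base64url-encoded (unpadded) SHA-256 JWK thumbprint,
// the form RFC 9449 uses for the "jkt" confirmation value.
func Thumbprint(jwk map[string]any) (string, error) {
	input, err := CanonicalJSON(jwk)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(input)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed input: the key from the issue, carrying the optional "ext" member.
	raw := `{"crv":"P-256","ext":true,"kty":"EC",` +
		`"x":"KDVM3aXrYGUgmKyo0q__DdIDVS0AV139ZTba04SKqFQ",` +
		`"y":"SC-oR4qLdhmwrjr6PjJ7_LfFpC_BSFUT14LnMtgjHPs"}`
	var jwk map[string]any
	if err := json.Unmarshal([]byte(raw), &jwk); err != nil {
		panic(err)
	}
	input, err := CanonicalJSON(jwk)
	if err != nil {
		panic(err)
	}
	tp, err := Thumbprint(jwk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("thumbprint input: %s\njkt: %s\n", input, tp)
}
```

The member table is the one RFC 7638 gives for EC, RSA and OKP keys; any other key type is rejected rather than hashed with a guessed member set, since a thumbprint over the wrong members silently produces a value no other implementation will reproduce.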

[Request]: Helper function for hashing bound authorization token

Contact Details

[email protected]

Is your feature request related to a problem?

Both resource servers and clients need to hash bound authorization tokens during a normal DPoP authorization flow. If done incorrectly on either side it will result in an ath mismatch.

A clear and concise description of what you want to happen.

It would be helpful if the dpop package had a utility function to hash a token according to the specification. Then both clients and resource servers could be confident that the hash is made according to the specification, which reduces the likelihood that an ath mismatch will occur.

Additional Notes

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
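An added example (not go-dpop's code) of the helper the request asks for, following RFC 9449 section 4.3: the ath claim is the base64url encoding, without padding, of the SHA-256 hash of the ASCII bytes of the access token exactly as presented in the Authorization header. The client side calls AccessTokenHash when building the proof; the resource-server side calls VerifyAccessTokenHash, which recomputes the value and compares it in constant time. The token value is constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// AccessTokenHash returns the ath claim value as RFC 9449 section 4.3
// defines it: base64url (no padding) of SHA-256 over the ASCII bytes of the
// access token, taken verbatim from the Authorization header. No trimming
// and no re-encoding, because either side doing that differently is exactly
// what produces an ath mismatch.
func AccessTokenHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyAccessTokenHash is the resource-server side: recompute ath from the
// presented token and compare it with the proof's claim in constant time, so
// the comparison leaks nothing about how many leading bytes matched.
func VerifyAccessTokenHash(accessToken, ath string) bool {
	expected := AccessTokenHash(accessToken)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(ath)) == 1
}

func main() {
	// Constructed opaque access token; any string the AS issued would do.
	token := "example-access-token-value"
	ath := AccessTokenHash(token) // what the client places in the proof
	fmt.Println("ath:", ath)
	fmt.Println("valid:", VerifyAccessTokenHash(token, ath))
	fmt.Println("tampered:", VerifyAccessTokenHash(token+"x", ath))
}
```

Using base64.RawURLEncoding rather than URLEncoding matters: a padded value ("...=") is a different string, and a server that compares padded against unpadded will reject every proof. The example in RFC 9449 section 7.1 gives a token and its ath that can be used to cross-check any implementation.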

[Bug]: Inconsistent use of `TimeWindow`

Contact Details

No response

Describe the bug

When calling Parse you can add a TimeWindow to the options. Currently, this TimeWindow is used both for checking skew on iat and as some kind of expiry check on the iat. As a user, these are two separate variables which I want to assign different values to.

It also seems that TimeWindow does not affect the exp of the dpop proof, which seems inconsistent.

Steps to reproduce the behavior

In our case we want to have a smaller clock skew compared to the expiration time. It is also very confusing and hard to debug in the case where exp is set to a value which is further in the future than iat + TimeWindow.

OS

No response

Relevant log output

No response

Additional Notes

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
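An added example (not go-dpop's code) of the split the report asks for: a ClockSkew that absorbs clock differences in either direction, a separate MaxAge that bounds how old a proof may be, and an exp check that is applied when the claim is present. Each failure returns its own sentinel error, which is what makes the "exp further in the future than iat + TimeWindow" situation debuggable. The struct and option names are this example's own; the timestamps in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ProofTimes holds the time-related claims of a DPoP proof. RFC 9449 only
// requires iat; exp is an ordinary JWT claim that a client may add.
type ProofTimes struct {
	IssuedAt  time.Time
	ExpiresAt *time.Time // nil when the proof carries no exp claim
}

// TimeOptions keeps the two concerns separate: ClockSkew tolerates clock
// differences between client and server in either direction, MaxAge bounds
// how long after iat a proof is still accepted.
type TimeOptions struct {
	ClockSkew time.Duration
	MaxAge    time.Duration
}

var (
	ErrIssuedInFuture = errors.New("dpop: iat is further in the future than the allowed clock skew")
	ErrProofTooOld    = errors.New("dpop: proof is older than the allowed max age")
	ErrProofExpired   = errors.New("dpop: exp claim has passed")
)

// CheckProofTimes applies the skew and max-age windows to iat and, when
// present, honours exp as well.
func CheckProofTimes(p ProofTimes, now time.Time, opt TimeOptions) error {
	// iat may not lie beyond now + skew: a proof "from the future" is rejected.
	if p.IssuedAt.After(now.Add(opt.ClockSkew)) {
		return ErrIssuedInFuture
	}
	// iat may not lie before now - (maxAge + skew): a stale proof is rejected.
	if p.IssuedAt.Before(now.Add(-(opt.MaxAge + opt.ClockSkew))) {
		return ErrProofTooOld
	}
	// exp, if set, is granted the same skew tolerance.
	if p.ExpiresAt != nil && now.After(p.ExpiresAt.Add(opt.ClockSkew)) {
		return ErrProofExpired
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed "current" time
	opt := TimeOptions{ClockSkew: 5 * time.Second, MaxAge: 60 * time.Second}
	exp := now.Add(30 * time.Second)
	cases := map[string]ProofTimes{
		"fresh":         {IssuedAt: now.Add(-10 * time.Second), ExpiresAt: &exp},
		"clock ahead":   {IssuedAt: now.Add(3 * time.Second)},
		"too far ahead": {IssuedAt: now.Add(30 * time.Second)},
		"stale":         {IssuedAt: now.Add(-2 * time.Minute)},
	}
	for name, p := range cases {
		fmt.Printf("%-14s -> %v\n", name, CheckProofTimes(p, now, opt))
	}
}
```

Note that a proof passing all three checks can still be replayed within the window; the jti check and the server-issued nonce of RFC 9449 are what bound replay, and the time window only limits how long a jti cache has to remember each value.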

[Bug]: `htu` claim is not verified correctly

Contact Details

[email protected]

Describe the bug

In parse.go, the htu is string-matched to the httpURL string. According to the RFC, it should ignore any query and fragment parts. Quote:

https://datatracker.ietf.org/doc/html/rfc9449#section-4.3-2.9

The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.

The offending line(s)

	// Check that `htm` and `htu` claims match the HTTP method and URL of the current request.
	// This satisfies point 8 and 9 in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.3
	if httpMethod != claims.Method || httpURL.String() != claims.URL {
		return nil, errors.Join(ErrInvalidProof, ErrIncorrectHTTPTarget)
	}

Steps to reproduce the behavior

Try to match an htu without a query param against an HTTP request URL with a query param.

OS

No response

Relevant log output

No response

Additional Notes

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
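An added example (not go-dpop's code) of comparing htu the way RFC 9449 section 4.3 describes: both the claim and the request URL are reduced to scheme, host and path, with query and fragment removed, before they are compared. Scheme and host are lower-cased because RFC 3986 makes them case-insensitive; the path is compared as given. The request URL in main is constructed; on a real server the comparison value has to be rebuilt from the request's scheme, Host header and path, since r.URL in net/http carries only the path for server-side requests.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// targetOf reduces a URL to the part RFC 9449 section 4.3 compares:
// scheme, host and path, with query and fragment removed. Scheme and host
// are case-insensitive per RFC 3986, so they are lower-cased; the path is
// left exactly as given.
func targetOf(u *url.URL) string {
	c := *u // copy so the caller's request URL is untouched
	c.RawQuery = ""
	c.ForceQuery = false
	c.Fragment = ""
	c.RawFragment = ""
	c.Scheme = strings.ToLower(c.Scheme)
	c.Host = strings.ToLower(c.Host)
	return c.String()
}

// HTUMatches reports whether the proof's htu claim names the HTTP target of
// the request, ignoring any query and fragment on the request URL (and on
// htu itself, which should not carry them in the first place).
func HTUMatches(htu string, requestURL *url.URL) bool {
	claimed, err := url.Parse(htu)
	if err != nil || claimed.Scheme == "" || claimed.Host == "" {
		return false // htu must be an absolute URI
	}
	return targetOf(claimed) == targetOf(requestURL)
}

func main() {
	// Constructed request URL carrying a query string and a fragment.
	req, err := url.Parse("https://resource.example.org/protectedresource?page=2#top")
	if err != nil {
		panic(err)
	}
	for _, htu := range []string{
		"https://resource.example.org/protectedresource",
		"https://resource.example.org/other",
	} {
		fmt.Printf("htu=%q match=%v\n", htu, HTUMatches(htu, req))
	}
	// The plain string comparison the issue reports, for contrast.
	fmt.Println("raw string equality:", req.String() == "https://resource.example.org/protectedresource")
}
```

Behind a TLS-terminating proxy the scheme and host the server sees differ from the ones the client signed; the value to compare against is the external URL the client used, not the proxy-to-backend one, so that reconstruction belongs to the deployment rather than to this function.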
