Don't verify token issuer.

This makes it possible to use token authentication without an authentication server.

Don't verify token issuer.
This makes it possible to use token authentication without an authentication server.
1d583e53 · Juliusz Chroboczek · 7784a2ac · 1d583e53 · 1d583e53 · 1d583e53
Commit 1d583e53 authored Feb 18, 2022 by Juliusz Chroboczek
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 35 deletions

group/group.go group/group.go +2 -3

token/token.go token/token.go +1 -6

token/token_test.go token/token_test.go +5 -26

No files found.
--- a/group/group.go
+++ b/group/group.go
@@ -1097,10 +1097,9 @@ func (desc *Description) GetPermission(group string, creds ClientCredentials) (C
 		return p, ErrNotAuthorised
 	}

-	if desc.AuthServer != "" && creds.Token != "" {
+	if creds.Token != "" {
 		aud, perms, err := token.Valid(
-			creds.Username, creds.Token,
-			desc.AuthKeys, desc.AuthServer,
+			creds.Username, creds.Token, desc.AuthKeys,
 		)
 		if err != nil {
 			log.Printf("Token authentication: %v", err)

--- a/token/token.go
+++ b/token/token.go
@@ -11,7 +11,6 @@ import (
 )

 var ErrUnexpectedSub = errors.New("unexpected 'sub' field")
-var ErrUnexpectedIss = errors.New("unexpected 'iss' field")

 func parseBase64(k string, d map[string]interface{}) ([]byte, error) {
 	v, ok := d[k].(string)
@@ -106,7 +105,7 @@ func getKey(header map[string]interface{}, keys []map[string]interface{}) (inter
 	return nil, errors.New("key not found")
 }

-func Valid(username, token string, keys []map[string]interface{}, issuer string) ([]string, map[string]interface{}, error) {
+func Valid(username, token string, keys []map[string]interface{}) ([]string, map[string]interface{}, error) {
 	tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
 		return getKey(t.Header, keys)
 	})
@@ -119,10 +118,6 @@ func Valid(username, token string, keys []map[string]interface{}, issuer string)
 	if !ok || sub != username {
 		return nil, nil, ErrUnexpectedSub
 	}
-	iss, ok := claims["iss"].(string)
-	if !ok || iss != issuer {
-		return nil, nil, ErrUnexpectedIss
-	}
 	aud, ok := claims["aud"]
 	var res []string
 	if ok {

--- a/token/token_test.go
+++ b/token/token_test.go
@@ -75,9 +75,7 @@ func TestValid(t *testing.T) {

 	goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg"

-	aud, perms, err := Valid(
-		"john", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err := Valid("john", goodToken, keys)

 	if err != nil {
 		t.Errorf("Token invalid: %v", err)
@@ -92,26 +90,14 @@ func TestValid(t *testing.T) {
 		}
 	}

-	aud, perms, err = Valid(
-		"jack", goodToken, keys, "http://localhost:1234/",
-	)
+	aud, perms, err = Valid("jack", goodToken, keys)
 	if err != ErrUnexpectedSub {
 		t.Errorf("Token should have bad username")
 	}

-	aud, perms, err = Valid(
-		"john", goodToken, keys, "http://localhost:4567/",
-	)
-	if err != ErrUnexpectedIss {
-		t.Errorf("Token should have bad issuer")
-	}
-
 	badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg"

-	_, _, err = Valid(
-		"john", badToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", badToken, keys)

 	var verr *jwt.ValidationError
 	if !errors.As(err, &verr) {
@@ -120,10 +106,7 @@ func TestValid(t *testing.T) {

 	expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA"

-	_, _, err = Valid(
-		"john", expiredToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
+	_, _, err = Valid("john", expiredToken, keys)

 	if !errors.As(err, &verr) {
 		t.Errorf("Token should be expired")
@@ -131,11 +114,7 @@ func TestValid(t *testing.T) {

 	noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ."

-	_, _, err = Valid(
-		"john", noneToken, keys,
-		"https://localhost:1234/group/auth/",
-	)
-
+	_, _, err = Valid("john", noneToken, keys)
 	if err == nil {
 		t.Errorf("Unsigned token should fail")
 	}