reclaim: Make SPAs work with public clients. No longer encrypt code.

author: Martin Schanzenbach <mschanzenbach@posteo.de> 2020-08-05 11:35:05 +0200
committer: Martin Schanzenbach <mschanzenbach@posteo.de> 2020-08-05 11:35:05 +0200
commit: 6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5 (patch)
tree: d5efbc30c698cdf191bf3ffa96e6c80ee5e9154c /src/reclaim/plugin_rest_openid_connect.c
parent: ade9b5e5248a97438ecb979f3be353f565a27ba1 (diff)
download: gnunet-6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5.tar.gz
gnunet-6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5.zip
1 files changed, 53 insertions, 5 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c
index 39eb9701a..238cffb85 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -525,6 +525,11 @@ struct RequestHandle
   * Reponse code
   */
  int response_code;
+  /**
+   * Public client
+   */
+  int public_client;
 };
@@ -1872,6 +1877,7 @@ check_authorization (struct RequestHandle *handle,
  char *expected_pass;
  char *received_cid;
  char *received_cpw;
+  char *pkce_cv;
  if (GNUNET_OK == parse_credentials_basic_auth (handle,
                                                 &received_cid,
@@ -1889,9 +1895,24 @@ check_authorization (struct RequestHandle *handle,
  }
  else
  {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
+    /** Allow public clients with PKCE **/
-    handle->response_code = MHD_HTTP_UNAUTHORIZED;
+    pkce_cv = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY);
-    return GNUNET_SYSERR;
+    if (NULL == pkce_cv)
+    {
+      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
+      handle->response_code = MHD_HTTP_UNAUTHORIZED;
+      return GNUNET_SYSERR;
+    }
+    handle->public_client = GNUNET_YES;
+    GNUNET_free (pkce_cv);
+    received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
+    GNUNET_STRINGS_string_to_data (received_cid,
+                                   strlen (received_cid),
+                                   cid,
+                                   sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey));
+    GNUNET_free (received_cid);
+    return GNUNET_OK;
  }
  // check client password
@@ -2063,7 +2084,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  }
  // decode code
-  if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, code_verifier, &ticket,
+  if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, code_verifier, &ticket,
                                          &cl, &al, &nonce))
  {
    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
@@ -2452,7 +2473,7 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  oidc_config = json_object ();
  // FIXME get from config?
  json_object_set_new (oidc_config,
-                       "issuer", json_string ("https://api.reclaim"));
+                       "issuer", json_string ("http://localhost:7776"));
  json_object_set_new (oidc_config,
                       "authorization_endpoint",
                       json_string ("https://api.reclaim/openid/authorize"));
@@ -2514,6 +2535,31 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
  cleanup_handle (handle);
 }
+/**
+ * Respond to OPTIONS request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle,
+              const char *url,
+              void *cls)
+{
+  struct MHD_Response *resp;
+  struct RequestHandle *handle = cls;
+  // For now, independent of path return all options
+  resp = GNUNET_REST_create_response (NULL);
+  MHD_add_response_header (resp, "Access-Control-Allow-Methods", allow_methods);
+  MHD_add_response_header (resp, "Access-Control-Allow-Origin", "*");
+  handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+  cleanup_handle (handle);
+  return;
+}
 static enum GNUNET_GenericReturnValue
 rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
@@ -2532,6 +2578,8 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
    { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
    { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,
      &oidc_config_endpoint },
+    { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC_CONFIG,
+      &oidc_config_cors },
    { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont },
    GNUNET_REST_HANDLER_END };
author	Martin Schanzenbach <mschanzenbach@posteo.de>	2020-08-05 11:35:05 +0200
committer	Martin Schanzenbach <mschanzenbach@posteo.de>	2020-08-05 11:35:05 +0200
commit	6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5 (patch)
tree	d5efbc30c698cdf191bf3ffa96e6c80ee5e9154c /src/reclaim/plugin_rest_openid_connect.c
parent	ade9b5e5248a97438ecb979f3be353f565a27ba1 (diff)
download	gnunet-6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5.tar.gz gnunet-6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5.zip

diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 39eb9701a..238cffb85 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -525,6 +525,11 @@ struct RequestHandle
525	* Reponse code	525	* Reponse code
526	*/	526	*/
527	int response_code;	527	int response_code;
		528
		529	/**
		530	* Public client
		531	*/
		532	int public_client;
528	};	533	};
529		534
530		535
@@ -1872,6 +1877,7 @@ check_authorization (struct RequestHandle *handle,
1872	char *expected_pass;	1877	char *expected_pass;
1873	char *received_cid;	1878	char *received_cid;
1874	char *received_cpw;	1879	char *received_cpw;
		1880	char *pkce_cv;
1875		1881
1876	if (GNUNET_OK == parse_credentials_basic_auth (handle,	1882	if (GNUNET_OK == parse_credentials_basic_auth (handle,
1877	&received_cid,	1883	&received_cid,
@@ -1889,9 +1895,24 @@ check_authorization (struct RequestHandle *handle,
1889	}	1895	}
1890	else	1896	else
1891	{	1897	{
1892	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);	1898	/ Allow public clients with PKCE /
1893	handle->response_code = MHD_HTTP_UNAUTHORIZED;	1899	pkce_cv = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY);
1894	return GNUNET_SYSERR;	1900	if (NULL == pkce_cv)
		1901	{
		1902	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
		1903	handle->response_code = MHD_HTTP_UNAUTHORIZED;
		1904	return GNUNET_SYSERR;
		1905	}
		1906	handle->public_client = GNUNET_YES;
		1907	GNUNET_free (pkce_cv);
		1908	received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
		1909	GNUNET_STRINGS_string_to_data (received_cid,
		1910	strlen (received_cid),
		1911	cid,
		1912	sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey));
		1913	GNUNET_free (received_cid);
		1914	return GNUNET_OK;
		1915
1895	}	1916	}
1896		1917
1897	// check client password	1918	// check client password
@@ -2063,7 +2084,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
2063	}	2084	}
2064		2085
2065	// decode code	2086	// decode code
2066	if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, code_verifier, &ticket,	2087	if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, code_verifier, &ticket,
2067	&cl, &al, &nonce))	2088	&cl, &al, &nonce))
2068	{	2089	{
2069	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);	2090	handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
@@ -2452,7 +2473,7 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
2452	oidc_config = json_object ();	2473	oidc_config = json_object ();
2453	// FIXME get from config?	2474	// FIXME get from config?
2454	json_object_set_new (oidc_config,	2475	json_object_set_new (oidc_config,
2455	"issuer", json_string ("https://api.reclaim"));	2476	"issuer", json_string ("http://localhost:7776"));
2456	json_object_set_new (oidc_config,	2477	json_object_set_new (oidc_config,
2457	"authorization_endpoint",	2478	"authorization_endpoint",
2458	json_string ("https://api.reclaim/openid/authorize"));	2479	json_string ("https://api.reclaim/openid/authorize"));
@@ -2514,6 +2535,31 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
2514	cleanup_handle (handle);	2535	cleanup_handle (handle);
2515	}	2536	}
2516		2537
		2538	/**
		2539	* Respond to OPTIONS request
		2540	*
		2541	* @param con_handle the connection handle
		2542	* @param url the url
		2543	* @param cls the RequestHandle
		2544	*/
		2545	static void
		2546	oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle,
		2547	const char *url,
		2548	void *cls)
		2549	{
		2550	struct MHD_Response *resp;
		2551	struct RequestHandle *handle = cls;
		2552
		2553	// For now, independent of path return all options
		2554	resp = GNUNET_REST_create_response (NULL);
		2555	MHD_add_response_header (resp, "Access-Control-Allow-Methods", allow_methods);
		2556	MHD_add_response_header (resp, "Access-Control-Allow-Origin", "*");
		2557	handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
		2558	cleanup_handle (handle);
		2559	return;
		2560	}
		2561
		2562
2517		2563
2518	static enum GNUNET_GenericReturnValue	2564	static enum GNUNET_GenericReturnValue
2519	rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,	2565	rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
@@ -2532,6 +2578,8 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
2532	{ MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },	2578	{ MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
2533	{ MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,	2579	{ MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,
2534	&oidc_config_endpoint },	2580	&oidc_config_endpoint },
		2581	{ MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC_CONFIG,
		2582	&oidc_config_cors },
2535	{ MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont },	2583	{ MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont },
2536	GNUNET_REST_HANDLER_END };	2584	GNUNET_REST_HANDLER_END };
2537		2585