author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-05 11:35:05 +0200 |
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-05 11:35:05 +0200 |
commit | 6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5 (patch) | |
tree | d5efbc30c698cdf191bf3ffa96e6c80ee5e9154c /src/reclaim/plugin_rest_openid_connect.c | |
parent | ade9b5e5248a97438ecb979f3be353f565a27ba1 (diff) | |
reclaim: Make SPAs work with public clients. No longer encrypt code.
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 58 |
1 files changed, 53 insertions, 5 deletions
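--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -525,6 +525,11 @@ struct RequestHandle
    * Reponse code
    */
   int response_code;
+
+  /**
+   * Public client
+   */
+  int public_client;
 };
 
 
@@ -1872,6 +1877,7 @@ check_authorization (struct RequestHandle *handle,
   char *expected_pass;
   char *received_cid;
   char *received_cpw;
+  char *pkce_cv;
 
   if (GNUNET_OK == parse_credentials_basic_auth (handle,
                                                   &received_cid,
@@ -1889,9 +1895,24 @@ check_authorization (struct RequestHandle *handle,
   }
   else
   {
-    handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
-    handle->response_code = MHD_HTTP_UNAUTHORIZED;
-    return GNUNET_SYSERR;
+    /** Allow public clients with PKCE **/
+    pkce_cv = get_url_parameter_copy (handle, OIDC_CODE_VERIFIER_KEY);
+    if (NULL == pkce_cv)
+    {
+      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
+      handle->response_code = MHD_HTTP_UNAUTHORIZED;
+      return GNUNET_SYSERR;
+    }
+    handle->public_client = GNUNET_YES;
+    GNUNET_free (pkce_cv);
+    received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
+    GNUNET_STRINGS_string_to_data (received_cid,
+                                   strlen (received_cid),
+                                   cid,
+                                   sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey));
+    GNUNET_free (received_cid);
+    return GNUNET_OK;
+
   }
 
   // check client password
@@ -2063,7 +2084,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   }
 
   // decode code
-  if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, code_verifier, &ticket,
+  if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, code_verifier, &ticket,
                                           &cl, &al, &nonce))
   {
     handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST);
@@ -2452,7 +2473,7 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   oidc_config = json_object ();
   // FIXME get from config?
   json_object_set_new (oidc_config,
-                       "issuer", json_string ("https://api.reclaim"));
+                       "issuer", json_string ("http://localhost:7776"));
   json_object_set_new (oidc_config,
                        "authorization_endpoint",
                        json_string ("https://api.reclaim/openid/authorize"));
@@ -2514,6 +2535,31 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
   cleanup_handle (handle);
 }
 
+/**
+ * Respond to OPTIONS request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle,
+                  const char *url,
+                  void *cls)
+{
+  struct MHD_Response *resp;
+  struct RequestHandle *handle = cls;
+
+  // For now, independent of path return all options
+  resp = GNUNET_REST_create_response (NULL);
+  MHD_add_response_header (resp, "Access-Control-Allow-Methods", allow_methods);
+  MHD_add_response_header (resp, "Access-Control-Allow-Origin", "*");
+  handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+  cleanup_handle (handle);
+  return;
+}
+
+
 
 static enum GNUNET_GenericReturnValue
 rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
@@ -2532,6 +2578,8 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle,
     { MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_USERINFO, &userinfo_endpoint },
     { MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_OIDC_CONFIG,
       &oidc_config_endpoint },
+    { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC_CONFIG,
+      &oidc_config_cors },
     { MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_OIDC, &options_cont },
     GNUNET_REST_HANDLER_END };
 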
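Review bot: In the new public-client branch of check_authorization (hunk `@@ -1889,9 +1895,24 @@`), `received_cid` returned by `get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY)` is handed to `strlen` with no NULL check, so a token request that carries a code_verifier but no client_id dereferences NULL, and the return value of `GNUNET_STRINGS_string_to_data` is ignored, so a malformed client_id leaves `cid` partially written while the function still returns GNUNET_OK. Both cases should fail with the same invalid_client response the branch already uses for a missing verifier, as in the excerpt below. Only the presence of code_verifier is checked here; its actual verification presumably happens in OIDC_parse_authz_code, which is outside this hunk. check_authorization itself begins and ends outside the hunk. Separately, the discovery hunk now hard-codes `issuer` as `http://localhost:7776` while the other advertised endpoints still use `https://api.reclaim`, a mismatch the existing `// FIXME get from config?` comment already points at.
```c
    /* … unchanged: code_verifier presence check, public_client flag … */
    received_cid = get_url_parameter_copy (handle, OIDC_CLIENT_ID_KEY);
    if (NULL == received_cid)
    {
      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
      handle->response_code = MHD_HTTP_UNAUTHORIZED;
      return GNUNET_SYSERR;
    }
    if (GNUNET_OK !=
        GNUNET_STRINGS_string_to_data (received_cid,
                                       strlen (received_cid),
                                       cid,
                                       sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)))
    {
      GNUNET_free (received_cid);
      handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_CLIENT);
      handle->response_code = MHD_HTTP_UNAUTHORIZED;
      return GNUNET_SYSERR;
    }
    GNUNET_free (received_cid);
    return GNUNET_OK;
```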