Diffstat (limited to 'src/reclaim')
-rw-r--r-- | src/reclaim/jwt.c | 30 | ||||
-rw-r--r-- | src/reclaim/jwt.h | 17 | ||||
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 55 | ||||
-rw-r--r-- | src/reclaim/reclaim.conf | 2 |
4 files changed, 50 insertions, 54 deletions
diff --git a/src/reclaim/jwt.c b/src/reclaim/jwt.c index 9885bf467..41a3747ed 100644 --- a/src/reclaim/jwt.c +++ b/src/reclaim/jwt.c | |||
@@ -83,19 +83,25 @@ fix_base64(char* str) { | |||
83 | /** | 83 | /** |
84 | * Create a JWT from attributes | 84 | * Create a JWT from attributes |
85 | * | 85 | * |
86 | * @param aud_key the public of the subject | 86 | * @param aud_key the public of the audience |
87 | * @param sub_key the public key of the subject | ||
87 | * @param attrs the attribute list | 88 | * @param attrs the attribute list |
88 | * @param priv_key the key used to sign the JWT | 89 | * @param expiration_time the validity of the token |
90 | * @param secret_key the key used to sign the JWT | ||
89 | * @return a new base64-encoded JWT string. | 91 | * @return a new base64-encoded JWT string. |
90 | */ | 92 | */ |
91 | char* | 93 | char* |
92 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | 94 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, |
93 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, | 95 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, |
94 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, | 96 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, |
97 | const struct GNUNET_TIME_Relative *expiration_time, | ||
98 | const char *nonce, | ||
95 | const char *secret_key) | 99 | const char *secret_key) |
96 | { | 100 | { |
97 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; | 101 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimListEntry *le; |
98 | struct GNUNET_HashCode signature; | 102 | struct GNUNET_HashCode signature; |
103 | struct GNUNET_TIME_Absolute exp_time; | ||
104 | struct GNUNET_TIME_Absolute time_now; | ||
99 | char* audience; | 105 | char* audience; |
100 | char* subject; | 106 | char* subject; |
101 | char* header; | 107 | char* header; |
@@ -107,9 +113,11 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
107 | char* signature_base64; | 113 | char* signature_base64; |
108 | char* attr_val_str; | 114 | char* attr_val_str; |
109 | json_t* body; | 115 | json_t* body; |
110 | 116 | ||
111 | //exp REQUIRED time expired from config | ||
112 | //iat REQUIRED time now | 117 | //iat REQUIRED time now |
118 | time_now = GNUNET_TIME_absolute_get(); | ||
119 | //exp REQUIRED time expired from config | ||
120 | exp_time = GNUNET_TIME_absolute_add (time_now, *expiration_time); | ||
113 | //auth_time only if max_age | 121 | //auth_time only if max_age |
114 | //nonce only if nonce | 122 | //nonce only if nonce |
115 | // OPTIONAL acr,amr,azp | 123 | // OPTIONAL acr,amr,azp |
@@ -130,6 +138,20 @@ jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | |||
130 | //aud REQUIRED public key client_id must be there | 138 | //aud REQUIRED public key client_id must be there |
131 | json_object_set_new (body, | 139 | json_object_set_new (body, |
132 | "aud", json_string (audience)); | 140 | "aud", json_string (audience)); |
141 | //iat | ||
142 | json_object_set_new (body, | ||
143 | "iat", json_integer (time_now.abs_value_us)); | ||
144 | //exp | ||
145 | json_object_set_new (body, | ||
146 | "exp", json_integer (exp_time.abs_value_us)); | ||
147 | //nbf | ||
148 | json_object_set_new (body, | ||
149 | "nbf", json_integer (time_now.abs_value_us)); | ||
150 | //nonce | ||
151 | if (NULL != nonce) | ||
152 | json_object_set_new (body, | ||
153 | "nonce", json_string (nonce)); | ||
154 | |||
133 | for (le = attrs->list_head; NULL != le; le = le->next) | 155 | for (le = attrs->list_head; NULL != le; le = le->next) |
134 | { | 156 | { |
135 | attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, | 157 | attr_val_str = GNUNET_RECLAIM_ATTRIBUTE_value_to_string (le->claim->type, |
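Review bot: The `iat`, `exp` and `nbf` claims added at new lines 141–149 are written as `abs_value_us`, i.e. microseconds since the epoch, whereas RFC 7519 defines these claims as NumericDate values in seconds. A relying party that validates the token per the standard will read a microsecond `exp` as a date tens of thousands of years away, so the configured expiration is never enforced on the verifier side, and a microsecond `nbf` lies in the far future, so a verifier that checks `nbf` rejects the token outright. Convert at the point of emission, e.g. `"iat", json_integer (time_now.abs_value_us / 1000000LL)`, and likewise for `exp` and `nbf`; a short comment such as `/* JWT NumericDate is in seconds, GNUnet absolute time is in microseconds */` would stop the next contributor from reintroducing the mismatch. The body of jwt_create_from_list continues past the end of this section.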
diff --git a/src/reclaim/jwt.h b/src/reclaim/jwt.h index 39b4e2f3c..12ff85b01 100644 --- a/src/reclaim/jwt.h +++ b/src/reclaim/jwt.h | |||
@@ -1,10 +1,23 @@ | |||
1 | #ifndef JWT_H | 1 | #ifndef JWT_H |
2 | #define JWT_H | 2 | #define JWT_H |
3 | 3 | ||
4 | /** | ||
5 | * Create a JWT from attributes | ||
6 | * | ||
7 | * @param aud_key the public of the audience | ||
8 | * @param sub_key the public key of the subject | ||
9 | * @param attrs the attribute list | ||
10 | * @param expiration_time the validity of the token | ||
11 | * @param nonce the nonce, may be NULL | ||
12 | * @param secret_key the key used to sign the JWT | ||
13 | * @return a new base64-encoded JWT string. | ||
14 | */ | ||
4 | char* | 15 | char* |
5 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, | 16 | jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key, |
6 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, | 17 | const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key, |
7 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, | 18 | const struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *attrs, |
8 | const char* secret_key); | 19 | const struct GNUNET_TIME_Relative *expiration_time, |
20 | const char *nonce, | ||
21 | const char *secret_key); | ||
9 | 22 | ||
10 | #endif | 23 | #endif |
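Review bot: The new `@param expiration_time the validity of the token` line does not say what the value is relative to, and callers only see this header. On the jwt.c side of the same commit the `exp` claim is computed as the current time plus this relative value, so the header should state that, e.g. `@param expiration_time lifetime of the token relative to its creation time (exp = now + expiration_time)`. It would also help to state who owns the returned buffer; "a new base64-encoded JWT string" suggests the caller must free it, but the return path is not visible here, so confirm before documenting it.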
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 5a34e5b72..d1c5b31b6 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -168,7 +168,6 @@ static char* OIDC_ignored_parameter_array [] = | |||
168 | { | 168 | { |
169 | "display", | 169 | "display", |
170 | "prompt", | 170 | "prompt", |
171 | "max_age", | ||
172 | "ui_locales", | 171 | "ui_locales", |
173 | "response_mode", | 172 | "response_mode", |
174 | "id_token_hint", | 173 | "id_token_hint", |
@@ -1320,7 +1319,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1320 | int client_exists = GNUNET_NO; | 1319 | int client_exists = GNUNET_NO; |
1321 | struct MHD_Response *resp; | 1320 | struct MHD_Response *resp; |
1322 | char* code_output; | 1321 | char* code_output; |
1323 | json_t *root, *ticket_string, *nonce, *max_age; | 1322 | json_t *root; |
1323 | json_t *ticket_string; | ||
1324 | json_t *nonce; | ||
1324 | json_error_t error; | 1325 | json_error_t error; |
1325 | char *json_response; | 1326 | char *json_response; |
1326 | char *jwt_secret; | 1327 | char *jwt_secret; |
@@ -1515,7 +1516,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1515 | GNUNET_free(code_output); | 1516 | GNUNET_free(code_output); |
1516 | ticket_string = json_object_get (root, "ticket"); | 1517 | ticket_string = json_object_get (root, "ticket"); |
1517 | nonce = json_object_get (root, "nonce"); | 1518 | nonce = json_object_get (root, "nonce"); |
1518 | max_age = json_object_get (root, "max_age"); | ||
1519 | 1519 | ||
1520 | if(ticket_string == NULL && !json_is_string(ticket_string)) | 1520 | if(ticket_string == NULL && !json_is_string(ticket_string)) |
1521 | { | 1521 | { |
@@ -1557,9 +1557,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1557 | } | 1557 | } |
1558 | 1558 | ||
1559 | //create jwt | 1559 | //create jwt |
1560 | unsigned long long int expiration_time; | 1560 | struct GNUNET_TIME_Relative expiration_time; |
1561 | if ( GNUNET_OK | 1561 | if ( GNUNET_OK |
1562 | != GNUNET_CONFIGURATION_get_value_number(cfg, "reclaim-rest-plugin", | 1562 | != GNUNET_CONFIGURATION_get_value_time(cfg, "reclaim-rest-plugin", |
1563 | "expiration_time", &expiration_time) ) | 1563 | "expiration_time", &expiration_time) ) |
1564 | { | 1564 | { |
1565 | GNUNET_free_non_null(user_psw); | 1565 | GNUNET_free_non_null(user_psw); |
@@ -1572,48 +1572,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1572 | } | 1572 | } |
1573 | 1573 | ||
1574 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); | 1574 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); |
1575 | //aud REQUIRED public key client_id must be there | 1575 | |
1576 | GNUNET_RECLAIM_ATTRIBUTE_list_add(cl, | ||
1577 | "aud", | ||
1578 | GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, | ||
1579 | client_id, | ||
1580 | strlen(client_id)); | ||
1581 | //exp REQUIRED time expired from config | ||
1582 | struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute ( | ||
1583 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), | ||
1584 | expiration_time)); | ||
1585 | const char* exp_time_string = GNUNET_STRINGS_absolute_time_to_string(exp_time); | ||
1586 | GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, | ||
1587 | "exp", | ||
1588 | GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, | ||
1589 | exp_time_string, | ||
1590 | strlen(exp_time_string)); | ||
1591 | //iat REQUIRED time now | ||
1592 | struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get(); | ||
1593 | const char* time_now_string = GNUNET_STRINGS_absolute_time_to_string(time_now); | ||
1594 | GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, | ||
1595 | "iat", | ||
1596 | GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, | ||
1597 | time_now_string, | ||
1598 | strlen(time_now_string)); | ||
1599 | //nonce only if nonce is provided | ||
1600 | if ( NULL != nonce && json_is_string(nonce) ) | ||
1601 | { | ||
1602 | GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, | ||
1603 | "nonce", | ||
1604 | GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, | ||
1605 | json_string_value(nonce), | ||
1606 | strlen(json_string_value(nonce))); | ||
1607 | } | ||
1608 | //auth_time only if max_age is provided | ||
1609 | if ( NULL != max_age && json_is_string(max_age) ) | ||
1610 | { | ||
1611 | GNUNET_RECLAIM_ATTRIBUTE_list_add (cl, | ||
1612 | "auth_time", | ||
1613 | GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING, | ||
1614 | json_string_value(max_age), | ||
1615 | strlen(json_string_value(max_age))); | ||
1616 | } | ||
1617 | //TODO OPTIONAL acr,amr,azp | 1576 | //TODO OPTIONAL acr,amr,azp |
1618 | 1577 | ||
1619 | struct EgoEntry *ego_entry; | 1578 | struct EgoEntry *ego_entry; |
@@ -1652,6 +1611,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1652 | char *id_token = jwt_create_from_list(&ticket->audience, | 1611 | char *id_token = jwt_create_from_list(&ticket->audience, |
1653 | &pk, | 1612 | &pk, |
1654 | cl, | 1613 | cl, |
1614 | &expiration_time, | ||
1615 | (NULL != nonce && json_is_string(nonce)) ? json_string_value (nonce) : NULL, | ||
1655 | jwt_secret); | 1616 | jwt_secret); |
1656 | 1617 | ||
1657 | //Create random access_token | 1618 | //Create random access_token |
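Review bot: Removing `"max_age"` from OIDC_ignored_parameter_array (old line 171) while also deleting the `auth_time` claim leaves `max_age` unhandled: OpenID Connect Core 3.1.2.1 requires the `auth_time` claim in the ID token whenever the RP sent `max_age`, and the old code at least emitted something under that name. If that array is what lets unrecognised request parameters through, a request carrying `max_age` now takes whatever path un-ignored parameters take; that logic is outside this section, so confirm. Either keep `"max_age",` in the list until `auth_time` is implemented, or carry the real authentication timestamp through the ticket so jwt_create_from_list can emit it; the old code stored the request's own `max_age` value as `auth_time`, which was wrong and should not be restored as-is. Separately, the context line `if(ticket_string == NULL && !json_is_string(ticket_string))` at 1520 needs `||` to also reject a non-string `ticket`, since `json_is_string(NULL)` is false and the test as written only fires when the key is absent.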
diff --git a/src/reclaim/reclaim.conf b/src/reclaim/reclaim.conf index e93899e05..cf0a0dc5e 100644 --- a/src/reclaim/reclaim.conf +++ b/src/reclaim/reclaim.conf | |||
@@ -17,7 +17,7 @@ DATABASE = sqlite | |||
17 | ADDRESS = https://reclaim.ui/#/login | 17 | ADDRESS = https://reclaim.ui/#/login |
18 | PSW = secret | 18 | PSW = secret |
19 | JWT_SECRET = secret | 19 | JWT_SECRET = secret |
20 | EXPIRATION_TIME = 3600 | 20 | EXPIRATION_TIME = 1d |
21 | 21 | ||
22 | [reclaim-sqlite] | 22 | [reclaim-sqlite] |
23 | FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db | 23 | FILENAME = $GNUNET_DATA_HOME/reclaim/sqlite.db |
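Review bot: Changing `EXPIRATION_TIME = 3600` to `1d` is not a pure format conversion: the removed plugin code multiplied the old number by one second, so the old default was a one-hour ID-token lifetime, and `1d` extends it to 24 hours. A leaked ID token therefore remains acceptable to relying parties for a day instead of an hour; if the intent was to keep the previous behaviour, use `EXPIRATION_TIME = 1 h` (or whichever one-hour spelling the time parser accepts). The adjacent `JWT_SECRET = secret` and `PSW = secret` lines are unchanged by this commit, but shipping the signing secret as a literal default means every installation that does not override it uses the same key; a comment in the file stating that the value must be replaced would be worthwhile.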