Merge branch 'code-flow-to-server' into device-flow-after-server-code-flow

Author: DrDaveD

path_login.go

@@ -92,12 +92,22 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		return logical.ErrorResponse("error configuring token validator: %s", err.Error()), nil
 	}
 
+	// Validate JWT supported algorithms if they've been provided. Otherwise,
+	// ensure that the signing algorithm is a member of the supported set.
+	signingAlgorithms := toAlg(config.JWTSupportedAlgs)
+	if len(signingAlgorithms) == 0 {
+		signingAlgorithms = []jwt.Alg{
+			jwt.RS256, jwt.RS384, jwt.RS512, jwt.ES256, jwt.ES384,
+			jwt.ES512, jwt.PS256, jwt.PS384, jwt.PS512, jwt.EdDSA,
+		}
+	}
+
 	// Set expected claims values to assert on the JWT
 	expected := jwt.Expected{
 		Issuer:            config.BoundIssuer,
 		Subject:           role.BoundSubject,
 		Audiences:         role.BoundAudiences,
-		SigningAlgorithms: toAlg(config.JWTSupportedAlgs),
+		SigningAlgorithms: signingAlgorithms,
 		NotBeforeLeeway:   role.NotBeforeLeeway,
 		ExpirationLeeway:  role.ExpirationLeeway,
 		ClockSkewLeeway:   role.ClockSkewLeeway,

path_login_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/go-test/deep"
 	"github.com/hashicorp/cap/jwt"
 	"github.com/hashicorp/vault/sdk/logical"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 	"gopkg.in/square/go-jose.v2"
 	sqjwt "gopkg.in/square/go-jose.v2/jwt"
@@ -65,7 +66,6 @@ func setupBackend(t *testing.T, cfg testConfig) (closeableBackend, logical.Stora
 			data = map[string]interface{}{
 				"bound_issuer":           "https://team-vault.auth0.com/",
 				"jwt_validation_pubkeys": ecdsaPubKey,
-				"jwt_supported_algs":     []string{string(jwt.ES256)},
 			}
 		} else {
 			p := newOIDCProvider(t)
@@ -77,9 +77,8 @@ func setupBackend(t *testing.T, cfg testConfig) (closeableBackend, logical.Stora
 			}
 
 			data = map[string]interface{}{
-				"jwks_url":           p.server.URL + "/certs",
-				"jwks_ca_pem":        cert,
-				"jwt_supported_algs": []string{string(jwt.ES256)},
+				"jwks_url":    p.server.URL + "/certs",
+				"jwks_ca_pem": cert,
 			}
 		}
 	}
@@ -955,6 +954,106 @@ func testLogin_NotBeforeClaims(t *testing.T, jwks bool) {
 	}
 }
 
+func TestLogin_JWTSupportedAlgs(t *testing.T) {
+	tests := []struct {
+		name             string
+		jwtSupportedAlgs []string
+		wantErr          bool
+	}{
+		{
+			name: "JWT auth with empty signing algorithms",
+		},
+		{
+			name:             "JWT auth with valid signing algorithm",
+			jwtSupportedAlgs: []string{string(jwt.ES256)},
+		},
+		{
+			name:             "JWT auth with valid signing algorithms",
+			jwtSupportedAlgs: []string{string(jwt.RS256), string(jwt.ES256), string(jwt.EdDSA)},
+		},
+		{
+			name:             "JWT auth with invalid signing algorithm",
+			jwtSupportedAlgs: []string{string(jwt.RS256)},
+			wantErr:          true,
+		},
+		{
+			name:             "JWT auth with invalid signing algorithms",
+			jwtSupportedAlgs: []string{string(jwt.RS256), string(jwt.ES512), string(jwt.EdDSA)},
+			wantErr:          true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b, storage := getBackend(t)
+
+			// Configure the backend with an ES256 public key
+			data := map[string]interface{}{
+				"jwt_validation_pubkeys": ecdsaPubKey,
+				"jwt_supported_algs":     tt.jwtSupportedAlgs,
+			}
+			req := &logical.Request{
+				Operation: logical.UpdateOperation,
+				Path:      configPath,
+				Storage:   storage,
+				Data:      data,
+			}
+			resp, err := b.HandleRequest(context.Background(), req)
+			require.NoError(t, err)
+			require.False(t, resp.IsError())
+
+			// Configure a JWT role
+			data = map[string]interface{}{
+				"role_type":       "jwt",
+				"bound_audiences": []string{"https://vault.plugin.auth.jwt.test"},
+				"user_claim":      "email",
+			}
+			req = &logical.Request{
+				Operation: logical.CreateOperation,
+				Path:      "role/plugin-test",
+				Storage:   storage,
+				Data:      data,
+			}
+			resp, err = b.HandleRequest(context.Background(), req)
+			require.NoError(t, err)
+			require.False(t, resp.IsError())
+
+			// Sign a JWT with the related ES256 private key
+			cl := sqjwt.Claims{
+				Subject:   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
+				Issuer:    "https://team-vault.auth0.com/",
+				NotBefore: sqjwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
+				Audience:  sqjwt.Audience{"https://vault.plugin.auth.jwt.test"},
+			}
+			privateCl := struct {
+				Email string `json:"email"`
+			}{
+				"[email protected]",
+			}
+			jwtData, _ := getTestJWT(t, ecdsaPrivKey, cl, privateCl)
+
+			// Authenticate using the signed JWT
+			data = map[string]interface{}{
+				"role": "plugin-test",
+				"jwt":  jwtData,
+			}
+			req = &logical.Request{
+				Operation: logical.UpdateOperation,
+				Path:      "login",
+				Storage:   storage,
+				Data:      data,
+			}
+			resp, err = b.HandleRequest(context.Background(), req)
+			if tt.wantErr {
+				require.True(t, resp.IsError())
+				return
+			}
+			require.NoError(t, err)
+			require.False(t, resp.IsError())
+		})
+	}
+}
+
 func setupLogin(t *testing.T, iat, exp, nbf time.Time, b logical.Backend, storage logical.Storage) *logical.Request {
 	cl := sqjwt.Claims{
 		Audience:  sqjwt.Audience{"https://vault.plugin.auth.jwt.test"},

path_oidc.go

@@ -287,12 +287,20 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		if oidcReq.idToken == "" {
 			return loginFailedResponse(useHttp, "No code or id_token received."), nil
 		}
-		token, err = oidc.NewToken(oidc.IDToken(oidcReq.idToken), nil)
+
+		// Verify the ID token received from the authentication response.
+		rawToken = oidc.IDToken(oidcReq.idToken)
+		if _, err := provider.VerifyIDToken(ctx, rawToken, oidcReq); err != nil {
+			return logical.ErrorResponse("%s %s", errTokenVerification, err.Error()), nil
+		}
+
+		token, err = oidc.NewToken(rawToken, nil)
 		if err != nil {
 			return nil, errwrap.Wrapf("error creating oidc token: {{err}}", err)
 		}
 	} else {
-		// ID token verification takes place in exchange
+		// Exchange the authorization code for an ID token and access token.
+		// ID token verification takes place in provider.Exchange.
 		token, err = provider.Exchange(ctx, oidcReq, stateID, code)
 		if err != nil {
 			return loginFailedResponse(useHttp, fmt.Sprintf("Error exchanging oidc code: %q.", err.Error())), nil
@@ -344,7 +352,15 @@ func (b *jwtAuthBackend) processToken(ctx context.Context, config *jwtConfig, oi
 		return loginFailedResponse(useHttp, "sub claim does not match bound subject"), nil
 	}
 
-	// If we have a tokenSource, attempt to fetch information from the /userinfo endpoint
+	// Set the token source for the access token if it's available. It will only
+	// be available for the authorization code flow (oidc_response_types=code).
+	// The access token will be used for fetching additional user and group info.
+	var tokenSource oauth2.TokenSource
+	if token != nil {
+		tokenSource = token.StaticTokenSource()
+	}
+
+	// If we have a token, attempt to fetch information from the /userinfo endpoint
 	// and merge it with the existing claims data. A failure to fetch additional information
 	// from this endpoint will not invalidate the authorization flow.
 	if tokenSource != nil {
@@ -365,15 +381,15 @@ func (b *jwtAuthBackend) processToken(ctx context.Context, config *jwtConfig, oi
 		}
 	}
 
-	if err := validateBoundClaims(b.Logger(), role.BoundClaimsType, role.BoundClaims, allClaims); err != nil {
-		return loginFailedResponse(useHttp, fmt.Sprintf("error validating claims: %s", err.Error())), nil
-	}
-
 	alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, tokenSource)
 	if err != nil {
 		return loginFailedResponse(useHttp, err.Error()), nil
 	}
 
+	if err := validateBoundClaims(b.Logger(), role.BoundClaimsType, role.BoundClaims, allClaims); err != nil {
+		return loginFailedResponse(useHttp, fmt.Sprintf("error validating claims: %s", err.Error())), nil
+	}
+
 	tokenMetadata := map[string]string{"role": roleName}
 	for k, v := range alias.Metadata {
 		tokenMetadata[k] = v

path_oidc_test.go

@@ -467,6 +467,119 @@ func TestOIDC_AuthURL_max_age(t *testing.T) {
 	}
 }
 
+// TestOIDC_ResponseTypeIDToken tests authentication using an implicit flow
+// by setting oidc_response_types=id_token and oidc_response_mode=form_post.
+// This means that there is no exchange of an authorization code for tokens.
+// Instead, the OIDC provider's authorization endpoint responds with an ID
+// token, which will be verified to complete the authentication request.
+func TestOIDC_ResponseTypeIDToken(t *testing.T) {
+	b, storage := getBackend(t)
+
+	// Start the test OIDC provider
+	s := newOIDCProvider(t)
+	t.Cleanup(s.server.Close)
+	s.clientID = "abc"
+	s.clientSecret = "def"
+	cert, err := s.getTLSCert()
+	require.NoError(t, err)
+
+	// Configure the backend
+	data := map[string]interface{}{
+		"oidc_discovery_url":    s.server.URL,
+		"oidc_client_id":        s.clientID,
+		"oidc_client_secret":    s.clientSecret,
+		"oidc_discovery_ca_pem": cert,
+		"default_role":          "test",
+		"bound_issuer":          "http://vault.example.com/",
+		"jwt_supported_algs":    []string{"ES256"},
+		"oidc_response_mode":    "form_post",
+		"oidc_response_types":   "id_token",
+	}
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      configPath,
+		Storage:   storage,
+		Data:      data,
+	}
+	resp, err := b.HandleRequest(context.Background(), req)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+
+	// Configure a role
+	data = map[string]interface{}{
+		"user_claim":            "email",
+		"bound_subject":         "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
+		"allowed_redirect_uris": []string{"https://example.com"},
+	}
+	req = &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "role/test",
+		Storage:   storage,
+		Data:      data,
+	}
+	resp, err = b.HandleRequest(context.Background(), req)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+
+	// Generate an auth URL
+	data = map[string]interface{}{
+		"role":         "test",
+		"redirect_uri": "https://example.com",
+	}
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "oidc/auth_url",
+		Storage:   storage,
+		Data:      data,
+	}
+	resp, err = b.HandleRequest(context.Background(), req)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+
+	// Parse the state and nonce from the auth URL
+	authURL := resp.Data["auth_url"].(string)
+	state := getQueryParam(t, authURL, "state")
+	nonce := getQueryParam(t, authURL, "nonce")
+
+	// Create a signed JWT which will act as the ID token that would be
+	// returned directly from the OIDC provider's authorization endpoint
+	stdClaims := jwt.Claims{
+		Subject:   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
+		Issuer:    s.server.URL,
+		NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
+		Expiry:    jwt.NewNumericDate(time.Now().Add(2 * time.Minute)),
+		Audience:  jwt.Audience{s.clientID},
+	}
+	idToken, _ := getTestJWT(t, ecdsaPrivKey, stdClaims, sampleClaims(nonce))
+
+	// Invoke the POST callback handler with the ID token and state
+	req = &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "oidc/callback",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"id_token": idToken,
+			"state":    state,
+		},
+	}
+	resp, err = b.HandleRequest(context.Background(), req)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+
+	// Complete authentication by invoking the callback handler with the state
+	req = &logical.Request{
+		Operation: logical.ReadOperation,
+		Path:      "oidc/callback",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"state": state,
+		},
+	}
+	resp, err = b.HandleRequest(context.Background(), req)
+	require.NoError(t, err)
+	require.False(t, resp.IsError())
+}
+
 func TestOIDC_Callback(t *testing.T) {
 	t.Run("successful login", func(t *testing.T) {