Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

protected_resource bearer token validation #270

Closed
ll4strw opened this issue Mar 18, 2024 · 1 comment
Closed

protected_resource bearer token validation #270

ll4strw opened this issue Mar 18, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request question Further information is requested
Milestone

Comments

@ll4strw
Copy link
Contributor

ll4strw commented Mar 18, 2024

I am wondering if it is desirable to add extended checks on a response obtained as a result of a token introspection request. The code below seems to grant access to protected resources as long as a bearer token is still active and its associated user exists in iRODS:

auto mapped_value{irods::http::process_stash::find(bearer_token)};
if (!mapped_value.has_value()) {
// If we're running as a protected resource, assume we have a OIDC token
if (irods::http::globals::oidc_configuration().at("mode").get_ref<const std::string&>() ==
"protected_resource") {
body_arguments args{{"token", bearer_token}, {"token_type_hint", "access_token"}};
auto json_res{hit_introspection_endpoint(url_encode_body(args))};
// Validate access token
if (!json_res.at("active").get<bool>()) {
logging::warn("{}: Access token is invalid or expired.", __func__);
return {.response = fail(status_type::unauthorized)};
}
// Do mapping of user to irods user
auto user{map_json_to_user(json_res)};
if (user) {
return {.client_info = {.username = *std::move(user)}};
}
logging::warn("{}: Could not find a matching user.", __func__);
return {.response = fail(status_type::unauthorized)};
}
logging::error("{}: Could not find bearer token matching [{}].", __func__, bearer_token);
return {.response = fail(status_type::unauthorized)};
}

What happens if a valid and active bearer token meant for another app/client, but for a valid iRODS user, is presented to the API server? Would this be let in? Could the token validation be performed also on the response client_id and aud? For instance, I could imagine an extra configuration parameter called audience to add an extra level of security

std::string aud = irods::http::globals::oidc_configuration().at("audience").get_ref<const std::string&>();
if (json_res.at("aud").get<string>() != aud) {
	logging::warn("{}: Access token is not meant for me.", __func__);
	return {.response = fail(status_type::unauthorized)};
}

Thanks in advance, L.

@korydraughn korydraughn added the question Further information is requested label Mar 18, 2024
@ll4strw
Copy link
Contributor Author

ll4strw commented Mar 18, 2024

@trel trel added the enhancement New feature or request label Mar 18, 2024
@trel trel added this to the 0.4.0 milestone Mar 18, 2024
@korydraughn korydraughn modified the milestones: 0.4.0, 0.5.0 Aug 14, 2024
@MartinFlores751 MartinFlores751 self-assigned this Oct 31, 2024
MartinFlores751 added a commit to MartinFlores751/irods_client_rest_cpp_beast that referenced this issue Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Development

No branches or pull requests

4 participants