Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth #26

Merged
merged 19 commits into from
Apr 11, 2023
Merged

OAuth #26

merged 19 commits into from
Apr 11, 2023

Conversation

volovyks
Copy link
Collaborator

@volovyks volovyks commented Apr 9, 2023
edited
Loading

Info about OIDC, token validation, and how we are planning to handle internal user id added to README.
Some of the TODOs moved to separate issues.

Not sure how to fix audit CI, chrono crate is up tp date. Can we patch time version? Is it a good practice?

@volovyks volovyks linked an issue Apr 9, 2023 that may be closed by this pull request
Add OAuth token verification #16
Closed
@volovyks volovyks changed the title Serhii/google o auth OAuth Apr 10, 2023
@volovyks volovyks marked this pull request as ready for review April 10, 2023 20:50
@volovyks volovyks requested a review from itegulov April 10, 2023 20:50
itegulov
itegulov reviewed Apr 11, 2023
View reviewed changes
mpc-recovery/src/oauth.rs
#[async_trait::async_trait]
pub trait OAuthTokenVerifier {
async fn verify_token(token: &str) -> Option<&str>;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should create a clear separation of concern here. I don't think parsing stuff belongs here, so instead I would replace SupportedTokenVerifiers with something like this:

pub enum OAuthToken {
    GoogleToken(String),
    TestToken(String),
}

#[derive(Debug, PartialEq, Eq)]
struct ParseOAuthError;

impl FromStr for OAuthToken {
    type Err = ParseOAuthError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.len() {
            0 => Ok(OAuthToken::TestToken(s.into())),
            _ => Ok(OAuthToken::GoogleToken(s.into())),
        }
    }
}

And then OAuthTokenVerifier only works on OAuthToken and each impl can assert that this specific token corresponds to the expected type (e.g. Universal accepts all, Google only accepts GoogleToken etc). Meaning parsing has already happened by the point of this method's invocation.

Copy link
Collaborator Author

@volovyks volovyks Apr 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found out that issuer is a required field in ID token. I will refactor it, but probably in some other, more fundamental way and once we have end-to-end Google + some other verifier. Thanks for suggestion, strong Token typing should be usefull.

mpc-recovery/src/oauth.rs Outdated Show resolved Hide resolved
mpc-recovery/src/oauth.rs
#[async_trait::async_trait]
pub trait OAuthTokenVerifier {
async fn verify_token(token: &str) -> Option<&str>;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a big deal right now, but the right side of Result should ideally be a proper error type, something like

enum OAuthError {
	Type1(...),
	Type2(...)
}

mpc-recovery/src/oauth.rs Outdated
}
/// This function validates JWT (OIDC ID token) by checking the signature received
/// from the issuer, issuer, audience, and expiration time.
pub fn validate_jwt(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be inside GoogleTokenVerifier

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should not, because this function will be used in other verifiers (GitHub, Twitter, etc.). The use the same JWT.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to the OAuthTokenVerifier trait.

itegulov
itegulov reviewed Apr 11, 2023
View reviewed changes
mpc-recovery/src/oauth.rs Outdated Show resolved Hide resolved
@volovyks volovyks merged commit 3f7c743 into develop Apr 11, 2023
@volovyks volovyks deleted the serhii/GoogleOAuth branch April 14, 2023 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@itegulov itegulov itegulov left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add OAuth token verification
2 participants
@volovyks @itegulov