Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: jwt audience validation #89

Merged
merged 13 commits into from
Dec 10, 2024
5 changes: 3 additions & 2 deletions app.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,14 +64,15 @@ func New(appID string, config *Config) (*Passage, error) {
if err != nil {
return nil, err
}

user := newUser(appID, client)

return &App{
ID: appID,
Config: config,
Auth: auth,
User: user,
client: client,
User: user,
Auth: auth,
}, nil
}

Expand Down
14 changes: 9 additions & 5 deletions auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ func newAuth(appID string, client *ClientWithResponses) (*auth, error) {
}

if _, err := cache.Refresh(ctx, url); err != nil {
return nil, fmt.Errorf("Failed to fetch JWKS: %w", err)
return nil, fmt.Errorf("failed to fetch JWKS: %w", err)
}

auth := auth{
Expand Down Expand Up @@ -60,12 +60,16 @@ func (a *auth) ValidateJWT(authToken string) (string, error) {

claims, ok := parsedToken.Claims.(jwt.MapClaims)
if !ok {
return "", errors.New("Failed to extract claims from JWT")
return "", errors.New("failed to extract claims from JWT")
}

userID, ok := claims["sub"].(string)
if !ok {
return "", errors.New("Failed to find sub claim in JWT")
return "", errors.New("failed to find sub claim in JWT")
}

if !claims.VerifyAudience(a.appID, true) {
return "", errors.New("failed audience verification for JWT")
}

return userID, nil
Expand All @@ -74,12 +78,12 @@ func (a *auth) ValidateJWT(authToken string) (string, error) {
func (a *auth) getPublicKey(token *jwt.Token) (interface{}, error) {
keyID, ok := token.Header["kid"].(string)
if !ok {
return nil, errors.New("Failed to find kid in JWT header")
return nil, errors.New("failed to find kid in JWT header")
}

key, ok := a.jwksCacheSet.LookupKeyID(keyID)
if !ok {
return nil, fmt.Errorf("Failed to find key %q in JWKS", keyID)
return nil, fmt.Errorf("failed to find key %q in JWKS", keyID)
}

var pubKey interface{}
Expand Down
4 changes: 4 additions & 0 deletions authentication.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,5 +70,9 @@ func (a *App) ValidateAuthToken(authToken string) (string, bool) {
return "", false
}

if !claims.VerifyAudience(a.ID, true) {
return "", false
}

return userID, true
}
Loading