aboutsummaryrefslogtreecommitdiffstats
path: root/server/resty/openidc.lua
diff options
context:
space:
mode:
Diffstat (limited to 'server/resty/openidc.lua')
-rw-r--r--server/resty/openidc.lua1870
1 files changed, 1870 insertions, 0 deletions
diff --git a/server/resty/openidc.lua b/server/resty/openidc.lua
new file mode 100644
index 0000000..246414e
--- /dev/null
+++ b/server/resty/openidc.lua
@@ -0,0 +1,1870 @@
+--[[
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+
+***************************************************************************
+Copyright (C) 2017-2019 ZmartZone IAM
+Copyright (C) 2015-2017 Ping Identity Corporation
+All rights reserved.
+
+For further information please contact:
+
+ Ping Identity Corporation
+ 1099 18th St Suite 2950
+ Denver, CO 80202
+ 303.468.2900
+ http://www.pingidentity.com
+
+DISCLAIMER OF WARRANTIES:
+
+THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING,
+WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT,
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY
+WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE
+USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET
+YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE
+WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+@Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
+--]]
+
+local require = require
+local cjson = require("cjson")
+local cjson_s = require("cjson.safe")
+local http = require("resty.http")
+local r_session = require("resty.session")
+local string = string
+local ipairs = ipairs
+local pairs = pairs
+local type = type
+local ngx = ngx
+local b64 = ngx.encode_base64
+local unb64 = ngx.decode_base64
+
+local log = ngx.log
+local DEBUG = ngx.DEBUG
+local ERROR = ngx.ERR
+local WARN = ngx.WARN
+
+local function token_auth_method_precondition(method, required_field)
+ return function(opts)
+ if not opts[required_field] then
+ log(DEBUG, "Can't use " .. method .. " without opts." .. required_field)
+ return false
+ end
+ return true
+ end
+end
+
+local supported_token_auth_methods = {
+ client_secret_basic = true,
+ client_secret_post = true,
+ private_key_jwt = token_auth_method_precondition('private_key_jwt', 'client_rsa_private_key'),
+ client_secret_jwt = token_auth_method_precondition('client_secret_jwt', 'client_secret')
+}
+
+local openidc = {
+ _VERSION = "1.7.5"
+}
+openidc.__index = openidc
+
+local function store_in_session(opts, feature)
+ -- We don't have a whitelist of features to enable
+ if not opts.session_contents then
+ return true
+ end
+
+ return opts.session_contents[feature]
+end
+
+-- set value in server-wide cache if available
+local function openidc_cache_set(type, key, value, exp)
+ local dict = ngx.shared[type]
+ if dict and (exp > 0) then
+ local success, err, forcible = dict:set(key, value, exp)
+ log(DEBUG, "cache set: success=", success, " err=", err, " forcible=", forcible)
+ end
+end
+
+-- retrieve value from server-wide cache if available
+local function openidc_cache_get(type, key)
+ local dict = ngx.shared[type]
+ local value
+ if dict then
+ value = dict:get(key)
+ if value then log(DEBUG, "cache hit: type=", type, " key=", key) end
+ end
+ return value
+end
+
+-- invalidate values of server-wide cache
+local function openidc_cache_invalidate(type)
+ local dict = ngx.shared[type]
+ if dict then
+ log(DEBUG, "flushing cache for " .. type)
+ dict.flush_all(dict)
+ local nbr = dict.flush_expired(dict)
+ end
+end
+
+-- invalidate all server-wide caches
+function openidc.invalidate_caches()
+ openidc_cache_invalidate("discovery")
+ openidc_cache_invalidate("jwks")
+ openidc_cache_invalidate("introspection")
+ openidc_cache_invalidate("jwt_verification")
+end
+
+-- validate the contents of and id_token
+local function openidc_validate_id_token(opts, id_token, nonce)
+
+ -- check issuer
+ if opts.discovery.issuer ~= id_token.iss then
+ log(ERROR, "issuer \"", id_token.iss, "\" in id_token is not equal to the issuer from the discovery document \"", opts.discovery.issuer, "\"")
+ return false
+ end
+
+ -- check sub
+ if not id_token.sub then
+ log(ERROR, "no \"sub\" claim found in id_token")
+ return false
+ end
+
+ -- check nonce
+ if nonce and nonce ~= id_token.nonce then
+ log(ERROR, "nonce \"", id_token.nonce, "\" in id_token is not equal to the nonce that was sent in the request \"", nonce, "\"")
+ return false
+ end
+
+ -- check issued-at timestamp
+ if not id_token.iat then
+ log(ERROR, "no \"iat\" claim found in id_token")
+ return false
+ end
+
+ local slack = opts.iat_slack and opts.iat_slack or 120
+ if id_token.iat > (ngx.time() + slack) then
+ log(ERROR, "id_token not yet valid: id_token.iat=", id_token.iat, ", ngx.time()=", ngx.time(), ", slack=", slack)
+ return false
+ end
+
+ -- check expiry timestamp
+ if not id_token.exp then
+ log(ERROR, "no \"exp\" claim found in id_token")
+ return false
+ end
+
+ if (id_token.exp + slack) < ngx.time() then
+ log(ERROR, "token expired: id_token.exp=", id_token.exp, ", ngx.time()=", ngx.time())
+ return false
+ end
+
+ -- check audience (array or string)
+ if not id_token.aud then
+ log(ERROR, "no \"aud\" claim found in id_token")
+ return false
+ end
+
+ if (type(id_token.aud) == "table") then
+ for _, value in pairs(id_token.aud) do
+ if value == opts.client_id then
+ return true
+ end
+ end
+ log(ERROR, "no match found token audience array: client_id=", opts.client_id)
+ return false
+ elseif (type(id_token.aud) == "string") then
+ if id_token.aud ~= opts.client_id then
+ log(ERROR, "token audience does not match: id_token.aud=", id_token.aud, ", client_id=", opts.client_id)
+ return false
+ end
+ end
+ return true
+end
+
+local function get_first(table_or_string)
+ local res = table_or_string
+ if table_or_string and type(table_or_string) == 'table' then
+ res = table_or_string[1]
+ end
+ return res
+end
+
+local function get_first_header(headers, header_name)
+ local header = headers[header_name]
+ return get_first(header)
+end
+
+local function get_first_header_and_strip_whitespace(headers, header_name)
+ local header = get_first_header(headers, header_name)
+ return header and header:gsub('%s', '')
+end
+
+local function get_forwarded_parameter(headers, param_name)
+ local forwarded = get_first_header(headers, 'Forwarded')
+ local params = {}
+ if forwarded then
+ local function parse_parameter(pv)
+ local name, value = pv:match("^%s*([^=]+)%s*=%s*(.-)%s*$")
+ if name and value then
+ if value:sub(1, 1) == '"' then
+ value = value:sub(2, -2)
+ end
+ params[name:lower()] = value
+ end
+ end
+
+ -- this assumes there is no quoted comma inside the header's value
+ -- which should be fine as comma is not legal inside a node name,
+ -- a URI scheme or a host name. The only thing that might bite us
+ -- are extensions.
+ local first_part = forwarded
+ local first_comma = forwarded:find("%s*,%s*")
+ if first_comma then
+ first_part = forwarded:sub(1, first_comma - 1)
+ end
+ first_part:gsub("[^;]+", parse_parameter)
+ end
+ return params[param_name:gsub("^%s*(.-)%s*$", "%1"):lower()]
+end
+
+local function get_scheme(headers)
+ return get_forwarded_parameter(headers, 'proto')
+ or get_first_header_and_strip_whitespace(headers, 'X-Forwarded-Proto')
+ or ngx.var.scheme
+end
+
+local function get_host_name_from_x_header(headers)
+ local header = get_first_header_and_strip_whitespace(headers, 'X-Forwarded-Host')
+ return header and header:gsub('^([^,]+),?.*$', '%1')
+end
+
+local function get_host_name(headers)
+ return get_forwarded_parameter(headers, 'host')
+ or get_host_name_from_x_header(headers)
+ or ngx.var.http_host
+end
+
+-- assemble the redirect_uri
+local function openidc_get_redirect_uri(opts, session)
+ local path = opts.redirect_uri_path
+ if opts.redirect_uri then
+ if opts.redirect_uri:sub(1, 1) == '/' then
+ path = opts.redirect_uri
+ else
+ return opts.redirect_uri
+ end
+ end
+ local headers = ngx.req.get_headers()
+ local scheme = opts.redirect_uri_scheme or get_scheme(headers)
+ local host = get_host_name(headers)
+ if not host then
+ -- possibly HTTP 1.0 and no Host header
+ if session then session:close() end
+ ngx.exit(ngx.HTTP_BAD_REQUEST)
+ end
+ return scheme .. "://" .. host .. path
+end
+
+-- perform base64url decoding
+local function openidc_base64_url_decode(input)
+ local reminder = #input % 4
+ if reminder > 0 then
+ local padlen = 4 - reminder
+ input = input .. string.rep('=', padlen)
+ end
+ input = input:gsub('%-', '+'):gsub('_', '/')
+ return unb64(input)
+end
+
+-- perform base64url encoding
+local function openidc_base64_url_encode(input)
+ local output = b64(input, true)
+ return output:gsub('%+', '-'):gsub('/', '_')
+end
+
+local function openidc_combine_uri(uri, params)
+ if params == nil or next(params) == nil then
+ return uri
+ end
+ local sep = "?"
+ if string.find(uri, "?", 1, true) then
+ sep = "&"
+ end
+ return uri .. sep .. ngx.encode_args(params)
+end
+
+local function decorate_request(http_request_decorator, req)
+ return http_request_decorator and http_request_decorator(req) or req
+end
+
+local function openidc_s256(verifier)
+ local sha256 = (require 'resty.sha256'):new()
+ sha256:update(verifier)
+ return openidc_base64_url_encode(sha256:final())
+end
+
+-- send the browser of to the OP's authorization endpoint
+local function openidc_authorize(opts, session, target_url, prompt)
+ local resty_random = require("resty.random")
+ local resty_string = require("resty.string")
+ local err
+
+ -- generate state and nonce
+ local state = resty_string.to_hex(resty_random.bytes(16))
+ local nonce = (opts.use_nonce == nil or opts.use_nonce)
+ and resty_string.to_hex(resty_random.bytes(16))
+ local code_verifier = opts.use_pkce and openidc_base64_url_encode(resty_random.bytes(32))
+
+ -- assemble the parameters to the authentication request
+ local params = {
+ client_id = opts.client_id,
+ response_type = "code",
+ scope = opts.scope and opts.scope or "openid email profile",
+ redirect_uri = openidc_get_redirect_uri(opts, session),
+ state = state,
+ }
+
+ if nonce then
+ params.nonce = nonce
+ end
+
+ if prompt then
+ params.prompt = prompt
+ end
+
+ if opts.display then
+ params.display = opts.display
+ end
+
+ if code_verifier then
+ params.code_challenge_method = 'S256'
+ params.code_challenge = openidc_s256(code_verifier)
+ end
+
+ -- merge any provided extra parameters
+ if opts.authorization_params then
+ for k, v in pairs(opts.authorization_params) do params[k] = v end
+ end
+
+ -- store state in the session
+ session.data.original_url = target_url
+ session.data.state = state
+ session.data.nonce = nonce
+ session.data.code_verifier = code_verifier
+ session.data.last_authenticated = ngx.time()
+
+ if opts.lifecycle and opts.lifecycle.on_created then
+ err = opts.lifecycle.on_created(session)
+ if err then
+ log(WARN, "failed in `on_created` handler: " .. err)
+ return err
+ end
+ end
+
+ session:save()
+
+ -- redirect to the /authorization endpoint
+ ngx.header["Cache-Control"] = "no-cache, no-store, max-age=0"
+ return ngx.redirect(openidc_combine_uri(opts.discovery.authorization_endpoint, params))
+end
+
+-- parse the JSON result from a call to the OP
+local function openidc_parse_json_response(response, ignore_body_on_success)
+ local ignore_body_on_success = ignore_body_on_success or false
+
+ local err
+ local res
+
+ -- check the response from the OP
+ if response.status ~= 200 then
+ err = "response indicates failure, status=" .. response.status .. ", body=" .. response.body
+ else
+ if ignore_body_on_success then
+ return nil, nil
+ end
+
+ -- decode the response and extract the JSON object
+ res = cjson_s.decode(response.body)
+
+ if not res then
+ err = "JSON decoding failed"
+ end
+ end
+
+ return res, err
+end
+
+local function openidc_configure_timeouts(httpc, timeout)
+ if timeout then
+ if type(timeout) == "table" then
+ local r, e = httpc:set_timeouts(timeout.connect or 0, timeout.send or 0, timeout.read or 0)
+ else
+ local r, e = httpc:set_timeout(timeout)
+ end
+ end
+end
+
+-- Set outgoing proxy options
+local function openidc_configure_proxy(httpc, proxy_opts)
+ if httpc and proxy_opts and type(proxy_opts) == "table" then
+ log(DEBUG, "openidc_configure_proxy : use http proxy")
+ httpc:set_proxy_options(proxy_opts)
+ else
+ log(DEBUG, "openidc_configure_proxy : don't use http proxy")
+ end
+end
+
+-- make a call to the token endpoint
+function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name, ignore_body_on_success)
+ local ignore_body_on_success = ignore_body_on_success or false
+
+ local ep_name = endpoint_name or 'token'
+ if not endpoint then
+ return nil, 'no endpoint URI for ' .. ep_name
+ end
+
+ local headers = {
+ ["Content-Type"] = "application/x-www-form-urlencoded"
+ }
+
+ if auth then
+ if auth == "client_secret_basic" then
+ if opts.client_secret then
+ headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":" .. ngx.escape_uri(opts.client_secret))
+ else
+ -- client_secret must not be set if Windows Integrated Authentication (WIA) is used with
+ -- Active Directory Federation Services (AD FS) 4.0 (or newer) on Windows Server 2016 (or newer)
+ headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":")
+ end
+ log(DEBUG, "client_secret_basic: authorization header '" .. headers.Authorization .. "'")
+
+ elseif auth == "client_secret_post" then
+ body.client_id = opts.client_id
+ if opts.client_secret then
+ body.client_secret = opts.client_secret
+ end
+ log(DEBUG, "client_secret_post: client_id and client_secret being sent in POST body")
+
+ elseif auth == "private_key_jwt" or auth == "client_secret_jwt" then
+ local key = auth == "private_key_jwt" and opts.client_rsa_private_key or opts.client_secret
+ if not key then
+ return nil, "Can't use " .. auth .. " without a key."
+ end
+ body.client_id = opts.client_id
+ body.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+ local now = ngx.time()
+ local assertion = {
+ header = {
+ typ = "JWT",
+ alg = auth == "private_key_jwt" and "RS256" or "HS256",
+ },
+ payload = {
+ iss = opts.client_id,
+ sub = opts.client_id,
+ aud = endpoint,
+ jti = ngx.var.request_id,
+ exp = now + (opts.client_jwt_assertion_expires_in and opts.client_jwt_assertion_expires_in or 60),
+ iat = now
+ }
+ }
+ if auth == "private_key_jwt" then
+ assertion.header.kid = opts.client_rsa_private_key_id
+ end
+
+ local r_jwt = require("resty.jwt")
+ body.client_assertion = r_jwt:sign(key, assertion)
+ log(DEBUG, auth .. ": client_id, client_assertion_type and client_assertion being sent in POST body")
+ end
+ end
+
+ local pass_cookies = opts.pass_cookies
+ if pass_cookies then
+ if ngx.req.get_headers()["Cookie"] then
+ local t = {}
+ for cookie_name in string.gmatch(pass_cookies, "%S+") do
+ local cookie_value = ngx.var["cookie_" .. cookie_name]
+ if cookie_value then
+ table.insert(t, cookie_name .. "=" .. cookie_value)
+ end
+ end
+ headers.Cookie = table.concat(t, "; ")
+ end
+ end
+
+ log(DEBUG, "request body for " .. ep_name .. " endpoint call: ", ngx.encode_args(body))
+
+ local httpc = http.new()
+ openidc_configure_timeouts(httpc, opts.timeout)
+ openidc_configure_proxy(httpc, opts.proxy_opts)
+ local res, err = httpc:request_uri(endpoint, decorate_request(opts.http_request_decorator, {
+ method = "POST",
+ body = ngx.encode_args(body),
+ headers = headers,
+ ssl_verify = (opts.ssl_verify ~= "no"),
+ keepalive = (opts.keepalive ~= "no")
+ }))
+ if not res then
+ err = "accessing " .. ep_name .. " endpoint (" .. endpoint .. ") failed: " .. err
+ log(ERROR, err)
+ return nil, err
+ end
+
+ log(DEBUG, ep_name .. " endpoint response: ", res.body)
+
+ return openidc_parse_json_response(res, ignore_body_on_success)
+end
+
+-- computes access_token expires_in value (in seconds)
+local function openidc_access_token_expires_in(opts, expires_in)
+ return (expires_in or opts.access_token_expires_in or 3600) - 1 - (opts.access_token_expires_leeway or 0)
+end
+
+local function openidc_load_jwt_none_alg(enc_hdr, enc_payload)
+ local header = cjson_s.decode(openidc_base64_url_decode(enc_hdr))
+ local payload = cjson_s.decode(openidc_base64_url_decode(enc_payload))
+ if header and payload and header.alg == "none" then
+ return {
+ raw_header = enc_hdr,
+ raw_payload = enc_payload,
+ header = header,
+ payload = payload,
+ signature = ''
+ }
+ end
+ return nil
+end
+
+-- get the Discovery metadata from the specified URL
+local function openidc_discover(url, ssl_verify, keepalive, timeout, exptime, proxy_opts, http_request_decorator)
+ log(DEBUG, "openidc_discover: URL is: " .. url)
+
+ local json, err
+ local v = openidc_cache_get("discovery", url)
+ if not v then
+
+ log(DEBUG, "discovery data not in cache, making call to discovery endpoint")
+ -- make the call to the discovery endpoint
+ local httpc = http.new()
+ openidc_configure_timeouts(httpc, timeout)
+ openidc_configure_proxy(httpc, proxy_opts)
+ local res, error = httpc:request_uri(url, decorate_request(http_request_decorator, {
+ ssl_verify = (ssl_verify ~= "no"),
+ keepalive = (keepalive ~= "no")
+ }))
+ if not res then
+ err = "accessing discovery url (" .. url .. ") failed: " .. error
+ log(ERROR, err)
+ else
+ log(DEBUG, "response data: " .. res.body)
+ json, err = openidc_parse_json_response(res)
+ if json then
+ openidc_cache_set("discovery", url, cjson.encode(json), exptime or 24 * 60 * 60)
+ else
+ err = "could not decode JSON from Discovery data" .. (err and (": " .. err) or '')
+ log(ERROR, err)
+ end
+ end
+
+ else
+ json = cjson.decode(v)
+ end
+
+ return json, err
+end
+
+-- turn a discovery url set in the opts dictionary into the discovered information
+local function openidc_ensure_discovered_data(opts)
+ local err
+ if type(opts.discovery) == "string" then
+ local discovery
+ discovery, err = openidc_discover(opts.discovery, opts.ssl_verify, opts.keepalive, opts.timeout, opts.discovery_expires_in, opts.proxy_opts,
+ opts.http_request_decorator)
+ if not err then
+ opts.discovery = discovery
+ end
+ end
+ return err
+end
+
+-- make a call to the userinfo endpoint
+function openidc.call_userinfo_endpoint(opts, access_token)
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ return nil, err
+ end
+ if not (opts and opts.discovery and opts.discovery.userinfo_endpoint) then
+ log(DEBUG, "no userinfo endpoint supplied")
+ return nil, nil
+ end
+
+ local headers = {
+ ["Authorization"] = "Bearer " .. access_token,
+ }
+
+ log(DEBUG, "authorization header '" .. headers.Authorization .. "'")
+
+ local httpc = http.new()
+ openidc_configure_timeouts(httpc, opts.timeout)
+ openidc_configure_proxy(httpc, opts.proxy_opts)
+ local res, err = httpc:request_uri(opts.discovery.userinfo_endpoint,
+ decorate_request(opts.http_request_decorator, {
+ headers = headers,
+ ssl_verify = (opts.ssl_verify ~= "no"),
+ keepalive = (opts.keepalive ~= "no")
+ }))
+ if not res then
+ err = "accessing (" .. opts.discovery.userinfo_endpoint .. ") failed: " .. err
+ return nil, err
+ end
+
+ log(DEBUG, "userinfo response: ", res.body)
+
+ -- parse the response from the user info endpoint
+ return openidc_parse_json_response(res)
+end
+
+local function can_use_token_auth_method(method, opts)
+ local supported = supported_token_auth_methods[method]
+ return supported and (type(supported) ~= 'function' or supported(opts))
+end
+
+-- get the token endpoint authentication method
+local function openidc_get_token_auth_method(opts)
+
+ if opts.token_endpoint_auth_method ~= nil and not can_use_token_auth_method(opts.token_endpoint_auth_method, opts) then
+ log(ERROR, "configured value for token_endpoint_auth_method (" .. opts.token_endpoint_auth_method .. ") is not supported, ignoring it")
+ opts.token_endpoint_auth_method = nil
+ end
+
+ local result
+ if opts.discovery.token_endpoint_auth_methods_supported ~= nil then
+ -- if set check to make sure the discovery data includes the selected client auth method
+ if opts.token_endpoint_auth_method ~= nil then
+ for index, value in ipairs(opts.discovery.token_endpoint_auth_methods_supported) do
+ log(DEBUG, index .. " => " .. value)
+ if value == opts.token_endpoint_auth_method then
+ log(DEBUG, "configured value for token_endpoint_auth_method (" .. opts.token_endpoint_auth_method .. ") found in token_endpoint_auth_methods_supported in metadata")
+ result = opts.token_endpoint_auth_method
+ break
+ end
+ end
+ if result == nil then
+ log(ERROR, "configured value for token_endpoint_auth_method (" .. opts.token_endpoint_auth_method .. ") NOT found in token_endpoint_auth_methods_supported in metadata")
+ return nil
+ end
+ else
+ for index, value in ipairs(opts.discovery.token_endpoint_auth_methods_supported) do
+ log(DEBUG, index .. " => " .. value)
+ if can_use_token_auth_method(value, opts) then
+ result = value
+ log(DEBUG, "no configuration setting for option so select the first supported method specified by the OP: " .. result)
+ break
+ end
+ end
+ end
+ else
+ result = opts.token_endpoint_auth_method
+ end
+
+ -- set a sane default if auto-configuration failed
+ if result == nil then
+ result = "client_secret_basic"
+ end
+
+ log(DEBUG, "token_endpoint_auth_method result set to " .. result)
+
+ return result
+end
+
+-- ensure that discovery and token auth configuration is available in opts
+local function ensure_config(opts)
+ local err
+ err = openidc_ensure_discovered_data(opts)
+ if err then
+ return err
+ end
+
+ -- set the authentication method for the token endpoint
+ opts.token_endpoint_auth_method = openidc_get_token_auth_method(opts)
+end
+
+-- query for discovery endpoint data
+function openidc.get_discovery_doc(opts)
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ log(ERROR, "error getting endpoints definition using discovery endpoint")
+ end
+
+ return opts.discovery, err
+end
+
+local function openidc_jwks(url, force, ssl_verify, keepalive, timeout, exptime, proxy_opts, http_request_decorator)
+ log(DEBUG, "openidc_jwks: URL is: " .. url .. " (force=" .. force .. ") (decorator=" .. (http_request_decorator and type(http_request_decorator) or "nil"))
+
+ local json, err, v
+
+ if force == 0 then
+ v = openidc_cache_get("jwks", url)
+ end
+
+ if not v then
+
+ log(DEBUG, "cannot use cached JWKS data; making call to jwks endpoint")
+ -- make the call to the jwks endpoint
+ local httpc = http.new()
+ openidc_configure_timeouts(httpc, timeout)
+ openidc_configure_proxy(httpc, proxy_opts)
+ local res, error = httpc:request_uri(url, decorate_request(http_request_decorator, {
+ ssl_verify = (ssl_verify ~= "no"),
+ keepalive = (keepalive ~= "no")
+ }))
+ if not res then
+ err = "accessing jwks url (" .. url .. ") failed: " .. error
+ log(ERROR, err)
+ else
+ log(DEBUG, "response data: " .. res.body)
+ json, err = openidc_parse_json_response(res)
+ if json then
+ openidc_cache_set("jwks", url, cjson.encode(json), exptime or 24 * 60 * 60)
+ end
+ end
+
+ else
+ json = cjson.decode(v)
+ end
+
+ return json, err
+end
+
+local function split_by_chunk(text, chunkSize)
+ local s = {}
+ for i = 1, #text, chunkSize do
+ s[#s + 1] = text:sub(i, i + chunkSize - 1)
+ end
+ return s
+end
+
+local function get_jwk(keys, kid)
+
+ local rsa_keys = {}
+ for _, value in pairs(keys) do
+ if value.kty == "RSA" and (not value.use or value.use == "sig") then
+ table.insert(rsa_keys, value)
+ end
+ end
+
+ if kid == nil then
+ if #rsa_keys == 1 then
+ log(DEBUG, "returning only RSA key of JWKS for keyid-less JWT")
+ return rsa_keys[1], nil
+ else
+ return nil, "JWT doesn't specify kid but the keystore contains multiple RSA keys"
+ end
+ end
+ for _, value in pairs(rsa_keys) do
+ if value.kid == kid then
+ return value, nil
+ end
+ end
+
+ return nil, "RSA key with id " .. kid .. " not found"
+end
+
+local wrap = ('.'):rep(64)
+
+local envelope = "-----BEGIN %s-----\n%s\n-----END %s-----\n"
+
+local function der2pem(data, typ)
+ typ = typ:upper() or "CERTIFICATE"
+ data = b64(data)
+ return string.format(envelope, typ, data:gsub(wrap, '%0\n', (#data - 1) / 64), typ)
+end
+
+
+local function encode_length(length)
+ if length < 0x80 then
+ return string.char(length)
+ elseif length < 0x100 then
+ return string.char(0x81, length)
+ elseif length < 0x10000 then
+ return string.char(0x82, math.floor(length / 0x100), length % 0x100)
+ end
+ error("Can't encode lengths over 65535")
+end
+
+
+local function encode_sequence(array, of)
+ local encoded_array = array
+ if of then
+ encoded_array = {}
+ for i = 1, #array do
+ encoded_array[i] = of(array[i])
+ end
+ end
+ encoded_array = table.concat(encoded_array)
+
+ return string.char(0x30) .. encode_length(#encoded_array) .. encoded_array
+end
+
+local function encode_binary_integer(bytes)
+ if bytes:byte(1) > 127 then
+ -- We currenly only use this for unsigned integers,
+ -- however since the high bit is set here, it would look
+ -- like a negative signed int, so prefix with zeroes
+ bytes = "\0" .. bytes
+ end
+ return "\2" .. encode_length(#bytes) .. bytes
+end
+
+local function encode_sequence_of_integer(array)
+ return encode_sequence(array, encode_binary_integer)
+end
+
+local function encode_bit_string(array)
+ local s = "\0" .. array -- first octet holds the number of unused bits
+ return "\3" .. encode_length(#s) .. s
+end
+
+local function openidc_pem_from_x5c(x5c)
+ log(DEBUG, "Found x5c, getting PEM public key from x5c entry of json public key")
+ local chunks = split_by_chunk(b64(openidc_base64_url_decode(x5c[1])), 64)
+ local pem = "-----BEGIN CERTIFICATE-----\n" ..
+ table.concat(chunks, "\n") ..
+ "\n-----END CERTIFICATE-----"
+ log(DEBUG, "Generated PEM key from x5c:", pem)
+ return pem
+end
+
+local function openidc_pem_from_rsa_n_and_e(n, e)
+ log(DEBUG, "getting PEM public key from n and e parameters of json public key")
+
+ local der_key = {
+ openidc_base64_url_decode(n), openidc_base64_url_decode(e)
+ }
+ local encoded_key = encode_sequence_of_integer(der_key)
+ local pem = der2pem(encode_sequence({
+ encode_sequence({
+ "\6\9\42\134\72\134\247\13\1\1\1" -- OID :rsaEncryption
+ .. "\5\0" -- ASN.1 NULL of length 0
+ }),
+ encode_bit_string(encoded_key)
+ }), "PUBLIC KEY")
+ log(DEBUG, "Generated pem key from n and e: ", pem)
+ return pem
+end
+
+local function openidc_pem_from_jwk(opts, kid)
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ return nil, err
+ end
+
+ if not opts.discovery.jwks_uri or not (type(opts.discovery.jwks_uri) == "string") or (opts.discovery.jwks_uri == "") then
+ return nil, "opts.discovery.jwks_uri is not present or not a string"
+ end
+
+ local cache_id = opts.discovery.jwks_uri .. '#' .. (kid or '')
+ local v = openidc_cache_get("jwks", cache_id)
+
+ if v then
+ return v
+ end
+
+ local jwk, jwks
+
+ for force = 0, 1 do
+ jwks, err = openidc_jwks(opts.discovery.jwks_uri, force, opts.ssl_verify, opts.keepalive, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
+ opts.http_request_decorator)
+ if err then
+ return nil, err
+ end
+
+ jwk, err = get_jwk(jwks.keys, kid)
+
+ if jwk and not err then
+ break
+ end
+ end
+
+ if err then
+ return nil, err
+ end
+
+ local x5c = jwk.x5c
+ if x5c and #(jwk.x5c) == 0 then
+ log(WARN, "Found invalid JWK with empty x5c array, ignoring x5c claim")
+ x5c = nil
+ end
+
+ local pem
+ if x5c then
+ pem = openidc_pem_from_x5c(x5c)
+ elseif jwk.kty == "RSA" and jwk.n and jwk.e then
+ pem = openidc_pem_from_rsa_n_and_e(jwk.n, jwk.e)
+ else
+ return nil, "don't know how to create RSA key/cert for " .. cjson.encode(jwk)
+ end
+
+ openidc_cache_set("jwks", cache_id, pem, opts.jwk_expires_in or 24 * 60 * 60)
+ return pem
+end
+
+-- does lua-resty-jwt and/or we know how to handle the algorithm of the JWT?
+local function is_algorithm_supported(jwt_header)
+ return jwt_header and jwt_header.alg and (jwt_header.alg == "none"
+ or string.sub(jwt_header.alg, 1, 2) == "RS"
+ or string.sub(jwt_header.alg, 1, 2) == "HS")
+end
+
+-- is the JWT signing algorithm an asymmetric one whose key might be
+-- obtained from the discovery endpoint?
+local function uses_asymmetric_algorithm(jwt_header)
+ return string.sub(jwt_header.alg, 1, 2) == "RS"
+end
+
+-- is the JWT signing algorithm one that has been expected?
+local function is_algorithm_expected(jwt_header, expected_algs)
+ if expected_algs == nil or not jwt_header or not jwt_header.alg then
+ return true
+ end
+ if type(expected_algs) == 'string' then
+ expected_algs = { expected_algs }
+ end
+ for _, alg in ipairs(expected_algs) do
+ if alg == jwt_header.alg then
+ return true
+ end
+ end
+ return false
+end
+
+-- parse a JWT and verify its signature (if present)
+local function openidc_load_jwt_and_verify_crypto(opts, jwt_string, asymmetric_secret,
+symmetric_secret, expected_algs, ...)
+ local r_jwt = require("resty.jwt")
+ local enc_hdr, enc_payload, enc_sign = string.match(jwt_string, '^(.+)%.(.+)%.(.*)$')
+ if enc_payload and (not enc_sign or enc_sign == "") then
+ local jwt = openidc_load_jwt_none_alg(enc_hdr, enc_payload)
+ if jwt then
+ if opts.accept_none_alg then
+ log(DEBUG, "accept JWT with alg \"none\" and no signature")
+ return jwt
+ else
+ return jwt, "token uses \"none\" alg but accept_none_alg is not enabled"
+ end
+ end -- otherwise the JWT is invalid and load_jwt produces an error
+ end
+
+ local jwt_obj = r_jwt:load_jwt(jwt_string, nil)
+ if not jwt_obj.valid then
+ local reason = "invalid jwt"
+ if jwt_obj.reason then
+ reason = reason .. ": " .. jwt_obj.reason
+ end
+ return nil, reason
+ end
+
+ if not is_algorithm_expected(jwt_obj.header, expected_algs) then
+ local alg = jwt_obj.header and jwt_obj.header.alg or "no algorithm at all"
+ return nil, "token is signed by unexpected algorithm \"" .. alg .. "\""
+ end
+
+ local secret
+ if is_algorithm_supported(jwt_obj.header) then
+ if uses_asymmetric_algorithm(jwt_obj.header) then
+ if opts.secret then
+ log(WARN, "using deprecated option `opts.secret` for asymmetric key; switch to `opts.public_key` instead")
+ end
+ secret = asymmetric_secret or opts.secret
+ if not secret and opts.discovery then
+ log(DEBUG, "using discovery to find key")
+ local err
+ secret, err = openidc_pem_from_jwk(opts, jwt_obj.header.kid)
+
+ if secret == nil then
+ log(ERROR, err)
+ return nil, err
+ end
+ end
+ else
+ if opts.secret then
+ log(WARN, "using deprecated option `opts.secret` for symmetric key; switch to `opts.symmetric_key` instead")
+ end
+ secret = symmetric_secret or opts.secret
+ end
+ end
+
+ if #{ ... } == 0 then
+ -- an empty list of claim specs makes lua-resty-jwt add default
+ -- validators for the exp and nbf claims if they are
+ -- present. These validators need to know the configured slack
+ -- value
+ local jwt_validators = require("resty.jwt-validators")
+ jwt_validators.set_system_leeway(opts.iat_slack and opts.iat_slack or 120)
+ end
+
+ jwt_obj = r_jwt:verify_jwt_obj(secret, jwt_obj, ...)
+ if jwt_obj then
+ log(DEBUG, "jwt: ", cjson.encode(jwt_obj), " ,valid: ", jwt_obj.valid, ", verified: ", jwt_obj.verified)
+ end
+ if not jwt_obj.verified then
+ local reason = "jwt signature verification failed"
+ if jwt_obj.reason then
+ reason = reason .. ": " .. jwt_obj.reason
+ end
+ return jwt_obj, reason
+ end
+ return jwt_obj
+end
+
+--
+-- Load and validate id token from the id_token properties of the token endpoint response
+-- Parameters :
+-- - opts the openidc module options
+-- - jwt_id_token the id_token from the id_token properties of the token endpoint response
+-- - session the current session
+-- Return the id_token, nil if valid
+-- Return nil, the error if invalid
+--
+local function openidc_load_and_validate_jwt_id_token(opts, jwt_id_token, session)
+
+ local jwt_obj, err = openidc_load_jwt_and_verify_crypto(opts, jwt_id_token, opts.public_key, opts.client_secret,
+ opts.discovery.id_token_signing_alg_values_supported)
+ if err then
+ local alg = (jwt_obj and jwt_obj.header and jwt_obj.header.alg) or ''
+ local is_unsupported_signature_error = jwt_obj and not jwt_obj.verified and not is_algorithm_supported(jwt_obj.header)
+ if is_unsupported_signature_error then
+ if opts.accept_unsupported_alg == nil or opts.accept_unsupported_alg then
+ log(WARN, "ignored id_token signature as algorithm '" .. alg .. "' is not supported")
+ else
+ err = "token is signed using algorithm \"" .. alg .. "\" which is not supported by lua-resty-jwt"
+ log(ERROR, err)
+ return nil, err
+ end
+ else
+ log(ERROR, "id_token '" .. alg .. "' signature verification failed")
+ return nil, err
+ end
+ end
+ local id_token = jwt_obj.payload
+
+ log(DEBUG, "id_token header: ", cjson.encode(jwt_obj.header))
+ log(DEBUG, "id_token payload: ", cjson.encode(jwt_obj.payload))
+
+ -- validate the id_token contents
+ if openidc_validate_id_token(opts, id_token, session.data.nonce) == false then
+ err = "id_token validation failed"
+ log(ERROR, err)
+ return nil, err
+ end
+
+ return id_token
+end
+
+-- handle a "code" authorization response from the OP
+local function openidc_authorization_response(opts, session)
+ local args = ngx.req.get_uri_args()
+ local err, log_err, client_err
+
+ if not args.code or not args.state then
+ err = "unhandled request to the redirect_uri: " .. ngx.var.request_uri
+ log(ERROR, err)
+ return nil, err, session.data.original_url, session
+ end
+
+ -- check that the state returned in the response against the session; prevents CSRF
+ if args.state ~= session.data.state then
+ log_err = "state from argument: " .. (args.state and args.state or "nil") .. " does not match state restored from session: " .. (session.data.state and session.data.state or "nil")
+ client_err = "state from argument does not match state restored from session"
+ log(ERROR, log_err)
+ return nil, client_err, session.data.original_url, session
+ end
+
+ err = ensure_config(opts)
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ -- check the iss if returned from the OP
+ if args.iss and args.iss ~= opts.discovery.issuer then
+ log_err = "iss from argument: " .. args.iss .. " does not match expected issuer: " .. opts.discovery.issuer
+ client_err = "iss from argument does not match expected issuer"
+ log(ERROR, log_err)
+ return nil, client_err, session.data.original_url, session
+ end
+
+ -- check the client_id if returned from the OP
+ if args.client_id and args.client_id ~= opts.client_id then
+ log_err = "client_id from argument: " .. args.client_id .. " does not match expected client_id: " .. opts.client_id
+ client_err = "client_id from argument does not match expected client_id"
+ log(ERROR, log_err)
+ return nil, client_err, session.data.original_url, session
+ end
+
+ -- assemble the parameters to the token endpoint
+ local body = {
+ grant_type = "authorization_code",
+ code = args.code,
+ redirect_uri = openidc_get_redirect_uri(opts, session),
+ state = session.data.state,
+ code_verifier = session.data.code_verifier
+ }
+
+ log(DEBUG, "Authentication with OP done -> Calling OP Token Endpoint to obtain tokens")
+
+ local current_time = ngx.time()
+ -- make the call to the token endpoint
+ local json
+ json, err = openidc.call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ local id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session);
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ -- mark this sessions as authenticated
+ session.data.authenticated = true
+ -- clear state, nonce and code_verifier to protect against potential misuse
+ session.data.nonce = nil
+ session.data.state = nil
+ session.data.code_verifier = nil
+ if store_in_session(opts, 'id_token') then
+ session.data.id_token = id_token
+ end
+
+ if store_in_session(opts, 'user') then
+ -- call the user info endpoint
+ -- TODO: should this error be checked?
+ local user
+ user, err = openidc.call_userinfo_endpoint(opts, json.access_token)
+
+ if err then
+ log(ERROR, "error calling userinfo endpoint: " .. err)
+ elseif user then
+ if id_token.sub ~= user.sub then
+ err = "\"sub\" claim in id_token (\"" .. (id_token.sub or "null") .. "\") is not equal to the \"sub\" claim returned from the userinfo endpoint (\"" .. (user.sub or "null") .. "\")"
+ log(ERROR, err)
+ else
+ session.data.user = user
+ end
+ end
+ end
+
+ if store_in_session(opts, 'enc_id_token') then
+ session.data.enc_id_token = json.id_token
+ end
+
+ if store_in_session(opts, 'access_token') then
+ session.data.access_token = json.access_token
+ session.data.access_token_expiration = current_time
+ + openidc_access_token_expires_in(opts, json.expires_in)
+ if json.refresh_token ~= nil then
+ session.data.refresh_token = json.refresh_token
+ end
+ end
+
+ if opts.lifecycle and opts.lifecycle.on_authenticated then
+ err = opts.lifecycle.on_authenticated(session, id_token, json)
+ if err then
+ log(WARN, "failed in `on_authenticated` handler: " .. err)
+ return nil, err, session.data.original_url, session
+ end
+ end
+
+ -- save the session with the obtained id_token
+ session:save()
+
+ -- redirect to the URL that was accessed originally
+ log(DEBUG, "OIDC Authorization Code Flow completed -> Redirecting to original URL (" .. session.data.original_url .. ")")
+ ngx.redirect(session.data.original_url)
+ return nil, nil, session.data.original_url, session
+end
+
+-- token revocation (RFC 7009)
+local function openidc_revoke_token(opts, token_type_hint, token)
+ if not opts.discovery.revocation_endpoint then
+ log(DEBUG, "no revocation endpoint supplied. unable to revoke " .. token_type_hint .. ".")
+ return nil
+ end
+
+ local token_type_hint = token_type_hint or nil
+ local body = {
+ token = token
+ }
+ if token_type_hint then
+ body['token_type_hint'] = token_type_hint
+ end
+ local token_type_log = token_type_hint or 'token'
+
+ -- ensure revocation endpoint auth method is properly discovered
+ local err = ensure_config(opts)
+ if err then
+ log(ERROR, "revocation of " .. token_type_log .. " unsuccessful: " .. err)
+ return false
+ end
+
+ -- call the revocation endpoint
+ local _
+ _, err = openidc.call_token_endpoint(opts, opts.discovery.revocation_endpoint, body, opts.token_endpoint_auth_method, "revocation", true)
+ if err then
+ log(ERROR, "revocation of " .. token_type_log .. " unsuccessful: " .. err)
+ return false
+ else
+ log(DEBUG, "revocation of " .. token_type_log .. " successful")
+ return true
+ end
+end
+
+function openidc.revoke_token(opts, token_type_hint, token)
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ log(ERROR, "revocation of " .. (token_type_hint or "token (no type specified)") .. " unsuccessful: " .. err)
+ return false
+ end
+
+ return openidc_revoke_token(opts, token_type_hint, token)
+end
+
+function openidc.revoke_tokens(opts, session)
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ log(ERROR, "revocation of tokens unsuccessful: " .. err)
+ return false
+ end
+
+ local access_token = session.data.access_token
+ local refresh_token = session.data.refresh_token
+
+ local access_token_revoke, refresh_token_revoke
+ if refresh_token then
+ access_token_revoke = openidc_revoke_token(opts, "refresh_token", refresh_token)
+ end
+ if access_token then
+ refresh_token_revoke = openidc_revoke_token(opts, "access_token", access_token)
+ end
+ return access_token_revoke and refresh_token_revoke
+end
+
+local openidc_transparent_pixel = "\137\080\078\071\013\010\026\010\000\000\000\013\073\072\068\082" ..
+ "\000\000\000\001\000\000\000\001\008\004\000\000\000\181\028\012" ..
+ "\002\000\000\000\011\073\068\065\084\120\156\099\250\207\000\000" ..
+ "\002\007\001\002\154\028\049\113\000\000\000\000\073\069\078\068" ..
+ "\174\066\096\130"
+
+-- handle logout
+local function openidc_logout(opts, session)
+ local session_token = session.data.enc_id_token
+ local access_token = session.data.access_token
+ local refresh_token = session.data.refresh_token
+ local err
+
+ if opts.lifecycle and opts.lifecycle.on_logout then
+ err = opts.lifecycle.on_logout(session)
+ if err then
+ log(WARN, "failed in `on_logout` handler: " .. err)
+ return err
+ end
+ end
+
+ session:destroy()
+
+ if opts.revoke_tokens_on_logout then
+ log(DEBUG, "revoke_tokens_on_logout is enabled. " ..
+ "trying to revoke access and refresh tokens...")
+ if refresh_token then
+ openidc_revoke_token(opts, "refresh_token", refresh_token)
+ end
+ if access_token then
+ openidc_revoke_token(opts, "access_token", access_token)
+ end
+ end
+
+ local headers = ngx.req.get_headers()
+ local header = get_first(headers['Accept'])
+ if header and header:find("image/png") then
+ ngx.header["Cache-Control"] = "no-cache, no-store"
+ ngx.header["Pragma"] = "no-cache"
+ ngx.header["P3P"] = "CAO PSA OUR"
+ ngx.header["Expires"] = "0"
+ ngx.header["X-Frame-Options"] = "DENY"
+ ngx.header.content_type = "image/png"
+ ngx.print(openidc_transparent_pixel)
+ ngx.exit(ngx.OK)
+ return
+ elseif opts.redirect_after_logout_uri or opts.discovery.end_session_endpoint then
+ local uri
+ if opts.redirect_after_logout_uri then
+ uri = opts.redirect_after_logout_uri
+ else
+ uri = opts.discovery.end_session_endpoint
+ end
+ local params = {}
+ if (opts.redirect_after_logout_with_id_token_hint or not opts.redirect_after_logout_uri) and session_token then
+ params["id_token_hint"] = session_token
+ end
+ if opts.post_logout_redirect_uri then
+ params["post_logout_redirect_uri"] = opts.post_logout_redirect_uri
+ end
+ return ngx.redirect(openidc_combine_uri(uri, params))
+ elseif opts.discovery.ping_end_session_endpoint then
+ local params = {}
+ if opts.post_logout_redirect_uri then
+ params["TargetResource"] = opts.post_logout_redirect_uri
+ end
+ return ngx.redirect(openidc_combine_uri(opts.discovery.ping_end_session_endpoint, params))
+ end
+
+ ngx.header.content_type = "text/html"
+ ngx.say("<html><body>Logged Out</body></html>")
+ ngx.exit(ngx.OK)
+end
+
+-- returns a valid access_token (eventually refreshing the token)
+local function openidc_access_token(opts, session, try_to_renew)
+
+ local err
+
+ if session.data.access_token == nil then
+ return nil, err
+ end
+ local current_time = ngx.time()
+ if current_time < session.data.access_token_expiration then
+ return session.data.access_token, err
+ end
+ if not try_to_renew then
+ return nil, "token expired"
+ end
+ if session.data.refresh_token == nil then
+ return nil, "token expired and no refresh token available"
+ end
+
+ log(DEBUG, "refreshing expired access_token: ", session.data.access_token, " with: ", session.data.refresh_token)
+
+ -- retrieve token endpoint URL from discovery endpoint if necessary
+ err = ensure_config(opts)
+ if err then
+ return nil, err
+ end
+
+ -- assemble the parameters to the token endpoint
+ local body = {
+ grant_type = "refresh_token",
+ refresh_token = session.data.refresh_token,
+ scope = opts.scope and opts.scope or "openid email profile"
+ }
+
+ local json
+ json, err = openidc.call_token_endpoint(opts, opts.discovery.token_endpoint, body, opts.token_endpoint_auth_method)
+ if err then
+ return nil, err
+ end
+ local id_token
+ if json.id_token then
+ id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
+ if err then
+ log(ERROR, "invalid id token, discarding tokens returned while refreshing")
+ return nil, err
+ end
+ end
+ log(DEBUG, "access_token refreshed: ", json.access_token, " updated refresh_token: ", json.refresh_token)
+
+ session.data.access_token = json.access_token
+ session.data.access_token_expiration = current_time + openidc_access_token_expires_in(opts, json.expires_in)
+ if json.refresh_token then
+ session.data.refresh_token = json.refresh_token
+ end
+
+ if json.id_token and
+ (store_in_session(opts, 'enc_id_token') or store_in_session(opts, 'id_token')) then
+ log(DEBUG, "id_token refreshed: ", json.id_token)
+ if store_in_session(opts, 'enc_id_token') then
+ session.data.enc_id_token = json.id_token
+ end
+ if store_in_session(opts, 'id_token') then
+ session.data.id_token = id_token
+ end
+ end
+
+ -- save the session with the new access_token and optionally the new refresh_token and id_token using a new sessionid
+ local regenerated
+ regenerated, err = session:regenerate()
+ if err then
+ log(ERROR, "failed to regenerate session: " .. err)
+ return nil, err
+ end
+ if opts.lifecycle and opts.lifecycle.on_regenerated then
+ err = opts.lifecycle.on_regenerated(session)
+ if err then
+ log(WARN, "failed in `on_regenerated` handler: " .. err)
+ return nil, err
+ end
+ end
+
+ return session.data.access_token, err
+end
+
+local function openidc_get_path(uri)
+ local without_query = uri:match("(.-)%?") or uri
+ return without_query:match(".-//[^/]+(/.*)") or without_query
+end
+
+local function openidc_get_redirect_uri_path(opts)
+ return opts.redirect_uri and openidc_get_path(opts.redirect_uri) or opts.redirect_uri_path
+end
+
+local function is_session(o)
+ return o ~= nil and o.start and type(o.start) == "function"
+end
+
+-- main routine for OpenID Connect user authentication
+function openidc.authenticate(opts, target_url, unauth_action, session_or_opts)
+
+ if opts.redirect_uri_path then
+ log(WARN, "using deprecated option `opts.redirect_uri_path`; switch to using an absolute URI and `opts.redirect_uri` instead")
+ end
+
+ local err
+
+ local session
+ if is_session(session_or_opts) then
+ session = session_or_opts
+ else
+ local session_error
+ session, session_error = r_session.start(session_or_opts)
+ if session == nil then
+ log(ERROR, "Error starting session: " .. session_error)
+ return nil, session_error, target_url, session
+ end
+ end
+
+ target_url = target_url or ngx.var.request_uri
+
+ local access_token
+
+ -- see if this is a request to the redirect_uri i.e. an authorization response
+ local path = openidc_get_path(target_url)
+ if path == openidc_get_redirect_uri_path(opts) then
+ log(DEBUG, "Redirect URI path (" .. path .. ") is currently navigated -> Processing authorization response coming from OP")
+
+ if not session.present then
+ err = "request to the redirect_uri path but there's no session state found"
+ log(ERROR, err)
+ return nil, err, target_url, session
+ end
+
+ return openidc_authorization_response(opts, session)
+ end
+
+ -- see if this is a request to logout
+ if path == (opts.logout_path or "/logout") then
+ log(DEBUG, "Logout path (" .. path .. ") is currently navigated -> Processing local session removal before redirecting to next step of logout process")
+
+ err = ensure_config(opts)
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ openidc_logout(opts, session)
+ return nil, nil, target_url, session
+ end
+
+ local token_expired = false
+ local try_to_renew = opts.renew_access_token_on_expiry == nil or opts.renew_access_token_on_expiry
+ if session.present and session.data.authenticated
+ and store_in_session(opts, 'access_token') then
+
+ -- refresh access_token if necessary
+ access_token, err = openidc_access_token(opts, session, try_to_renew)
+ if err then
+ log(ERROR, "lost access token:" .. err)
+ err = nil
+ end
+ if not access_token then
+ token_expired = true
+ end
+ end
+
+ log(DEBUG,
+ "session.present=", session.present,
+ ", session.data.id_token=", session.data.id_token ~= nil,
+ ", session.data.authenticated=", session.data.authenticated,
+ ", opts.force_reauthorize=", opts.force_reauthorize,
+ ", opts.renew_access_token_on_expiry=", opts.renew_access_token_on_expiry,
+ ", try_to_renew=", try_to_renew,
+ ", token_expired=", token_expired)
+
+ -- if we are not authenticated then redirect to the OP for authentication
+ -- the presence of the id_token is check for backwards compatibility
+ if not session.present
+ or not (session.data.id_token or session.data.authenticated)
+ or opts.force_reauthorize
+ or (try_to_renew and token_expired) then
+ if unauth_action == "pass" then
+ if token_expired then
+ session.data.authenticated = false
+ return nil, 'token refresh failed', target_url, session
+ end
+ return nil, err, target_url, session
+ end
+ if unauth_action == 'deny' then
+ return nil, 'unauthorized request', target_url, session
+ end
+
+ err = ensure_config(opts)
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ log(DEBUG, "Authentication is required - Redirecting to OP Authorization endpoint")
+ openidc_authorize(opts, session, target_url, opts.prompt)
+ return nil, nil, target_url, session
+ end
+
+ -- silently reauthenticate if necessary (mainly used for session refresh/getting updated id_token data)
+ if opts.refresh_session_interval ~= nil then
+ if session.data.last_authenticated == nil or (session.data.last_authenticated + opts.refresh_session_interval) < ngx.time() then
+ err = ensure_config(opts)
+ if err then
+ return nil, err, session.data.original_url, session
+ end
+
+ log(DEBUG, "Silent authentication is required - Redirecting to OP Authorization endpoint")
+ openidc_authorize(opts, session, target_url, "none")
+ return nil, nil, target_url, session
+ end
+ end
+
+ if store_in_session(opts, 'id_token') then
+ -- log id_token contents
+ log(DEBUG, "id_token=", cjson.encode(session.data.id_token))
+ end
+
+ -- return the id_token to the caller Lua script for access control purposes
+ return
+ {
+ id_token = session.data.id_token,
+ access_token = access_token,
+ user = session.data.user
+ },
+ err,
+ target_url,
+ session
+end
+
+-- get a valid access_token (eventually refreshing the token), or nil if there's no valid access_token
+function openidc.access_token(opts, session_opts)
+
+ local session = r_session.start(session_opts)
+ local token, err = openidc_access_token(opts, session, true)
+ session:close()
+ return token, err
+end
+
+
+-- get an OAuth 2.0 bearer access token from the HTTP request cookies
+local function openidc_get_bearer_access_token_from_cookie(opts)
+
+ local err
+
+ log(DEBUG, "getting bearer access token from Cookie")
+
+ local accept_token_as = opts.auth_accept_token_as or "header"
+ if accept_token_as:find("cookie") ~= 1 then
+ return nil, "openidc_get_bearer_access_token_from_cookie called but auth_accept_token_as wants "
+ .. opts.auth_accept_token_as
+ end
+ local divider = accept_token_as:find(':')
+ local cookie_name = divider and accept_token_as:sub(divider + 1) or "PA.global"
+
+ log(DEBUG, "bearer access token from cookie named: " .. cookie_name)
+
+ local cookies = ngx.req.get_headers()["Cookie"]
+ if not cookies then
+ err = "no Cookie header found"
+ log(ERROR, err)
+ return nil, err
+ end
+
+ local cookie_value = ngx.var["cookie_" .. cookie_name]
+ if not cookie_value then
+ err = "no Cookie " .. cookie_name .. " found"
+ log(ERROR, err)
+ end
+
+ return cookie_value, err
+end
+
+
+-- get an OAuth 2.0 bearer access token from the HTTP request
+local function openidc_get_bearer_access_token(opts)
+
+ local err
+
+ local accept_token_as = opts.auth_accept_token_as or "header"
+
+ if accept_token_as:find("cookie") == 1 then
+ return openidc_get_bearer_access_token_from_cookie(opts)
+ end
+
+ -- get the access token from the Authorization header
+ local headers = ngx.req.get_headers()
+ local header_name = opts.auth_accept_token_as_header_name or "Authorization"
+ local header = get_first(headers[header_name])
+
+ if header == nil or header:find(" ") == nil then
+ err = "no Authorization header found"
+ log(ERROR, err)
+ return nil, err
+ end
+
+ local divider = header:find(' ')
+ if string.lower(header:sub(0, divider - 1)) ~= string.lower("Bearer") then
+ err = "no Bearer authorization header value found"
+ log(ERROR, err)
+ return nil, err
+ end
+
+ local access_token = header:sub(divider + 1)
+ if access_token == nil then
+ err = "no Bearer access token value found"
+ log(ERROR, err)
+ return nil, err
+ end
+
+ return access_token, err
+end
+
+local function get_introspection_endpoint(opts)
+ local introspection_endpoint = opts.introspection_endpoint
+ if not introspection_endpoint then
+ local err = openidc_ensure_discovered_data(opts)
+ if err then
+ return nil, "opts.introspection_endpoint not said and " .. err
+ end
+ local endpoint = opts.discovery and opts.discovery.introspection_endpoint
+ if endpoint then
+ return endpoint
+ end
+ end
+ return introspection_endpoint
+end
+
+local function get_introspection_cache_prefix(opts)
+ return (opts.cache_segment and opts.cache_segment.gsub(',', '_') or 'DEFAULT') .. ','
+ .. (get_introspection_endpoint(opts) or 'nil-endpoint') .. ','
+ .. (opts.client_id or 'no-client_id') .. ','
+ .. (opts.client_secret and 'secret' or 'no-client_secret') .. ':'
+end
+
+local function get_cached_introspection(opts, access_token)
+ local introspection_cache_ignore = opts.introspection_cache_ignore or false
+ if not introspection_cache_ignore then
+ return openidc_cache_get("introspection",
+ get_introspection_cache_prefix(opts) .. access_token)
+ end
+end
+
+local function set_cached_introspection(opts, access_token, encoded_json, ttl)
+ local introspection_cache_ignore = opts.introspection_cache_ignore or false
+ if not introspection_cache_ignore then
+ openidc_cache_set("introspection",
+ get_introspection_cache_prefix(opts) .. access_token,
+ encoded_json, ttl)
+ end
+end
+
+-- main routine for OAuth 2.0 token introspection
+function openidc.introspect(opts)
+
+ -- get the access token from the request
+ local access_token, err = openidc_get_bearer_access_token(opts)
+ if access_token == nil then
+ return nil, err
+ end
+
+ -- see if we've previously cached the introspection result for this access token
+ local json
+ local v = get_cached_introspection(opts, access_token)
+
+ if v then
+ json = cjson.decode(v)
+ return json, err
+ end
+
+ -- assemble the parameters to the introspection (token) endpoint
+ local token_param_name = opts.introspection_token_param_name and opts.introspection_token_param_name or "token"
+
+ local body = {}
+
+ body[token_param_name] = access_token
+
+ if opts.client_id then
+ body.client_id = opts.client_id
+ end
+ if opts.client_secret then
+ body.client_secret = opts.client_secret
+ end
+
+ -- merge any provided extra parameters
+ if opts.introspection_params then
+ for key, val in pairs(opts.introspection_params) do body[key] = val end
+ end
+
+ -- call the introspection endpoint
+ local introspection_endpoint
+ introspection_endpoint, err = get_introspection_endpoint(opts)
+ if err then
+ return nil, err
+ end
+ json, err = openidc.call_token_endpoint(opts, introspection_endpoint, body, opts.introspection_endpoint_auth_method, "introspection")
+
+
+ if not json then
+ return json, err
+ end
+
+ if not json.active then
+ err = "invalid token"
+ return json, err
+ end
+
+ -- cache the results
+ local introspection_cache_ignore = opts.introspection_cache_ignore or false
+ local expiry_claim = opts.introspection_expiry_claim or "exp"
+
+ if not introspection_cache_ignore and json[expiry_claim] then
+ local introspection_interval = opts.introspection_interval or 0
+ local ttl = json[expiry_claim]
+ if expiry_claim == "exp" then --https://tools.ietf.org/html/rfc7662#section-2.2
+ ttl = ttl - ngx.time()
+ end
+ if introspection_interval > 0 then
+ if ttl > introspection_interval then
+ ttl = introspection_interval
+ end
+ end
+ log(DEBUG, "cache token ttl: " .. ttl)
+ set_cached_introspection(opts, access_token, cjson.encode(json), ttl)
+ end
+
+ return json, err
+
+end
+
+local function get_jwt_verification_cache_prefix(opts)
+ local signing_alg_values_expected = (opts.accept_none_alg and 'none' or 'no-none')
+ local expected_algs = opts.token_signing_alg_values_expected or {}
+ if type(expected_algs) == 'string' then
+ expected_algs = { expected_algs }
+ end
+ for _, alg in ipairs(expected_algs) do
+ signing_alg_values_expected = signing_alg_values_expected .. ',' .. alg
+ end
+ return (opts.cache_segment and opts.cache_segment.gsub(',', '_') or 'DEFAULT') .. ','
+ .. (opts.public_key or 'no-pubkey') .. ','
+ .. (opts.symmetric_key or 'no-symkey') .. ','
+ .. signing_alg_values_expected .. ':'
+end
+
+local function get_cached_jwt_verification(opts, access_token)
+ local jwt_verification_cache_ignore = opts.jwt_verification_cache_ignore or false
+ if not jwt_verification_cache_ignore then
+ return openidc_cache_get("jwt_verification",
+ get_jwt_verification_cache_prefix(opts) .. access_token)
+ end
+end
+
+local function set_cached_jwt_verification(opts, access_token, encoded_json, ttl)
+ local jwt_verification_cache_ignore = opts.jwt_verification_cache_ignore or false
+ if not jwt_verification_cache_ignore then
+ openidc_cache_set("jwt_verification",
+ get_jwt_verification_cache_prefix(opts) .. access_token,
+ encoded_json, ttl)
+ end
+end
+
+-- main routine for OAuth 2.0 JWT token validation
+-- optional args are claim specs, see jwt-validators in resty.jwt
+function openidc.jwt_verify(access_token, opts, ...)
+ local err
+ local json
+ local v = get_cached_jwt_verification(opts, access_token)
+
+ local slack = opts.iat_slack and opts.iat_slack or 120
+ if not v then
+ local jwt_obj
+ jwt_obj, err = openidc_load_jwt_and_verify_crypto(opts, access_token, opts.public_key, opts.symmetric_key,
+ opts.token_signing_alg_values_expected, ...)
+ if not err then
+ json = jwt_obj.payload
+ local encoded_json = cjson.encode(json)
+ log(DEBUG, "jwt: ", encoded_json)
+
+ set_cached_jwt_verification(opts, access_token, encoded_json,
+ json.exp and json.exp - ngx.time() or 120)
+ end
+
+ else
+ -- decode from the cache
+ json = cjson.decode(v)
+ end
+
+ -- check the token expiry
+ if json then
+ if json.exp and json.exp + slack < ngx.time() then
+ log(ERROR, "token expired: json.exp=", json.exp, ", ngx.time()=", ngx.time())
+ err = "JWT expired"
+ end
+ end
+
+ return json, err
+end
+
+function openidc.bearer_jwt_verify(opts, ...)
+ local json
+
+ -- get the access token from the request
+ local access_token, err = openidc_get_bearer_access_token(opts)
+ if access_token == nil then
+ return nil, err
+ end
+
+ log(DEBUG, "access_token: ", access_token)
+
+ json, err = openidc.jwt_verify(access_token, opts, ...)
+ return json, err, access_token
+end
+
+-- Passing nil to any of the arguments resets the configuration to default
+function openidc.set_logging(new_log, new_levels)
+ log = new_log and new_log or ngx.log
+ DEBUG = new_levels.DEBUG and new_levels.DEBUG or ngx.DEBUG
+ ERROR = new_levels.ERROR and new_levels.ERROR or ngx.ERR
+ WARN = new_levels.WARN and new_levels.WARN or ngx.WARN
+end
+
+return openidc