Require authentication for OAuth token refresh (#21421)
According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
parent
f982a71997
commit
afebbf29a9
2 changed files with 68 additions and 12 deletions
|
@ -48,6 +48,7 @@ const (
|
||||||
// TODO move error and responses to SDK or models
|
// TODO move error and responses to SDK or models
|
||||||
|
|
||||||
// AuthorizeErrorCode represents an error code specified in RFC 6749
|
// AuthorizeErrorCode represents an error code specified in RFC 6749
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
|
||||||
type AuthorizeErrorCode string
|
type AuthorizeErrorCode string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -68,6 +69,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// AuthorizeError represents an error type specified in RFC 6749
|
// AuthorizeError represents an error type specified in RFC 6749
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
|
||||||
type AuthorizeError struct {
|
type AuthorizeError struct {
|
||||||
ErrorCode AuthorizeErrorCode `json:"error" form:"error"`
|
ErrorCode AuthorizeErrorCode `json:"error" form:"error"`
|
||||||
ErrorDescription string
|
ErrorDescription string
|
||||||
|
@ -80,6 +82,7 @@ func (err AuthorizeError) Error() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AccessTokenErrorCode represents an error code specified in RFC 6749
|
// AccessTokenErrorCode represents an error code specified in RFC 6749
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||||
type AccessTokenErrorCode string
|
type AccessTokenErrorCode string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -98,6 +101,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// AccessTokenError represents an error response specified in RFC 6749
|
// AccessTokenError represents an error response specified in RFC 6749
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||||
type AccessTokenError struct {
|
type AccessTokenError struct {
|
||||||
ErrorCode AccessTokenErrorCode `json:"error" form:"error"`
|
ErrorCode AccessTokenErrorCode `json:"error" form:"error"`
|
||||||
ErrorDescription string `json:"error_description"`
|
ErrorDescription string `json:"error_description"`
|
||||||
|
@ -129,6 +133,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// AccessTokenResponse represents a successful access token response
|
// AccessTokenResponse represents a successful access token response
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
|
||||||
type AccessTokenResponse struct {
|
type AccessTokenResponse struct {
|
||||||
AccessToken string `json:"access_token"`
|
AccessToken string `json:"access_token"`
|
||||||
TokenType TokenType `json:"token_type"`
|
TokenType TokenType `json:"token_type"`
|
||||||
|
@ -663,6 +668,30 @@ func AccessTokenOAuth(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
|
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
|
||||||
|
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID)
|
||||||
|
if err != nil {
|
||||||
|
handleAccessTokenError(ctx, AccessTokenError{
|
||||||
|
ErrorCode: AccessTokenErrorCodeInvalidClient,
|
||||||
|
ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// "The authorization server MUST ... require client authentication for confidential clients"
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-6
|
||||||
|
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
|
||||||
|
errorDescription := "invalid client secret"
|
||||||
|
if form.ClientSecret == "" {
|
||||||
|
errorDescription = "invalid empty client secret"
|
||||||
|
}
|
||||||
|
// "invalid_client ... Client authentication failed"
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||||
|
handleAccessTokenError(ctx, AccessTokenError{
|
||||||
|
ErrorCode: AccessTokenErrorCodeInvalidClient,
|
||||||
|
ErrorDescription: errorDescription,
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
|
token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
handleAccessTokenError(ctx, AccessTokenError{
|
handleAccessTokenError(ctx, AccessTokenError{
|
||||||
|
|
|
@ -299,10 +299,11 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
|
||||||
"client_secret": "inconsistent",
|
"client_secret": "inconsistent",
|
||||||
})
|
})
|
||||||
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
|
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
|
||||||
|
resp = MakeRequest(t, req, http.StatusBadRequest)
|
||||||
parsedError = new(auth.AccessTokenError)
|
parsedError = new(auth.AccessTokenError)
|
||||||
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
||||||
assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
|
assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
|
||||||
assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription)
|
assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestRefreshTokenInvalidation(t *testing.T) {
|
func TestRefreshTokenInvalidation(t *testing.T) {
|
||||||
|
@ -329,7 +330,33 @@ func TestRefreshTokenInvalidation(t *testing.T) {
|
||||||
// test without invalidation
|
// test without invalidation
|
||||||
setting.OAuth2.InvalidateRefreshTokens = false
|
setting.OAuth2.InvalidateRefreshTokens = false
|
||||||
|
|
||||||
refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
|
||||||
|
"grant_type": "refresh_token",
|
||||||
|
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
|
||||||
|
// omit secret
|
||||||
|
"redirect_uri": "a",
|
||||||
|
"refresh_token": parsed.RefreshToken,
|
||||||
|
})
|
||||||
|
resp = MakeRequest(t, req, http.StatusBadRequest)
|
||||||
|
parsedError := new(auth.AccessTokenError)
|
||||||
|
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
||||||
|
assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
|
||||||
|
assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription)
|
||||||
|
|
||||||
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
|
||||||
|
"grant_type": "refresh_token",
|
||||||
|
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
|
||||||
|
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
|
||||||
|
"redirect_uri": "a",
|
||||||
|
"refresh_token": "UNEXPECTED",
|
||||||
|
})
|
||||||
|
resp = MakeRequest(t, req, http.StatusBadRequest)
|
||||||
|
parsedError = new(auth.AccessTokenError)
|
||||||
|
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
||||||
|
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
|
||||||
|
assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)
|
||||||
|
|
||||||
|
req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
|
||||||
"grant_type": "refresh_token",
|
"grant_type": "refresh_token",
|
||||||
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
|
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
|
||||||
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
|
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
|
||||||
|
@ -337,24 +364,24 @@ func TestRefreshTokenInvalidation(t *testing.T) {
|
||||||
"refresh_token": parsed.RefreshToken,
|
"refresh_token": parsed.RefreshToken,
|
||||||
})
|
})
|
||||||
|
|
||||||
bs, err := io.ReadAll(refreshReq.Body)
|
bs, err := io.ReadAll(req.Body)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
|
req.Body = io.NopCloser(bytes.NewReader(bs))
|
||||||
MakeRequest(t, refreshReq, http.StatusOK)
|
MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
|
req.Body = io.NopCloser(bytes.NewReader(bs))
|
||||||
MakeRequest(t, refreshReq, http.StatusOK)
|
MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
// test with invalidation
|
// test with invalidation
|
||||||
setting.OAuth2.InvalidateRefreshTokens = true
|
setting.OAuth2.InvalidateRefreshTokens = true
|
||||||
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
|
req.Body = io.NopCloser(bytes.NewReader(bs))
|
||||||
MakeRequest(t, refreshReq, http.StatusOK)
|
MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
// repeat request should fail
|
// repeat request should fail
|
||||||
refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
|
req.Body = io.NopCloser(bytes.NewReader(bs))
|
||||||
resp = MakeRequest(t, refreshReq, http.StatusBadRequest)
|
resp = MakeRequest(t, req, http.StatusBadRequest)
|
||||||
parsedError := new(auth.AccessTokenError)
|
parsedError = new(auth.AccessTokenError)
|
||||||
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
|
||||||
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
|
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
|
||||||
assert.Equal(t, "token was already used", parsedError.ErrorDescription)
|
assert.Equal(t, "token was already used", parsedError.ErrorDescription)
|
||||||
|
|
Reference in a new issue