Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(auth): ensure endpoints are present in Validator #11209

Merged
merged 2 commits into from
Dec 3, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 36 additions & 22 deletions auth/credentials/idtoken/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,11 @@ import (
)

const (
es256KeySize int = 32
es256KeySize int = 32
// googleIAPCertsURL is used for ES256 Certs.
googleIAPCertsURL string = "https://www.gstatic.com/iap/verify/public_key-jwk"
googleSACertsURL string = "https://www.googleapis.com/oauth2/v3/certs"
// googleSACertsURL is used for RS256 Certs.
googleSACertsURL string = "https://www.googleapis.com/oauth2/v3/certs"
)

var (
Expand Down Expand Up @@ -67,17 +69,17 @@ type jwk struct {

// Validator provides a way to validate Google ID Tokens
type Validator struct {
client *cachingClient
rsa256CertsURL string
es256CertsURL string
client *cachingClient
rs256URL string
es256URL string
}

// ValidatorOptions provides a way to configure a [Validator].
type ValidatorOptions struct {
// Client used to make requests to the certs URL. Optional.
Client *http.Client
// Custom certs URL for RSA256 JWK to be used. Optional.
RSA256CertsURL string
// Custom certs URL for RS256 JWK to be used. Optional.
RS256CertsURL string
// Custom certs URL for ES256 JWK to be used. Optional.
ES256CertsURL string
}
Expand All @@ -91,17 +93,15 @@ func NewValidator(opts *ValidatorOptions) (*Validator, error) {
} else {
client = internal.DefaultClient()
}

rsa256CertsURL := googleSACertsURL
es256CertsURL := googleIAPCertsURL
if opts != nil && opts.RSA256CertsURL != "" {
rsa256CertsURL = opts.RSA256CertsURL
var rs256URL string
if opts != nil {
rs256URL = opts.RS256CertsURL
}
if opts != nil && opts.ES256CertsURL != "" {
es256CertsURL = opts.ES256CertsURL
var es256URL string
if opts != nil {
es256URL = opts.ES256CertsURL
}

return &Validator{client: newCachingClient(client), rsa256CertsURL: rsa256CertsURL, es256CertsURL: es256CertsURL}, nil
return &Validator{client: newCachingClient(client), rs256URL: rs256URL, es256URL: es256URL}, nil
}

// Validate is used to validate the provided idToken with a known Google cert
Expand Down Expand Up @@ -153,11 +153,11 @@ func (v *Validator) validate(ctx context.Context, idToken string, audience strin
hashedContent := hashHeaderPayload(idToken)
switch header.Algorithm {
case jwt.HeaderAlgRSA256:
if err := v.validateRS256(ctx, header.KeyID, hashedContent, sig, v.rsa256CertsURL); err != nil {
if err := v.validateRS256(ctx, header.KeyID, hashedContent, sig); err != nil {
return nil, err
}
case jwt.HeaderAlgES256:
if err := v.validateES256(ctx, header.KeyID, hashedContent, sig, v.es256CertsURL); err != nil {
if err := v.validateES256(ctx, header.KeyID, hashedContent, sig); err != nil {
return nil, err
}
default:
Expand All @@ -167,8 +167,8 @@ func (v *Validator) validate(ctx context.Context, idToken string, audience strin
return payload, nil
}

func (v *Validator) validateRS256(ctx context.Context, keyID string, hashedContent []byte, sig []byte, certsURL string) error {
certResp, err := v.client.getCert(ctx, certsURL)
func (v *Validator) validateRS256(ctx context.Context, keyID string, hashedContent []byte, sig []byte) error {
certResp, err := v.client.getCert(ctx, v.rs256CertsURL())
if err != nil {
return err
}
Expand All @@ -192,8 +192,15 @@ func (v *Validator) validateRS256(ctx context.Context, keyID string, hashedConte
return rsa.VerifyPKCS1v15(pk, crypto.SHA256, hashedContent, sig)
}

func (v *Validator) validateES256(ctx context.Context, keyID string, hashedContent []byte, sig []byte, certsURL string) error {
certResp, err := v.client.getCert(ctx, certsURL)
func (v *Validator) rs256CertsURL() string {
if v.rs256URL == "" {
return googleSACertsURL
}
return v.rs256URL
}

func (v *Validator) validateES256(ctx context.Context, keyID string, hashedContent []byte, sig []byte) error {
certResp, err := v.client.getCert(ctx, v.es256CertsURL())
if err != nil {
return err
}
Expand Down Expand Up @@ -223,6 +230,13 @@ func (v *Validator) validateES256(ctx context.Context, keyID string, hashedConte
return nil
}

func (v *Validator) es256CertsURL() string {
if v.es256URL == "" {
return googleIAPCertsURL
}
return v.es256URL
}

func findMatchingKey(response *certResponse, keyID string) (*jwk, error) {
if response == nil {
return nil, fmt.Errorf("idtoken: cert response is nil")
Expand Down
4 changes: 2 additions & 2 deletions auth/credentials/idtoken/validate_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,8 +138,8 @@ func TestValidateRS256(t *testing.T) {
now = tt.nowFunc

v, err := NewValidator(&ValidatorOptions{
Client: client,
RSA256CertsURL: tt.certsURL,
Client: client,
RS256CertsURL: tt.certsURL,
})
if err != nil {
t.Fatalf("NewValidator(...) = %q, want nil", err)
Expand Down
Loading