From 55195e4659339f56036c2f98d06cfd59a0141514 Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Fri, 17 Sep 2021 18:31:01 +0200
Subject: JWK: the default signature algorithm "alg" is now a key parameter
---
 doc/disfluid.texi | 19 ++--
 po/disfluid.pot | 140 +++++++++++++-------
 po/fr.po | 140 +++++++++++++-------
 src/scm/webid-oidc/access-token.scm | 3 +-
 src/scm/webid-oidc/authorization-code.scm | 4 +-
 src/scm/webid-oidc/authorization-endpoint.scm | 3 +-
 src/scm/webid-oidc/client.scm | 3 -
 src/scm/webid-oidc/client/accounts.scm | 3 -
 src/scm/webid-oidc/dpop-proof.scm | 3 +-
 src/scm/webid-oidc/identity-provider.scm | 126 +++++++++++------------
 src/scm/webid-oidc/jwk.scm | 45 +++++++--
 src/scm/webid-oidc/oidc-id-token.scm | 4 +-
 src/scm/webid-oidc/token-endpoint.scm | 4 +-
 tests/authorization-endpoint-get-form.scm | 3 +-
 tests/authorization-endpoint-no-args.scm | 3 +-
 tests/authorization-endpoint-submit-form.scm | 3 +-
 tests/dpop-proof-iat-in-future.scm | 1 -
 tests/dpop-proof-iat-too-late.scm | 1 -
 tests/dpop-proof-invalid-ath.scm | 2 -
 tests/dpop-proof-no-ath.scm | 1 -
 tests/dpop-proof-replay.scm | 1 -
 tests/dpop-proof-valid-ath.scm | 2 -
 tests/dpop-proof-valid.scm | 1 -
 tests/dpop-proof-wrong-htm.scm | 1 -
 tests/dpop-proof-wrong-htu.scm | 1 -
 tests/dpop-proof-wrong-key.scm | 1 -
 tests/resource-server.scm | 2 -
 tests/token-endpoint-issue.scm | 6 +-
 tests/token-endpoint-refresh.scm | 5 +-
 29 files changed, 265 insertions(+), 266 deletions(-)
diff --git a/doc/disfluid.texi b/doc/disfluid.texi
index 8004d3c..6f76838 100644
--- a/doc/disfluid.texi
+++ b/doc/disfluid.texi
@@ -360,9 +360,9 @@ implementation of @code{http-get} from @emph{(web client)}. Return Encode @var{token} and sign it with the issuer’s @var{key}. @end deffn -@deffn function issue-id-token @var{issuer-key} @var{#:alg} @var{#:webid} @var{#:iss} @var{#:sub} @var{#:aud} @var{#:validity} +@deffn function issue-id-token @var{issuer-key} @var{#:webid} @var{#:iss} @var{#:sub} @var{#:aud} @var{#:validity} Create an ID token that is valid for @var{#:validity} seconds, and -encode it with @var{issuer-key}. +sign and encode it with @var{issuer-key}. @end deffn @node The access token @@ -406,7 +406,7 @@ by the ID token validation. Return the decoded access token, or raise an exception. @end deffn -@deffn function issue-access-token @var{issuer-key} @var{#alg} @var{#webid} @var{#iss} @var{#:validity} @var{[#client-key} @var{|} @var{#cnf/jkt]} @var{#client-id} +@deffn function issue-access-token @var{issuer-key} #:@var{webid} #:@var{iss} #:@var{client-id} #:@var{validity} [#:@var{[client-key} | #:@var{cnf/jkt}] Create an access token for @var{#:validity} seconds, and encode it with @var{issuer-key}. You can either set the @code{#:cnf/jkt} keyword argument with the fingerprint of the client key, or set @@ -484,7 +484,7 @@ Encode the proof and sign it with @var{key}. To generate valid proofs, field of the proof. @end deffn -@deffn function issue-dpop-proof @var{client-key} @var{#alg} @var{#htm} @var{#htu} {[#:@var{access-token}=#f]} +@deffn function issue-dpop-proof @var{client-key} #:@var{htm} #:@var{htu} {[#:@var{access-token}=#f]} Create a proof, sign it and encode it with @var{client-key}. @var{client-key} should contain both the private and public key, because the public part is written in the proof and the 
@@ -532,9 +532,14 @@ Some functions require a key, or a key pair, to operate. The @emph{(webid-oidc jwk)} module provides you with everything required to manage keys. -@deftp {Class} () +@deftp {Class} () @var{alg} This is the base class for a private key. You need it to issue -signatures. +signatures. Signatures issued with this key will use @var{alg} for the +signature algorithm, but the public key associated with this private +key will verify signatures in any compatible algorithm, not just +@var{alg}. + +@var{alg} is a symbol, for instance @code{'RS256}. @end deftp @deftp {Class} () @@ -606,6 +611,8 @@ Return the private part of @var{key}. @deftypefnx {Generic method} ec-y (@var{key} @code{}) @deftypefnx {Generic method} ec-z (@var{key} @code{}) @deftypefnx {Generic method} ec-z (@var{key} @code{}) +@deftypefnx {Generic method} alg (@var{key} @code{}) +@deftypefnx {Generic method} alg (@var{key} @code{}) Key parameter getters. @end deftypefn diff --git a/po/disfluid.pot b/po/disfluid.pot index e933d84..cd8eb7d 100644 --- a/po/disfluid.pot +++ b/po/disfluid.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: disfluid SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-09-17 18:38+0200\n" +"POT-Creation-Date: 2021-09-17 18:39+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -141,21 +141,21 @@ msgid "this is not an access token" msgstr "" #: src/scm/webid-oidc/access-token.scm:101 -#: src/scm/webid-oidc/authorization-code.scm:88 -#: src/scm/webid-oidc/oidc-id-token.scm:96 +#: src/scm/webid-oidc/authorization-code.scm:89 +#: src/scm/webid-oidc/oidc-id-token.scm:97 #, scheme-format msgid "the payload is missing ~s" msgstr "" #: src/scm/webid-oidc/access-token.scm:123 -#: src/scm/webid-oidc/authorization-code.scm:104 -#: src/scm/webid-oidc/oidc-id-token.scm:117 +#: src/scm/webid-oidc/authorization-code.scm:105 +#: src/scm/webid-oidc/oidc-id-token.scm:118 #, scheme-format msgid "the \"webid\" field should be an URI, ~s is given" msgstr "" #: src/scm/webid-oidc/access-token.scm:130 -#: src/scm/webid-oidc/oidc-id-token.scm:124 +#: src/scm/webid-oidc/oidc-id-token.scm:125 #, scheme-format msgid "the \"iss\" field should be an URI, ~s is given" msgstr "" @@ -166,14 +166,14 @@ msgid "the \"aud\" field should be set to \"solid\", ~s is given" msgstr "" #: src/scm/webid-oidc/access-token.scm:142 -#: src/scm/webid-oidc/oidc-id-token.scm:152 +#: src/scm/webid-oidc/oidc-id-token.scm:153 #, scheme-format msgid "the \"iat\" field should be a timestamp, ~s is given" msgstr "" #: src/scm/webid-oidc/access-token.scm:149 -#: src/scm/webid-oidc/authorization-code.scm:125 -#: src/scm/webid-oidc/oidc-id-token.scm:159 +#: src/scm/webid-oidc/authorization-code.scm:126 +#: src/scm/webid-oidc/oidc-id-token.scm:160 #, scheme-format msgid "the \"exp\" field should be a timestamp, ~s is given" msgstr "" @@ -193,7 +193,7 @@ msgid "the \"cnf\" field should be an object, ~s is given" msgstr "" #: src/scm/webid-oidc/access-token.scm:178 -#: src/scm/webid-oidc/authorization-code.scm:111 +#: src/scm/webid-oidc/authorization-code.scm:112 #, scheme-format msgid "the \"client_id\" field should be an URI, ~s is given" msgstr "" 
@@ -208,13 +208,13 @@ msgid "the access token is invalid" msgstr "" #: src/scm/webid-oidc/access-token.scm:257 -#: src/scm/webid-oidc/oidc-id-token.scm:236 +#: src/scm/webid-oidc/oidc-id-token.scm:237 #, scheme-format msgid "I cannot query the identity provider configuration: ~a" msgstr "" #: src/scm/webid-oidc/access-token.scm:259 -#: src/scm/webid-oidc/oidc-id-token.scm:238 +#: src/scm/webid-oidc/oidc-id-token.scm:239 msgid "I cannot query the identity provider configuratioon" msgstr "" 
@@ -246,56 +246,56 @@ msgstr "" msgid "cannot encode the access token" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:63 +#: src/scm/webid-oidc/authorization-code.scm:64 #, scheme-format msgid "this is not an authorization code, because it is not even a JWS: ~a" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:65 +#: src/scm/webid-oidc/authorization-code.scm:66 msgid "this is not an authorization code, because it is not even a JWS" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:68 +#: src/scm/webid-oidc/authorization-code.scm:69 #, scheme-format msgid "this is not an authorization code: ~a" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:70 +#: src/scm/webid-oidc/authorization-code.scm:71 msgid "this is not an authorization code" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:118 +#: src/scm/webid-oidc/authorization-code.scm:119 #, scheme-format msgid "the \"jti\" field should be a string, ~s is given" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:170 +#: src/scm/webid-oidc/authorization-code.scm:171 #, scheme-format msgid "the authorization code is invalid: ~a" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:172 +#: src/scm/webid-oidc/authorization-code.scm:173 msgid "the authorization code is invalid" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:186 +#: src/scm/webid-oidc/authorization-code.scm:187 #, scheme-format msgid "the authorization expired ~a, which is in the past (from ~a)" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:202 +#: src/scm/webid-oidc/authorization-code.scm:203 #, scheme-format msgid "cannot encode the authorization code: ~a" msgstr "" -#: src/scm/webid-oidc/authorization-code.scm:204 +#: src/scm/webid-oidc/authorization-code.scm:205 msgid "cannot encode the authorization code" msgstr "" #: src/scm/webid-oidc/authorization-page-unsafe.scm:52 #: src/scm/webid-oidc/hello-world.scm:40 src/scm/webid-oidc/hello-world.scm:167 #: src/scm/webid-oidc/hello-world.scm:187 
-#: src/scm/webid-oidc/identity-provider.scm:143 +#: src/scm/webid-oidc/identity-provider.scm:139 #: src/scm/webid-oidc/token-endpoint.scm:111 #: src/scm/webid-oidc/token-endpoint.scm:137 #: src/scm/webid-oidc/token-endpoint.scm:164 
@@ -477,78 +477,78 @@ msgstr "" msgid "the client manifest is dereferenced from ~s, but it pretends to be ~s" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:285 +#: src/scm/webid-oidc/client/accounts.scm:282 msgid "The refresh token has expired." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:292 +#: src/scm/webid-oidc/client/accounts.scm:289 #, scheme-format msgid "The token request failed with code ~s (~s)." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:301 +#: src/scm/webid-oidc/client/accounts.scm:298 msgid "The token response did not set the content type." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:309 +#: src/scm/webid-oidc/client/accounts.scm:306 msgid "The token endpoint did not respond in UTF-8." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:321 +#: src/scm/webid-oidc/client/accounts.scm:318 #, scheme-format msgid "The token response has content-type ~s, not application/json." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:331 +#: src/scm/webid-oidc/client/accounts.scm:328 msgid "The token response is not valid JSON." 
msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:345 +#: src/scm/webid-oidc/client/accounts.scm:342 #, scheme-format msgid "The token response did not include an ID token: ~s" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:353 +#: src/scm/webid-oidc/client/accounts.scm:350 #, scheme-format msgid "The token response did not include an access token: ~s\n" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:364 +#: src/scm/webid-oidc/client/accounts.scm:361 #, scheme-format msgid "the ID token signature is invalid: ~a" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:366 +#: src/scm/webid-oidc/client/accounts.scm:363 msgid "the ID token signature is invalid" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:384 +#: src/scm/webid-oidc/client/accounts.scm:381 #, scheme-format msgid "the ID token delivered by the identity provider for ~s has ~s as webid" msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:394 +#: src/scm/webid-oidc/client/accounts.scm:391 #, scheme-format msgid "The ID token delivered by the identity provider ~s is for issuer ~s." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:409 +#: src/scm/webid-oidc/client/accounts.scm:406 msgid "The issuer is required." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:414 +#: src/scm/webid-oidc/client/accounts.scm:411 msgid "The optional subject and required issuer should be strings or URI." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:450 +#: src/scm/webid-oidc/client/accounts.scm:447 msgid "Cannot check the username and/or password." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:460 +#: src/scm/webid-oidc/client/accounts.scm:457 msgid "The subject should be a string or URI." msgstr "" -#: src/scm/webid-oidc/client/accounts.scm:474 +#: src/scm/webid-oidc/client/accounts.scm:471 msgid "The issuer should be a string or URI." msgstr "" 
@@ -1031,7 +1031,7 @@ msgstr "" msgid "Warning: generating a new key pair." msgstr "" -#: src/scm/webid-oidc/identity-provider.scm:136 +#: src/scm/webid-oidc/identity-provider.scm:132 msgid "reason-phrase|Not Found" msgstr "" 
@@ -1040,59 +1040,59 @@ msgstr "" msgid "a replay has been detected with JTI ~s" msgstr "" -#: src/scm/webid-oidc/jwk.scm:143 +#: src/scm/webid-oidc/jwk.scm:144 msgid "the point and scalar are not on the same curve" msgstr "" -#: src/scm/webid-oidc/jwk.scm:238 +#: src/scm/webid-oidc/jwk.scm:256 #, scheme-format msgid "the JWK is invalid: ~a" msgstr "" -#: src/scm/webid-oidc/jwk.scm:240 +#: src/scm/webid-oidc/jwk.scm:258 msgid "the JWK is invalid" msgstr "" -#: src/scm/webid-oidc/jwk.scm:249 +#: src/scm/webid-oidc/jwk.scm:267 msgid "cannot compute the key type" msgstr "" -#: src/scm/webid-oidc/jwk.scm:308 +#: src/scm/webid-oidc/jwk.scm:328 msgid "it is built as an RSA key or key pair, but it is not" msgstr "" -#: src/scm/webid-oidc/jwk.scm:316 +#: src/scm/webid-oidc/jwk.scm:336 msgid "it is built as an elliptic curve key or key pair, but it is not" msgstr "" -#: src/scm/webid-oidc/jwk.scm:357 +#: src/scm/webid-oidc/jwk.scm:378 #, scheme-format msgid "the key advertises a key type of ~s, but actually it is ~s" msgstr "" -#: src/scm/webid-oidc/jwk.scm:396 +#: src/scm/webid-oidc/jwk.scm:427 msgid "this is neither a RSA key nor an elliptic curve key" msgstr "" -#: src/scm/webid-oidc/jwk.scm:433 +#: src/scm/webid-oidc/jwk.scm:464 #, scheme-format msgid "cannot fetch a JWKS: ~a" msgstr "" -#: src/scm/webid-oidc/jwk.scm:435 +#: src/scm/webid-oidc/jwk.scm:466 msgid "cannot fetch a JWKS" msgstr "" -#: src/scm/webid-oidc/jwk.scm:439 +#: src/scm/webid-oidc/jwk.scm:470 #, scheme-format msgid "the request failed with ~s ~s" msgstr "" -#: src/scm/webid-oidc/jwk.scm:444 +#: src/scm/webid-oidc/jwk.scm:475 msgid "missing content-type" msgstr "" -#: src/scm/webid-oidc/jwk.scm:449 +#: src/scm/webid-oidc/jwk.scm:480 #, scheme-format msgid "invalid content-type: ~s" msgstr "" 
@@ -1239,77 +1239,77 @@ msgstr "" msgid "unexpected content-type: ~s" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:67 +#: src/scm/webid-oidc/oidc-id-token.scm:68 #, scheme-format msgid "this is not an ID token, because it is not even a JWS: ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:70 +#: src/scm/webid-oidc/oidc-id-token.scm:71 msgid "this is not an ID token, because it is not even a JWS" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:72 +#: src/scm/webid-oidc/oidc-id-token.scm:73 #, scheme-format msgid "this is not an ID token: ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:75 +#: src/scm/webid-oidc/oidc-id-token.scm:76 msgid "this is not an ID token" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:131 +#: src/scm/webid-oidc/oidc-id-token.scm:132 #, scheme-format msgid "the \"sub\" field should be a string, ~s is given" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:138 +#: src/scm/webid-oidc/oidc-id-token.scm:139 #, scheme-format msgid "the \"aud\" field should be an URI, ~s is given" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:145 +#: src/scm/webid-oidc/oidc-id-token.scm:146 #, scheme-format msgid "the \"nonce\" field should be a string, ~s is given" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:165 +#: src/scm/webid-oidc/oidc-id-token.scm:166 msgid "the payload should be a JSON object" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:218 +#: src/scm/webid-oidc/oidc-id-token.scm:219 #, scheme-format msgid "the ID token is invalid: ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:220 +#: src/scm/webid-oidc/oidc-id-token.scm:221 msgid "the ID token is invalid" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:258 +#: src/scm/webid-oidc/oidc-id-token.scm:259 #, scheme-format msgid "I cannot query the JWKS URI of the identity provider: ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:260 +#: src/scm/webid-oidc/oidc-id-token.scm:261 msgid "I cannot query the JWKS URI of the identity provider" msgstr "" 
-#: src/scm/webid-oidc/oidc-id-token.scm:271 +#: src/scm/webid-oidc/oidc-id-token.scm:272 #, scheme-format msgid "the ID token is signed in the future, ~a, relative to current ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:280 +#: src/scm/webid-oidc/oidc-id-token.scm:281 #, scheme-format msgid "the ID token expired ~a, which is in the past (from ~a)" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:294 +#: src/scm/webid-oidc/oidc-id-token.scm:295 #, scheme-format msgid "cannot encode the ID token: ~a" msgstr "" -#: src/scm/webid-oidc/oidc-id-token.scm:296 +#: src/scm/webid-oidc/oidc-id-token.scm:297 msgid "cannot encode the ID token" msgstr "" diff --git a/po/fr.po b/po/fr.po index 0b7b882..15b615d 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2,7 +2,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-09-17 18:38+0200\n" +"POT-Creation-Date: 2021-09-17 18:39+0200\n" "PO-Revision-Date: 2021-09-17 18:38+0200\n" "Last-Translator: Vivien Kraus \n" "Language-Team: French \n" 
@@ -145,21 +145,21 @@ msgid "this is not an access token" msgstr "ce n’est pas un jeton d’accès" #: src/scm/webid-oidc/access-token.scm:101 -#: src/scm/webid-oidc/authorization-code.scm:88 -#: src/scm/webid-oidc/oidc-id-token.scm:96 +#: src/scm/webid-oidc/authorization-code.scm:89 +#: src/scm/webid-oidc/oidc-id-token.scm:97 #, scheme-format msgid "the payload is missing ~s" msgstr "il manque ~s à la charge utile" #: src/scm/webid-oidc/access-token.scm:123 -#: src/scm/webid-oidc/authorization-code.scm:104 -#: src/scm/webid-oidc/oidc-id-token.scm:117 +#: src/scm/webid-oidc/authorization-code.scm:105 +#: src/scm/webid-oidc/oidc-id-token.scm:118 #, scheme-format msgid "the \"webid\" field should be an URI, ~s is given" msgstr "le champ « webid » doit être une URI, pas ~s" #: src/scm/webid-oidc/access-token.scm:130 -#: src/scm/webid-oidc/oidc-id-token.scm:124 +#: src/scm/webid-oidc/oidc-id-token.scm:125 #, scheme-format msgid "the \"iss\" field should be an URI, ~s is given" msgstr "le champ « iss » doit être une URI, pas ~s" @@ -170,14 +170,14 @@ msgid "the \"aud\" field should be set to \"solid\", ~s is given" msgstr "le champ « aud » doit être « solid », pas ~s" #: src/scm/webid-oidc/access-token.scm:142 -#: src/scm/webid-oidc/oidc-id-token.scm:152 +#: src/scm/webid-oidc/oidc-id-token.scm:153 #, scheme-format msgid "the \"iat\" field should be a timestamp, ~s is given" msgstr "le champ « iat » doit être un horodatage, pas ~s" #: src/scm/webid-oidc/access-token.scm:149 -#: src/scm/webid-oidc/authorization-code.scm:125 -#: src/scm/webid-oidc/oidc-id-token.scm:159 +#: src/scm/webid-oidc/authorization-code.scm:126 +#: src/scm/webid-oidc/oidc-id-token.scm:160 #, scheme-format msgid "the \"exp\" field should be a timestamp, ~s is given" msgstr "le champ « exp » doit être un horodatage, pas ~s" 
@@ -197,7 +197,7 @@ msgid "the \"cnf\" field should be an object, ~s is given" msgstr "le champ « cnf » doit être un objet JSON, pas ~s" #: src/scm/webid-oidc/access-token.scm:178 -#: src/scm/webid-oidc/authorization-code.scm:111 +#: src/scm/webid-oidc/authorization-code.scm:112 #, scheme-format msgid "the \"client_id\" field should be an URI, ~s is given" msgstr "le champ « client_id » doit être une URI, pas ~s" @@ -212,14 +212,14 @@ msgid "the access token is invalid" msgstr "le jeton d’accès est invalide" #: src/scm/webid-oidc/access-token.scm:257 -#: src/scm/webid-oidc/oidc-id-token.scm:236 +#: src/scm/webid-oidc/oidc-id-token.scm:237 #, scheme-format msgid "I cannot query the identity provider configuration: ~a" msgstr "" "je ne peux pas requêter la configuration du fournisseur d’identité : ~a" #: src/scm/webid-oidc/access-token.scm:259 -#: src/scm/webid-oidc/oidc-id-token.scm:238 +#: src/scm/webid-oidc/oidc-id-token.scm:239 msgid "I cannot query the identity provider configuratioon" msgstr "je ne peux pas requêter la configurration du fournisseur d’identité" 
@@ -254,59 +254,59 @@ msgstr "impossible d’encoder le jeton d’accès : ~a" msgid "cannot encode the access token" msgstr "impossible d’encoder le jeton d’accès" -#: src/scm/webid-oidc/authorization-code.scm:63 +#: src/scm/webid-oidc/authorization-code.scm:64 #, scheme-format msgid "this is not an authorization code, because it is not even a JWS: ~a" msgstr "" "ce n’est pas un code d’autorisation, parce que ce n’est même pas un JWS : ~a" -#: src/scm/webid-oidc/authorization-code.scm:65 +#: src/scm/webid-oidc/authorization-code.scm:66 msgid "this is not an authorization code, because it is not even a JWS" msgstr "" "ce n’est pas un code d’autorisation, parce que ce n’est même pas un JWS" -#: src/scm/webid-oidc/authorization-code.scm:68 +#: src/scm/webid-oidc/authorization-code.scm:69 #, scheme-format msgid "this is not an authorization code: ~a" msgstr "ce n’est pas un code d’autorisation : ~a" -#: src/scm/webid-oidc/authorization-code.scm:70 +#: src/scm/webid-oidc/authorization-code.scm:71 msgid "this is not an authorization code" msgstr "ce n’est pas un code d’autorisation" -#: src/scm/webid-oidc/authorization-code.scm:118 +#: src/scm/webid-oidc/authorization-code.scm:119 #, scheme-format msgid "the \"jti\" field should be a string, ~s is given" msgstr "le champ « jti » doit être une chaîne de caractères, pas ~s" -#: src/scm/webid-oidc/authorization-code.scm:170 +#: src/scm/webid-oidc/authorization-code.scm:171 #, scheme-format msgid "the authorization code is invalid: ~a" msgstr "le code d’autorisation est invalide : ~a" -#: src/scm/webid-oidc/authorization-code.scm:172 +#: src/scm/webid-oidc/authorization-code.scm:173 msgid "the authorization code is invalid" msgstr "le code d’autorisation est invalide" -#: src/scm/webid-oidc/authorization-code.scm:186 +#: src/scm/webid-oidc/authorization-code.scm:187 #, scheme-format msgid "the authorization expired ~a, which is in the past (from ~a)" msgstr "" "le code d’autorisation a expiré le ~a, qui est dans le passé (depuis 
~a)" -#: src/scm/webid-oidc/authorization-code.scm:202 +#: src/scm/webid-oidc/authorization-code.scm:203 #, scheme-format msgid "cannot encode the authorization code: ~a" msgstr "impossible d’encoder le code d’autorisation : ~a" -#: src/scm/webid-oidc/authorization-code.scm:204 +#: src/scm/webid-oidc/authorization-code.scm:205 msgid "cannot encode the authorization code" msgstr "impossible d’encoder le code d’autorisation" #: src/scm/webid-oidc/authorization-page-unsafe.scm:52 #: src/scm/webid-oidc/hello-world.scm:40 src/scm/webid-oidc/hello-world.scm:167 #: src/scm/webid-oidc/hello-world.scm:187 -#: src/scm/webid-oidc/identity-provider.scm:143 +#: src/scm/webid-oidc/identity-provider.scm:139 #: src/scm/webid-oidc/token-endpoint.scm:111 #: src/scm/webid-oidc/token-endpoint.scm:137 #: src/scm/webid-oidc/token-endpoint.scm:164 
@@ -497,83 +497,83 @@ msgstr "impossible de télécharger le manifeste client ~s" msgid "the client manifest is dereferenced from ~s, but it pretends to be ~s" msgstr "le manifeste client est déréférencé depuis ~s, mais il prétend être ~s" -#: src/scm/webid-oidc/client/accounts.scm:285 +#: src/scm/webid-oidc/client/accounts.scm:282 msgid "The refresh token has expired." msgstr "le jeton de rafraîchissement a expiré." -#: src/scm/webid-oidc/client/accounts.scm:292 +#: src/scm/webid-oidc/client/accounts.scm:289 #, scheme-format msgid "The token request failed with code ~s (~s)." msgstr "La requête de jeton a échoué avec un code ~s (~s)." -#: src/scm/webid-oidc/client/accounts.scm:301 +#: src/scm/webid-oidc/client/accounts.scm:298 msgid "The token response did not set the content type." msgstr "Le jeton de réponse n’a pas défini de type de contenu." -#: src/scm/webid-oidc/client/accounts.scm:309 +#: src/scm/webid-oidc/client/accounts.scm:306 msgid "The token endpoint did not respond in UTF-8." msgstr "Le terminal de jetonn n’a pas répondu en UTF-8." -#: src/scm/webid-oidc/client/accounts.scm:321 +#: src/scm/webid-oidc/client/accounts.scm:318 #, scheme-format msgid "The token response has content-type ~s, not application/json." msgstr "La réponse de jeton a un type de contenu ~s, pas application/json." -#: src/scm/webid-oidc/client/accounts.scm:331 +#: src/scm/webid-oidc/client/accounts.scm:328 msgid "The token response is not valid JSON." msgstr "La réponse de jeton n’est pas un JSON valide." 
-#: src/scm/webid-oidc/client/accounts.scm:345 +#: src/scm/webid-oidc/client/accounts.scm:342 #, scheme-format msgid "The token response did not include an ID token: ~s" msgstr "La réponse de jeton n’a pas inclus de jeton d’ID : ~s" -#: src/scm/webid-oidc/client/accounts.scm:353 +#: src/scm/webid-oidc/client/accounts.scm:350 #, scheme-format msgid "The token response did not include an access token: ~s\n" msgstr "La réponse de jeton n’a pas inclus de jeton d’accès : ~s\n" -#: src/scm/webid-oidc/client/accounts.scm:364 +#: src/scm/webid-oidc/client/accounts.scm:361 #, scheme-format msgid "the ID token signature is invalid: ~a" msgstr "la signature du jeton d’ID est invalide : ~a" -#: src/scm/webid-oidc/client/accounts.scm:366 +#: src/scm/webid-oidc/client/accounts.scm:363 msgid "the ID token signature is invalid" msgstr "la signature du jeton d’ID est invalide" -#: src/scm/webid-oidc/client/accounts.scm:384 +#: src/scm/webid-oidc/client/accounts.scm:381 #, scheme-format msgid "the ID token delivered by the identity provider for ~s has ~s as webid" msgstr "" "le jeton d’ID délivré par le fournisseur d’identité pour ~s a ~s pour webid" -#: src/scm/webid-oidc/client/accounts.scm:394 +#: src/scm/webid-oidc/client/accounts.scm:391 #, scheme-format msgid "The ID token delivered by the identity provider ~s is for issuer ~s." msgstr "" "Le jeton d’ID délivré par le fournisseur d’identité ~s est pour l’émetteur " "~s." -#: src/scm/webid-oidc/client/accounts.scm:409 +#: src/scm/webid-oidc/client/accounts.scm:406 msgid "The issuer is required." msgstr "L’émetteur est requis." -#: src/scm/webid-oidc/client/accounts.scm:414 +#: src/scm/webid-oidc/client/accounts.scm:411 msgid "The optional subject and required issuer should be strings or URI." msgstr "" "Le sujet optionnel et émetteur doivent être des chaînes de caractère ou des " "URIs." 
-#: src/scm/webid-oidc/client/accounts.scm:450 +#: src/scm/webid-oidc/client/accounts.scm:447 msgid "Cannot check the username and/or password." msgstr "Impossible de vérifier le nom d’utilisateur et/ou le mot de passe." -#: src/scm/webid-oidc/client/accounts.scm:460 +#: src/scm/webid-oidc/client/accounts.scm:457 msgid "The subject should be a string or URI." msgstr "Le sujet doit être une chaîne de caractères ou une URI." -#: src/scm/webid-oidc/client/accounts.scm:474 +#: src/scm/webid-oidc/client/accounts.scm:471 msgid "The issuer should be a string or URI." msgstr "L’émetteur doit être une chaîne de caractères ou une URI." @@ -1114,7 +1114,7 @@ msgstr "" msgid "Warning: generating a new key pair." msgstr "Attention : génération d'une nouvelle paire de clé." -#: src/scm/webid-oidc/identity-provider.scm:136 +#: src/scm/webid-oidc/identity-provider.scm:132 msgid "reason-phrase|Not Found" msgstr "Non Trouvé" 
@@ -1123,63 +1123,63 @@ msgstr "Non Trouvé" msgid "a replay has been detected with JTI ~s" msgstr "une redite a été détectée avec le JTI ~s" -#: src/scm/webid-oidc/jwk.scm:143 +#: src/scm/webid-oidc/jwk.scm:144 msgid "the point and scalar are not on the same curve" msgstr "le point et le scalaire ne sont pas sur la même courbe elliptique" -#: src/scm/webid-oidc/jwk.scm:238 +#: src/scm/webid-oidc/jwk.scm:256 #, scheme-format msgid "the JWK is invalid: ~a" msgstr "le JWK est invalide : ~a" -#: src/scm/webid-oidc/jwk.scm:240 +#: src/scm/webid-oidc/jwk.scm:258 msgid "the JWK is invalid" msgstr "le JWK est invalide" -#: src/scm/webid-oidc/jwk.scm:249 +#: src/scm/webid-oidc/jwk.scm:267 msgid "cannot compute the key type" msgstr "impossible de calculer le type de clé" -#: src/scm/webid-oidc/jwk.scm:308 +#: src/scm/webid-oidc/jwk.scm:328 msgid "it is built as an RSA key or key pair, but it is not" msgstr "" "elle est construite comme une clé ou paire de clés RSA, mais ce n’en est pas " "une" -#: src/scm/webid-oidc/jwk.scm:316 +#: src/scm/webid-oidc/jwk.scm:336 msgid "it is built as an elliptic curve key or key pair, but it is not" msgstr "" "elle est construite comme une clé ou paire de clés sur une courbe " "elliptique, mais ce n’en est pas une" -#: src/scm/webid-oidc/jwk.scm:357 +#: src/scm/webid-oidc/jwk.scm:378 #, scheme-format msgid "the key advertises a key type of ~s, but actually it is ~s" msgstr "la clé publie un type de clé ~s, mais c’est en fait ~s" -#: src/scm/webid-oidc/jwk.scm:396 +#: src/scm/webid-oidc/jwk.scm:427 msgid "this is neither a RSA key nor an elliptic curve key" msgstr "ce n’est ni une clé RSA ni une clé sur une courbe elliptique" -#: src/scm/webid-oidc/jwk.scm:433 +#: src/scm/webid-oidc/jwk.scm:464 #, scheme-format msgid "cannot fetch a JWKS: ~a" msgstr "impossible de télécharger un JWKS : ~a" -#: src/scm/webid-oidc/jwk.scm:435 +#: src/scm/webid-oidc/jwk.scm:466 msgid "cannot fetch a JWKS" msgstr "impossible de télécharger un JWKS" -#: 
src/scm/webid-oidc/jwk.scm:439 +#: src/scm/webid-oidc/jwk.scm:470 #, scheme-format msgid "the request failed with ~s ~s" msgstr "la requête a échoué avec ~s ~s" -#: src/scm/webid-oidc/jwk.scm:444 +#: src/scm/webid-oidc/jwk.scm:475 msgid "missing content-type" msgstr "type de contenu manquant" -#: src/scm/webid-oidc/jwk.scm:449 +#: src/scm/webid-oidc/jwk.scm:480 #, scheme-format msgid "invalid content-type: ~s" msgstr "type de contenu invalide : ~s" 
@@ -1330,78 +1330,78 @@ msgstr "il n’y a pas de type de contenu" msgid "unexpected content-type: ~s" msgstr "type de contenu inattendu : ~s" -#: src/scm/webid-oidc/oidc-id-token.scm:67 +#: src/scm/webid-oidc/oidc-id-token.scm:68 #, scheme-format msgid "this is not an ID token, because it is not even a JWS: ~a" msgstr "ce n’est pas un jeton d’ID, parce que ce n’est même pas un JWS : ~a" -#: src/scm/webid-oidc/oidc-id-token.scm:70 +#: src/scm/webid-oidc/oidc-id-token.scm:71 msgid "this is not an ID token, because it is not even a JWS" msgstr "ce n’est pas un jeton d’ID, parce que ce n’est même pas un JWS" -#: src/scm/webid-oidc/oidc-id-token.scm:72 +#: src/scm/webid-oidc/oidc-id-token.scm:73 #, scheme-format msgid "this is not an ID token: ~a" msgstr "ce n’est pas un jeton d’ID : ~a" -#: src/scm/webid-oidc/oidc-id-token.scm:75 +#: src/scm/webid-oidc/oidc-id-token.scm:76 msgid "this is not an ID token" msgstr "ce n’est pas un jeton d’ID" -#: src/scm/webid-oidc/oidc-id-token.scm:131 +#: src/scm/webid-oidc/oidc-id-token.scm:132 #, scheme-format msgid "the \"sub\" field should be a string, ~s is given" msgstr "le champ « sub » doit être une chaîne de caractères, pas ~s" -#: src/scm/webid-oidc/oidc-id-token.scm:138 +#: src/scm/webid-oidc/oidc-id-token.scm:139 #, scheme-format msgid "the \"aud\" field should be an URI, ~s is given" msgstr "le champ « aud » doit être une URI, pas ~s" -#: src/scm/webid-oidc/oidc-id-token.scm:145 +#: src/scm/webid-oidc/oidc-id-token.scm:146 #, scheme-format msgid "the \"nonce\" field should be a string, ~s is given" msgstr "le champ « nonce » doit être une chaîne de caractères, pas ~s" -#: src/scm/webid-oidc/oidc-id-token.scm:165 +#: src/scm/webid-oidc/oidc-id-token.scm:166 msgid "the payload should be a JSON object" msgstr "la charge utile doit être un objet JSON" -#: src/scm/webid-oidc/oidc-id-token.scm:218 +#: src/scm/webid-oidc/oidc-id-token.scm:219 #, scheme-format msgid "the ID token is invalid: ~a" msgstr "le jeton d’ID est invalide : 
~a" -#: src/scm/webid-oidc/oidc-id-token.scm:220 +#: src/scm/webid-oidc/oidc-id-token.scm:221 msgid "the ID token is invalid" msgstr "le jeton d’ID est invalide" -#: src/scm/webid-oidc/oidc-id-token.scm:258 +#: src/scm/webid-oidc/oidc-id-token.scm:259 #, scheme-format msgid "I cannot query the JWKS URI of the identity provider: ~a" msgstr "je ne peux pas requêter l’URI de JWKS du fournisseur d’identité : ~a" -#: src/scm/webid-oidc/oidc-id-token.scm:260 +#: src/scm/webid-oidc/oidc-id-token.scm:261 msgid "I cannot query the JWKS URI of the identity provider" msgstr "impossible de requêter l’URI de JWKS du fournisseur d’identité" -#: src/scm/webid-oidc/oidc-id-token.scm:271 +#: src/scm/webid-oidc/oidc-id-token.scm:272 #, scheme-format msgid "the ID token is signed in the future, ~a, relative to current ~a" msgstr "" "le jeton d’ID est signé dans le futur, ~a, par rapport à la date courante, ~a" -#: src/scm/webid-oidc/oidc-id-token.scm:280 +#: src/scm/webid-oidc/oidc-id-token.scm:281 #, scheme-format msgid "the ID token expired ~a, which is in the past (from ~a)" msgstr "le jeton d’ID a expiré le ~a, qui est dans le passé (depuis ~a)" -#: src/scm/webid-oidc/oidc-id-token.scm:294 +#: src/scm/webid-oidc/oidc-id-token.scm:295 #, scheme-format msgid "cannot encode the ID token: ~a" msgstr "impossible d’encoder le jeton d’ID : ~a" -#: src/scm/webid-oidc/oidc-id-token.scm:296 +#: src/scm/webid-oidc/oidc-id-token.scm:297 msgid "cannot encode the ID token" msgstr "impossible d’encoder le jeton d’ID" diff --git a/src/scm/webid-oidc/access-token.scm b/src/scm/webid-oidc/access-token.scm index 0cc8c27..7e67270 100644 --- a/src/scm/webid-oidc/access-token.scm +++ b/src/scm/webid-oidc/access-token.scm @@ -325,7 +325,6 @@ (define* (issue-access-token issuer-key #:key - (alg #f) (webid #f) (iss #f) (validity 3600) 
@@ -338,7 +337,7 @@ (exp (+ iat validity))) (jws-encode (the-access-token - `(((alg . ,(symbol->string alg))) + `(((alg . ,(symbol->string (alg issuer-key)))) . ((webid . ,(uri->string webid)) (iss . ,(uri->string iss)) (aud . "solid") diff --git a/src/scm/webid-oidc/authorization-code.scm b/src/scm/webid-oidc/authorization-code.scm index ff7fe60..1481b2c 100644 --- a/src/scm/webid-oidc/authorization-code.scm +++ b/src/scm/webid-oidc/authorization-code.scm @@ -18,6 +18,7 @@ #:use-module (webid-oidc errors) #:use-module ((webid-oidc stubs) #:prefix stubs:) #:use-module (webid-oidc jws) + #:use-module (webid-oidc jwk) #:use-module (webid-oidc jti) #:use-module ((webid-oidc parameters) #:prefix p:) #:use-module (web uri) @@ -209,14 +210,13 @@ (define* (issue-authorization-code issuer-key #:key - alg (validity 120) webid client-id) (let* ((iat (time-second (date->time-utc ((p:current-date))))) (exp (+ iat validity))) (authorization-code-encode - `(((alg . ,(symbol->string alg))) + `(((alg . ,(symbol->string (alg issuer-key)))) . ((webid . ,(uri->string webid)) (client_id . ,(uri->string client-id)) (exp . ,exp) diff --git a/src/scm/webid-oidc/authorization-endpoint.scm b/src/scm/webid-oidc/authorization-endpoint.scm index 86a8a4d..cf45a9c 100644 --- a/src/scm/webid-oidc/authorization-endpoint.scm +++ b/src/scm/webid-oidc/authorization-endpoint.scm @@ -43,7 +43,7 @@ (let ((c (crypt password encrypted-password))) (string=? c encrypted-password))) -(define* (make-authorization-endpoint subject encrypted-password alg jwk validity +(define* (make-authorization-endpoint subject encrypted-password jwk validity #:key (http-get http-get)) (define (parse-arg x decode-plus-to-space?) @@ -108,7 +108,6 @@ (lambda () (let ((code (issue-authorization-code jwk - #:alg alg #:webid subject #:client-id client-id)) (mf (get-client-manifest client-id diff --git a/src/scm/webid-oidc/client.scm b/src/scm/webid-oidc/client.scm index 52a33a4..5b6b0ef 100644 --- a/src/scm/webid-oidc/client.scm 
+++ b/src/scm/webid-oidc/client.scm @@ -139,9 +139,6 @@ (let ((key-pair (account:key-pair account))) (issue-dpop-proof key-pair - #:alg (case (kty key-pair) - ((EC) 'ES256) - ((RSA) 'RS256)) #:htm method #:htu uri #:access-token access-token)))) diff --git a/src/scm/webid-oidc/client/accounts.scm b/src/scm/webid-oidc/client/accounts.scm index 54c6e07..ddb592a 100644 --- a/src/scm/webid-oidc/client/accounts.scm +++ b/src/scm/webid-oidc/client/accounts.scm @@ -255,9 +255,6 @@ (let ((dpop-proof (dpop:issue-dpop-proof key-pair - #:alg (case (jwk:kty key-pair) - ((EC) 'ES256) - ((RSA) 'RS256)) #:htm 'POST #:htu token-endpoint))) (receive (response response-body) diff --git a/src/scm/webid-oidc/dpop-proof.scm b/src/scm/webid-oidc/dpop-proof.scm index 5e01235..8c66f68 100644 --- a/src/scm/webid-oidc/dpop-proof.scm +++ b/src/scm/webid-oidc/dpop-proof.scm @@ -409,13 +409,12 @@ (define* (issue-dpop-proof client-key #:key - (alg #f) (htm #f) (htu #f) (access-token #f)) (dpop-proof-encode (the-dpop-proof - `(((alg . ,(symbol->string alg)) + `(((alg . ,(symbol->string (alg client-key))) (typ . "dpop+jwt") (jwk . ,(key->jwk (public-key client-key)))) . ((jti . ,(stubs:random 12)) diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm index cf06b62..7973917 100644 --- a/src/scm/webid-oidc/identity-provider.scm +++ b/src/scm/webid-oidc/identity-provider.scm 
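Review bot: The proof header's `alg` now comes from `(alg client-key)` while the embedded `jwk` is `(key->jwk (public-key client-key))`, which, per the `key->jwk` methods changed in this same commit, carries no `alg` member; nothing in the hunk says this asymmetry is intended. A one-line comment above the header, `;; alg lives on the private half of the key; the public JWK we embed deliberately omits it`, would save the next reader a trip to jwk.scm. `issue-dpop-proof`'s body continues past the end of the hunk.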
@@ -80,73 +80,69 @@ (lambda (port) (stubs:scm->json (key->jwk k) port #:pretty #t))) k))))) - (let ((alg - (if (eq? (kty key) 'RSA) - 'RS256 - 'ES256))) - (let ((authorization-endpoint - (make-authorization-endpoint subject encrypted-password alg key 120 - #:http-get http-get)) - (token-endpoint - (make-token-endpoint token-endpoint-uri issuer alg key 3600)) - (openid-configuration - `((jwks_uri . ,(uri->string jwks-uri)) - (authorization_endpoint . ,(uri->string authorization-endpoint-uri)) - (token_endpoint . ,(uri->string token-endpoint-uri)) - (solid_oidc_supported . "https://solidproject.org/TR/solid-oidc"))) - (openid-configuration-uri - (build-uri 'https - #:host (uri-host issuer) - #:path "/.well-known/openid-configuration"))) - (lambda (request request-body) - (let ((uri (request-uri request)) - (current-time ((p:current-date)))) - (parameterize ((web-locale request)) - (cond ((same-uri? uri openid-configuration-uri) - (let* ((current-sec (time-second (date->time-utc current-time))) - (exp-sec (+ current-sec 3600)) - (exp (time-utc->date - (make-time time-utc 0 exp-sec)))) - (serve-oidc-configuration exp openid-configuration))) - ((same-uri? uri jwks-uri) - (let* ((current-sec (time-second (date->time-utc current-time))) - (exp-sec (+ current-sec 3600)) - (exp (time-utc->date - (make-time time-utc 0 exp-sec)))) - (serve (make #:keys (list key)) exp))) - ((same-uri? uri authorization-endpoint-uri #:skip-query #t) - (authorization-endpoint request request-body)) - ((same-uri? uri token-endpoint-uri) - (token-endpoint request request-body)) - ((same-uri? uri subject) - (values - (build-response #:headers '((content-type text/turtle)) - #:port #f) - (format #f - "@prefix foaf: . + (let ((authorization-endpoint + (make-authorization-endpoint subject encrypted-password key 120 + #:http-get http-get)) + (token-endpoint + (make-token-endpoint token-endpoint-uri issuer key 3600)) + (openid-configuration + `((jwks_uri . 
,(uri->string jwks-uri)) + (authorization_endpoint . ,(uri->string authorization-endpoint-uri)) + (token_endpoint . ,(uri->string token-endpoint-uri)) + (solid_oidc_supported . "https://solidproject.org/TR/solid-oidc"))) + (openid-configuration-uri + (build-uri 'https + #:host (uri-host issuer) + #:path "/.well-known/openid-configuration"))) + (lambda (request request-body) + (let ((uri (request-uri request)) + (current-time ((p:current-date)))) + (parameterize ((web-locale request)) + (cond ((same-uri? uri openid-configuration-uri) + (let* ((current-sec (time-second (date->time-utc current-time))) + (exp-sec (+ current-sec 3600)) + (exp (time-utc->date + (make-time time-utc 0 exp-sec)))) + (serve-oidc-configuration exp openid-configuration))) + ((same-uri? uri jwks-uri) + (let* ((current-sec (time-second (date->time-utc current-time))) + (exp-sec (+ current-sec 3600)) + (exp (time-utc->date + (make-time time-utc 0 exp-sec)))) + (serve (make #:keys (list key)) exp))) + ((same-uri? uri authorization-endpoint-uri #:skip-query #t) + (authorization-endpoint request request-body)) + ((same-uri? uri token-endpoint-uri) + (token-endpoint request request-body)) + ((same-uri? uri subject) + (values + (build-response #:headers '((content-type text/turtle)) + #:port #f) + (format #f + "@prefix foaf: . @prefix rdfs: . <#~a> a foaf:Person ; rdfs:comment \"It works. Now you should use another service to serve that resource.\" . " - (uri-fragment subject)))) - (else - (values - (build-response #:code 404 - #:reason-phrase (W_ "reason-phrase|Not Found") - #:headers '((content-type application/xhtml+xml))) - (with-output-to-string - (lambda () - (sxml->xml - `(*TOP* (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(sxml-match - (xml->sxml - (W_ (format #f "

Resource not found

"))) - ((*TOP* ,title) title)) - ,(sxml-match - (xml->sxml - (W_ (format #f "

This OpenID Connect identity provider does not know the resource you are requesting.

"))) - ((*TOP* ,p) p)))))))))))))))))) + (uri-fragment subject)))) + (else + (values + (build-response #:code 404 + #:reason-phrase (W_ "reason-phrase|Not Found") + #:headers '((content-type application/xhtml+xml))) + (with-output-to-string + (lambda () + (sxml->xml + `(*TOP* (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") + (html (@ (xmlns "http://www.w3.org/1999/xhtml") + (xml:lang ,(W_ "xml-lang|en"))) + (body + ,(sxml-match + (xml->sxml + (W_ (format #f "

Resource not found

"))) + ((*TOP* ,title) title)) + ,(sxml-match + (xml->sxml + (W_ (format #f "

This OpenID Connect identity provider does not know the resource you are requesting.

"))) + ((*TOP* ,p) p))))))))))))))))) diff --git a/src/scm/webid-oidc/jwk.scm b/src/scm/webid-oidc/jwk.scm index e0308cb..f06818d 100644 --- a/src/scm/webid-oidc/jwk.scm +++ b/src/scm/webid-oidc/jwk.scm @@ -31,7 +31,7 @@ #:declarative? #t #:export ( - + alg public-key private-key @@ -72,7 +72,8 @@ make-not-a-jwks not-a-jwks?) -(define-class ()) +(define-class () + (alg #:init-keyword #:alg #:accessor alg)) (define-class ()) @@ -154,6 +155,12 @@ (define-method (initialize (key ) initargs) (next-method) + (let-keywords + initargs #t + ((alg #f)) + (when (string? alg) + (set! alg (string->symbol alg))) + (slot-set! key 'alg (or alg 'RS256))) (check-key key)) (define-method (initialize (key ) initargs) @@ -166,8 +173,17 @@ (define-method (initialize (key ) initargs) (next-method) + (let-keywords + initargs #t + ((alg #f)) + (when (string? alg) + (set! alg (string->symbol alg))) + (slot-set! key 'alg (or alg 'ES256))) (check-key key)) +(define-method (alg (key )) + (alg (private-key key))) + (define-method (rsa-d (key )) (rsa-d (private-key key))) @@ -216,7 +232,8 @@ (equal? (rsa-e x) (rsa-e y)))) (define-method (equal? (x ) (y )) - (and (equal? (rsa-d x) (rsa-d y)) + (and (equal? (alg x) (alg y)) + (equal? (rsa-d x) (rsa-d y)) (equal? (rsa-p x) (rsa-p y)) (equal? (rsa-q x) (rsa-q y)) (equal? (rsa-dp x) (rsa-dp y)) @@ -228,7 +245,8 @@ (equal? (ec-y x) (ec-y y)))) (define-method (equal? (x ) (y )) - (equal? (ec-z x) (ec-z y))) + (and (equal? (alg x) (alg y)) + (equal? (ec-z x) (ec-z y)))) (define (check-and-kty key) (with-exception-handler @@ -273,6 +291,7 @@ (define-method (key->jwk (key )) `((kty . ,(symbol->string (kty key))) + (alg . ,(symbol->string (alg key))) (d . ,(rsa-d key)) (p . ,(rsa-p key)) (q . ,(rsa-q key)) @@ -294,6 +313,7 @@ (define-method (key->jwk (key )) `((crv . ,(symbol->string (ec-crv key))) (kty . ,(symbol->string (kty key))) + (alg . ,(symbol->string (alg key))) (z . ,(ec-z key)))) (define-method (check-key key) 
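Review bot: Almost every line of this hunk is re-indentation from dropping the `(let ((alg ...)))` wrapper; the only functional change is that `make-authorization-endpoint` and `make-token-endpoint` no longer receive `alg`, which is easy to miss in the noise. The previous choice (`RS256` for RSA, otherwise `ES256`) was derived here from the key type, whereas it now comes from the loaded key, so an `alg` member in the on-disk key file (presumably read through `jwk->key`, which this commit teaches to pick it up) will decide the header of every token this provider issues without leaving any trace. Consider logging the resulting `(alg key)` once next to the key-loading code so an operator can see which algorithm is in use. The enclosing definition starts before the hunk.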
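Review bot: The `alg` stored by both `initialize` methods is never checked against the key type or against the signature algorithms the JWS layer supports: `(slot-set! key 'alg (or alg 'RS256))` keeps any symbol, so a key file carrying `"alg": "ES256"` on an RSA key, or `"none"`/`"HS256"`, is accepted here and later written verbatim into every token header by `(symbol->string (alg issuer-key))` in the access-token, id-token and authorization-code hunks, with only `check-key` (outside this hunk) left to catch it. I would reject anything outside an explicit per-class allowlist at construction time, e.g. `(unless (memq alg '(RS256 RS384 RS512)) ...)` raising whatever `check-key` raises for a malformed key, with the EC list restricted to what the curve actually supports. The two `let-keywords` blocks are identical apart from the default symbol; a small private helper taking the initargs and the default would keep the normalisation and the check in one place.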
@@ -348,7 +368,8 @@ key) (define (jwk->key fields) - (let ((kty (stubs:kty fields))) + (let ((kty (stubs:kty fields)) + (alg (assq-ref fields 'alg))) (let ((explicit-kty (assq-ref fields 'kty))) (when (and kty explicit-kty (not (eq? kty (string->symbol explicit-kty)))) (raise-exception @@ -371,7 +392,14 @@ (make #:n n #:e e))) (private (and d p q dp dq qi - (make #:d d #:p p #:q q #:dp dp #:dq dq #:qi qi)))) + (make + #:alg (and alg (string->symbol alg)) + #:d d + #:p p + #:q q + #:dp dp + #:dq dq + #:qi qi)))) (if (and public private) (make #:public-key public #:private-key private) (or public private))))) @@ -385,7 +413,10 @@ (make #:crv crv #:x x #:y y))) (private (and z - (make #:crv crv #:z z)))) + (make + #:alg (and alg (string->symbol alg)) + #:crv crv + #:z z)))) (if (and public private) (make #:public-key public #:private-key private) (or public private))))) diff --git a/src/scm/webid-oidc/oidc-id-token.scm b/src/scm/webid-oidc/oidc-id-token.scm index e44d946..abef88d 100644 --- a/src/scm/webid-oidc/oidc-id-token.scm +++ b/src/scm/webid-oidc/oidc-id-token.scm @@ -18,6 +18,7 @@ #:use-module (webid-oidc oidc-configuration) #:use-module (webid-oidc errors) #:use-module (webid-oidc jws) + #:use-module (webid-oidc jwk) #:use-module (webid-oidc jti) #:use-module (webid-oidc web-i18n) #:use-module ((webid-oidc stubs) #:prefix stubs:) @@ -302,7 +303,6 @@ (define* (issue-id-token issuer-key #:key - (alg #f) (webid #f) (iss #f) (sub #f) @@ -314,7 +314,7 @@ (exp (+ iat validity))) (jws-encode (the-id-token - `(((alg . ,(symbol->string alg))) + `(((alg . ,(symbol->string (alg issuer-key)))) . ((webid . ,(uri->string webid)) (iss . ,(uri->string iss)) (sub . ,sub) diff --git a/src/scm/webid-oidc/token-endpoint.scm b/src/scm/webid-oidc/token-endpoint.scm index 30a78d4..81f8e48 100644 --- a/src/scm/webid-oidc/token-endpoint.scm +++ b/src/scm/webid-oidc/token-endpoint.scm 
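Review bot: In `jwk->key` the new `alg` binding goes through `(string->symbol alg)` without a type check, so a JWK whose `alg` member is a JSON number, list or object makes `string->symbol` raise a raw wrong-type error instead of the structured error other malformed fields get (unless a handler outside the hunk converts it). Since `initialize` already turns a string `alg` into a symbol, both `#:alg (and alg (string->symbol alg))` lines can simply become `#:alg alg`, and a single `(unless (or (not alg) (string? alg)) ...)` next to the existing `explicit-kty` check covers the type in one place. None of the test changes in this commit exercise a key that has an `alg` member, they only delete `#:alg` arguments, so a test loading a JWK with an explicit, a mismatched and a non-string `alg` would pin the new behaviour.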
@@ -177,7 +177,7 @@ port))))))) thunk)))) -(define (make-token-endpoint token-endpoint-uri iss alg jwk validity) +(define (make-token-endpoint token-endpoint-uri iss jwk validity) (lambda (request request-body) (when (bytevector? request-body) (set! request-body (utf8->string request-body))) @@ -290,7 +290,6 @@ (let ((id-token (issue-id-token jwk - #:alg alg #:webid webid #:sub (uri->string webid) #:iss iss @@ -299,7 +298,6 @@ (access-token (issue-access-token jwk - #:alg alg #:webid webid #:iss iss #:validity 3600 diff --git a/tests/authorization-endpoint-get-form.scm b/tests/authorization-endpoint-get-form.scm index 7dbf6ba..6830df8 100644 --- a/tests/authorization-endpoint-get-form.scm +++ b/tests/authorization-endpoint-get-form.scm @@ -29,7 +29,6 @@ (with-test-environment "authorization-endpoint-get-form" (lambda () - (define alg 'RS256) (define key (generate-key #:n-size 2048)) (define subject (string->uri "https://authorization-endpoint-get-form.scm/profile/card#me")) (define password "p4ssw0rd") @@ -38,7 +37,7 @@ (exit 2)) (define endpoint (make-authorization-endpoint - subject password alg key validity + subject password key validity #:http-get http-get)) (receive (response response-body) (parameterize ((p:current-date 0)) diff --git a/tests/authorization-endpoint-no-args.scm b/tests/authorization-endpoint-no-args.scm index e996db3..a9661cd 100644 --- a/tests/authorization-endpoint-no-args.scm +++ b/tests/authorization-endpoint-no-args.scm @@ -29,7 +29,6 @@ (with-test-environment "authorization-endpoint-no-args" (lambda () - (define alg 'RS256) (define key (generate-key #:n-size 2048)) (define subject (string->uri "https://authorization-endpoint-get-form.scm/profile/card#me")) (define password "p4ssw0rd") @@ -38,7 +37,7 @@ (exit 2)) (define endpoint (make-authorization-endpoint - subject password alg key validity + subject password key validity #:http-get http-get)) (receive (response response-body) (parameterize ((p:current-date 0)) 
diff --git a/tests/authorization-endpoint-submit-form.scm b/tests/authorization-endpoint-submit-form.scm index ef84f40..37059fe 100644 --- a/tests/authorization-endpoint-submit-form.scm +++ b/tests/authorization-endpoint-submit-form.scm @@ -33,7 +33,6 @@ (with-test-environment "authorization-endpoint-submit-form" (lambda () - (define alg 'RS256) (define key (generate-key #:n-size 2048)) (define subject (string->uri "https://authorization-endpoint-submit-form.scm/profile/card#me")) (define client (string->uri "https://authorization-endpoint-submit-form.scm/client/card#app")) @@ -58,7 +57,7 @@ (with-cache #:http-get http-get)) (define endpoint (make-authorization-endpoint - subject encrypted-password alg key validity + subject encrypted-password key validity #:http-get cached-http-get)) (receive (response response-body) ;; The password is fake! diff --git a/tests/dpop-proof-iat-in-future.scm b/tests/dpop-proof-iat-in-future.scm index d7f345b..f212643 100644 --- a/tests/dpop-proof-iat-in-future.scm +++ b/tests/dpop-proof-iat-in-future.scm @@ -34,7 +34,6 @@ (parameterize ((p:current-date 10)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler diff --git a/tests/dpop-proof-iat-too-late.scm b/tests/dpop-proof-iat-too-late.scm index 7cf2146..149e814 100644 --- a/tests/dpop-proof-iat-too-late.scm +++ b/tests/dpop-proof-iat-too-late.scm @@ -34,7 +34,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler diff --git a/tests/dpop-proof-invalid-ath.scm b/tests/dpop-proof-invalid-ath.scm index cecd162..a82cf47 100644 --- a/tests/dpop-proof-invalid-ath.scm +++ b/tests/dpop-proof-invalid-ath.scm 
@@ -35,7 +35,6 @@ (parameterize ((p:current-date 10)) (issue-access-token idp-key - #:alg 'RS256 #:webid (string->uri "https://data.provider/subject") #:iss (string->uri "https://identity.provider") #:validity 3600 @@ -45,7 +44,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res?query") #:access-token "aaaaaaaaaaaaaaa"))) diff --git a/tests/dpop-proof-no-ath.scm b/tests/dpop-proof-no-ath.scm index 3d87368..ec37836 100644 --- a/tests/dpop-proof-no-ath.scm +++ b/tests/dpop-proof-no-ath.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res?query")))) (with-exception-handler diff --git a/tests/dpop-proof-replay.scm b/tests/dpop-proof-replay.scm index 71cabe5..19e6a30 100644 --- a/tests/dpop-proof-replay.scm +++ b/tests/dpop-proof-replay.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (define (decode) diff --git a/tests/dpop-proof-valid-ath.scm b/tests/dpop-proof-valid-ath.scm index d916dcd..2a27e88 100644 --- a/tests/dpop-proof-valid-ath.scm +++ b/tests/dpop-proof-valid-ath.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 10)) (issue-access-token idp-key - #:alg 'RS256 #:webid (string->uri "https://data.provider/subject") #:iss (string->uri "https://identity.provider") #:validity 3600 @@ -43,7 +42,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag") #:access-token access-token))) diff --git a/tests/dpop-proof-valid.scm b/tests/dpop-proof-valid.scm index 893687d..71ef602 100644 --- a/tests/dpop-proof-valid.scm +++ b/tests/dpop-proof-valid.scm 
@@ -32,7 +32,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (define decoded diff --git a/tests/dpop-proof-wrong-htm.scm b/tests/dpop-proof-wrong-htm.scm index 204e87a..1e94f72 100644 --- a/tests/dpop-proof-wrong-htm.scm +++ b/tests/dpop-proof-wrong-htm.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'POST #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler diff --git a/tests/dpop-proof-wrong-htu.scm b/tests/dpop-proof-wrong-htu.scm index 05bdea5..299060e 100644 --- a/tests/dpop-proof-wrong-htu.scm +++ b/tests/dpop-proof-wrong-htu.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/other-res#frag")))) (with-exception-handler diff --git a/tests/dpop-proof-wrong-key.scm b/tests/dpop-proof-wrong-key.scm index ca1e01b..1f3d033 100644 --- a/tests/dpop-proof-wrong-key.scm +++ b/tests/dpop-proof-wrong-key.scm @@ -33,7 +33,6 @@ (parameterize ((p:current-date 0)) (issue-dpop-proof jwk - #:alg 'RS256 #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler diff --git a/tests/resource-server.scm b/tests/resource-server.scm index 4df742f..02b7e46 100644 --- a/tests/resource-server.scm +++ b/tests/resource-server.scm @@ -59,7 +59,6 @@ (parameterize ((p:current-date 10)) (issue-access-token idp-key - #:alg 'RS256 #:webid subject #:iss (string->uri "https://identity.provider") #:validity 3600 @@ -72,7 +71,6 @@ (parameterize ((p:current-date 15)) (issue-dpop-proof client-key - #:alg 'RS256 #:htm method #:htu uri #:access-token access-token))) diff --git a/tests/token-endpoint-issue.scm b/tests/token-endpoint-issue.scm index 3b21f9b..c80658c 100644 --- a/tests/token-endpoint-issue.scm +++ b/tests/token-endpoint-issue.scm 
@@ -35,7 +35,6 @@ (with-test-environment "token-endpoint-issue" (lambda () - (define alg 'RS256) (define key (generate-key #:n-size 2048)) (define client-key (generate-key #:n-size 2048)) (define subject (string->uri "https://token-endpoint-issue.scm/profile/card#me")) @@ -46,21 +45,19 @@ (parameterize ((p:current-date 0)) (issue-authorization-code key - #:alg alg #:validity 120 #:webid subject #:client-id client))) (define endpoint (make-token-endpoint (string->uri "https://token-endpoint-issue.scm/token") - issuer alg key validity)) + issuer key validity)) (receive (response response-body . _) ;; The code is fake! (let ((dpop (parameterize ((p:current-date 0)) (issue-dpop-proof client-key - #:alg alg #:htm 'POST #:htu (string->uri "https://token-endpoint-issue.scm/token"))))) @@ -80,7 +77,6 @@ (parameterize ((p:current-date 10)) (issue-dpop-proof client-key - #:alg alg #:htm 'POST #:htu (string->uri "https://token-endpoint-issue.scm/token"))))) diff --git a/tests/token-endpoint-refresh.scm b/tests/token-endpoint-refresh.scm index 2d5ece4..f14d648 100644 --- a/tests/token-endpoint-refresh.scm +++ b/tests/token-endpoint-refresh.scm @@ -35,7 +35,6 @@ (with-test-environment "token-endpoint-refresh" (lambda () - (define alg 'RS256) (define key (generate-key #:n-size 2048)) (define client-key (generate-key #:n-size 2048)) (define subject (string->uri "https://token-endpoint-issue.scm/profile/card#me")) @@ -46,14 +45,13 @@ (issue-refresh-token subject client (jkt client-key))) (define endpoint (make-token-endpoint (string->uri "https://token-endpoint-issue.scm/token") - issuer alg key validity)) + issuer key validity)) (receive (response response-body . _) ;; The refresh token is fake! (let ((dpop (parameterize ((p:current-date 0)) (issue-dpop-proof client-key - #:alg alg #:htm 'POST #:htu (string->uri "https://token-endpoint-issue.scm/token"))))) 
@@ -73,7 +71,6 @@ (parameterize ((p:current-date 10)) (issue-dpop-proof client-key - #:alg alg #:htm 'POST #:htu (string->uri "https://token-endpoint-issue.scm/token"))))) -- cgit v1.2.3