From ecbac72644b054f635bdf57e0f7d42131f1b3616 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Sun, 6 Dec 2020 20:06:32 +0100 Subject: Implement the resource server verification code --- src/scm/webid-oidc/Makefile.am | 6 ++- src/scm/webid-oidc/resource-server.scm | 86 ++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 src/scm/webid-oidc/resource-server.scm (limited to 'src') diff --git a/src/scm/webid-oidc/Makefile.am b/src/scm/webid-oidc/Makefile.am index 42c65b6..061af17 100644 --- a/src/scm/webid-oidc/Makefile.am +++ b/src/scm/webid-oidc/Makefile.am @@ -19,7 +19,8 @@ dist_webidoidcmod_DATA += \ %reldir%/authorization-endpoint.scm \ %reldir%/token-endpoint.scm \ %reldir%/identity-provider.scm \ - %reldir%/provider-confirmation.scm + %reldir%/provider-confirmation.scm \ + %reldir%/resource-server.scm webidoidcgo_DATA += \ %reldir%/errors.go \ @@ -42,6 +43,7 @@ webidoidcgo_DATA += \ %reldir%/authorization-endpoint.go \ %reldir%/token-endpoint.go \ %reldir%/identity-provider.go \ - %reldir%/provider-confirmation.go + %reldir%/provider-confirmation.go \ + %reldir%/resource-server.go EXTRA_DIST += %reldir%/ChangeLog diff --git a/src/scm/webid-oidc/resource-server.scm b/src/scm/webid-oidc/resource-server.scm new file mode 100644 index 0000000..cef6a0c --- /dev/null +++ b/src/scm/webid-oidc/resource-server.scm @@ -0,0 +1,86 @@ +(define-module (webid-oidc resource-server) + #:use-module (webid-oidc errors) + #:use-module (webid-oidc oidc-configuration) + #:use-module (webid-oidc provider-confirmation) + #:use-module (webid-oidc jwk) + #:use-module (webid-oidc dpop-proof) + #:use-module ((webid-oidc config) #:prefix cfg:) + #:use-module (webid-oidc jti) + #:use-module (webid-oidc access-token) + #:use-module (web request) + #:use-module (web response) + #:use-module (web uri) + #:use-module (web server) + #:use-module (web client) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (ice-9 i18n) + #:use-module (ice-9 getopt-long) + #:use-module (ice-9 suspendable-ports) + #:use-module (sxml simple) + #:use-module (srfi srfi-19)) + +(define (G_ text) + (let ((out (gettext text))) + (if (string=? out text) + ;; No translation, disambiguate + (car (reverse (string-split text #\|))) + out))) + +(define*-public (make-authenticator jti-list + #:key + (server-uri #f) + (current-time current-time) + (http-get http-get)) + (unless (and server-uri (uri? server-uri)) + (error "You need to pass #:server-uri URI where URI is the public URI of the server, as a (web uri).")) + (lambda (request request-body) + (let ((headers (request-headers request)) + (uri (request-uri request)) + (method (request-method request)) + (current-time + (let ((t current-time)) + (when (thunk? t) + (set! t (t))) + (when (integer? t) + (set! t (make-time time-utc 0 t))) + (when (time? t) + (set! t (time-utc->date t))) + t))) + (let ((authz (assoc-ref headers 'authorization)) + (dpop (assoc-ref headers 'dpop)) + (full-uri (build-uri (uri-scheme server-uri) + #:userinfo (uri-userinfo server-uri) + #:host (uri-host server-uri) + #:port (uri-port server-uri) + #:path (string-append + "/" + (encode-and-join-uri-path + (append + (split-and-decode-uri-path (uri-path server-uri)) + (split-and-decode-uri-path + (uri-path uri)))))))) + (and authz dpop + (eq? (car authz) 'dpop) + (with-exception-handler + (lambda (error) + (format (current-error-port) + (G_ "~a: authentication failure: ~a\n") + (date->string current-time) + (error->str error)) + #f) + (lambda () + (let* ((access-token + (access-token-decode + (symbol->string (cadr authz)) + #:http-get http-get)) + (cnf/jkt (access-token-cnf/jkt access-token)) + (dpop-proof + (dpop-proof-decode + current-time jti-list method full-uri + dpop cnf/jkt))) + (let ((subject (access-token-webid access-token)) + (issuer (access-token-iss access-token))) + (confirm-provider subject issuer #:http-get http-get) + subject))) + #:unwind? #t)))))) -- cgit v1.2.3