diff --git a/authz/authz.go b/authz/authz.go
index ea9fd134cc54..e5d450306c98 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -94,6 +94,7 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
+p, *, *, *, /api/certs, *, *
 `
 sa := stringadapter.NewAdapter(ruleText)
diff --git a/controllers/oidc_discovery.go b/controllers/oidc_discovery.go
index 560df801e700..cfb1177e186e 100644
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@@ -20,3 +20,13 @@ func (c *ApiController) GetOidcDiscovery() {
 c.Data["json"] = object.GetOidcDiscovery()
 c.ServeJSON()
 }
+
+func (c *ApiController) GetOidcCert() {
+ jwks, err := object.GetJSONWebKeySet()
+ if err != nil {
+ c.ResponseError(err.Error())
+ return
+ }
+ c.Data["json"] = jwks
+ c.ServeJSON()
+}
diff --git a/go.mod b/go.mod
index ecde7b429fec..c388a608d759 100644
--- a/go.mod
+++ b/go.mod
@@ -23,13 +23,13 @@ require (
 github.com/satori/go.uuid v1.2.0 // indirect
 github.com/smartystreets/goconvey v1.6.4 // indirect
 github.com/thanhpk/randstr v1.0.4
- golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 gopkg.in/ini.v1 v1.62.0 // indirect
+ gopkg.in/square/go-jose.v2 v2.6.0
 xorm.io/core v0.7.2
 xorm.io/xorm v1.0.3
 )
diff --git a/go.sum b/go.sum
index 5286c54ee050..c71568466df7 100644
--- a/go.sum
+++ b/go.sum
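Review bot: The new policy line grants every HTTP method on /api/certs, while the neighbouring discovery rule and the other read-only endpoints in this block are limited to GET; a JWKS document is read-only, so the narrower rule `p, *, *, GET, /api/certs, *, *` is the consistent choice. The routers/router.go hunk registers the same handler with `"*:GetOidcCert"`, which should be tightened to `"GET:GetOidcCert"` for the same reason. Leaving the subject and domain columns as `*` is appropriate here, since relying parties fetch the key set anonymously.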
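Review bot: The error branch in GetOidcCert is currently unreachable, because object.GetJSONWebKeySet as added in this diff always returns a nil error; the branch is right to keep, but it only becomes meaningful once the PEM and certificate parse failures in that function are reported instead of discarded. The exported method also lacks a doc comment; `// GetOidcCert serves the JSON Web Key Set built by object.GetJSONWebKeySet.` would do. Whether the discovery document returned by GetOidcDiscovery advertises this path as its jwks_uri is not visible in the diff and is worth confirming.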
@@ -597,6 +597,8 @@ gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/object/oidc_discovery.go b/object/oidc_discovery.go
index f7f42375bf3f..ef55b0438b3c 100644
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@@ -15,8 +15,12 @@
 package object
 import (
+ "crypto/x509"
+ "encoding/pem"
 "fmt"
+ jose "gopkg.in/square/go-jose.v2"
+
 "github.com/astaxie/beego"
 )
@@ -68,3 +72,20 @@ func init() {
 func GetOidcDiscovery() OidcDiscovery {
 return oidcDiscovery
 }
+
+func GetJSONWebKeySet() (jose.JSONWebKeySet, error) {
+ //follows the protocol rfc 7517(draft)
+ //link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
+ //or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
+ certPEMBlock := []byte(tokenJwtPublicKey)
+ certDERBlock, _ := pem.Decode(certPEMBlock)
+ x509Cert, _ := x509.ParseCertificate(certDERBlock.Bytes)
+
+ var jwk jose.JSONWebKey
+ jwk.Key = x509Cert.PublicKey
+ jwk.Certificates = []*x509.Certificate{x509Cert}
+
+ var jwks jose.JSONWebKeySet
+ jwks.Keys = []jose.JSONWebKey{jwk}
+ return jwks, nil
+}
diff --git a/routers/router.go b/routers/router.go
index fd447d23fa5e..a553d4599025 100644
--- a/routers/router.go
+++ b/routers/router.go
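Review bot: GetJSONWebKeySet dereferences results it never checks: `pem.Decode` returns a nil block when tokenJwtPublicKey is not PEM, and `x509.ParseCertificate` returns a nil certificate on error, so either failure panics at `certDERBlock.Bytes` or `x509Cert.PublicKey` inside a request handler instead of flowing through the error return the signature already offers. Both errors should be returned, and the key should carry `Use: "sig"`, since the tokenJwtPublicKey name suggests the set is published for token signature verification (confirm). The header comment calls RFC 7517 a draft and links to draft documents; RFC 7517 is the published standard, so `// GetJSONWebKeySet builds the RFC 7517 JWK Set for the certificate held in tokenJwtPublicKey.` is the more accurate header. If the tokens this server issues set a kid header, the JWK should carry the matching KeyID so verifiers can select the key; that is not visible in this diff.
```go
func GetJSONWebKeySet() (jose.JSONWebKeySet, error) {
	// RFC 7517 JWK Set built from the certificate held in tokenJwtPublicKey.
	certDERBlock, _ := pem.Decode([]byte(tokenJwtPublicKey))
	if certDERBlock == nil {
		return jose.JSONWebKeySet{}, fmt.Errorf("tokenJwtPublicKey is not PEM-encoded")
	}
	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
	if err != nil {
		return jose.JSONWebKeySet{}, fmt.Errorf("parsing JWT certificate: %w", err)
	}

	jwk := jose.JSONWebKey{
		Key:          x509Cert.PublicKey,
		Certificates: []*x509.Certificate{x509Cert},
		Use:          "sig", // presumably a signature-verification key; confirm against the token signer
	}
	return jose.JSONWebKeySet{Keys: []jose.JSONWebKey{jwk}}, nil
}
```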
@@ -119,4 +119,5 @@ func initAPI() {
 beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 beego.Router("/.well-known/openid-configuration", &controllers.ApiController{}, "GET:GetOidcDiscovery")
+ beego.Router("/api/certs",&controllers.ApiController{},"*:GetOidcCert")
 }
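Review bot: The added beego.Router call is not gofmt-formatted (no spaces after the commas), unlike the two lines above it; `beego.Router("/api/certs", &controllers.ApiController{}, "*:GetOidcCert")` matches the surrounding style. The `"*"` method selector is raised on the authz/authz.go hunk, where the matching policy line is added. initAPI starts outside this hunk.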