From afebbf29a92b895cd41038a06a68e6f4013df357 Mon Sep 17 00:00:00 2001 From: M Hickford Date: Sun, 23 Oct 2022 07:28:46 +0200 Subject: [PATCH] Require authentication for OAuth token refresh (#21421) According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token" > The authorization server MUST ... require client authentication for confidential clients Fixes #21418 Co-authored-by: Gusted Co-authored-by: Lunny Xiao --- routers/web/auth/oauth.go | 29 +++++++++++++++++++ tests/integration/oauth_test.go | 51 +++++++++++++++++++++++++-------- 2 files changed, 68 insertions(+), 12 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index e0e3c6e59f..c98385c8f6 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -48,6 +48,7 @@ const ( // TODO move error and responses to SDK or models // AuthorizeErrorCode represents an error code specified in RFC 6749 +// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 type AuthorizeErrorCode string const ( @@ -68,6 +69,7 @@ const ( ) // AuthorizeError represents an error type specified in RFC 6749 +// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1 type AuthorizeError struct { ErrorCode AuthorizeErrorCode `json:"error" form:"error"` ErrorDescription string @@ -80,6 +82,7 @@ func (err AuthorizeError) Error() string { } // AccessTokenErrorCode represents an error code specified in RFC 6749 +// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 type AccessTokenErrorCode string const ( @@ -98,6 +101,7 @@ const ( ) // AccessTokenError represents an error response specified in RFC 6749 +// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 type AccessTokenError struct { ErrorCode AccessTokenErrorCode `json:"error" form:"error"` ErrorDescription string `json:"error_description"` @@ -129,6 +133,7 @@ const ( ) // AccessTokenResponse represents a successful access token response +// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2 type AccessTokenResponse struct { AccessToken string `json:"access_token"` TokenType TokenType `json:"token_type"` @@ -663,6 +668,30 @@ func AccessTokenOAuth(ctx *context.Context) { } func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { + app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) + if err != nil { + handleAccessTokenError(ctx, AccessTokenError{ + ErrorCode: AccessTokenErrorCodeInvalidClient, + ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID), + }) + return + } + // "The authorization server MUST ... require client authentication for confidential clients" + // https://datatracker.ietf.org/doc/html/rfc6749#section-6 + if !app.ValidateClientSecret([]byte(form.ClientSecret)) { + errorDescription := "invalid client secret" + if form.ClientSecret == "" { + errorDescription = "invalid empty client secret" + } + // "invalid_client ... Client authentication failed" + // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 + handleAccessTokenError(ctx, AccessTokenError{ + ErrorCode: AccessTokenErrorCodeInvalidClient, + ErrorDescription: errorDescription, + }) + return + } + token, err := oauth2.ParseToken(form.RefreshToken, serverKey) if err != nil { handleAccessTokenError(ctx, AccessTokenError{ diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go index 9621acbbcc..acd32e3625 100644 --- a/tests/integration/oauth_test.go +++ b/tests/integration/oauth_test.go @@ -299,10 +299,11 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) { "client_secret": "inconsistent", }) req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") + resp = MakeRequest(t, req, http.StatusBadRequest) parsedError = new(auth.AccessTokenError) assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) assert.Equal(t, "invalid_request", string(parsedError.ErrorCode)) - assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription) + assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription) } func TestRefreshTokenInvalidation(t *testing.T) { @@ -329,7 +330,33 @@ func TestRefreshTokenInvalidation(t *testing.T) { // test without invalidation setting.OAuth2.InvalidateRefreshTokens = false - refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ + req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ + "grant_type": "refresh_token", + "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138", + // omit secret + "redirect_uri": "a", + "refresh_token": parsed.RefreshToken, + }) + resp = MakeRequest(t, req, http.StatusBadRequest) + parsedError := new(auth.AccessTokenError) + assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) + assert.Equal(t, "invalid_client", string(parsedError.ErrorCode)) + assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription) + + req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ + "grant_type": "refresh_token", + "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138", + "client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=", + "redirect_uri": "a", + "refresh_token": "UNEXPECTED", + }) + resp = MakeRequest(t, req, http.StatusBadRequest) + parsedError = new(auth.AccessTokenError) + assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) + assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) + assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription) + + req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ "grant_type": "refresh_token", "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138", "client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=", @@ -337,24 +364,24 @@ func TestRefreshTokenInvalidation(t *testing.T) { "refresh_token": parsed.RefreshToken, }) - bs, err := io.ReadAll(refreshReq.Body) + bs, err := io.ReadAll(req.Body) assert.NoError(t, err) - refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) - MakeRequest(t, refreshReq, http.StatusOK) + req.Body = io.NopCloser(bytes.NewReader(bs)) + MakeRequest(t, req, http.StatusOK) - refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) - MakeRequest(t, refreshReq, http.StatusOK) + req.Body = io.NopCloser(bytes.NewReader(bs)) + MakeRequest(t, req, http.StatusOK) // test with invalidation setting.OAuth2.InvalidateRefreshTokens = true - refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) - MakeRequest(t, refreshReq, http.StatusOK) + req.Body = io.NopCloser(bytes.NewReader(bs)) + MakeRequest(t, req, http.StatusOK) // repeat request should fail - refreshReq.Body = io.NopCloser(bytes.NewReader(bs)) - resp = MakeRequest(t, refreshReq, http.StatusBadRequest) - parsedError := new(auth.AccessTokenError) + req.Body = io.NopCloser(bytes.NewReader(bs)) + resp = MakeRequest(t, req, http.StatusBadRequest) + parsedError = new(auth.AccessTokenError) assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError)) assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode)) assert.Equal(t, "token was already used", parsedError.ErrorDescription)