diff --git a/.env.example b/.env.example index 75716bae..30a3fb29 100644 --- a/.env.example +++ b/.env.example @@ -432,3 +432,43 @@ EXPIRED_TOKEN_CLEANUP_INTERVAL=1h # How often to run the cleanup (default: # exact-only, so existing clients are unaffected. Set to false to instantly # disable the feature without touching stored patterns. # REDIRECT_URI_PATTERN_MATCHING_ENABLED=false + +# ============================================================ +# Enterprise-Managed Authorization (ID-JAG) — MCP extension +# ============================================================ +# AuthGate can both ACCEPT and MINT Identity Assertion JWT Authorization Grants +# (ID-JAGs) so MCP clients obtain audience-bound access tokens for downstream MCP +# servers without per-server consent. Both roles are default-deny and OFF. +# See docs/ENTERPRISE_AUTH.md for the full flow and security model. + +# --- RAS role: accept an ID-JAG via grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer --- +# Master switch (default false). When off, the jwt-bearer grant is refused and +# is not advertised in discovery metadata. +# IDJAG_ENABLED=false +# +# Trusted external IdPs whose ID-JAGs AuthGate will accept, as a JSON array. +# Each entry: issuer (exact `iss` match), jwks_uri (fetched, cached, refetched on +# key rotation), and audience (the value the assertion's `aud` must equal — i.e. +# this AuthGate as RAS; defaults to BASE_URL when omitted). Empty (the default) +# rejects every jwt-bearer request. Only RS256/ES256 IdPs are supported — HS256 +# assertions are always rejected. +# TRUSTED_IDPS=[{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/.well-known/jwks.json","audience":"https://auth.example.com"}] +# +# JWKS fetch tuning (fail-closed: an IdP JWKS outage rejects the grant, never +# hangs the token endpoint). +# JWKS_CACHE_TTL=1h +# JWKS_FETCH_TIMEOUT=5s + +# --- IdP role: mint an ID-JAG via grant_type=urn:ietf:params:oauth:grant-type:token-exchange --- +# Master switch (default false). When off, token-exchange is refused and not +# advertised in discovery metadata. NOTE: enabling this requires an asymmetric +# JWT_SIGNING_ALGORITHM (RS256/ES256) — startup fails under the default HS256, +# because a downstream RAS can only verify a minted ID-JAG via JWKS. +# IDJAG_ISSUANCE_ENABLED=false +# +# Allowlist of downstream RAS audiences AuthGate may mint ID-JAGs for +# (comma-separated). Empty (the default) rejects every token-exchange request. +# IDJAG_ALLOWED_AUDIENCES=https://auth.example.com,https://other-ras.example.com +# +# Lifetime of a minted ID-JAG (default 300s / 5m, matching the spec guidance). +# IDJAG_EXPIRATION=300s diff --git a/CLAUDE.md b/CLAUDE.md index 9d611901..2e9665a6 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -112,6 +112,7 @@ In addition to Device Code Flow, AuthGate supports Authorization Code Flow with - `OAuthApplication.AllowedResources` - Per-client RFC 8707 Resource Indicator allowlist (`StringArray`, `gorm:"type:json"`). A client may obtain a token whose `aud` was derived from a client-supplied `resource` only when the value is an **exact-string match** of an allowlist entry; enforced on all four grants (`client_credentials`, `authorization_code`, `device_code`, `refresh_token`) via the shared `services.validateClientResource` helper. **Deny-all by default**: an empty allowlist rejects any client-supplied `resource` with `invalid_target` (sending no `resource` still gets the operator-configured `JWT_AUDIENCE` fallback). Entries are syntax-validated at save time (same rules as `util.ValidateResourceIndicators`). Admins manage it in the client create/edit form. **Breaking change**: clients currently passing `resource` get `invalid_target` until an admin populates the allowlist. See `docs/MCP.md` "Per-client resource allowlist". - `OAuthApplication.RedirectURIPatterns` - Per-client origin-locked path-prefix redirect patterns (`StringArray`, `gorm:"type:json"`). When the global `REDIRECT_URI_PATTERN_MATCHING_ENABLED` flag is on **and** the client has ≥1 pattern, a presented `redirect_uri` is also accepted if its scheme/host/port are **byte-exact** to a pattern and its path is the pattern path or a **sub-path** of it (so `…/callback` accepts `…/callback/ab12cd`, while `…/callbackXYZ`, a different origin, userinfo, `http://` downgrade, `..`-traversal, encoded slash, or any query is rejected). Matched in `services.matchRedirectPattern` (`internal/services/redirect_match.go`), gated in `AuthorizationService.isValidRedirectURI`. **Additive & default-deny**: empty list ⇒ today's exact matching, unchanged; flag off ⇒ patterns ignored (instant kill switch). The **token endpoint stays exact** — the authorization code binds the concrete `redirect_uri` and `ExchangeCode` still exact-matches it; pattern matching only widens `/oauth/authorize`. Save-time `services.validateRedirectURIPatterns` rejects bare-origin/`/`-only paths, wildcard/regex chars, query, fragment, userinfo, and applies the `STRICT_REDIRECT_URIS` loopback-only-`http` rule; capped at 10 patterns × 512 chars. Admins manage it in the client create/edit form. See `docs/CONFIGURATION.md` "Redirect URI pattern matching". - `OAuthApplication.TokenProfile` - Per-client token lifetime preset: `short` (15min / 1d), `standard` (default, 10h / 30d), or `long` (24h / 90d). Preset TTLs are defined in `config.TokenProfiles` and overridable via `TOKEN_PROFILE_*` env vars; hard caps are enforced via `JWT_EXPIRATION_MAX` / `REFRESH_TOKEN_EXPIRATION_MAX`. Changes to a client's profile take effect on the next token issuance and refresh. +- `OAuthApplication.EnableIDJAGFlow` / `OAuthApplication.AllowedIDJAGIssuers` - Per-client toggle + trusted-IdP issuer allowlist for the MCP **Enterprise-Managed Authorization** (ID-JAG) flow. `EnableIDJAGFlow` is the per-client default-deny gate for **both** roles: redeeming an ID-JAG via `jwt-bearer` (RAS) **and** minting one via `token-exchange` (IdP) — enabling either master switch globally does not make a client eligible until an admin turns this on. Default-deny: flow off by default; an empty `AllowedIDJAGIssuers` accepts any `TRUSTED_IDPS` issuer, a non-empty one restricts to those `iss` values. **RAS role:** the assertion's `resource` is authorized against the existing `AllowedResources` allowlist, and the issued access token's `aud` is bound to it (access token only, no refresh); validation (signature via fetched IdP JWKS — RS256/ES256 only, `iss`/`aud`/`exp`, required claims, single-use `jti`) lives in `services/idjag_validator.go`; issuance + auto-provisioning in `services/token_jwt_bearer.go`. **IdP role:** minting via `grant_type=token-exchange` (`services/token_idjag_exchange.go`, `token/idjag.go`) additionally requires an active user **consent grant** for the client and binds the minted `scope`/`resource` to that grant (an omitted `scope` defaults to the granted scope, never the client's full registration). Both roles default-off behind `IDJAG_ENABLED` / `IDJAG_ISSUANCE_ENABLED`; trusted-IdP JWKS URIs must be `https` (cleartext `http` is allowed only for loopback). See `docs/ENTERPRISE_AUTH.md`. - `UserAuthorization` - Per-app consent grants (one record per user+app pair) - `AccessToken` - Unified storage for both access and refresh tokens (distinguished by `token_category` field) - `User.IsActive` - Boolean (default `true`) controlling whether a user may log in. Disabling revokes all of the user's tokens and `RequireAuth` clears any live session on the next request. Guards prevent self-disable and disabling the last _active_ admin. @@ -156,7 +157,7 @@ In addition to Device Code Flow, AuthGate supports Authorization Code Flow with - Tracks authentication, device authorization, token operations, admin actions, security events - Asynchronous batch writes (every 1s or 100 records) for minimal performance impact - Automatic sensitive data masking (passwords, tokens, secrets) -- Event types: AUTHENTICATION*\*, DEVICE_CODE*\_, TOKEN\_\_, CLIENT\_\*, USER\_\* (`USER_CREATED`, `USER_DISABLED`, `USER_ENABLED`, `USER_PASSWORD_RESET`, `USER_ROLE_CHANGED`), `OAUTH_CONNECTION_DELETED`, `SESSION_REVOKED` / `SESSION_REVOKED_ALL` (browser login-session sign-out), RATE_LIMIT_EXCEEDED +- Event types: AUTHENTICATION*\*, DEVICE_CODE*\_, TOKEN\_\_, CLIENT\_\*, USER\_\* (`USER_CREATED`, `USER_DISABLED`, `USER_ENABLED`, `USER_PASSWORD_RESET`, `USER_ROLE_CHANGED`), `OAUTH_CONNECTION_DELETED`, `SESSION_REVOKED` / `SESSION_REVOKED_ALL` (browser login-session sign-out), `ID_JAG_TOKEN_ISSUED` (RAS jwt-bearer) / `ID_JAG_ISSUED` (IdP token-exchange), RATE_LIMIT_EXCEEDED - Severity levels: INFO, WARNING, ERROR, CRITICAL - Web interface at `/admin/audit` with filtering and CSV export @@ -210,6 +211,8 @@ In addition to Device Code Flow, AuthGate supports Authorization Code Flow with - `grant_type=urn:ietf:params:oauth:grant-type:device_code` - Exchange device_code for tokens - `grant_type=authorization_code` - Exchange authorization code for tokens - `grant_type=refresh_token` - Refresh access token + - `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` - Exchange an ID-JAG (Enterprise-Managed Authorization, RAS role) for an audience-bound access token; gated by `IDJAG_ENABLED` + per-client `EnableIDJAGFlow` + - `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` (`requested_token_type=...:token-type:id-jag`) - Mint an ID-JAG from an AuthGate ID Token (IdP role); gated by `IDJAG_ISSUANCE_ENABLED` + `IDJAG_ALLOWED_AUDIENCES` - `GET /oauth/tokeninfo` - Verify JWT validity - `POST /oauth/revoke` - Revoke tokens (RFC 7009) @@ -294,6 +297,7 @@ Key configuration categories (see `.env.example` and `docs/CONFIGURATION.md` for - `LOGIN_SESSION_TRACKING_ENABLED` (default `true`) - Server-side login-session registry powering the Active Sessions page / remote sign-out; the auth-path SID lookup is gated on this flag (kill switch). `LOGIN_SESSION_RETENTION_DAYS` (default `30`) - sweep window for revoked/expired login-session rows - `CORS_ENABLED`, `CORS_ALLOWED_ORIGINS` - CORS for SPA frontends (applied to `/oauth/*` only) - `REDIRECT_URI_PATTERN_MATCHING_ENABLED` (default `false`) - Global kill switch for origin-locked path-prefix `redirect_uri` matching. Off ⇒ exact matching only; on ⇒ clients with `RedirectURIPatterns` also accept origin-exact sub-path callbacks. Token-endpoint binding stays exact. See `OAuthApplication.RedirectURIPatterns` above and `docs/CONFIGURATION.md` "Redirect URI pattern matching" +- `IDJAG_ENABLED` (default `false`) + `TRUSTED_IDPS` (JSON array of `{issuer, jwks_uri, audience}`; empty = deny-all) + `JWKS_CACHE_TTL` (default `1h`) + `JWKS_FETCH_TIMEOUT` (default `5s`) - **Enterprise-Managed Authorization (ID-JAG), RAS role.** Accept an ID-JAG via `grant_type=jwt-bearer`; RS256/ES256 IdPs only, fail-closed JWKS fetch, single-use `jti`. A malformed `TRUSTED_IDPS` fails startup. `IDJAG_ISSUANCE_ENABLED` (default `false`) + `IDJAG_ALLOWED_AUDIENCES` (comma-separated; empty = deny-all) + `IDJAG_EXPIRATION` (default `300s`) - **IdP role**: mint ID-JAGs via `grant_type=token-exchange`. Both roles default-off; disabling a master switch instantly kills its grant and drops it from discovery. See `docs/ENTERPRISE_AUTH.md` **OAuth Providers** diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md index 7eb692d9..63a14215 100644 --- a/docs/CONFIGURATION.md +++ b/docs/CONFIGURATION.md @@ -253,6 +253,42 @@ Security model: - **The token endpoint is unchanged.** The authorization code binds the *concrete* `redirect_uri` the browser actually used, and `POST /oauth/token` still requires an **exact** match against that bound value. Pattern matching only widens what `/oauth/authorize` accepts; it never weakens the code↔token binding. - **No raw regex or wildcards.** Patterns are plain origin + path-prefix URIs. Save-time validation rejects bare-origin patterns (path must be more specific than `/`), wildcard/regex characters, queries, fragments, and userinfo, and applies the same loopback-only-`http` rule as `STRICT_REDIRECT_URIS`. A client may store at most 10 patterns, 512 characters each. +## Enterprise-Managed Authorization (ID-JAG) + +AuthGate can accept and mint **Identity Assertion JWT Authorization Grants +(ID-JAGs)** for MCP's Enterprise-Managed Authorization extension. Both roles are +**off by default** and gated by their own master switch. + +```bash +# RAS role — accept an ID-JAG (grant_type=...:grant-type:jwt-bearer) +IDJAG_ENABLED=false # master switch (default false) +TRUSTED_IDPS=[] # JSON array of {issuer, jwks_uri, audience}; empty rejects all +JWKS_CACHE_TTL=1h # cache lifetime for fetched IdP JWKS +JWKS_FETCH_TIMEOUT=5s # per-fetch timeout (fail-closed) + +# IdP role — mint an ID-JAG (grant_type=...:grant-type:token-exchange) +IDJAG_ISSUANCE_ENABLED=false # master switch (default false) +IDJAG_ALLOWED_AUDIENCES= # comma-separated RAS audiences; empty rejects all +IDJAG_EXPIRATION=300s # minted ID-JAG lifetime +``` + +Key points: + +- **Default-deny + kill switches.** Both master switches default off; an empty + `TRUSTED_IDPS` rejects every `jwt-bearer` request; an empty + `IDJAG_ALLOWED_AUDIENCES` rejects every `token-exchange` request. Per-client, + an admin must enable the flow and list the target `resource` in the client's + Allowed Resources allowlist. +- **Only RS256/ES256** external IdPs are validatable — HS256 assertions are + rejected. JWKS fetches are timeout-bounded, cached, and fail closed. +- A malformed `TRUSTED_IDPS` JSON value **fails startup** rather than silently + disabling the grant. +- Issued access tokens are **audience-bound to the assertion's `resource`**; no + refresh token is issued for `jwt-bearer`. + +See **[ENTERPRISE_AUTH.md](ENTERPRISE_AUTH.md)** for the full flow, validation +rules, the discovery metadata it advertises, and the security model. + ## TLS / HTTPS AuthGate can serve HTTPS directly by setting two environment variables. When both are configured, the server listens on `SERVER_ADDR` using TLS. When both are empty (the default), it serves plain HTTP. Setting only one of the two is rejected at startup by `Config.Validate()` — this prevents silently falling back to HTTP when the operator meant to enable TLS. diff --git a/docs/ENTERPRISE_AUTH.md b/docs/ENTERPRISE_AUTH.md new file mode 100644 index 00000000..64b49385 --- /dev/null +++ b/docs/ENTERPRISE_AUTH.md @@ -0,0 +1,192 @@ +# Enterprise-Managed Authorization (ID-JAG) for MCP + +AuthGate implements the MCP **Enterprise-Managed Authorization** extension built +on the **Identity Assertion JWT Authorization Grant (ID-JAG)**. It removes the +per-server consent friction of enterprise MCP deployments: an enterprise IdP +vouches for the user once, and the MCP client exchanges that assertion for a +server access token — no interactive authorization per MCP server, with central +policy and audit at the IdP. + +AuthGate can play **both** sides of the flow, each behind its own master switch +and **disabled by default**: + +- **RAS role** (Resource Authorization Server) — accept an ID-JAG minted by a + trusted external IdP via `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, + validate it, and issue an AuthGate access token **audience-restricted to the + assertion's `resource`**. +- **IdP role** — mint ID-JAGs via + `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` + (`requested_token_type=urn:ietf:params:oauth:token-type:id-jag`), exchanging an + AuthGate-issued **ID Token** for an ID-JAG targeted at a downstream RAS. + +## End-to-end flow + +```mermaid +sequenceDiagram + participant C as MCP Client + participant IdP as AuthGate · IdP role
POST /oauth/token + participant RAS as AuthGate · RAS role
POST /oauth/token + participant MCP as MCP Server (resource) + + Note over C,IdP: User already did SSO and holds an AuthGate ID Token + C->>IdP: grant_type=token-exchange
requested_token_type=id-jag
subject_token=ID Token, audience=RAS, resource=MCP + Note right of IdP: validate subject_token, audience allowlist,
sign ID-JAG with AuthGate key + IdP-->>C: { access_token: ID-JAG, issued_token_type: id-jag } + + C->>RAS: grant_type=jwt-bearer
assertion=ID-JAG, client_id + Note right of RAS: verify ID-JAG sig via trusted-IdP JWKS,
check iss/aud/exp/jti, resource∈AllowedResources,
auto-provision user + RAS-->>C: { access_token (aud=MCP), token_type=Bearer } + + C->>MCP: call tool with Bearer access_token + MCP-->>C: result +``` + +In a single-vendor deployment AuthGate can be **both** the IdP and the RAS (it +trusts its own issuer); in a federated deployment the IdP and RAS are different +AuthGate instances or a third-party IdP plus AuthGate. + +## RAS role — accepting an ID-JAG (`jwt-bearer`) + +Enable with `IDJAG_ENABLED=true` and configure at least one trusted IdP in +`TRUSTED_IDPS`. A client may use the grant only when an admin has set +**Enable Enterprise-Managed Authorization** on it and listed the target +`resource` in the client's **Allowed Resources** (RFC 8707 allowlist). + +Request: + +```bash +curl -X POST https://auth.example.com/oauth/token \ + -d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \ + -d assertion="$ID_JAG" \ + -d client_id="$CLIENT_ID" +``` + +On success AuthGate returns a standard `Bearer` access token whose `aud` is the +assertion's `resource`. **No refresh token is issued** — an assertion grant is +not a delegation to persist; the client must present a fresh ID-JAG to obtain +another access token (the same model as `client_credentials`). + +### Validation (fail-closed) + +Every ID-JAG must pass all of: + +1. **Trusted issuer** — `iss` exactly matches a `TRUSTED_IDPS` entry, and (when + the client has a non-empty **Allowed ID-JAG Issuers** list) is also in that + per-client allowlist. +2. **Signature** — verified against the IdP's JWKS (fetched, cached, refetched on + unknown `kid`). **Only RS256/ES256** are accepted; HS256 and `none` are + rejected (AuthGate shares no secret with a third-party IdP). +3. **Audience** — `aud` equals the IdP entry's configured `audience` (or + `BASE_URL` when omitted) — i.e. this AuthGate instance as RAS. +4. **Expiry** — `exp`/`nbf` enforced by the JWT library. +5. **Required claims** — `jti`, `sub`, `resource`, `client_id` present; the + assertion's `client_id` must match the client authenticating at the token + endpoint. `scope` is optional and is **narrowed to the client's registered + scopes** (the issued token never exceeds the client's registration); an + omitted `scope` falls back to the full registered set. +6. **Resource allowlisted** — `resource` is an exact match of an entry in the + client's RFC 8707 **Allowed Resources** (otherwise `invalid_target`). +7. **Single-use `jti`** — the assertion's `jti` is recorded for its lifetime; + replaying it is rejected (`invalid_grant`). + +The asserted user is **auto-provisioned** (find-or-create keyed on `issuer+sub`), +always non-admin, tagged with an `idjag:` auth source. The raw assertion +is never logged. + +### Error mapping + +| Condition | OAuth error | +|---|---| +| `IDJAG_ENABLED=false` | `unsupported_grant_type` | +| Client lacks the flow | `unauthorized_client` | +| Unknown/inactive client | `invalid_client` | +| Untrusted issuer / bad signature / wrong `aud` / expired / missing claim / replayed `jti` | `invalid_grant` | +| `resource` not in client allowlist | `invalid_target` | + +## IdP role — minting an ID-JAG (`token-exchange`) + +Enable with `IDJAG_ISSUANCE_ENABLED=true` and list permitted downstream RAS +audiences in `IDJAG_ALLOWED_AUDIENCES`. The requesting client authenticates +normally (confidential clients present their secret) **and must have the +per-client `Enable Enterprise-Managed Authorization` flow turned on** — the same +default-deny toggle as the RAS role, so enabling issuance globally does not make +every client eligible. + +```bash +curl -X POST https://auth.example.com/oauth/token \ + -d grant_type=urn:ietf:params:oauth:grant-type:token-exchange \ + -d requested_token_type=urn:ietf:params:oauth:token-type:id-jag \ + -d subject_token_type=urn:ietf:params:oauth:token-type:id_token \ + -d subject_token="$ID_TOKEN" \ + -d audience=https://ras.example.com \ + -d resource=https://mcp.example.com \ + -d client_id="$CLIENT_ID" -d client_secret="$CLIENT_SECRET" +``` + +AuthGate validates the `subject_token` as one of its **own ID Tokens issued to the +requesting client** (signature + expiry, and `aud` must equal the authenticating +`client_id` — this rejects access/refresh tokens, previously-minted ID-JAGs, and +ID Tokens minted for a different client), confirms the subject user is still +active **and still has an active consent grant for this client**, checks +`audience` against `IDJAG_ALLOWED_AUDIENCES`, validates the `resource` against +both the client's RFC 8707 allowlist **and the user's consented resource set**, +bounds the `scope` to **the user's granted scope** (an omitted `scope` defaults to +the grant rather than the client's full registration), then signs an ID-JAG with +its own key (the one published at `/.well-known/jwks.json`). The RFC 8693 response carries +`issued_token_type=...:token-type:id-jag`, `token_type=N_A`, and +`expires_in≈IDJAG_EXPIRATION`. + +> Because a minted ID-JAG is verified by a RAS via JWKS, the IdP role requires an +> **asymmetric `JWT_SIGNING_ALGORITHM` (RS256/ES256)** — AuthGate refuses to start +> with `IDJAG_ISSUANCE_ENABLED=true` under the default HS256. + +> v1 accepts **ID Tokens only** as the `subject_token`, and gates on a flat +> `IDJAG_ALLOWED_AUDIENCES` allowlist. Group-based policy and refresh-token +> subjects are possible follow-ups. + +## Discovery + +When the respective master switch is on, AuthGate advertises in both +`/.well-known/openid-configuration` and `/.well-known/oauth-authorization-server`: + +- `grant_types_supported` gains `...:grant-type:jwt-bearer` (RAS) and/or + `...:grant-type:token-exchange` (IdP); +- `authorization_grant_profiles_supported` gains + `urn:ietf:params:oauth:grant-profile:id-jag` (RAS). + +## Configuration reference + +| Variable | Default | Purpose | +|---|---|---| +| `IDJAG_ENABLED` | `false` | Master switch for the RAS (`jwt-bearer`) role. | +| `TRUSTED_IDPS` | empty | JSON array of `{issuer, jwks_uri, audience}`; empty rejects all `jwt-bearer`. Each `jwks_uri` must be `https` (cleartext `http` allowed only for loopback hosts). | +| `JWKS_CACHE_TTL` | `1h` | How long fetched IdP JWKS are cached. | +| `JWKS_FETCH_TIMEOUT` | `5s` | Per-fetch HTTP timeout for IdP JWKS (fail-closed). | +| `IDJAG_ISSUANCE_ENABLED` | `false` | Master switch for the IdP (`token-exchange`) role. | +| `IDJAG_ALLOWED_AUDIENCES` | empty | Comma-separated RAS audiences AuthGate may mint for; empty rejects all. | +| `IDJAG_EXPIRATION` | `300s` | Lifetime of a minted ID-JAG. | + +## Security model & limitations + +- **Default-deny everywhere.** Both master switches default off; an empty + `TRUSTED_IDPS` rejects `jwt-bearer`; an empty `IDJAG_ALLOWED_AUDIENCES` rejects + `token-exchange`; per-client `Enable Enterprise-Managed Authorization` defaults + off; an empty client **Allowed Resources** denies all client-supplied resources. +- **Kill switches.** Setting `IDJAG_ENABLED=false` / `IDJAG_ISSUANCE_ENABLED=false` + instantly disables a role (no client redeploy, no destructive migration). +- **Fail-closed JWKS.** Fetches are timeout-bounded, retried with backoff, and + cached; an IdP JWKS outage rejects the grant rather than blocking other grants. +- **No HS256 from third parties.** Only asymmetric RS256/ES256 external IdPs are + validatable. +- **Replay protection** uses a per-instance jti store (memory). Multi-pod + deployments wanting cross-instance replay protection should front AuthGate with + a shared store; single-instance and sticky-routed deployments are unaffected. +- **Auto-provisioned users are never admin** and are tagged `idjag:`; + AuthGate never auto-promotes. + +## Migration / breaking-change notes + +This feature is **purely additive**: new files, additive token-endpoint switch +cases, and two auto-migrated nullable columns on `oauth_applications` +(`enable_idjag_flow`, `allowed_idjag_issuers`). The four existing grants behave +identically. With both master switches at their defaults (off), nothing changes. diff --git a/docs/MCP.md b/docs/MCP.md index c351bb92..24d7731d 100644 --- a/docs/MCP.md +++ b/docs/MCP.md @@ -236,6 +236,28 @@ curl -X POST http://localhost:8080/oauth/token \ # Expect: 400 {"error":"invalid_target",...} ``` +## Enterprise-Managed Authorization (ID-JAG) + +For enterprise MCP fleets where re-authorizing every MCP server per user is +untenable, AuthGate supports the MCP **Enterprise-Managed Authorization** +extension via the **Identity Assertion JWT Authorization Grant (ID-JAG)**. An +enterprise IdP vouches for the user once; the MCP client exchanges that assertion +for an audience-bound access token at the MCP server's authorization server — no +per-server consent screen. + +AuthGate can act as the **RAS** (accept an ID-JAG via +`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` and issue an access token +bound to the assertion's `resource`) and/or the **IdP** (mint an ID-JAG from one +of its own ID Tokens via `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`). +Both roles are off by default. When enabled, the two grant types and the +`urn:ietf:params:oauth:grant-profile:id-jag` profile appear in the AS metadata +documents above. + +See **[ENTERPRISE_AUTH.md](ENTERPRISE_AUTH.md)** for the full flow, validation +rules, configuration, and security model. The RAS reuses the same per-client +RFC 8707 **Allowed Resources** allowlist documented below to authorize the +assertion's `resource`. + ## Configuration checklist For an MCP-ready deployment: diff --git a/internal/config/config.go b/internal/config/config.go index 580fc2c5..f6a3e927 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -1,9 +1,12 @@ package config import ( + "encoding/json" "errors" "fmt" "log" + "net" + "net/url" "os" "regexp" "strings" @@ -154,6 +157,23 @@ type TokenProfile struct { RefreshTokenTTL time.Duration } +// TrustedIDP describes an external Identity Provider whose Identity Assertion +// JWT Authorization Grants (ID-JAGs) AuthGate will accept on the +// grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer flow (RAS role). +// Configured as a JSON array via the TRUSTED_IDPS env var. +type TrustedIDP struct { + // Issuer is the exact `iss` claim AuthGate matches an incoming ID-JAG + // against. Must be unique across the list. + Issuer string `json:"issuer"` + // JWKSURI is the HTTPS endpoint AuthGate fetches the IdP's public signing + // keys from (timeout-bounded, cached, refetched on unknown kid). + JWKSURI string `json:"jwks_uri"` + // Audience is the value the ID-JAG's `aud` claim MUST equal (the identifier + // the IdP minted the assertion for — i.e. this AuthGate instance acting as + // RAS). Empty falls back to BaseURL. + Audience string `json:"audience"` +} + type Config struct { // Server settings ServerAddr string @@ -381,6 +401,27 @@ type Config struct { // is the pattern path or a sub-path of it. The token endpoint binding stays exact. RedirectURIPatternMatchingEnabled bool + // Enterprise-Managed Authorization — ID-JAG, RAS role (grant_type=jwt-bearer). + // AuthGate accepts an Identity Assertion JWT minted by a trusted external IdP + // and issues an audience-bound access token. Default-deny: disabled by the + // master switch and an empty TrustedIDPs list both reject the grant. + IDJAGEnabled bool // IDJAG_ENABLED (default false): master switch for accepting ID-JAG assertions + TrustedIDPs []TrustedIDP // TRUSTED_IDPS: JSON array of trusted external IdPs; empty ⇒ jwt-bearer rejected + JWKSCacheTTL time.Duration // JWKS_CACHE_TTL (default 1h): how long fetched IdP JWKS are cached + JWKSFetchTimeout time.Duration // JWKS_FETCH_TIMEOUT (default 5s): per-fetch HTTP timeout for IdP JWKS + // trustedIDPsParseErr records a malformed TRUSTED_IDPS JSON value detected in + // Load(); Validate() surfaces it so a typo fails startup instead of silently + // disabling the grant. + trustedIDPsParseErr error + + // Enterprise-Managed Authorization — ID-JAG, IdP role (grant_type=token-exchange). + // AuthGate exchanges one of its own ID Tokens for an ID-JAG targeted at a + // downstream RAS. Default-deny: disabled by the master switch; an empty + // IDJAGAllowedAudiences allowlist rejects every requested audience. + IDJAGIssuanceEnabled bool // IDJAG_ISSUANCE_ENABLED (default false): master switch for minting ID-JAGs + IDJAGAllowedAudiences []string // IDJAG_ALLOWED_AUDIENCES (comma-separated); empty ⇒ all audiences rejected + IDJAGExpiration time.Duration // IDJAG_EXPIRATION (default 300s): lifetime of a minted ID-JAG + // CORS settings CORSEnabled bool // Enable CORS for API endpoints (default: false) CORSAllowedOrigins []string // Allowed origins (comma-separated via env, e.g. "http://localhost:3000") @@ -425,6 +466,11 @@ func Load() *Config { // so the map must be built after the values are known. jwtExpiration := getEnvDuration("JWT_EXPIRATION", 10*time.Hour) refreshTokenExpiration := getEnvDuration("REFRESH_TOKEN_EXPIRATION", 720*time.Hour) + + // Parse the trusted-IdP allowlist up front; a malformed value is remembered + // and surfaced by Validate() so startup fails loudly rather than silently + // disabling the jwt-bearer grant. + trustedIDPs, trustedIDPsErr := parseTrustedIDPs(os.Getenv("TRUSTED_IDPS")) tokenProfiles := map[string]TokenProfile{ models.TokenProfileShort: { AccessTokenTTL: getEnvDuration("TOKEN_PROFILE_SHORT_ACCESS_TTL", 15*time.Minute), @@ -649,6 +695,16 @@ func Load() *Config { false, ), + // Enterprise-Managed Authorization — ID-JAG (RAS + IdP roles) + IDJAGEnabled: getEnvBool("IDJAG_ENABLED", false), + TrustedIDPs: trustedIDPs, + JWKSCacheTTL: getEnvDuration("JWKS_CACHE_TTL", time.Hour), + JWKSFetchTimeout: getEnvDuration("JWKS_FETCH_TIMEOUT", 5*time.Second), + trustedIDPsParseErr: trustedIDPsErr, + IDJAGIssuanceEnabled: getEnvBool("IDJAG_ISSUANCE_ENABLED", false), + IDJAGAllowedAudiences: getEnvSlice("IDJAG_ALLOWED_AUDIENCES", nil), + IDJAGExpiration: getEnvDuration("IDJAG_EXPIRATION", 5*time.Minute), + // Bootstrap and shutdown timeout settings DBInitTimeout: getEnvDuration("DB_INIT_TIMEOUT", 30*time.Second), RedisConnTimeout: getEnvDuration("REDIS_CONN_TIMEOUT", 5*time.Second), @@ -677,6 +733,22 @@ func Load() *Config { } } +// parseTrustedIDPs parses the TRUSTED_IDPS env var, a JSON array of TrustedIDP +// objects. An empty/blank value yields (nil, nil) — the feature is simply +// deny-all. A non-empty value that fails to parse returns the error so Validate() +// can fail startup rather than silently treating it as an empty (deny-all) list. +func parseTrustedIDPs(raw string) ([]TrustedIDP, error) { + raw = strings.TrimSpace(raw) + if raw == "" { + return nil, nil + } + var idps []TrustedIDP + if err := json.Unmarshal([]byte(raw), &idps); err != nil { + return nil, fmt.Errorf("TRUSTED_IDPS is not valid JSON: %w", err) + } + return idps, nil +} + func getEnv(key, defaultValue string) string { if value := os.Getenv(key); value != "" { return value @@ -936,9 +1008,108 @@ func (c *Config) Validate() error { ) } + if err := c.validateIDJAG(); err != nil { + return err + } + return c.validateTokenProfiles() } +// validateAbsHTTPURL checks that raw is an absolute http/https URL with a +// non-empty host, used for trusted-IdP JWKS endpoints. Cleartext http is allowed +// only for loopback hosts (internal/test IdPs and httptest servers); a non-loopback +// http JWKS endpoint is rejected because anyone on the network path could +// substitute the public key set and then forge ID-JAG assertions this RAS would +// accept. Production trusted IdPs must use https. +func validateAbsHTTPURL(name, raw string) error { + u, err := url.Parse(strings.TrimSpace(raw)) + if err != nil { + return fmt.Errorf("%s is not a valid URL: %q", name, raw) + } + if u.Scheme != "http" && u.Scheme != "https" { + return fmt.Errorf("%s must use http or https scheme: %q", name, raw) + } + if u.Host == "" { + return fmt.Errorf("%s must have a host: %q", name, raw) + } + if u.Scheme == "http" && !isLoopbackHost(u.Hostname()) { + return fmt.Errorf( + "%s must use https; cleartext http is only allowed for loopback hosts: %q", + name, raw, + ) + } + return nil +} + +// isLoopbackHost reports whether host is the literal "localhost" or a loopback IP +// (127.0.0.0/8, ::1). +func isLoopbackHost(host string) bool { + if strings.EqualFold(host, "localhost") { + return true + } + if ip := net.ParseIP(host); ip != nil { + return ip.IsLoopback() + } + return false +} + +// validateIDJAG validates the Enterprise-Managed Authorization (ID-JAG) config +// for both the RAS (jwt-bearer) and IdP (token-exchange) roles. A malformed +// TRUSTED_IDPS JSON always fails startup, regardless of the master switch, so a +// typo is caught early. Per-field checks only run for an enabled role; an empty +// TrustedIDPs / IDJAGAllowedAudiences list is allowed (it simply rejects the +// grant at runtime — default-deny). +func (c *Config) validateIDJAG() error { + if c.trustedIDPsParseErr != nil { + return c.trustedIDPsParseErr + } + + if c.IDJAGEnabled { + if err := requirePositiveDuration("JWKS_CACHE_TTL", c.JWKSCacheTTL); err != nil { + return err + } + if err := requirePositiveDuration("JWKS_FETCH_TIMEOUT", c.JWKSFetchTimeout); err != nil { + return err + } + seen := make(map[string]struct{}, len(c.TrustedIDPs)) + for i, idp := range c.TrustedIDPs { + issuer := strings.TrimSpace(idp.Issuer) + if issuer == "" { + return fmt.Errorf("TRUSTED_IDPS[%d]: issuer is required", i) + } + if _, dup := seen[issuer]; dup { + return fmt.Errorf("TRUSTED_IDPS[%d]: duplicate issuer %q", i, issuer) + } + seen[issuer] = struct{}{} + if err := validateAbsHTTPURL( + fmt.Sprintf("TRUSTED_IDPS[%d].jwks_uri", i), idp.JWKSURI, + ); err != nil { + return err + } + } + } + + if c.IDJAGIssuanceEnabled { + if err := requirePositiveDuration("IDJAG_EXPIRATION", c.IDJAGExpiration); err != nil { + return err + } + // Minted ID-JAGs are verified by a downstream RAS via JWKS, which only + // works with an asymmetric key. With the default HS256 the assertions + // would be silently unredeemable, so fail closed at startup. + switch c.JWTSigningAlgorithm { + case AlgRS256, AlgES256: + default: + return fmt.Errorf( + "IDJAG_ISSUANCE_ENABLED requires an asymmetric JWT_SIGNING_ALGORITHM "+ + "(RS256 or ES256) so minted ID-JAGs are verifiable via JWKS (got %q)", + c.JWTSigningAlgorithm, + ) + } + } + + return nil +} + // validateSecrets enforces the minimum length of both signing/encryption // secrets and rejects either secret's published placeholder value when running // in production. Length checks are co-located here so all secret validation diff --git a/internal/config/idjag_test.go b/internal/config/idjag_test.go new file mode 100644 index 00000000..7a89d3ad --- /dev/null +++ b/internal/config/idjag_test.go @@ -0,0 +1,154 @@ +package config + +import ( + "testing" + "time" +) + +// baseIDJAGConfig returns a minimal valid config so validateIDJAG can be +// exercised in isolation (token-profile validation is skipped for zero-value +// TokenProfiles + caps). +func baseIDJAGConfig() *Config { + return &Config{ + JWTExpiration: time.Hour, + JWTSecret: "0123456789abcdef0123456789abcdef", + SessionSecret: "0123456789abcdef0123456789abcdef", + BaseURL: "https://auth.example.com", + } +} + +func TestParseTrustedIDPs(t *testing.T) { + t.Run("empty yields nil", func(t *testing.T) { + idps, err := parseTrustedIDPs("") + if err != nil || idps != nil { + t.Fatalf("expected (nil,nil), got (%v,%v)", idps, err) + } + }) + t.Run("valid JSON", func(t *testing.T) { + raw := `[{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/jwks","audience":"https://auth.example.com"}]` + idps, err := parseTrustedIDPs(raw) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if len(idps) != 1 || idps[0].Issuer != "https://idp.example.com" { + t.Fatalf("unexpected parse result: %+v", idps) + } + }) + t.Run("malformed JSON errors", func(t *testing.T) { + if _, err := parseTrustedIDPs("{not json"); err == nil { + t.Fatal("expected error for malformed JSON") + } + }) +} + +func TestValidateIDJAG(t *testing.T) { + t.Run("disabled is a no-op", func(t *testing.T) { + cfg := baseIDJAGConfig() + if err := cfg.validateIDJAG(); err != nil { + t.Fatalf("expected nil, got %v", err) + } + }) + + t.Run("malformed TRUSTED_IDPS always fails", func(t *testing.T) { + cfg := baseIDJAGConfig() + _, cfg.trustedIDPsParseErr = parseTrustedIDPs("{bad") + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected parse error to surface") + } + }) + + t.Run("RAS enabled requires positive TTL/timeout", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = 0 + cfg.JWKSFetchTimeout = time.Second + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected error for non-positive JWKS_CACHE_TTL") + } + }) + + t.Run("RAS rejects bad jwks_uri", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + cfg.TrustedIDPs = []TrustedIDP{{Issuer: "https://idp", JWKSURI: "not-a-url"}} + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected error for invalid jwks_uri") + } + }) + + t.Run("RAS rejects duplicate issuer", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + cfg.TrustedIDPs = []TrustedIDP{ + {Issuer: "https://idp", JWKSURI: "https://idp/jwks"}, + {Issuer: "https://idp", JWKSURI: "https://idp/jwks2"}, + } + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected error for duplicate issuer") + } + }) + + t.Run("RAS valid passes", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + cfg.TrustedIDPs = []TrustedIDP{{Issuer: "https://idp", JWKSURI: "https://idp/jwks"}} + if err := cfg.validateIDJAG(); err != nil { + t.Fatalf("expected valid config, got %v", err) + } + }) + + t.Run("RAS rejects non-loopback http jwks_uri", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + cfg.TrustedIDPs = []TrustedIDP{ + {Issuer: "https://idp", JWKSURI: "http://idp.example.com/jwks"}, + } + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected error for cleartext http jwks_uri on a public host") + } + }) + + t.Run("RAS allows loopback http jwks_uri", func(t *testing.T) { + for _, uri := range []string{ + "http://127.0.0.1:8080/jwks", + "http://localhost:8080/jwks", + "http://[::1]:8080/jwks", + } { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + cfg.TrustedIDPs = []TrustedIDP{{Issuer: "https://idp", JWKSURI: uri}} + if err := cfg.validateIDJAG(); err != nil { + t.Fatalf("expected loopback http %q to pass, got %v", uri, err) + } + } + }) + + t.Run("RAS allows empty TrustedIDPs (deny-all at runtime)", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = time.Second + if err := cfg.validateIDJAG(); err != nil { + t.Fatalf("empty TrustedIDPs must be allowed, got %v", err) + } + }) + + t.Run("IdP enabled requires positive expiration", func(t *testing.T) { + cfg := baseIDJAGConfig() + cfg.IDJAGIssuanceEnabled = true + cfg.IDJAGExpiration = 0 + if err := cfg.validateIDJAG(); err == nil { + t.Fatal("expected error for non-positive IDJAG_EXPIRATION") + } + }) +} diff --git a/internal/handlers/client.go b/internal/handlers/client.go index 1b127e3e..155a90f3 100644 --- a/internal/handlers/client.go +++ b/internal/handlers/client.go @@ -133,6 +133,8 @@ func (h *ClientHandler) CreateClient(c *gin.Context) { EnableDeviceFlow: c.PostForm("enable_device_flow") == queryValueTrue, EnableAuthCodeFlow: c.PostForm("enable_auth_code_flow") == queryValueTrue, EnableClientCredentialsFlow: c.PostForm("enable_client_credentials_flow") == queryValueTrue, + EnableIDJAGFlow: c.PostForm("enable_idjag_flow") == queryValueTrue, + AllowedIDJAGIssuers: parseURIList(c.PostForm("allowed_idjag_issuers")), TokenProfile: c.PostForm("token_profile"), Project: c.PostForm("project"), ServiceAccount: c.PostForm("service_account"), @@ -155,6 +157,8 @@ func (h *ClientHandler) CreateClient(c *gin.Context) { EnableDeviceFlow: req.EnableDeviceFlow, EnableAuthCodeFlow: req.EnableAuthCodeFlow, EnableClientCredentialsFlow: req.EnableClientCredentialsFlow, + EnableIDJAGFlow: req.EnableIDJAGFlow, + AllowedIDJAGIssuers: strings.Join(req.AllowedIDJAGIssuers, ", "), TokenProfile: req.TokenProfile, Project: req.Project, ServiceAccount: req.ServiceAccount, @@ -236,6 +240,8 @@ func (h *ClientHandler) UpdateClient(c *gin.Context) { EnableDeviceFlow: c.PostForm("enable_device_flow") == queryValueTrue, EnableAuthCodeFlow: c.PostForm("enable_auth_code_flow") == queryValueTrue, EnableClientCredentialsFlow: c.PostForm("enable_client_credentials_flow") == queryValueTrue, + EnableIDJAGFlow: c.PostForm("enable_idjag_flow") == queryValueTrue, + AllowedIDJAGIssuers: parseURIList(c.PostForm("allowed_idjag_issuers")), TokenProfile: c.PostForm("token_profile"), Project: c.PostForm("project"), ServiceAccount: c.PostForm("service_account"), @@ -269,6 +275,8 @@ func (h *ClientHandler) UpdateClient(c *gin.Context) { EnableDeviceFlow: req.EnableDeviceFlow, EnableAuthCodeFlow: req.EnableAuthCodeFlow, EnableClientCredentialsFlow: req.EnableClientCredentialsFlow, + EnableIDJAGFlow: req.EnableIDJAGFlow, + AllowedIDJAGIssuers: strings.Join(req.AllowedIDJAGIssuers, ", "), Status: req.Status, TokenProfile: req.TokenProfile, Project: req.Project, diff --git a/internal/handlers/oidc.go b/internal/handlers/oidc.go index 5e7e16b4..d552f240 100644 --- a/internal/handlers/oidc.go +++ b/internal/handlers/oidc.go @@ -86,6 +86,10 @@ type discoveryMetadata struct { GrantTypesSupported []string `json:"grant_types_supported"` ClaimsSupported []string `json:"claims_supported"` CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` + // AuthorizationGrantProfilesSupported advertises higher-level grant profiles + // built on the base grant types — currently the MCP Enterprise-Managed + // Authorization ID-JAG profile, present only when IDJAG_ENABLED is set. + AuthorizationGrantProfilesSupported []string `json:"authorization_grant_profiles_supported,omitempty"` } // oauthASMetadata is the curated OAuth 2.0 Authorization Server Metadata @@ -110,6 +114,9 @@ type oauthASMetadata struct { IntrospectionEndpointAuthMethods []string `json:"introspection_endpoint_auth_methods_supported"` GrantTypesSupported []string `json:"grant_types_supported"` CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` + // AuthorizationGrantProfilesSupported advertises the MCP Enterprise-Managed + // Authorization ID-JAG grant profile when IDJAG_ENABLED is set. + AuthorizationGrantProfilesSupported []string `json:"authorization_grant_profiles_supported,omitempty"` // RFC 8707 §3 — advertise that the `resource` request parameter is // honored on /authorize and /token. Always true for this server. // Two field names are emitted because the RFC 8707 draft used @@ -152,8 +159,15 @@ type baseMetadata struct { GrantTypesSupported []string CodeChallengeMethodsSupported []string IDTokenSigningAlgValues []string // empty when ID token not supported + // AuthorizationGrantProfiles is non-empty (the ID-JAG profile) only when + // IDJAG_ENABLED is set. + AuthorizationGrantProfiles []string } +// grantProfileIDJAG is the MCP Enterprise-Managed Authorization grant profile +// identifier advertised in discovery metadata when the RAS role is enabled. +const grantProfileIDJAG = "urn:ietf:params:oauth:grant-profile:id-jag" + // buildBaseMetadata returns the shared core used by both discovery endpoints. func (h *OIDCHandler) buildBaseMetadata() baseMetadata { alg := h.config.JWTSigningAlgorithm @@ -198,6 +212,16 @@ func (h *OIDCHandler) buildBaseMetadata() baseMetadata { CodeChallengeMethodsSupported: []string{"S256"}, IDTokenSigningAlgValues: idTokenAlgs, } + // Enterprise-Managed Authorization (ID-JAG) grants are advertised only when + // their respective master switches are on, so discovery reflects what the + // token endpoint will actually accept. + if h.config.IDJAGEnabled { + m.GrantTypesSupported = append(m.GrantTypesSupported, GrantTypeJWTBearer) + m.AuthorizationGrantProfiles = []string{grantProfileIDJAG} + } + if h.config.IDJAGIssuanceEnabled { + m.GrantTypesSupported = append(m.GrantTypesSupported, GrantTypeTokenExchange) + } if h.config.EnableDynamicClientRegistration { m.RegistrationEndpoint = h.issuerURL + "/oauth/register" } @@ -219,20 +243,21 @@ func (h *OIDCHandler) Discovery(c *gin.Context) { base := h.baseMeta meta := discoveryMetadata{ - Issuer: base.Issuer, - AuthorizationEndpoint: base.AuthorizationEndpoint, - TokenEndpoint: base.TokenEndpoint, - UserinfoEndpoint: base.UserinfoEndpoint, - RevocationEndpoint: base.RevocationEndpoint, - JwksURI: base.JwksURI, - ResponseTypesSupported: base.ResponseTypesSupported, - SubjectTypesSupported: oidcSubjectTypesSupported, - IDTokenSigningAlgValuesSupported: base.IDTokenSigningAlgValues, - ScopesSupported: base.ScopesSupported, - TokenEndpointAuthMethods: base.TokenEndpointAuthMethods, - GrantTypesSupported: base.GrantTypesSupported, - ClaimsSupported: oidcClaimsSupported, - CodeChallengeMethodsSupported: base.CodeChallengeMethodsSupported, + Issuer: base.Issuer, + AuthorizationEndpoint: base.AuthorizationEndpoint, + TokenEndpoint: base.TokenEndpoint, + UserinfoEndpoint: base.UserinfoEndpoint, + RevocationEndpoint: base.RevocationEndpoint, + JwksURI: base.JwksURI, + ResponseTypesSupported: base.ResponseTypesSupported, + SubjectTypesSupported: oidcSubjectTypesSupported, + IDTokenSigningAlgValuesSupported: base.IDTokenSigningAlgValues, + ScopesSupported: base.ScopesSupported, + TokenEndpointAuthMethods: base.TokenEndpointAuthMethods, + GrantTypesSupported: base.GrantTypesSupported, + ClaimsSupported: oidcClaimsSupported, + CodeChallengeMethodsSupported: base.CodeChallengeMethodsSupported, + AuthorizationGrantProfilesSupported: base.AuthorizationGrantProfiles, } c.Header("Cache-Control", "public, max-age=3600") @@ -276,6 +301,7 @@ func (h *OIDCHandler) OAuthAuthorizationServerMetadata(c *gin.Context) { IntrospectionEndpointAuthMethods: base.IntrospectionEndpointAuthMethods, GrantTypesSupported: base.GrantTypesSupported, CodeChallengeMethodsSupported: base.CodeChallengeMethodsSupported, + AuthorizationGrantProfilesSupported: base.AuthorizationGrantProfiles, ResourceIndicatorsSupported: true, ResourceParameterSupported: true, } diff --git a/internal/handlers/oidc_test.go b/internal/handlers/oidc_test.go index 6506a3d6..241fa59b 100644 --- a/internal/handlers/oidc_test.go +++ b/internal/handlers/oidc_test.go @@ -725,3 +725,63 @@ func TestOIDCDiscovery_UnaffectedByOAuthMetadataAddition(t *testing.T) { ) } } + +// TestDiscovery_IDJAGGrantsAdvertised verifies that enabling the ID-JAG roles +// surfaces the two grant types and the grant profile in discovery metadata, and +// that they are omitted when disabled. +func TestDiscovery_IDJAGGrantsAdvertised(t *testing.T) { + gin.SetMode(gin.TestMode) + + cfg := &config.Config{ + BaseURL: "https://auth.example.com", + IDJAGEnabled: true, + IDJAGIssuanceEnabled: true, + } + handler := NewOIDCHandler(nil, nil, cfg, false, true) + r := gin.New() + r.GET("/.well-known/openid-configuration", handler.Discovery) + r.GET("/.well-known/oauth-authorization-server", handler.OAuthAuthorizationServerMetadata) + + for _, path := range []string{ + "/.well-known/openid-configuration", + "/.well-known/oauth-authorization-server", + } { + req := httptest.NewRequest(http.MethodGet, path, nil) + w := httptest.NewRecorder() + r.ServeHTTP(w, req) + require.Equal(t, http.StatusOK, w.Code) + + var meta map[string]any + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &meta)) + + grants, _ := meta["grant_types_supported"].([]any) + assert.Contains(t, grants, "urn:ietf:params:oauth:grant-type:jwt-bearer", path) + assert.Contains(t, grants, "urn:ietf:params:oauth:grant-type:token-exchange", path) + + profiles, _ := meta["authorization_grant_profiles_supported"].([]any) + assert.Contains(t, profiles, "urn:ietf:params:oauth:grant-profile:id-jag", path) + } +} + +func TestDiscovery_IDJAGOmittedWhenDisabled(t *testing.T) { + gin.SetMode(gin.TestMode) + + cfg := &config.Config{BaseURL: "https://auth.example.com"} + handler := NewOIDCHandler(nil, nil, cfg, false, true) + r := gin.New() + r.GET("/.well-known/openid-configuration", handler.Discovery) + + req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil) + w := httptest.NewRecorder() + r.ServeHTTP(w, req) + require.Equal(t, http.StatusOK, w.Code) + + var meta map[string]any + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &meta)) + + grants, _ := meta["grant_types_supported"].([]any) + assert.NotContains(t, grants, "urn:ietf:params:oauth:grant-type:jwt-bearer") + assert.NotContains(t, grants, "urn:ietf:params:oauth:grant-type:token-exchange") + _, hasProfiles := meta["authorization_grant_profiles_supported"] + assert.False(t, hasProfiles, "profile field must be omitted when ID-JAG is disabled") +} diff --git a/internal/handlers/token.go b/internal/handlers/token.go index be123481..f3afbfe1 100644 --- a/internal/handlers/token.go +++ b/internal/handlers/token.go @@ -23,6 +23,9 @@ const ( GrantTypeRefreshToken = "refresh_token" GrantTypeAuthorizationCode = "authorization_code" GrantTypeClientCredentials = "client_credentials" + // Enterprise-Managed Authorization (ID-JAG) grant types. + GrantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer" + GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange" // OAuth 2.0 error codes (RFC 6749 §5.2, RFC 8628 §3.5, RFC 8707 §2) errInvalidGrant = "invalid_grant" @@ -189,16 +192,210 @@ func (h *TokenHandler) Token(c *gin.Context) { h.handleAuthorizationCodeGrant(c) case GrantTypeClientCredentials: h.handleClientCredentialsGrant(c) + case GrantTypeJWTBearer: + h.handleJWTBearerGrant(c) + case GrantTypeTokenExchange: + h.handleTokenExchangeGrant(c) default: respondOAuthError( c, http.StatusBadRequest, errUnsupportedGrant, - "Supported grant types: device_code, refresh_token, authorization_code, client_credentials", + "Supported grant types: device_code, refresh_token, authorization_code, "+ + "client_credentials, urn:ietf:params:oauth:grant-type:jwt-bearer, "+ + "urn:ietf:params:oauth:grant-type:token-exchange", ) } } +// handleJWTBearerGrant handles the urn:ietf:params:oauth:grant-type:jwt-bearer +// grant — the RAS role of Enterprise-Managed Authorization. It exchanges an +// ID-JAG (minted by a trusted external IdP) for an AuthGate access token whose +// `aud` is bound to the assertion's `resource`. No refresh token is returned. +func (h *TokenHandler) handleJWTBearerGrant(c *gin.Context) { + assertion := c.PostForm("assertion") + // Client credentials come from HTTP Basic Auth or the form body. The secret + // is optional (public clients omit it) but a confidential client must present + // it — the service enforces that. + clientID, clientSecret := parseClientCredentials(c) + if assertion == "" || clientID == "" { + respondOAuthError( + c, + http.StatusBadRequest, + errInvalidRequest, + "assertion and client_id are required", + ) + return + } + + accessToken, err := h.tokenService.IssueTokenFromIDJAG( + c.Request.Context(), assertion, clientID, clientSecret, + ) + if err != nil { + switch { + case errors.Is(err, services.ErrIDJAGDisabled): + respondOAuthError( + c, http.StatusBadRequest, errUnsupportedGrant, + "The jwt-bearer grant is not enabled on this server", + ) + case errors.Is(err, services.ErrIDJAGFlowDisabled): + respondOAuthError( + c, http.StatusBadRequest, errUnauthorizedClient, + "This client is not permitted to use the jwt-bearer grant", + ) + case errors.Is(err, services.ErrIDJAGInvalidClient): + respondOAuthError( + c, http.StatusUnauthorized, errInvalidClient, + "Unknown or inactive client", + ) + case errors.Is(err, services.ErrInvalidClientCredentials): + c.Header("WWW-Authenticate", `Basic realm="token"`) + respondOAuthError( + c, http.StatusUnauthorized, errInvalidClient, + "Client authentication failed", + ) + case errors.Is(err, services.ErrInvalidTarget): + respondOAuthError( + c, http.StatusBadRequest, errInvalidTarget, + resourceErrorDescription(err, "Requested resource is not allowed for this client"), + ) + case errors.Is(err, services.ErrAccessDenied): + respondOAuthError( + c, http.StatusBadRequest, errAccessDenied, + "The user is no longer permitted to complete this request", + ) + case errors.Is(err, services.ErrIDJAGUntrustedIssuer), + errors.Is(err, services.ErrIDJAGInvalidAssertion), + errors.Is(err, services.ErrIDJAGMissingClaim), + errors.Is(err, services.ErrIDJAGReplay): + respondOAuthError( + c, http.StatusBadRequest, errInvalidGrant, + "The ID-JAG assertion is invalid", + ) + case errors.Is(err, services.ErrIDJAGInvalidRequest): + respondOAuthError( + c, http.StatusBadRequest, errInvalidRequest, + "assertion and client_id are required", + ) + default: + log.Printf("[token] jwt-bearer grant error: %v", err) + respondOAuthError( + c, http.StatusInternalServerError, errServerError, + "An internal error occurred", + ) + } + return + } + + // RAS issues an access token only — no refresh token for assertion grants. + c.JSON(http.StatusOK, buildTokenResponse(accessToken, nil, "")) +} + +// handleTokenExchangeGrant handles the urn:ietf:params:oauth:grant-type:token-exchange +// grant for minting ID-JAGs (the IdP role of Enterprise-Managed Authorization, +// RFC 8693 profile). It exchanges an AuthGate ID Token for an ID-JAG targeted at +// a downstream RAS. Only requested_token_type=...:token-type:id-jag is supported. +func (h *TokenHandler) handleTokenExchangeGrant(c *gin.Context) { + if rtt := c.PostForm("requested_token_type"); rtt != token.TokenTypeIDJAG { + respondOAuthError( + c, http.StatusBadRequest, errInvalidRequest, + "requested_token_type must be "+token.TokenTypeIDJAG, + ) + return + } + + clientID, clientSecret := parseClientCredentials(c) + if clientID == "" { + c.Header("WWW-Authenticate", `Basic realm="token"`) + respondOAuthError( + c, http.StatusUnauthorized, errInvalidClient, + "Client authentication required", + ) + return + } + + req := services.IDJAGExchangeRequest{ + SubjectToken: c.PostForm("subject_token"), + SubjectTokenType: c.PostForm("subject_token_type"), + Audience: c.PostForm("audience"), + Resource: c.PostForm("resource"), + Scope: c.PostForm("scope"), + ClientID: clientID, + ClientSecret: clientSecret, + } + + result, err := h.tokenService.IssueIDJAG(c.Request.Context(), req) + if err != nil { + switch { + case errors.Is(err, services.ErrIDJAGIssuanceDisabled): + respondOAuthError( + c, http.StatusBadRequest, errUnsupportedGrant, + "The token-exchange grant is not enabled on this server", + ) + case errors.Is(err, services.ErrIDJAGFlowDisabled): + respondOAuthError( + c, http.StatusBadRequest, errUnauthorizedClient, + "This client is not permitted to mint ID-JAGs", + ) + case errors.Is(err, services.ErrInvalidClientCredentials): + c.Header("WWW-Authenticate", `Basic realm="token"`) + respondOAuthError( + c, http.StatusUnauthorized, errInvalidClient, + "Client authentication failed", + ) + case errors.Is(err, services.ErrIDJAGInvalidSubjectTokenType): + respondOAuthError( + c, http.StatusBadRequest, errInvalidRequest, + "subject_token_type must be "+token.TokenTypeIDToken, + ) + case errors.Is(err, services.ErrIDJAGInvalidSubjectToken): + respondOAuthError( + c, http.StatusBadRequest, errInvalidGrant, + "subject_token is invalid or is not an ID Token", + ) + case errors.Is(err, services.ErrAccessDenied): + respondOAuthError( + c, http.StatusBadRequest, errAccessDenied, + "The subject user is no longer permitted to complete this request", + ) + case errors.Is(err, token.ErrInvalidScope): + respondOAuthError( + c, http.StatusBadRequest, errInvalidScope, + "Requested scope exceeds the client's registered scopes", + ) + case errors.Is(err, services.ErrIDJAGAudienceNotAllowed), + errors.Is(err, services.ErrInvalidTarget): + respondOAuthError( + c, http.StatusBadRequest, errInvalidTarget, + resourceErrorDescription(err, "Requested audience or resource is not allowed"), + ) + case errors.Is(err, services.ErrIDJAGInvalidRequest): + respondOAuthError( + c, http.StatusBadRequest, errInvalidRequest, + "audience and resource are required", + ) + default: + log.Printf("[token] token-exchange grant error: %v", err) + respondOAuthError( + c, http.StatusInternalServerError, errServerError, + "An internal error occurred", + ) + } + return + } + + // RFC 8693 §2.2.1 token-exchange response. token_type is "N_A" because an + // ID-JAG is not a bearer token presented to a resource server — it is an + // assertion redeemed at a RAS's token endpoint. + expiresIn := max(int(time.Until(result.ExpiresAt).Seconds()), 0) + c.JSON(http.StatusOK, gin.H{ + "access_token": result.Assertion, + "issued_token_type": token.TokenTypeIDJAG, + "token_type": "N_A", + "expires_in": expiresIn, + }) +} + // handleDeviceCodeGrant handles device code grant type (RFC 8628) func (h *TokenHandler) handleDeviceCodeGrant(c *gin.Context) { deviceCode := c.PostForm("device_code") diff --git a/internal/handlers/token_idjag_test.go b/internal/handlers/token_idjag_test.go new file mode 100644 index 00000000..4445eeae --- /dev/null +++ b/internal/handlers/token_idjag_test.go @@ -0,0 +1,1206 @@ +package handlers + +import ( + "context" + "crypto/rand" + "crypto/rsa" + "encoding/base64" + "encoding/json" + "net/http" + "net/http/httptest" + "net/url" + "testing" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/config" + "github.com/go-authgate/authgate/internal/core" + "github.com/go-authgate/authgate/internal/metrics" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/services" + "github.com/go-authgate/authgate/internal/store" + "github.com/go-authgate/authgate/internal/token" + + "github.com/gin-gonic/gin" + "github.com/golang-jwt/jwt/v5" + "github.com/google/uuid" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// ─── ID-JAG test infrastructure ────────────────────────────────────────────── + +const ( + idjagTestIssuer = "https://idp.example.com" + idjagTestAudience = "http://localhost:8080" // this AuthGate acting as RAS + idjagTestResource = "https://mcp.example.com" + idjagTestSubject = "idp-subject-123" +) + +// newIDJAGEnv wires a token endpoint with the supplied config and provider so +// ID-JAG tests can exercise RS256 signing and custom config. +func newIDJAGEnv( + t *testing.T, + cfg *config.Config, + provider *token.LocalTokenProvider, +) (*gin.Engine, *store.Store) { + t.Helper() + gin.SetMode(gin.TestMode) + + s, err := store.New(context.Background(), "sqlite", ":memory:", &config.Config{}) + require.NoError(t, err) + + audit := services.NewNoopAuditService() + clientSvc := services.NewClientService(s, audit, nil, 0, nil, 0) + deviceSvc := services.NewDeviceService(s, cfg, audit, metrics.NewNoopMetrics(), clientSvc) + tokenSvc := services.NewTokenService( + s, cfg, deviceSvc, provider, audit, metrics.NewNoopMetrics(), + cache.NewNoopCache[models.AccessToken](), clientSvc, + ) + authzSvc := services.NewAuthorizationService(s, cfg, audit, tokenSvc, clientSvc) + handler := NewTokenHandler(tokenSvc, authzSvc, cfg) + + r := gin.New() + r.POST("/oauth/token", handler.Token) + r.GET("/oauth/tokeninfo", handler.TokenInfo) + return r, s +} + +// newRS256Provider builds an RS256 LocalTokenProvider with a fresh key, returning +// the provider and the private key (for direct signing in tests). +func newRS256Provider( + t *testing.T, + baseURL string, +) (*token.LocalTokenProvider, *rsa.PrivateKey, string) { + t.Helper() + key, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + kid, err := token.DeriveKeyID(&key.PublicKey) + require.NoError(t, err) + cfg := &config.Config{ + JWTSigningAlgorithm: config.AlgRS256, + BaseURL: baseURL, + JWTExpiration: time.Hour, + } + p, err := token.NewLocalTokenProvider(cfg, + token.WithSigningKey(key, &key.PublicKey), + token.WithKeyID(kid), + ) + require.NoError(t, err) + return p, key, kid +} + +// serveJWKS publishes provider's public key at a JWKS endpoint and returns its URL. +func serveJWKS(t *testing.T, provider *token.LocalTokenProvider) string { + t.Helper() + jh := NewJWKSHandler(provider.Algorithm(), provider.KeyID(), provider.PublicKey()) + gr := gin.New() + gr.GET("/jwks", jh.JWKS) + srv := httptest.NewServer(gr) + t.Cleanup(srv.Close) + return srv.URL + "/jwks" +} + +// signRS256 signs the given claims with key (RS256) and kid header — gives tests +// full control over every claim (iss/aud/exp/jti/...). +func signRS256(t *testing.T, key *rsa.PrivateKey, kid string, claims jwt.MapClaims) string { + t.Helper() + tok := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) + tok.Header["kid"] = kid + signed, err := tok.SignedString(key) + require.NoError(t, err) + return signed +} + +// idjagClaims builds a valid baseline ID-JAG claim set; callers tweak fields. +func idjagClaims() jwt.MapClaims { + now := time.Now() + return jwt.MapClaims{ + "iss": idjagTestIssuer, + "sub": idjagTestSubject, + "aud": idjagTestAudience, + "jti": uuid.New().String(), + "iat": now.Unix(), + "exp": now.Add(5 * time.Minute).Unix(), + "resource": idjagTestResource, + "client_id": "", // set by caller to the redeeming client + "scope": "read", + } +} + +// createIDJAGClient creates a confidential client with the ID-JAG flow enabled +// and the test resource in its RFC 8707 allowlist. +func createIDJAGClient(t *testing.T, s *store.Store) (*models.OAuthApplication, string) { + return newIDJAGClient(t, s, core.ClientTypePublic) +} + +// createConfidentialIDJAGClient creates a confidential ID-JAG client (its secret +// must be presented to redeem/mint), used by the token-exchange and round-trip +// tests. +func createConfidentialIDJAGClient( + t *testing.T, + s *store.Store, +) (*models.OAuthApplication, string) { + return newIDJAGClient(t, s, core.ClientTypeConfidential) +} + +func newIDJAGClient( + t *testing.T, + s *store.Store, + clientType core.ClientType, +) (*models.OAuthApplication, string) { + t.Helper() + client := &models.OAuthApplication{ + ClientID: uuid.New().String(), + ClientName: "MCP Client", + UserID: uuid.New().String(), + Scopes: "read write", + GrantTypes: "urn:ietf:params:oauth:grant-type:jwt-bearer", + ClientType: clientType.String(), + EnableIDJAGFlow: true, + AllowedResources: models.StringArray{idjagTestResource}, + Status: models.ClientStatusActive, + } + secret, err := client.GenerateClientSecret(context.Background()) + require.NoError(t, err) + require.NoError(t, s.CreateClient(client)) + return client, secret +} + +// idjagRASConfig returns a config with the RAS (jwt-bearer) role enabled and the +// in-test IdP trusted, pointing at the given JWKS URL. +func idjagRASConfig(jwksURL string) *config.Config { + cfg := defaultTokenTestConfig() + cfg.BaseURL = idjagTestAudience + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = 5 * time.Second + cfg.TrustedIDPs = []config.TrustedIDP{{ + Issuer: idjagTestIssuer, + JWKSURI: jwksURL, + Audience: idjagTestAudience, + }} + return cfg +} + +func decodeJWTPayload(t *testing.T, tokenString string) map[string]any { + t.Helper() + parts := splitJWT(tokenString) + require.Len(t, parts, 3, "token must have three segments") + raw, err := base64.RawURLEncoding.DecodeString(parts[1]) + require.NoError(t, err) + var claims map[string]any + require.NoError(t, json.Unmarshal(raw, &claims)) + return claims +} + +func splitJWT(s string) []string { + var parts []string + start := 0 + for i := 0; i < len(s); i++ { + if s[i] == '.' { + parts = append(parts, s[start:i]) + start = i + 1 + } + } + parts = append(parts, s[start:]) + return parts +} + +// ─── Phase 1 (RAS) test 1: happy path ──────────────────────────────────────── + +func TestIDJAG_JWTBearer_HappyPath(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + + hsProvider, err := token.NewLocalTokenProvider(cfg) + require.NoError(t, err) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + form := url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + } + w := postToken(t, r, form, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + + var resp map[string]any + require.NoError(t, json.NewDecoder(w.Body).Decode(&resp)) + assert.NotEmpty(t, resp["access_token"]) + assert.Equal(t, "Bearer", resp["token_type"]) + assert.Nil(t, resp["refresh_token"], "jwt-bearer must not issue a refresh token") + + // The access token's audience must be bound to the assertion's resource. + w2 := tokenInfoReq(t, r, resp["access_token"].(string)) + require.Equal(t, http.StatusOK, w2.Code) + var info map[string]any + require.NoError(t, json.NewDecoder(w2.Body).Decode(&info)) + assert.Equal(t, idjagTestResource, info["aud"]) + + // A user row must have been auto-provisioned for the ID-JAG subject. + user, err := s.GetUserByExternalID(idjagTestSubject, "idjag:"+idjagTestIssuer) + require.NoError(t, err, "user should be auto-provisioned") + assert.False(t, user.IsAdmin(), "provisioned users must never be admin") +} + +// ─── Phase 1 (RAS) test 2: untrusted / tampered assertions ─────────────────── + +func TestIDJAG_JWTBearer_UntrustedIssuer(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, "https://evil.example.com") + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) // trusts idjagTestIssuer, not evil + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["iss"] = "https://evil.example.com" // not in TrustedIDPs + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +func TestIDJAG_JWTBearer_BadSignature(t *testing.T) { + idp, _, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + // Sign with a DIFFERENT key than the one published in the JWKS. + wrongKey, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, wrongKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +// An assertion whose email claim collides with an existing user's unique email +// must still provision the ID-JAG identity (a deterministic synthetic email is +// used) rather than failing the grant on a duplicate-key error. +func TestIDJAG_JWTBearer_EmailCollisionStillProvisions(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + // An existing local user already owns this email. + const sharedEmail = "shared@example.com" + require.NoError(t, s.CreateUser(&models.User{ + ID: uuid.New().String(), + Username: "existing-local-user", + Email: sharedEmail, + IsActive: true, + AuthSource: models.AuthSourceLocal, + Role: models.UserRoleUser, + })) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + claims["email"] = sharedEmail // collides with the existing user's unique email + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + + // A distinct row was provisioned with a synthetic (non-colliding) email. + provisioned, err := s.GetUserByExternalID(idjagTestSubject, "idjag:"+idjagTestIssuer) + require.NoError(t, err) + assert.NotEqual(t, sharedEmail, provisioned.Email) +} + +func TestIDJAG_JWTBearer_WrongAudience(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["aud"] = "https://someone-else.example.com" + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +func TestIDJAG_JWTBearer_Expired(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + claims["iat"] = time.Now().Add(-10 * time.Minute).Unix() + claims["exp"] = time.Now().Add(-1 * time.Minute).Unix() // expired + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +func TestIDJAG_JWTBearer_HS256Rejected(t *testing.T) { + idp, _, _ := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + // Assertion signed with HS256 — must be rejected even though iss is trusted. + claims := idjagClaims() + claims["client_id"] = client.ClientID + tok := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) + assertion, err := tok.SignedString([]byte("a-shared-secret-attacker-knows!!")) + require.NoError(t, err) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +// ─── Phase 1 (RAS) test 3: resource / authorization errors ─────────────────── + +func TestIDJAG_JWTBearer_ResourceNotAllowed(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + claims["resource"] = "https://not-allowed.example.com" + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_target", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +func TestIDJAG_JWTBearer_FlowDisabled(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + + // Client with the ID-JAG flow disabled. + client := &models.OAuthApplication{ + ClientID: uuid.New().String(), + ClientName: "No IDJAG", + UserID: uuid.New().String(), + Scopes: "read", + ClientType: core.ClientTypeConfidential.String(), + EnableIDJAGFlow: false, + AllowedResources: models.StringArray{idjagTestResource}, + Status: models.ClientStatusActive, + } + _, err := client.GenerateClientSecret(context.Background()) + require.NoError(t, err) + require.NoError(t, s.CreateClient(client)) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "unauthorized_client", decodeError(t, w)) +} + +func TestIDJAG_JWTBearer_ReplayRejected(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + form := url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + } + // First use succeeds. + w1 := postToken(t, r, form, nil) + require.Equal(t, http.StatusOK, w1.Code, w1.Body.String()) + // Replaying the same assertion (same jti) must fail. + w2 := postToken(t, r, form, nil) + require.Equal(t, http.StatusBadRequest, w2.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w2)) +} + +func TestIDJAG_JWTBearer_DisabledGlobally(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + cfg.IDJAGEnabled = false // kill switch + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "unsupported_grant_type", decodeError(t, w)) +} + +// ─── Phase 2 (IdP) test 4: happy path ──────────────────────────────────────── + +// idjagIdPConfig enables the token-exchange (IdP) role for an audience. +func idjagIdPConfig() *config.Config { + cfg := defaultTokenTestConfig() + cfg.BaseURL = idjagTestAudience + cfg.IDJAGIssuanceEnabled = true + cfg.IDJAGAllowedAudiences = []string{idjagTestAudience} + cfg.IDJAGExpiration = 300 * time.Second + return cfg +} + +func mintIDToken( + t *testing.T, + provider *token.LocalTokenProvider, + cfg *config.Config, + audience string, +) string { + t.Helper() + idToken, err := provider.GenerateIDToken(core.IDTokenParams{ + Issuer: cfg.BaseURL, + Subject: idjagTestSubject, + Audience: audience, + AuthTime: time.Now(), + Expiry: time.Hour, + }) + require.NoError(t, err) + return idToken +} + +// createSubjectUser inserts an active user whose ID matches the ID token's +// subject, so the IdP role's "subject must be an active user" check passes. +func createSubjectUser(t *testing.T, s *store.Store, userID string) *models.User { + t.Helper() + u := &models.User{ + ID: userID, + Username: "subject-" + userID, + Email: "subject-" + userID + "@example.com", + IsActive: true, + AuthSource: models.AuthSourceLocal, + Role: models.UserRoleUser, + } + require.NoError(t, s.CreateUser(u)) + return u +} + +// authorizeSubject records an active consent grant for (userID, client) with the +// client's full "read write" scope and a resource binding for idjagTestResource, +// which the IdP token-exchange path requires before minting an ID-JAG: the minted +// resource must be one the user actually consented to, so an empty grant resource +// would be rejected (see TestIDJAG_TokenExchange_ResourceExceedsConsentRejected +// for the negative case). Returns the grant's UUID so callers can revoke it. +func authorizeSubject( + t *testing.T, + s *store.Store, + userID string, + client *models.OAuthApplication, +) string { + return authorizeSubjectGrant(t, s, userID, client, "read write", + models.StringArray{idjagTestResource}) +} + +// authorizeSubjectGrant records an active consent grant with explicit scopes and +// resource binding, so tests can assert that a minted ID-JAG never exceeds what +// the user actually approved. +func authorizeSubjectGrant( + t *testing.T, + s *store.Store, + userID string, + client *models.OAuthApplication, + scopes string, + resources models.StringArray, +) string { + t.Helper() + auth := &models.UserAuthorization{ + UUID: uuid.New().String(), + UserID: userID, + ApplicationID: client.ID, + ClientID: client.ClientID, + Scopes: scopes, + Resource: resources, + } + require.NoError(t, s.UpsertUserAuthorization(auth)) + return auth.UUID +} + +func TestIDJAG_TokenExchange_HappyPath(t *testing.T) { + cfg := idjagIdPConfig() + provider, err := token.NewLocalTokenProvider(cfg) + require.NoError(t, err) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + form := url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "scope": {"read"}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + } + w := postToken(t, r, form, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + + var resp map[string]any + require.NoError(t, json.NewDecoder(w.Body).Decode(&resp)) + assert.Equal(t, token.TokenTypeIDJAG, resp["issued_token_type"]) + assert.Equal(t, "N_A", resp["token_type"]) + require.NotEmpty(t, resp["access_token"]) + + claims := decodeJWTPayload(t, resp["access_token"].(string)) + assert.Equal(t, idjagTestAudience, claims["iss"]) // AuthGate's BaseURL + assert.Equal(t, idjagTestSubject, claims["sub"]) + assert.Equal(t, idjagTestAudience, claims["aud"]) + assert.Equal(t, idjagTestResource, claims["resource"]) + assert.Equal(t, client.ClientID, claims["client_id"]) + assert.Equal(t, "read", claims["scope"]) + + // exp ≈ now + 300s + expiresIn, ok := resp["expires_in"].(float64) + require.True(t, ok) + assert.InDelta(t, 300, expiresIn, 10) +} + +// ─── Phase 2 (IdP) test 5: policy reject ───────────────────────────────────── + +func TestIDJAG_TokenExchange_AudienceNotAllowed(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {"https://not-allowed.example.com"}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_target", decodeError(t, w)) +} + +// A minted ID-JAG must not be accepted as a subject_token (it is not an ID Token +// bound to the requesting client) — otherwise it could be replayed to re-mint +// assertions for other audiences. +func TestIDJAG_TokenExchange_RejectsIDJAGAsSubject(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + // First, legitimately mint an ID-JAG. + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + var exch map[string]any + require.NoError(t, json.NewDecoder(w.Body).Decode(&exch)) + idjag := exch["access_token"].(string) + + // Now try to use that ID-JAG as the subject_token — must be rejected. + w2 := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idjag}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w2.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w2)) +} + +// An ID Token minted for a different client must not be exchangeable by this client. +func TestIDJAG_TokenExchange_RejectsCrossClientIDToken(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + + // ID token whose audience is a DIFFERENT client. + idToken := mintIDToken(t, provider, cfg, "some-other-client-id") + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) +} + +func TestIDJAG_TokenExchange_InvalidSubjectToken(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {"not-a-valid-jwt"}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) +} + +// ─── Round-trip: Phase 2 ID-JAG fed into Phase 1 ───────────────────────────── + +func TestIDJAG_RoundTrip(t *testing.T) { + // AuthGate signs with RS256 so its own ID-JAGs are verifiable via its JWKS, + // and trusts itself as an IdP. + baseURL := idjagTestAudience + provider, _, _ := newRS256Provider(t, baseURL) + jwksURL := serveJWKS(t, provider) + + cfg := defaultTokenTestConfig() + cfg.JWTSigningAlgorithm = config.AlgRS256 + cfg.BaseURL = baseURL + // RAS role + cfg.IDJAGEnabled = true + cfg.JWKSCacheTTL = time.Hour + cfg.JWKSFetchTimeout = 5 * time.Second + cfg.TrustedIDPs = []config.TrustedIDP{{ + Issuer: baseURL, + JWKSURI: jwksURL, + Audience: baseURL, + }} + // IdP role + cfg.IDJAGIssuanceEnabled = true + cfg.IDJAGAllowedAudiences = []string{baseURL} + cfg.IDJAGExpiration = 300 * time.Second + + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + + // Phase 2: mint an ID-JAG from an AuthGate ID Token. + idToken := mintIDToken(t, provider, cfg, client.ClientID) + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {baseURL}, + "resource": {idjagTestResource}, + "scope": {"read"}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + var exch map[string]any + require.NoError(t, json.NewDecoder(w.Body).Decode(&exch)) + idjag := exch["access_token"].(string) + + // Phase 1: redeem the ID-JAG for an audience-bound access token. The client is + // confidential, so its secret must be presented. + w2 := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {idjag}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusOK, w2.Code, w2.Body.String()) + var resp map[string]any + require.NoError(t, json.NewDecoder(w2.Body).Decode(&resp)) + require.NotEmpty(t, resp["access_token"]) + + w3 := tokenInfoReq(t, r, resp["access_token"].(string)) + require.Equal(t, http.StatusOK, w3.Code) + var info map[string]any + require.NoError(t, json.NewDecoder(w3.Body).Decode(&info)) + assert.Equal(t, idjagTestResource, info["aud"], + "round-trip access token must be bound to the resource") +} + +// ─── Codex-review regression tests ─────────────────────────────────────────── + +// After the user revokes the app's authorization, the IdP must not mint fresh +// ID-JAGs from a lingering (stateless) ID token. +func TestIDJAG_TokenExchange_RevokedAuthorizationRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authUUID := authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + // User revokes the app authorization. + _, err := s.RevokeUserAuthorization(authUUID, idjagTestSubject) + require.NoError(t, err) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "access_denied", decodeError(t, w)) +} + +// Even with issuance enabled globally, a client whose per-client ID-JAG flow is +// off (default-deny) must not be able to mint ID-JAGs via token-exchange. +func TestIDJAG_TokenExchange_FlowDisabledRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + // Admin has NOT opted this client into the Enterprise-Managed Authorization flow. + client.EnableIDJAGFlow = false + require.NoError(t, s.UpdateClient(client)) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "unauthorized_client", decodeError(t, w)) +} + +// The IdP role must not mint an ID-JAG for a resource outside the client's +// RFC 8707 allowlist, even if the resource is syntactically valid. +func TestIDJAG_TokenExchange_ResourceNotAllowed(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) // allows only idjagTestResource + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {"https://not-allowed.example.com"}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_target", decodeError(t, w)) +} + +// Presenting a valid assertion to the wrong client must not burn its jti: the +// legitimate client can still redeem the same assertion afterwards. +func TestIDJAG_JWTBearer_JTINotBurnedOnRejection(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + clientA, _ := createIDJAGClient(t, s) + clientB, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = clientA.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + // Present the assertion to the WRONG client → rejected; jti must NOT be burned. + wWrong := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {clientB.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, wWrong.Code) + assert.Equal(t, "invalid_grant", decodeError(t, wWrong)) + + // The legitimate client can still redeem the same assertion. + wRight := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {clientA.ClientID}, + }, nil) + require.Equal(t, http.StatusOK, wRight.Code, wRight.Body.String()) +} + +// A confidential client must present its secret to redeem an ID-JAG; the +// assertion alone (plus the public client_id) is not enough. +func TestIDJAG_JWTBearer_ConfidentialRequiresSecret(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, secret := createConfidentialIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + assertion := signRS256(t, idpKey, idpKid, claims) + + // Without the secret → rejected. + wNoSecret := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusUnauthorized, wNoSecret.Code) + assert.Equal(t, "invalid_client", decodeError(t, wNoSecret)) + + // With the correct secret → succeeds (fresh jti to avoid the replay guard). + claims2 := idjagClaims() + claims2["client_id"] = client.ClientID + wWithSecret := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {signRS256(t, idpKey, idpKid, claims2)}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusOK, wWithSecret.Code, wWithSecret.Body.String()) +} + +// A multi-audience ID-JAG must be rejected — the assertion's aud must be exactly +// the single RAS identifier. +func TestIDJAG_JWTBearer_MultiAudienceRejected(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + claims := idjagClaims() + claims["client_id"] = client.ClientID + claims["aud"] = []string{idjagTestAudience, "https://other-ras.example.com"} + assertion := signRS256(t, idpKey, idpKid, claims) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {assertion}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_grant", decodeError(t, w)) + assertNoTokens(t, s, client.ClientID) +} + +// A disabled subject must not be able to mint a fresh ID-JAG from a lingering ID token. +func TestIDJAG_TokenExchange_DisabledSubjectRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) + user := createSubjectUser(t, s, idjagTestSubject) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + // Admin disables the subject after the ID token was issued. + user.IsActive = false + require.NoError(t, s.UpdateUser(user)) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "access_denied", decodeError(t, w)) +} + +// A scope that exceeds the client's registered scopes must be rejected, not +// silently narrowed (which could redeem as full scope at the RAS). +func TestIDJAG_TokenExchange_ScopeExceedsRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) // registered scopes: "read write" + createSubjectUser(t, s, idjagTestSubject) + authorizeSubject(t, s, idjagTestSubject, client) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "scope": {"admin"}, // not in the client's registered scopes + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_scope", decodeError(t, w)) +} + +// A scope within the client's registration but outside the user's actual consent +// must be rejected — the minted ID-JAG must never exceed the user's grant. +func TestIDJAG_TokenExchange_ScopeExceedsConsentRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) // registered scopes: "read write" + createSubjectUser(t, s, idjagTestSubject) + authorizeSubjectGrant(t, s, idjagTestSubject, client, "read", + models.StringArray{idjagTestResource}) // user granted only "read" + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + "scope": {"write"}, // registered for the client, but not consented + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_scope", decodeError(t, w)) +} + +// An omitted scope must bind to the user's granted scope, NOT default to empty +// (which the RAS would expand to the client's full registered scope set). +func TestIDJAG_TokenExchange_OmittedScopeBoundToConsent(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) // registered scopes: "read write" + createSubjectUser(t, s, idjagTestSubject) + authorizeSubjectGrant(t, s, idjagTestSubject, client, "read", + models.StringArray{idjagTestResource}) // user granted only "read" + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, + // scope intentionally omitted + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusOK, w.Code, w.Body.String()) + + var resp map[string]any + require.NoError(t, json.NewDecoder(w.Body).Decode(&resp)) + claims := decodeJWTPayload(t, resp["access_token"].(string)) + assert.Equal(t, "read", claims["scope"], + "omitted scope must bind to the user's grant, not the client's full scope set") +} + +// A resource within the client's allowlist but outside the user's consented +// resource set must be rejected — the user-approved resource binding is the floor. +func TestIDJAG_TokenExchange_ResourceExceedsConsentRejected(t *testing.T) { + cfg := idjagIdPConfig() + provider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, provider) + client, secret := createConfidentialIDJAGClient(t, s) // allows idjagTestResource + createSubjectUser(t, s, idjagTestSubject) + // User consented to a different (also-syntactically-valid) resource only. + authorizeSubjectGrant(t, s, idjagTestSubject, client, "read write", + models.StringArray{"https://other.example.com"}) + idToken := mintIDToken(t, provider, cfg, client.ClientID) + + w := postToken(t, r, url.Values{ + "grant_type": {GrantTypeTokenExchange}, + "requested_token_type": {token.TokenTypeIDJAG}, + "subject_token_type": {token.TokenTypeIDToken}, + "subject_token": {idToken}, + "audience": {idjagTestAudience}, + "resource": {idjagTestResource}, // allowed for the client, not consented + "client_id": {client.ClientID}, + "client_secret": {secret}, + }, nil) + require.Equal(t, http.StatusBadRequest, w.Code) + assert.Equal(t, "invalid_target", decodeError(t, w)) +} + +// A subject auto-provisioned by an earlier jwt-bearer grant who is later disabled +// must not be able to redeem a fresh assertion (RAS path). +func TestIDJAG_JWTBearer_DisabledUserRejected(t *testing.T) { + idp, idpKey, idpKid := newRS256Provider(t, idjagTestIssuer) + jwksURL := serveJWKS(t, idp) + cfg := idjagRASConfig(jwksURL) + hsProvider, _ := token.NewLocalTokenProvider(cfg) + r, s := newIDJAGEnv(t, cfg, hsProvider) + client, _ := createIDJAGClient(t, s) + + // First grant provisions the user (active). + claims := idjagClaims() + claims["client_id"] = client.ClientID + w1 := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {signRS256(t, idpKey, idpKid, claims)}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusOK, w1.Code, w1.Body.String()) + + // Admin disables the provisioned user. + provisioned, err := s.GetUserByExternalID(idjagTestSubject, "idjag:"+idjagTestIssuer) + require.NoError(t, err) + provisioned.IsActive = false + require.NoError(t, s.UpdateUser(provisioned)) + + // A second, fresh assertion (new jti) must now be rejected. + claims2 := idjagClaims() + claims2["client_id"] = client.ClientID + w2 := postToken(t, r, url.Values{ + "grant_type": {GrantTypeJWTBearer}, + "assertion": {signRS256(t, idpKey, idpKid, claims2)}, + "client_id": {client.ClientID}, + }, nil) + require.Equal(t, http.StatusBadRequest, w2.Code) + assert.Equal(t, "access_denied", decodeError(t, w2)) +} + +// ─── helpers ───────────────────────────────────────────────────────────────── + +func decodeError(t *testing.T, w *httptest.ResponseRecorder) string { + t.Helper() + var resp map[string]any + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + s, _ := resp["error"].(string) + return s +} + +func assertNoTokens(t *testing.T, s *store.Store, clientID string) { + t.Helper() + count, err := s.CountActiveTokensByClientID(clientID) + require.NoError(t, err) + assert.Equal(t, int64(0), count, "no token must be issued on failure") +} diff --git a/internal/handlers/utils.go b/internal/handlers/utils.go index 5c343c7b..3e8b9e99 100644 --- a/internal/handlers/utils.go +++ b/internal/handlers/utils.go @@ -85,6 +85,8 @@ func clientToDisplay(app *models.OAuthApplication) *templates.ClientDisplay { EnableDeviceFlow: app.EnableDeviceFlow, EnableAuthCodeFlow: app.EnableAuthCodeFlow, EnableClientCredentialsFlow: app.EnableClientCredentialsFlow, + EnableIDJAGFlow: app.EnableIDJAGFlow, + AllowedIDJAGIssuers: app.AllowedIDJAGIssuers.Join(", "), Status: app.Status, TokenProfile: app.TokenProfile, Project: app.Project, diff --git a/internal/jwks/remote.go b/internal/jwks/remote.go new file mode 100644 index 00000000..bf58dedb --- /dev/null +++ b/internal/jwks/remote.go @@ -0,0 +1,424 @@ +// Package jwks fetches and caches the public signing keys (JWKS, RFC 7517) of +// trusted external Identity Providers so AuthGate can verify Identity Assertion +// JWT Authorization Grants (ID-JAGs) on the jwt-bearer grant. +// +// Fetches are timeout-bounded, retried with a short backoff, cached for a TTL, +// and re-fetched once when an incoming token's `kid` is unknown (key rotation). +// Any failure returns an error so the caller fails closed — an IdP JWKS outage +// rejects the grant rather than hanging the token endpoint. +package jwks + +import ( + "context" + "crypto" + "crypto/ecdh" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rsa" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "io" + "math/big" + "net" + "net/http" + "net/url" + "slices" + "strings" + "sync" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/core" +) + +var ( + // ErrKeyNotFound is returned when no key matching the requested kid exists in + // the (freshly re-fetched) key set. + ErrKeyNotFound = errors.New("jwks: signing key not found") + // ErrFetch is returned when the JWKS endpoint cannot be fetched or parsed. + ErrFetch = errors.New("jwks: failed to fetch key set") + // ErrUnsupportedKey is returned for JWK entries AuthGate cannot use + // (non-RSA/EC, non-P-256 curve, malformed parameters). + ErrUnsupportedKey = errors.New("jwks: unsupported key") +) + +// maxJWKSBytes caps the response body read from a JWKS endpoint so a hostile or +// misconfigured IdP cannot exhaust memory. 1 MiB is far larger than any real +// key set. +const maxJWKSBytes = 1 << 20 + +// minRSAModulusBits is the smallest RSA modulus AuthGate accepts from a trusted +// IdP's JWKS, matching the floor enforced on its own RS256 signing key. +const minRSAModulusBits = 2048 + +// jwk is a single JSON Web Key (RFC 7517) — only the RSA and EC P-256 fields +// AuthGate understands are modelled. +type jwk struct { + Kty string `json:"kty"` + Kid string `json:"kid"` + Alg string `json:"alg"` + Use string `json:"use"` + KeyOps []string `json:"key_ops"` + N string `json:"n"` + E string `json:"e"` + Crv string `json:"crv"` + X string `json:"x"` + Y string `json:"y"` +} + +type jwkDocument struct { + Keys []jwk `json:"keys"` +} + +// keySet maps a key's `kid` to its parsed public key. A key advertised without +// a kid is stored under the empty string. soleKey holds the only usable key when +// the JWKS contained exactly one usable key in total, which is the sole condition +// under which a no-`kid` token may be verified. +type keySet struct { + keys map[string]crypto.PublicKey + soleKey crypto.PublicKey +} + +// lookup returns the key for kid. When the token carries no kid, the lookup only +// succeeds if the original JWKS held exactly one usable key (soleKey). Basing this +// on soleKey rather than the post-dedup map length is deliberate: a document with +// several usable keys (e.g. two no-kid keys plus a distinct-kid key) collapses to +// a one-entry map after ambiguous kids are dropped, but a no-kid token against it +// is still ambiguous and must be rejected. +func (ks keySet) lookup(kid string) (crypto.PublicKey, bool) { + if kid != "" { + k, ok := ks.keys[kid] + return k, ok + } + if ks.soleKey != nil { + return ks.soleKey, true + } + return nil, false +} + +// Fetcher fetches and caches JWKS documents keyed by their URI. +type Fetcher struct { + client *http.Client + cache core.Cache[keySet] + ttl time.Duration + maxAttempts int + retryDelay time.Duration + + // refetchMu guards lastRefetch, which throttles the unknown-kid forced + // refetch (see GetKey) to at most once per minRefetch per URI. Without this, + // a stream of tokens carrying random kids for a trusted issuer would evict + // the good key set and hammer the IdP's JWKS endpoint on every request. + refetchMu sync.Mutex + lastRefetch map[string]time.Time + minRefetch time.Duration +} + +// minRefetchInterval bounds how often an unknown kid can force a live JWKS +// refetch for a given URI. Legitimate key rotation still picks up within this +// window (and within the cache TTL); random-kid spam cannot amplify past it. +const minRefetchInterval = time.Minute + +// NewFetcher creates a Fetcher with the given per-request HTTP timeout and cache +// TTL. The in-memory cache uses lazy expiration (no background goroutine), so a +// Fetcher needs no explicit shutdown. +func NewFetcher(timeout, ttl time.Duration) *Fetcher { + if timeout <= 0 { + timeout = 5 * time.Second + } + if ttl <= 0 { + ttl = time.Hour + } + return &Fetcher{ + client: &http.Client{Timeout: timeout, CheckRedirect: checkRedirect}, + cache: cache.NewMemoryCache[keySet](0), // 0 = lazy expiry, no reaper goroutine + ttl: ttl, + maxAttempts: 3, + retryDelay: 200 * time.Millisecond, + lastRefetch: make(map[string]time.Time), + minRefetch: minRefetchInterval, + } +} + +// checkRedirect re-applies the trusted-IdP scheme rule to every redirect hop. +// The startup config validation requires each configured JWKS URI to be https +// (or loopback http), but the default http.Client would silently follow a +// redirect to plain http on an arbitrary host — letting a network attacker on +// that hop substitute the public key set and forge ID-JAG assertions this RAS +// would then accept. Rejecting insecure hops keeps the HTTPS guarantee end to +// end. The default net/http cap of 10 redirects still applies. +func checkRedirect(req *http.Request, _ []*http.Request) error { + if !isSafeJWKSURL(req.URL) { + return fmt.Errorf("%w: insecure redirect to %q", ErrFetch, req.URL.Redacted()) + } + return nil +} + +// isSafeJWKSURL reports whether u is an https URL, or http only to a loopback +// host. Mirrors config.validateAbsHTTPURL so the runtime redirect check and the +// startup validation enforce the same policy. +func isSafeJWKSURL(u *url.URL) bool { + switch u.Scheme { + case "https": + return true + case "http": + return isLoopbackHost(u.Hostname()) + default: + return false + } +} + +// isLoopbackHost reports whether host is the literal "localhost" or a loopback +// IP (127.0.0.0/8, ::1). +func isLoopbackHost(host string) bool { + if strings.EqualFold(host, "localhost") { + return true + } + if ip := net.ParseIP(host); ip != nil { + return ip.IsLoopback() + } + return false +} + +// GetKey returns the verification key for (jwksURI, kid). It serves from cache +// when fresh, fetches on a miss, and re-fetches once when kid is unknown to pick +// up a rotated key. Returns ErrKeyNotFound when the key is still absent after a +// fresh fetch, or ErrFetch when the endpoint is unreachable. +func (f *Fetcher) GetKey(ctx context.Context, jwksURI, kid string) (crypto.PublicKey, error) { + ks, err := f.load(ctx, jwksURI) + if err != nil { + return nil, err + } + if key, ok := ks.lookup(kid); ok { + return key, nil + } + // Unknown kid: keys may have rotated since we cached them. Evict and refetch, + // but throttle so attacker-supplied random kids cannot bust the cache and + // hammer the IdP on every request. + if !f.allowRefetch(jwksURI) { + return nil, fmt.Errorf("%w: kid=%q", ErrKeyNotFound, kid) + } + // Refetch the live key set WITHOUT first evicting the cache. A transient IdP + // JWKS outage must not drop the still-fresh cached keys: doing so would fail + // otherwise-valid assertions signed with the previously cached key until the + // endpoint recovers. We fetch into a temporary set and only overwrite the + // cache once the refetch succeeds. + fresh, err := f.fetch(ctx, jwksURI) + if err != nil { + return nil, err + } + _ = f.cache.Set(ctx, jwksURI, fresh, f.ttl) + if key, ok := fresh.lookup(kid); ok { + return key, nil + } + return nil, fmt.Errorf("%w: kid=%q", ErrKeyNotFound, kid) +} + +// allowRefetch reports whether an unknown-kid forced refetch is permitted for +// jwksURI right now, recording the time when it is. At most one forced refetch +// per minRefetch window per URI. +func (f *Fetcher) allowRefetch(jwksURI string) bool { + f.refetchMu.Lock() + defer f.refetchMu.Unlock() + now := time.Now() + if last, ok := f.lastRefetch[jwksURI]; ok && now.Sub(last) < f.minRefetch { + return false + } + f.lastRefetch[jwksURI] = now + return true +} + +func (f *Fetcher) load(ctx context.Context, jwksURI string) (keySet, error) { + return f.cache.GetWithFetch(ctx, jwksURI, f.ttl, + func(ctx context.Context, key string) (keySet, error) { + return f.fetch(ctx, key) + }, + ) +} + +// fetch retrieves and parses the JWKS document, retrying transient failures with +// a short backoff bounded by the context deadline. +func (f *Fetcher) fetch(ctx context.Context, jwksURI string) (keySet, error) { + var lastErr error + for attempt := 0; attempt < f.maxAttempts; attempt++ { + if attempt > 0 { + select { + case <-ctx.Done(): + return keySet{}, fmt.Errorf("%w: %v", ErrFetch, ctx.Err()) + case <-time.After(f.retryDelay * time.Duration(attempt)): + } + } + ks, err := f.fetchOnce(ctx, jwksURI) + if err == nil { + return ks, nil + } + lastErr = err + } + return keySet{}, lastErr +} + +func (f *Fetcher) fetchOnce(ctx context.Context, jwksURI string) (keySet, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, jwksURI, nil) + if err != nil { + return keySet{}, fmt.Errorf("%w: %v", ErrFetch, err) + } + resp, err := f.client.Do(req) + if err != nil { + return keySet{}, fmt.Errorf("%w: %v", ErrFetch, err) + } + defer func() { _ = resp.Body.Close() }() + + if resp.StatusCode != http.StatusOK { + return keySet{}, fmt.Errorf("%w: status %d", ErrFetch, resp.StatusCode) + } + body, err := io.ReadAll(io.LimitReader(resp.Body, maxJWKSBytes)) + if err != nil { + return keySet{}, fmt.Errorf("%w: %v", ErrFetch, err) + } + var doc jwkDocument + if err := json.Unmarshal(body, &doc); err != nil { + return keySet{}, fmt.Errorf("%w: invalid JSON", ErrFetch) + } + + keys := make(map[string]crypto.PublicKey, len(doc.Keys)) + seen := make(map[string]int, len(doc.Keys)) + usable := 0 + var lastKey crypto.PublicKey + for _, k := range doc.Keys { + pub, perr := k.publicKey() + if perr != nil { + // Skip keys we cannot use; another entry may still verify the token. + continue + } + usable++ + lastKey = pub + seen[k.Kid]++ + keys[k.Kid] = pub + } + // Drop any kid that appears more than once among the usable keys — a duplicate + // kid (or, worse, multiple keys with NO kid, which all collapse to the "" entry) + // is ambiguous: silently keeping whichever came last would verify assertions + // against an arbitrary key and reject valid ones signed by the shadowed key. + // Removing ambiguous kids makes those lookups fail closed instead. + for kid, n := range seen { + if n > 1 { + delete(keys, kid) + } + } + if len(keys) == 0 { + return keySet{}, fmt.Errorf("%w: no usable keys", ErrFetch) + } + ks := keySet{keys: keys} + // A no-kid token may only be verified when the document had exactly one usable + // key in total. Compute this from the pre-dedup usable count, NOT the surviving + // map length: a document with several usable keys (e.g. two no-kid keys plus a + // distinct-kid key) collapses to a one-entry map after dropping the ambiguous + // "" entry, yet a no-kid token against it is still ambiguous and must be rejected. + if usable == 1 { + ks.soleKey = lastKey + } + return ks, nil +} + +// publicKey converts a JWK into a crypto.PublicKey. Only RSA and EC P-256 keys +// are supported (matching the RS256/ES256 algorithms AuthGate verifies). Keys +// whose JWK `use`/`alg` mark them for a non-signing purpose are rejected so a +// token cannot point its `kid` at an encryption (or otherwise-scoped) key and +// have it accepted as an ID-JAG signing key — enforcing JWK key-use separation +// (RFC 7517 §4.2/§4.4). An absent `use`/`alg` is treated as unrestricted. +func (k jwk) publicKey() (crypto.PublicKey, error) { + if k.Use != "" && k.Use != "sig" { + return nil, ErrUnsupportedKey + } + // RFC 7517 §4.3: when key_ops is present it enumerates the permitted + // operations. A key that does not list "verify" must not be used to verify a + // signature — even if `use`/`alg` are absent — so an encryption/wrapping key + // cannot be repurposed as an ID-JAG signing key. + if len(k.KeyOps) > 0 && !slices.Contains(k.KeyOps, "verify") { + return nil, ErrUnsupportedKey + } + switch k.Kty { + case "RSA": + // AuthGate verifies RSA assertions with RS256 only, and the verifier does + // not cross-check the JWT header alg against the JWK. A key advertising any + // other RSA alg (PS256, RS384, …) is therefore not usable for our + // verification — accepting it would let an RS256 ID-JAG be verified with a + // key the IdP pinned to a different alg. Allow only an absent or RS256 alg. + if k.Alg != "" && k.Alg != "RS256" { + return nil, ErrUnsupportedKey + } + nBytes, err := decodeB64(k.N) + if err != nil { + return nil, ErrUnsupportedKey + } + eBytes, err := decodeB64(k.E) + if err != nil { + return nil, ErrUnsupportedKey + } + if len(nBytes) == 0 || len(eBytes) == 0 { + return nil, ErrUnsupportedKey + } + e := new(big.Int).SetBytes(eBytes) + // The exponent must fit in a 32-bit signed int (safe int() conversion on + // 386/arm) AND be a valid RSA signing exponent: odd and ≥ 3. e=1 makes the + // verification exponentiation the identity map, so ANY forged signature + // verifies — a hostile/MITM'd JWKS advertising e=1 would let the RAS accept + // attacker-minted ID-JAGs. Even exponents are not valid RSA exponents (e must + // be coprime with the even φ(n)). Reject both before trusting the key. + if e.BitLen() > 31 || e.Cmp(big.NewInt(3)) < 0 || e.Bit(0) == 0 { + return nil, ErrUnsupportedKey + } + n := new(big.Int).SetBytes(nBytes) + // Reject weak moduli (matches the 2048-bit floor AuthGate enforces on its + // own RS256 signing key); a small modulus from a compromised/MITM'd JWKS + // could be factored to forge assertions. + if n.BitLen() < minRSAModulusBits { + return nil, ErrUnsupportedKey + } + return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil + case "EC": + if k.Crv != "P-256" { + return nil, ErrUnsupportedKey + } + // P-256 signs with ES256; reject a key advertising any other alg. + if k.Alg != "" && k.Alg != "ES256" { + return nil, ErrUnsupportedKey + } + xBytes, err := decodeB64(k.X) + if err != nil { + return nil, ErrUnsupportedKey + } + yBytes, err := decodeB64(k.Y) + if err != nil { + return nil, ErrUnsupportedKey + } + const coordLen = 32 // P-256 coordinate byte length + if len(xBytes) == 0 || len(xBytes) > coordLen || + len(yBytes) == 0 || len(yBytes) > coordLen { + return nil, ErrUnsupportedKey + } + // Validate the point is on the curve via the non-deprecated crypto/ecdh + // API: build an uncompressed SEC1 point (0x04 || X || Y, left-padded to + // 32 bytes) and let NewPublicKey perform the on-curve check. + point := make([]byte, 1+2*coordLen) + point[0] = 0x04 + copy(point[1+coordLen-len(xBytes):1+coordLen], xBytes) + copy(point[1+2*coordLen-len(yBytes):], yBytes) + if _, err := ecdh.P256().NewPublicKey(point); err != nil { + return nil, ErrUnsupportedKey + } + return &ecdsa.PublicKey{ + Curve: elliptic.P256(), + X: new(big.Int).SetBytes(xBytes), + Y: new(big.Int).SetBytes(yBytes), + }, nil + default: + return nil, ErrUnsupportedKey + } +} + +// decodeB64 decodes a base64url (no padding) JWK parameter. +func decodeB64(s string) ([]byte, error) { + return base64.RawURLEncoding.DecodeString(s) +} diff --git a/internal/jwks/remote_security_test.go b/internal/jwks/remote_security_test.go new file mode 100644 index 00000000..112ec2b9 --- /dev/null +++ b/internal/jwks/remote_security_test.go @@ -0,0 +1,374 @@ +package jwks + +import ( + "context" + "crypto/rand" + "crypto/rsa" + "encoding/base64" + "errors" + "math/big" + "net/http" + "net/http/httptest" + "net/url" + "testing" + "time" +) + +// rsaJWKSCustom renders a single-key RSA JWKS with caller-chosen use/alg so a +// test can exercise key-use separation. +func rsaJWKSCustom(pub *rsa.PublicKey, kid, use, alg string) string { + n := base64.RawURLEncoding.EncodeToString(pub.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()) + return `{"keys":[{"kty":"RSA","use":"` + use + `","alg":"` + alg + `","kid":"` + kid + + `","n":"` + n + `","e":"` + e + `"}]}` +} + +func TestIsSafeJWKSURL(t *testing.T) { + cases := []struct { + raw string + want bool + }{ + {"https://idp.example.com/jwks", true}, + {"http://idp.example.com/jwks", false}, // cleartext non-loopback: rejected + {"http://127.0.0.1:8080/jwks", true}, // loopback http: allowed + {"http://localhost/jwks", true}, + {"http://[::1]/jwks", true}, + {"ftp://idp.example.com/jwks", false}, // non-http scheme + } + for _, c := range cases { + u, err := url.Parse(c.raw) + if err != nil { + t.Fatalf("parse %q: %v", c.raw, err) + } + if got := isSafeJWKSURL(u); got != c.want { + t.Errorf("isSafeJWKSURL(%q) = %v, want %v", c.raw, got, c.want) + } + } +} + +// TestFetcher_RejectsInsecureRedirect pins the redirect-validation fix: a JWKS +// endpoint that 302-redirects to cleartext http on a non-loopback host must be +// refused, not followed. Without the CheckRedirect policy the default client +// would fetch the attacker-controlled key set over plaintext and accept it, +// letting a network attacker forge ID-JAG assertions. The httptest server runs +// on loopback (the allowed initial hop); only the redirect target is insecure, +// so this isolates the redirect check. CheckRedirect fires before any request to +// the target, so no real network call to example.com is made. +func TestFetcher_RejectsInsecureRedirect(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + http.Redirect(w, &http.Request{}, "http://idp.attacker.example/jwks", http.StatusFound) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + _, err := f.GetKey(context.Background(), srv.URL, "rsa-1") + if !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch on insecure redirect, got %v", err) + } +} + +// TestFetcher_FollowsLoopbackRedirect confirms the policy is not overbroad: a +// redirect to another loopback http endpoint (which startup validation also +// permits) is still followed and the served key is returned. +func TestFetcher_FollowsLoopbackRedirect(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + final := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(rsaJWKS(&key.PublicKey, "rsa-1"))) + })) + defer final.Close() + redir := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + http.Redirect(w, &http.Request{}, final.URL, http.StatusFound) + })) + defer redir.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), redir.URL, "rsa-1") + if err != nil { + t.Fatalf("GetKey via loopback redirect: %v", err) + } + if pub, ok := got.(*rsa.PublicKey); !ok || pub.N.Cmp(key.PublicKey.N) != 0 { + t.Fatalf("returned key does not match the published RSA key") + } +} + +// TestFetcher_RejectsNonSigningUse pins the JWK-use-separation fix: a key +// explicitly marked use=enc must never be trusted as an ID-JAG signing key. With +// only that key published, GetKey fails closed (no usable keys); on the old code +// it would have happily returned the encryption key for signature verification. +func TestFetcher_RejectsNonSigningUse(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(rsaJWKSCustom(&key.PublicKey, "enc-1", "enc", "RSA-OAEP"))) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "enc-1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch (no usable keys) for use=enc key, got %v", err) + } +} + +// TestFetcher_RejectsNonSigningAlg covers the alg branch: a key with no `use` +// but an encryption `alg` is still rejected. +func TestFetcher_RejectsNonSigningAlg(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(rsaJWKSCustom(&key.PublicKey, "k1", "", "RSA-OAEP-256"))) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "k1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for encryption-alg key, got %v", err) + } +} + +// TestFetcher_RejectsNonVerifyKeyOps pins the key_ops branch: a JWK that +// enumerates key_ops without "verify" (e.g. an encryption/wrapping key) must not +// be usable for signature verification, even with `use`/`alg` absent. +func TestFetcher_RejectsNonVerifyKeyOps(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()) + doc := `{"keys":[{"kty":"RSA","kid":"k1","key_ops":["encrypt","wrapKey"],"n":"` + + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "k1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for key_ops without verify, got %v", err) + } +} + +// TestFetcher_AcceptsVerifyKeyOps confirms a key that lists "verify" in key_ops +// is still accepted. +func TestFetcher_AcceptsVerifyKeyOps(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()) + doc := `{"keys":[{"kty":"RSA","kid":"k1","key_ops":["verify"],"n":"` + + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), srv.URL, "k1") + if err != nil { + t.Fatalf("verify key_ops key should resolve: %v", err) + } + if _, ok := got.(*rsa.PublicKey); !ok { + t.Fatalf("expected *rsa.PublicKey, got %T", got) + } +} + +// TestFetcher_RejectsUnsafeRSAExponent pins the exponent fix: an RSA JWK whose +// public exponent is e=1 must be rejected. With e=1 the RSA verification +// exponentiation is the identity map, so any forged signature would verify — a +// hostile JWKS could then mint ID-JAGs this RAS accepts. The modulus is a real +// 2048-bit key so only the exponent is at fault. +func TestFetcher_RejectsUnsafeRSAExponent(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + // e = 1 (single byte 0x01). + e := base64.RawURLEncoding.EncodeToString([]byte{0x01}) + doc := `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"k1","n":"` + + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "k1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for e=1 RSA key, got %v", err) + } +} + +// TestFetcher_RejectsEvenRSAExponent rejects an even exponent (e=4), which is not +// a valid RSA exponent (must be coprime with the even φ(n)). +func TestFetcher_RejectsEvenRSAExponent(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString([]byte{0x04}) + doc := `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"k1","n":"` + + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "k1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for even RSA exponent, got %v", err) + } +} + +// TestFetcher_RejectsDuplicateKid pins the ambiguous-kid fix: a JWKS with two +// different keys sharing the same kid is ambiguous — silently keeping the last one +// would verify assertions against an arbitrary key and reject valid ones signed by +// the shadowed key. The duplicated kid must become unresolvable (fail closed). +func TestFetcher_RejectsDuplicateKid(t *testing.T) { + k1, _ := rsa.GenerateKey(rand.Reader, 2048) + k2, _ := rsa.GenerateKey(rand.Reader, 2048) + jwkOf := func(p *rsa.PublicKey, kid string) string { + n := base64.RawURLEncoding.EncodeToString(p.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(p.E)).Bytes()) + return `{"kty":"RSA","use":"sig","alg":"RS256","kid":"` + kid + + `","n":"` + n + `","e":"` + e + `"}` + } + doc := `{"keys":[` + jwkOf(&k1.PublicKey, "dup") + `,` + jwkOf(&k2.PublicKey, "dup") + `]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + // Both keys share kid "dup" → ambiguous → dropped → no usable keys. + if _, err := f.GetKey(context.Background(), srv.URL, "dup"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for duplicate kid, got %v", err) + } +} + +// TestFetcher_RejectsMultipleNoKidKeys covers the empty-kid collision: two keys +// with no kid both collapse to the "" map entry. Without the fix the set would +// look like it has exactly one key, so a no-kid assertion would verify against +// whichever came last. They must be dropped, leaving the set empty (fail closed). +func TestFetcher_RejectsMultipleNoKidKeys(t *testing.T) { + k1, _ := rsa.GenerateKey(rand.Reader, 2048) + k2, _ := rsa.GenerateKey(rand.Reader, 2048) + jwkNoKid := func(p *rsa.PublicKey) string { + n := base64.RawURLEncoding.EncodeToString(p.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(p.E)).Bytes()) + return `{"kty":"RSA","use":"sig","alg":"RS256","n":"` + n + `","e":"` + e + `"}` + } + doc := `{"keys":[` + jwkNoKid(&k1.PublicKey) + `,` + jwkNoKid(&k2.PublicKey) + `]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, ""); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for multiple no-kid keys, got %v", err) + } +} + +// TestFetcher_NoKidAmbiguousWithSurvivingKey pins the no-kid ambiguity fix: a +// JWKS with two no-kid keys PLUS one distinct-kid key collapses to a one-entry map +// after the ambiguous "" entry is dropped. A no-kid token must still be rejected +// (the original document had multiple usable keys), even though the surviving map +// has length 1 — so no-kid acceptance is based on the original usable count, not +// the post-dedup length. The distinct-kid key must still resolve. +func TestFetcher_NoKidAmbiguousWithSurvivingKey(t *testing.T) { + k1, _ := rsa.GenerateKey(rand.Reader, 2048) + k2, _ := rsa.GenerateKey(rand.Reader, 2048) + k3, _ := rsa.GenerateKey(rand.Reader, 2048) + jwkOf := func(p *rsa.PublicKey, kid string) string { + n := base64.RawURLEncoding.EncodeToString(p.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(p.E)).Bytes()) + kidField := "" + if kid != "" { + kidField = `"kid":"` + kid + `",` + } + return `{"kty":"RSA","use":"sig","alg":"RS256",` + kidField + + `"n":"` + n + `","e":"` + e + `"}` + } + doc := `{"keys":[` + jwkOf(&k1.PublicKey, "") + `,` + jwkOf(&k2.PublicKey, "") + `,` + + jwkOf(&k3.PublicKey, "real") + `]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + // No-kid token must NOT verify against the surviving distinct-kid key. + if _, err := f.GetKey(context.Background(), srv.URL, ""); err == nil { + t.Fatal("expected error for no-kid lookup against an ambiguous JWKS, got nil") + } + // The distinct-kid key is still usable. + if _, err := f.GetKey(context.Background(), srv.URL, "real"); err != nil { + t.Fatalf("distinct-kid key should resolve: %v", err) + } +} + +// TestFetcher_SingleNoKidKeyResolves is the positive control for soleKey: a JWKS +// with exactly one usable key (no kid) lets a no-kid token verify against it. +func TestFetcher_SingleNoKidKeyResolves(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()) + doc := `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","n":"` + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), srv.URL, "") + if err != nil { + t.Fatalf("single no-kid key should resolve for a no-kid token: %v", err) + } + if _, ok := got.(*rsa.PublicKey); !ok { + t.Fatalf("expected *rsa.PublicKey, got %T", got) + } +} + +// TestFetcher_RejectsNonRS256RSAAlg pins the exact-alg fix: AuthGate verifies RSA +// with RS256 only, so an RSA JWK advertising PS256 (or RS384/RS512) must be +// rejected — otherwise an RS256 ID-JAG could be verified with a key the IdP pinned +// to a different alg. +func TestFetcher_RejectsNonRS256RSAAlg(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + n := base64.RawURLEncoding.EncodeToString(key.PublicKey.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(key.PublicKey.E)).Bytes()) + doc := `{"keys":[{"kty":"RSA","use":"sig","alg":"PS256","kid":"k1","n":"` + + n + `","e":"` + e + `"}]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "k1"); !errors.Is(err, ErrFetch) { + t.Fatalf("expected ErrFetch for PS256 RSA key, got %v", err) + } +} + +// TestFetcher_MixedKeysSkipsEncKeepsSig proves the skip is per-key: a JWKS with +// both an encryption key and a signing key drops only the former. The signing +// key still resolves; the encryption key's kid does not. +func TestFetcher_MixedKeysSkipsEncKeepsSig(t *testing.T) { + encKey, _ := rsa.GenerateKey(rand.Reader, 2048) + sigKey, _ := rsa.GenerateKey(rand.Reader, 2048) + enc := func(p *rsa.PublicKey, kid, use, alg string) string { + n := base64.RawURLEncoding.EncodeToString(p.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(p.E)).Bytes()) + return `{"kty":"RSA","use":"` + use + `","alg":"` + alg + `","kid":"` + kid + + `","n":"` + n + `","e":"` + e + `"}` + } + doc := `{"keys":[` + + enc(&encKey.PublicKey, "enc-1", "enc", "RSA-OAEP") + `,` + + enc(&sigKey.PublicKey, "sig-1", "sig", "RS256") + `]}` + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(doc)) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), srv.URL, "sig-1") + if err != nil { + t.Fatalf("signing key should resolve: %v", err) + } + if pub, ok := got.(*rsa.PublicKey); !ok || pub.N.Cmp(sigKey.PublicKey.N) != 0 { + t.Fatalf("returned key is not the published signing key") + } + // The encryption key must not be usable even though its kid was advertised. + if _, err := f.GetKey(context.Background(), srv.URL, "enc-1"); !errors.Is(err, ErrKeyNotFound) { + t.Fatalf("expected ErrKeyNotFound for skipped enc key, got %v", err) + } +} diff --git a/internal/jwks/remote_test.go b/internal/jwks/remote_test.go new file mode 100644 index 00000000..b4ce5966 --- /dev/null +++ b/internal/jwks/remote_test.go @@ -0,0 +1,156 @@ +package jwks + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "encoding/base64" + "math/big" + "net/http" + "net/http/httptest" + "sync/atomic" + "testing" + "time" +) + +// rsaJWKS renders a JWKS document for an RSA public key with the given kid. +func rsaJWKS(pub *rsa.PublicKey, kid string) string { + n := base64.RawURLEncoding.EncodeToString(pub.N.Bytes()) + e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()) + return `{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"` + kid + + `","n":"` + n + `","e":"` + e + `"}]}` +} + +func ecJWKS(pub *ecdsa.PublicKey, kid string) string { + x := base64.RawURLEncoding.EncodeToString(pub.X.Bytes()) + y := base64.RawURLEncoding.EncodeToString(pub.Y.Bytes()) + return `{"keys":[{"kty":"EC","use":"sig","alg":"ES256","crv":"P-256","kid":"` + kid + + `","x":"` + x + `","y":"` + y + `"}]}` +} + +func TestFetcher_GetKey_RSA(t *testing.T) { + key, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatal(err) + } + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(rsaJWKS(&key.PublicKey, "rsa-1"))) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), srv.URL, "rsa-1") + if err != nil { + t.Fatalf("GetKey: %v", err) + } + pub, ok := got.(*rsa.PublicKey) + if !ok || pub.N.Cmp(key.PublicKey.N) != 0 { + t.Fatalf("returned key does not match the published RSA key") + } +} + +func TestFetcher_GetKey_EC(t *testing.T) { + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatal(err) + } + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(ecJWKS(&key.PublicKey, "ec-1"))) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + got, err := f.GetKey(context.Background(), srv.URL, "ec-1") + if err != nil { + t.Fatalf("GetKey: %v", err) + } + if _, ok := got.(*ecdsa.PublicKey); !ok { + t.Fatalf("expected *ecdsa.PublicKey, got %T", got) + } +} + +func TestFetcher_UnknownKidRefetches(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + var hits int32 + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + n := atomic.AddInt32(&hits, 1) + // First response advertises kid "old"; later responses advertise "new" + // (key rotation). The fetcher should re-fetch when "new" is unknown. + kid := "old" + if n > 1 { + kid = "new" + } + _, _ = w.Write([]byte(rsaJWKS(&key.PublicKey, kid))) + })) + defer srv.Close() + + f := NewFetcher(5*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "old"); err != nil { + t.Fatalf("first GetKey: %v", err) + } + if _, err := f.GetKey(context.Background(), srv.URL, "new"); err != nil { + t.Fatalf("rotated GetKey: %v", err) + } + if atomic.LoadInt32(&hits) < 2 { + t.Fatalf("expected a refetch on unknown kid, hits=%d", hits) + } +} + +// A failed unknown-kid refetch (e.g. transient IdP JWKS outage) must NOT evict +// the still-fresh cached keys: assertions signed with the previously cached key +// must keep verifying until the endpoint recovers. +func TestFetcher_UnknownKidKeepsCacheOnRefetchFailure(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + var down atomic.Bool + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + if down.Load() { + w.WriteHeader(http.StatusInternalServerError) + return + } + _, _ = w.Write([]byte(rsaJWKS(&key.PublicKey, "old"))) + })) + defer srv.Close() + + f := NewFetcher(2*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "old"); err != nil { + t.Fatalf("first GetKey: %v", err) + } + + // IdP JWKS endpoint goes down; a token with an unknown kid forces a refetch. + down.Store(true) + if _, err := f.GetKey(context.Background(), srv.URL, "unknown"); err == nil { + t.Fatal("expected refetch failure while the endpoint is down") + } + + // The cached "old" key must survive the failed refetch. + if _, err := f.GetKey(context.Background(), srv.URL, "old"); err != nil { + t.Fatalf("cached key must survive a failed refetch: %v", err) + } +} + +func TestFetcher_FetchFailsClosed(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusInternalServerError) + })) + defer srv.Close() + + f := NewFetcher(2*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "any"); err == nil { + t.Fatal("expected an error when the JWKS endpoint is unavailable") + } +} + +func TestFetcher_UnknownKidNotFound(t *testing.T) { + key, _ := rsa.GenerateKey(rand.Reader, 2048) + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + _, _ = w.Write([]byte(rsaJWKS(&key.PublicKey, "only"))) + })) + defer srv.Close() + + f := NewFetcher(2*time.Second, time.Hour) + if _, err := f.GetKey(context.Background(), srv.URL, "missing"); err == nil { + t.Fatal("expected ErrKeyNotFound for an absent kid") + } +} diff --git a/internal/models/audit_log.go b/internal/models/audit_log.go index a002b5d0..92d3b39a 100644 --- a/internal/models/audit_log.go +++ b/internal/models/audit_log.go @@ -74,6 +74,10 @@ const ( // Client Credentials Flow events (RFC 6749 §4.4) EventClientCredentialsTokenIssued EventType = "CLIENT_CREDENTIALS_TOKEN_ISSUED" //nolint:gosec // G101: false positive + // Enterprise-Managed Authorization (ID-JAG) events + EventIDJAGTokenIssued EventType = "ID_JAG_TOKEN_ISSUED" //nolint:gosec // G101: false positive, event type constant — RAS role issued an access token from an ID-JAG + EventIDJAGIssued EventType = "ID_JAG_ISSUED" // IdP role minted an ID-JAG via token-exchange + // Token Introspection events (RFC 7662) EventTokenIntrospected EventType = "TOKEN_INTROSPECTED" diff --git a/internal/models/oauth_application.go b/internal/models/oauth_application.go index 5d7b3011..62f2398c 100644 --- a/internal/models/oauth_application.go +++ b/internal/models/oauth_application.go @@ -75,6 +75,8 @@ type OAuthApplication struct { EnableDeviceFlow bool `gorm:"not null;default:true"` EnableAuthCodeFlow bool `gorm:"not null;default:false"` EnableClientCredentialsFlow bool `gorm:"not null;default:false"` // Client Credentials Grant (RFC 6749 §4.4); confidential clients only + EnableIDJAGFlow bool `gorm:"not null;default:false"` // Enterprise-Managed Authorization (ID-JAG) jwt-bearer grant; default-deny + AllowedIDJAGIssuers StringArray `gorm:"type:json"` // Per-client trusted-IdP issuer allowlist for ID-JAG; empty = any TRUSTED_IDPS issuer is accepted Status string `gorm:"not null;default:'active'"` // ClientStatusPending / ClientStatusActive / ClientStatusInactive TokenProfile string `gorm:"not null;default:'standard';size:20"` // "short" / "standard" / "long"; resolves to a TTL preset in config Project string `gorm:"size:64"` // Optional project identifier injected as JWT "project" claim. Format: a single alnum, or 2–64 chars matching ^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,62}[a-zA-Z0-9]$ (validated in services). diff --git a/internal/services/client.go b/internal/services/client.go index cd0b03f6..662ce150 100644 --- a/internal/services/client.go +++ b/internal/services/client.go @@ -30,8 +30,14 @@ var serviceAccountPattern = regexp.MustCompile( const pendingClientsCountCacheKey = "clients:pending_count" +// grantTypeJWTBearerURN is the GrantTypes token recorded when the +// Enterprise-Managed Authorization (ID-JAG) flow is enabled on a client. +const grantTypeJWTBearerURN = "urn:ietf:params:oauth:grant-type:jwt-bearer" + // buildGrantTypes derives the GrantTypes string from per-flow enable flags. -func buildGrantTypes(enableDevice, enableAuthCode, enableClientCredentials bool) string { +func buildGrantTypes( + enableDevice, enableAuthCode, enableClientCredentials, enableIDJAG bool, +) string { var grants []string if enableDevice { grants = append(grants, "device_code") @@ -42,6 +48,9 @@ func buildGrantTypes(enableDevice, enableAuthCode, enableClientCredentials bool) if enableClientCredentials { grants = append(grants, "client_credentials") } + if enableIDJAG { + grants = append(grants, grantTypeJWTBearerURN) + } return strings.Join(grants, " ") } @@ -94,6 +103,11 @@ var ( "each redirect URI pattern must be an absolute http/https URI with a host, a path " + "more specific than \"/\", no query/fragment/userinfo, and no wildcard or regex characters", ) + ErrInvalidIDJAGIssuer = errors.New( + "each allowed ID-JAG issuer must be an absolute http/https URL with a host; " + + "it must also exactly match an issuer configured in TRUSTED_IDPS, which is " + + "enforced when an assertion is presented (not at save time)", + ) ErrTooManyRedirectURIPatterns = fmt.Errorf( "a client may have at most %d redirect URI patterns", maxRedirectURIPatterns, @@ -226,6 +240,25 @@ func validateAllowedResources(resources []string) error { return nil } +// validateIDJAGIssuers checks that every per-client ID-JAG issuer-allowlist +// entry is an absolute http/https URL with a host. Empty slice is valid (the +// client accepts any TRUSTED_IDPS issuer). The exact `iss` string is matched at +// runtime against the assertion, so entries are stored verbatim. +func validateIDJAGIssuers(issuers []string) error { + for _, raw := range issuers { + u, err := url.Parse(strings.TrimSpace(raw)) + if err != nil { + return ErrInvalidIDJAGIssuer + } + // Reuse the shared scheme/host/fragment check (strict=false: an issuer is + // not a redirect URI, so the loopback-http rule does not apply). + if err := validateRedirectURIScheme(u, raw, false, ErrInvalidIDJAGIssuer); err != nil { + return err + } + } + return nil +} + // validateRedirectURIScheme applies the RFC 6749 + OAuth 2.1 scheme/host/fragment // rules shared by exact redirect URIs and redirect URI patterns: an absolute // http/https URI, a non-empty host, and no fragment. When strict is true it also @@ -340,13 +373,15 @@ type CreateClientRequest struct { RedirectURIPatterns []string // Origin-locked path-prefix patterns; validated via validateRedirectURIPatterns. Empty = exact-match-only. CreatedBy string ClientType core.ClientType - EnableDeviceFlow bool // Enable Device Authorization Grant (RFC 8628) - EnableAuthCodeFlow bool // Enable Authorization Code Flow (RFC 6749) - EnableClientCredentialsFlow bool // Enable Client Credentials Grant (RFC 6749 §4.4); confidential clients only - IsAdminCreated bool // When true: Status=active; when false: Status=pending - TokenProfile string // "short" / "standard" / "long"; empty = standard - Project string // Optional; injected as JWT "project" claim. Validated by util.IsValidProjectIdentifier. - ServiceAccount string // Optional; injected as JWT "service_account" claim. Validated by serviceAccountPattern. + EnableDeviceFlow bool // Enable Device Authorization Grant (RFC 8628) + EnableAuthCodeFlow bool // Enable Authorization Code Flow (RFC 6749) + EnableClientCredentialsFlow bool // Enable Client Credentials Grant (RFC 6749 §4.4); confidential clients only + EnableIDJAGFlow bool // Enable Enterprise-Managed Authorization (ID-JAG) jwt-bearer grant + AllowedIDJAGIssuers []string // Per-client trusted-IdP issuer allowlist; empty = any TRUSTED_IDPS issuer + IsAdminCreated bool // When true: Status=active; when false: Status=pending + TokenProfile string // "short" / "standard" / "long"; empty = standard + Project string // Optional; injected as JWT "project" claim. Validated by util.IsValidProjectIdentifier. + ServiceAccount string // Optional; injected as JWT "service_account" claim. Validated by serviceAccountPattern. } type UpdateClientRequest struct { @@ -360,10 +395,12 @@ type UpdateClientRequest struct { ClientType core.ClientType EnableDeviceFlow bool EnableAuthCodeFlow bool - EnableClientCredentialsFlow bool // Enable Client Credentials Grant (RFC 6749 §4.4); confidential clients only - TokenProfile string // "short" / "standard" / "long"; empty = standard - Project string // Optional; injected as JWT "project" claim. Validated by util.IsValidProjectIdentifier. - ServiceAccount string // Optional; injected as JWT "service_account" claim. Validated by serviceAccountPattern. + EnableClientCredentialsFlow bool // Enable Client Credentials Grant (RFC 6749 §4.4); confidential clients only + EnableIDJAGFlow bool // Enable Enterprise-Managed Authorization (ID-JAG) jwt-bearer grant + AllowedIDJAGIssuers []string // Per-client trusted-IdP issuer allowlist; empty = any TRUSTED_IDPS issuer + TokenProfile string // "short" / "standard" / "long"; empty = standard + Project string // Optional; injected as JWT "project" claim. Validated by util.IsValidProjectIdentifier. + ServiceAccount string // Optional; injected as JWT "service_account" claim. Validated by serviceAccountPattern. } // normalizeTokenProfile validates and defaults an incoming token profile value. @@ -434,6 +471,9 @@ func (s *ClientService) CreateClient( ); err != nil { return nil, err } + if err := validateIDJAGIssuers(req.AllowedIDJAGIssuers); err != nil { + return nil, err + } // Generate client ID clientID := uuid.New().String() @@ -445,16 +485,22 @@ func (s *ClientService) CreateClient( } enableClientCredentials := req.EnableClientCredentialsFlow + enableIDJAG := req.EnableIDJAGFlow - // If neither flow is explicitly enabled, default to device flow + // If no flow is explicitly enabled, default to device flow enableDevice := req.EnableDeviceFlow enableAuthCode := req.EnableAuthCodeFlow - if !enableDevice && !enableAuthCode && !enableClientCredentials { + if !enableDevice && !enableAuthCode && !enableClientCredentials && !enableIDJAG { enableDevice = true } // Derive GrantTypes string from the enabled flows - grantTypes := buildGrantTypes(enableDevice, enableAuthCode, enableClientCredentials) + grantTypes := buildGrantTypes( + enableDevice, + enableAuthCode, + enableClientCredentials, + enableIDJAG, + ) // Determine approval status based on creator role. // Admin-created clients are immediately active; user-created clients require approval. @@ -477,6 +523,8 @@ func (s *ClientService) CreateClient( EnableDeviceFlow: enableDevice, EnableAuthCodeFlow: enableAuthCode, EnableClientCredentialsFlow: enableClientCredentials, + EnableIDJAGFlow: enableIDJAG, + AllowedIDJAGIssuers: models.StringArray(req.AllowedIDJAGIssuers), Status: clientStatus, TokenProfile: tokenProfile, Project: project, @@ -536,9 +584,11 @@ type clientSnapshot struct { tokenProfile string project string serviceAccount string + allowedIDJAGIssuers []string enableDeviceFlow bool enableAuthCodeFlow bool enableClientCredentialsFlow bool + enableIDJAGFlow bool } func snapshotClient(c *models.OAuthApplication) clientSnapshot { @@ -554,9 +604,11 @@ func snapshotClient(c *models.OAuthApplication) clientSnapshot { tokenProfile: models.ResolveTokenProfile(c.TokenProfile), project: c.Project, serviceAccount: c.ServiceAccount, + allowedIDJAGIssuers: slices.Clone([]string(c.AllowedIDJAGIssuers)), enableDeviceFlow: c.EnableDeviceFlow, enableAuthCodeFlow: c.EnableAuthCodeFlow, enableClientCredentialsFlow: c.EnableClientCredentialsFlow, + enableIDJAGFlow: c.EnableIDJAGFlow, } } @@ -601,6 +653,8 @@ func buildClientDiff(before, after clientSnapshot) models.AuditDetails { before.enableClientCredentialsFlow, after.enableClientCredentialsFlow, ) + addIfChanged("enable_idjag_flow", before.enableIDJAGFlow, after.enableIDJAGFlow) + addIfChanged("allowed_idjag_issuers", before.allowedIDJAGIssuers, after.allowedIDJAGIssuers) return diff } @@ -632,7 +686,8 @@ func (s *ClientService) UpdateClient( clientType := req.ClientType.OrDefault() - if !req.EnableDeviceFlow && !req.EnableAuthCodeFlow && !req.EnableClientCredentialsFlow { + if !req.EnableDeviceFlow && !req.EnableAuthCodeFlow && + !req.EnableClientCredentialsFlow && !req.EnableIDJAGFlow { return ErrAtLeastOneGrantRequired } @@ -670,6 +725,9 @@ func (s *ClientService) UpdateClient( ); err != nil { return err } + if err := validateIDJAGIssuers(req.AllowedIDJAGIssuers); err != nil { + return err + } client, err := s.store.GetClient(clientID) if err != nil { @@ -695,6 +753,7 @@ func (s *ClientService) UpdateClient( client.RedirectURIs = models.StringArray(req.RedirectURIs) client.AllowedResources = models.StringArray(req.AllowedResources) client.RedirectURIPatterns = models.StringArray(req.RedirectURIPatterns) + client.AllowedIDJAGIssuers = models.StringArray(req.AllowedIDJAGIssuers) client.Status = req.Status client.ClientType = clientType.String() client.TokenProfile = tokenProfile @@ -703,13 +762,16 @@ func (s *ClientService) UpdateClient( // Rebuild GrantTypes from enablement flags enableClientCredentials := req.EnableClientCredentialsFlow + enableIDJAG := req.EnableIDJAGFlow client.EnableDeviceFlow = req.EnableDeviceFlow client.EnableAuthCodeFlow = req.EnableAuthCodeFlow client.EnableClientCredentialsFlow = enableClientCredentials + client.EnableIDJAGFlow = enableIDJAG client.GrantTypes = buildGrantTypes( req.EnableDeviceFlow, req.EnableAuthCodeFlow, enableClientCredentials, + enableIDJAG, ) err = s.store.UpdateClient(client) @@ -864,6 +926,7 @@ func (s *ClientService) GetClient( cached.RedirectURIs = append(models.StringArray(nil), c.RedirectURIs...) cached.AllowedResources = append(models.StringArray(nil), c.AllowedResources...) cached.RedirectURIPatterns = append(models.StringArray(nil), c.RedirectURIPatterns...) + cached.AllowedIDJAGIssuers = append(models.StringArray(nil), c.AllowedIDJAGIssuers...) return cached, nil }, ) diff --git a/internal/services/client_user.go b/internal/services/client_user.go index 4016a468..66ff4ad8 100644 --- a/internal/services/client_user.go +++ b/internal/services/client_user.go @@ -57,10 +57,6 @@ func (s *ClientService) UserUpdateClient( clientType := req.ClientType.OrDefault() - if !req.EnableDeviceFlow && !req.EnableAuthCodeFlow && !req.EnableClientCredentialsFlow { - return ErrAtLeastOneGrantRequired - } - if req.EnableClientCredentialsFlow && clientType != core.ClientTypeConfidential { return ErrClientCredentialsRequireConfidential } @@ -95,6 +91,34 @@ func (s *ClientService) UserUpdateClient( return ErrClientOwnershipRequired } + // The ID-JAG flow is admin-managed and its security depends on the client + // type: confidential clients MUST present a secret to redeem (RAS) or mint + // (IdP) ID-JAGs. If the owner could downgrade an admin-enabled ID-JAG + // confidential client to public via this self-service form, both paths would + // stop requiring the secret — bypassing the admin's authentication + // requirement. Lock the client type to the stored value while ID-JAG is on, + // and re-check the client-credentials/confidential constraint against it. + if client.EnableIDJAGFlow { + clientType = core.ClientType(client.ClientType) + if req.EnableClientCredentialsFlow && clientType != core.ClientTypeConfidential { + return ErrClientCredentialsRequireConfidential + } + // Scopes are the ceiling AND the omitted-scope default for ID-JAGs issued on + // the jwt-bearer redemption path, so letting the owner edit them here would + // let them broaden an admin-enabled ID-JAG client's downstream authority + // (within the standard user scope set) without admin review. Lock scopes to + // the stored value, mirroring the client-type freeze above. + req.Scopes = client.Scopes + } + + // A client must retain at least one usable grant. The user-facing form does + // not expose the ID-JAG flow, so fold the persisted value in — otherwise an + // admin-configured ID-JAG-only client could not be saved by its owner. + if !req.EnableDeviceFlow && !req.EnableAuthCodeFlow && + !req.EnableClientCredentialsFlow && !client.EnableIDJAGFlow { + return ErrAtLeastOneGrantRequired + } + before := snapshotClient(client) client.ClientName = strings.TrimSpace(req.ClientName) @@ -109,10 +133,13 @@ func (s *ClientService) UserUpdateClient( client.EnableAuthCodeFlow = req.EnableAuthCodeFlow enableClientCredentials := req.EnableClientCredentialsFlow client.EnableClientCredentialsFlow = enableClientCredentials + // The user-facing app form does not expose the ID-JAG flow; preserve whatever + // an admin configured on the client. client.GrantTypes = buildGrantTypes( req.EnableDeviceFlow, req.EnableAuthCodeFlow, enableClientCredentials, + client.EnableIDJAGFlow, ) if err := s.store.UpdateClient(client); err != nil { diff --git a/internal/services/client_user_test.go b/internal/services/client_user_test.go index 21e2886c..883c7918 100644 --- a/internal/services/client_user_test.go +++ b/internal/services/client_user_test.go @@ -306,6 +306,98 @@ func TestUserUpdateClient_CCOnlyConfidentialClient(t *testing.T) { assert.Equal(t, "client_credentials", updated.GrantTypes) } +// An admin-enabled ID-JAG confidential client must not be downgradable to public +// by its owner via the self-service form: doing so would bypass the client-secret +// requirement on ID-JAG redemption/minting. +func TestUserUpdateClient_IDJAGClientTypeLocked(t *testing.T) { + s := setupTestStore(t) + svc := NewClientService(s, NewNoopAuditService(), nil, 0, nil, 0) + ownerID := uuid.New().String() + + resp, err := svc.CreateClient(context.Background(), CreateClientRequest{ + ClientName: "MCP Confidential", + UserID: ownerID, + CreatedBy: ownerID, + ClientType: core.ClientTypeConfidential, + IsAdminCreated: false, + }) + require.NoError(t, err) + + // Admin enables the ID-JAG flow on this confidential client. + stored, err := s.GetClient(resp.ClientID) + require.NoError(t, err) + stored.EnableIDJAGFlow = true + require.NoError(t, s.UpdateClient(stored)) + + // The owner tries to downgrade it to public via the self-service form. + err = svc.UserUpdateClient( + context.Background(), + resp.ClientID, + ownerID, + UserUpdateClientRequest{ + ClientName: "MCP Confidential", + ClientType: core.ClientTypePublic, // attempted downgrade + EnableAuthCodeFlow: true, + RedirectURIs: []string{"https://app.example.com/callback"}, + Scopes: "email", + }, + ) + require.NoError(t, err) + + updated, err := svc.GetClient(context.Background(), resp.ClientID) + require.NoError(t, err) + assert.Equal(t, core.ClientTypeConfidential.String(), updated.ClientType, + "ID-JAG client type must stay confidential despite the owner's downgrade attempt") + assert.True(t, updated.EnableIDJAGFlow, "admin-set ID-JAG flow must be preserved") +} + +// An admin-enabled ID-JAG client's scopes are the ceiling/default for issued +// ID-JAGs, so the owner must not be able to broaden them via the self-service +// form without admin review. +func TestUserUpdateClient_IDJAGScopesLocked(t *testing.T) { + s := setupTestStore(t) + svc := NewClientService(s, NewNoopAuditService(), nil, 0, nil, 0) + ownerID := uuid.New().String() + + resp, err := svc.CreateClient(context.Background(), CreateClientRequest{ + ClientName: "MCP Confidential", + UserID: ownerID, + CreatedBy: ownerID, + ClientType: core.ClientTypeConfidential, + Scopes: "openid", + IsAdminCreated: false, + }) + require.NoError(t, err) + + // Admin enables the ID-JAG flow and pins the scopes to "openid". + stored, err := s.GetClient(resp.ClientID) + require.NoError(t, err) + stored.EnableIDJAGFlow = true + stored.Scopes = "openid" + require.NoError(t, s.UpdateClient(stored)) + + // The owner tries to broaden the scopes via the self-service form (all values + // are valid user scopes, so only the ID-JAG freeze should keep them pinned). + err = svc.UserUpdateClient( + context.Background(), + resp.ClientID, + ownerID, + UserUpdateClientRequest{ + ClientName: "MCP Confidential", + ClientType: core.ClientTypeConfidential, + EnableAuthCodeFlow: true, + RedirectURIs: []string{"https://app.example.com/callback"}, + Scopes: "openid profile email", // attempted broadening + }, + ) + require.NoError(t, err) + + updated, err := svc.GetClient(context.Background(), resp.ClientID) + require.NoError(t, err) + assert.Equal(t, "openid", updated.Scopes, + "ID-JAG client scopes must stay pinned despite the owner's broadening attempt") +} + // ============================================================ // UserDeleteClient – ownership + active block // ============================================================ diff --git a/internal/services/idjag_validator.go b/internal/services/idjag_validator.go new file mode 100644 index 00000000..5247225b --- /dev/null +++ b/internal/services/idjag_validator.go @@ -0,0 +1,247 @@ +package services + +import ( + "context" + "crypto" + "errors" + "fmt" + "slices" + "strings" + "sync" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/config" + "github.com/go-authgate/authgate/internal/core" + "github.com/go-authgate/authgate/internal/jwks" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/token" + "github.com/go-authgate/authgate/internal/util" +) + +// Enterprise-Managed Authorization (ID-JAG) errors. The handler layer maps +// these to RFC 6749 OAuth error codes (see handlers/token.go). +var ( + // ErrIDJAGDisabled — the master switch (IDJAG_ENABLED) is off. + ErrIDJAGDisabled = errors.New("idjag: jwt-bearer grant is not enabled") + // ErrIDJAGInvalidRequest — a required request parameter is missing. + ErrIDJAGInvalidRequest = errors.New("idjag: invalid request") + // ErrIDJAGInvalidClient — the presented client is unknown or inactive. + ErrIDJAGInvalidClient = errors.New("idjag: invalid client") + // ErrIDJAGFlowDisabled — the client does not have the ID-JAG flow enabled. + ErrIDJAGFlowDisabled = errors.New("idjag: flow is not enabled for this client") + // ErrIDJAGUntrustedIssuer — the assertion issuer is not in TRUSTED_IDPS (or + // not permitted by the client's AllowedIDJAGIssuers allowlist). + ErrIDJAGUntrustedIssuer = errors.New("idjag: assertion issuer is not trusted") + // ErrIDJAGInvalidAssertion — the assertion is malformed, has a bad + // signature, a wrong audience, is expired, or fails another claim check. + ErrIDJAGInvalidAssertion = errors.New("idjag: assertion is invalid") + // ErrIDJAGMissingClaim — the assertion lacks a required claim. + ErrIDJAGMissingClaim = errors.New("idjag: assertion is missing a required claim") + // ErrIDJAGReplay — the assertion's jti has already been used (single-use). + ErrIDJAGReplay = errors.New("idjag: assertion has already been used") +) + +// validatedIDJAG holds the trusted claims extracted from a verified ID-JAG. +type validatedIDJAG struct { + Issuer string + Subject string + Resource string + ClientID string + Scope string + Email string + FullName string + Username string + JTI string + ExpiresAt time.Time +} + +// idjagValidator verifies external ID-JAG assertions against the configured set +// of trusted IdPs: signature (via fetched JWKS), issuer/audience/expiry, the +// required claim set, and single-use jti replay protection. +type idjagValidator struct { + trustedByIssuer map[string]config.TrustedIDP + fetcher *jwks.Fetcher + jtiCache core.Cache[struct{}] + defaultAudience string // BaseURL (trailing slash stripped) — the per-IdP audience fallback + // jtiMu serializes the check-then-set in consumeJTI so two concurrent + // presentations of the same jti cannot both observe a cache miss and both + // succeed. The cache exposes no atomic set-if-absent, so this lock is what + // makes single-use enforcement actually single-use on a single instance. + jtiMu sync.Mutex +} + +// newIDJAGValidator builds a validator from config. fetcher and jtiCache are +// injected so tests can supply lightweight in-memory implementations. +func newIDJAGValidator( + cfg *config.Config, + fetcher *jwks.Fetcher, + jtiCache core.Cache[struct{}], +) *idjagValidator { + byIssuer := make(map[string]config.TrustedIDP, len(cfg.TrustedIDPs)) + for _, idp := range cfg.TrustedIDPs { + byIssuer[strings.TrimSpace(idp.Issuer)] = idp + } + return &idjagValidator{ + trustedByIssuer: byIssuer, + fetcher: fetcher, + jtiCache: jtiCache, + defaultAudience: strings.TrimRight(cfg.BaseURL, "/"), + } +} + +// Validate verifies an ID-JAG assertion for the given client and returns its +// trusted claims. The client is needed to enforce its per-client issuer +// allowlist. Every failure returns one of the ErrIDJAG* sentinels. +func (v *idjagValidator) Validate( + ctx context.Context, + assertion string, + client *models.OAuthApplication, +) (*validatedIDJAG, error) { + // 1. Read the (untrusted) issuer to select the trusted IdP + its JWKS. + issuer, err := token.ParseExternalIssuer(assertion) + if err != nil { + return nil, fmt.Errorf("%w: %v", ErrIDJAGInvalidAssertion, err) + } + issuer = strings.TrimSpace(issuer) + idp, ok := v.trustedByIssuer[issuer] + if !ok { + return nil, fmt.Errorf("%w: %q", ErrIDJAGUntrustedIssuer, issuer) + } + // Per-client issuer allowlist (empty = any trusted IdP is accepted). + if allow := []string(client.AllowedIDJAGIssuers); len(allow) > 0 && + !slices.Contains(allow, issuer) { + return nil, fmt.Errorf( + "%w: %q not permitted for this client", + ErrIDJAGUntrustedIssuer, + issuer, + ) + } + + // 2. Verify the signature against the IdP's JWKS (RS256/ES256 only). The jwt + // library also enforces exp/nbf here. + claims, err := token.VerifyExternalJWT( + assertion, + func(kid, _ string) (crypto.PublicKey, error) { + return v.fetcher.GetKey(ctx, idp.JWKSURI, kid) + }, + ) + if err != nil { + return nil, fmt.Errorf("%w: %v", ErrIDJAGInvalidAssertion, err) + } + + // 3. Audience must be EXACTLY the value the IdP minted this assertion for + // (this AuthGate instance acting as RAS). The ID-JAG profile requires `aud` + // to be the single RAS identifier (string or one-element array) — a + // multi-audience assertion would otherwise be redeemable at every RAS it + // lists, defeating per-RAS isolation. Reject anything that is not exactly one + // matching audience. + expectedAud := strings.TrimSpace(idp.Audience) + if expectedAud == "" { + expectedAud = v.defaultAudience + } + audList := util.AudienceFromClaims(claims) + if len(audList) != 1 || audList[0] != expectedAud { + return nil, fmt.Errorf("%w: audience mismatch", ErrIDJAGInvalidAssertion) + } + + // 4. Required claims. The security-critical four MUST be present; scope is + // optional (the issuance path falls back to the client's registered scopes). + jti := claimString(claims, "jti") + subject := claimString(claims, "sub") + resource := claimString(claims, "resource") + clientID := claimString(claims, "client_id") + if jti == "" || subject == "" || resource == "" || clientID == "" { + return nil, fmt.Errorf( + "%w: jti, sub, resource and client_id are required", ErrIDJAGMissingClaim, + ) + } + + exp, err := claimExpiry(claims) + if err != nil { + return nil, fmt.Errorf("%w: %v", ErrIDJAGInvalidAssertion, err) + } + + // NOTE: the single-use jti is intentionally NOT consumed here. The caller + // (IssueTokenFromIDJAG) consumes it via consumeJTI only after the remaining + // authorization checks pass (client_id binding, resource allowlist) — so a + // request that will be rejected for one of those reasons does not burn the + // jti and cause the legitimate redemption to be seen as a replay. + return &validatedIDJAG{ + Issuer: issuer, + Subject: subject, + Resource: resource, + ClientID: clientID, + Scope: claimString(claims, "scope"), + Email: claimString(claims, "email"), + FullName: firstNonEmptyClaim(claims, "name", "full_name"), + Username: claimString(claims, "preferred_username"), + JTI: jti, + ExpiresAt: exp, + }, nil +} + +// consumeJTI atomically records the jti as used, rejecting a second presentation +// with ErrIDJAGReplay. The check-then-set is guarded by jtiMu so concurrent +// presentations of the same assertion cannot both pass (the cache has no atomic +// set-if-absent). A cache backend error fails closed (the assertion is rejected) +// rather than silently disabling replay protection. +// +// The cache key is the hash of issuer+jti with a NUL separator so neither a ':' +// in an issuer URL nor a crafted jti can make two distinct (issuer, jti) pairs +// collide onto one key. +func (v *idjagValidator) consumeJTI( + ctx context.Context, + issuer, jti string, + exp time.Time, +) error { + v.jtiMu.Lock() + defer v.jtiMu.Unlock() + + key := "idjag:jti:" + util.SHA256Hex(issuer+"\x00"+jti) + _, err := v.jtiCache.Get(ctx, key) + switch { + case err == nil: + return ErrIDJAGReplay + case errors.Is(err, cache.ErrCacheMiss): + // not seen — fall through to record it + default: + return fmt.Errorf("%w: replay store unavailable", ErrIDJAGInvalidAssertion) + } + ttl := time.Until(exp) + if ttl <= 0 { + // The assertion is already expired; signature verification should have + // caught this, but never store a non-positive TTL. + return fmt.Errorf("%w: expired", ErrIDJAGInvalidAssertion) + } + if err := v.jtiCache.Set(ctx, key, struct{}{}, ttl); err != nil { + return fmt.Errorf("%w: replay store unavailable", ErrIDJAGInvalidAssertion) + } + return nil +} + +// claimString returns a string-typed claim, or "" when absent or not a string. +func claimString(claims map[string]any, key string) string { + s, _ := claims[key].(string) + return strings.TrimSpace(s) +} + +// firstNonEmptyClaim returns the first non-empty string claim among keys. +func firstNonEmptyClaim(claims map[string]any, keys ...string) string { + for _, k := range keys { + if s := claimString(claims, k); s != "" { + return s + } + } + return "" +} + +// claimExpiry extracts the `exp` claim as a time. The jwt library decodes JSON +// numeric claims as float64. +func claimExpiry(claims map[string]any) (time.Time, error) { + exp, ok := claims["exp"].(float64) + if !ok { + return time.Time{}, errors.New("missing or invalid exp claim") + } + return time.Unix(int64(exp), 0), nil +} diff --git a/internal/services/token.go b/internal/services/token.go index 1f5f0330..e4d67336 100644 --- a/internal/services/token.go +++ b/internal/services/token.go @@ -7,6 +7,7 @@ import ( "log" "maps" "slices" + "sync" "time" "github.com/go-authgate/authgate/internal/cache" @@ -63,6 +64,12 @@ type TokenService struct { // and NewLocalTokenProvider apply, ensuring every layer sees the same // prefix. privateClaimPrefix string + + // idjagOnce/idjagVal lazily construct the ID-JAG validator (JWKS fetcher + + // jti replay cache) on first use of the jwt-bearer grant, so the common + // token paths and all existing test constructors pay nothing for it. + idjagOnce sync.Once + idjagVal *idjagValidator } func NewTokenService( diff --git a/internal/services/token_idjag_exchange.go b/internal/services/token_idjag_exchange.go new file mode 100644 index 00000000..f5bd8067 --- /dev/null +++ b/internal/services/token_idjag_exchange.go @@ -0,0 +1,291 @@ +package services + +import ( + "context" + "errors" + "slices" + "strings" + "time" + + "github.com/go-authgate/authgate/internal/core" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/token" + "github.com/go-authgate/authgate/internal/util" +) + +// ID-JAG issuance (IdP role) errors. Mapped to OAuth error codes by the handler. +var ( + // ErrIDJAGIssuanceDisabled — IDJAG_ISSUANCE_ENABLED is off. + ErrIDJAGIssuanceDisabled = errors.New("idjag: token-exchange issuance is not enabled") + // ErrIDJAGInvalidSubjectToken — the subject_token is missing, malformed, + // expired, or not an AuthGate ID Token. + ErrIDJAGInvalidSubjectToken = errors.New("idjag: subject_token is invalid") + // ErrIDJAGInvalidSubjectTokenType — subject_token_type is not id_token. + ErrIDJAGInvalidSubjectTokenType = errors.New("idjag: unsupported subject_token_type") + // ErrIDJAGAudienceNotAllowed — the requested audience is not in + // IDJAG_ALLOWED_AUDIENCES. + ErrIDJAGAudienceNotAllowed = errors.New("idjag: requested audience is not allowed") +) + +// IDJAGExchangeRequest holds the parsed token-exchange parameters for minting an +// ID-JAG (RFC 8693 profile). +type IDJAGExchangeRequest struct { + SubjectToken string + SubjectTokenType string + Audience string // the downstream RAS + Resource string // the MCP/resource server target + Scope string + ClientID string + ClientSecret string +} + +// IDJAGResult is the outcome of a successful ID-JAG mint. +type IDJAGResult struct { + Assertion string + ExpiresAt time.Time +} + +// IssueIDJAG implements the IdP role of Enterprise-Managed Authorization: it +// exchanges an AuthGate-issued ID Token (subject_token) for an ID-JAG targeted at +// a downstream RAS (audience) and bound to a resource. Default-deny: the master +// switch must be on and the audience must appear in IDJAG_ALLOWED_AUDIENCES. +// Any failure is audited (security visibility) before being returned. +func (s *TokenService) IssueIDJAG( + ctx context.Context, + req IDJAGExchangeRequest, +) (*IDJAGResult, error) { + result, err := s.issueIDJAG(ctx, req) + if err != nil { + s.auditIDJAGIssuanceFailure(ctx, req.ClientID, err) + } + return result, err +} + +func (s *TokenService) issueIDJAG( + ctx context.Context, + req IDJAGExchangeRequest, +) (*IDJAGResult, error) { + if !s.config.IDJAGIssuanceEnabled { + return nil, ErrIDJAGIssuanceDisabled + } + + // 1. subject_token_type must be an ID Token. + if !isIDTokenType(req.SubjectTokenType) { + return nil, ErrIDJAGInvalidSubjectTokenType + } + + // 2. Authenticate the requesting client (the IdP only mints for known clients). + client, err := s.clientService.GetClientWithSecret(ctx, req.ClientID) + if err != nil || client == nil || !client.IsActive() { + return nil, ErrInvalidClientCredentials + } + // Per-client opt-in (default-deny): even with IDJAG_ISSUANCE_ENABLED on + // globally, the admin must enable the Enterprise-Managed Authorization flow on + // this specific client before it can mint ID-JAGs. Without this, every active + // auth-code client with an allowed resource would silently become eligible. + // Mirrors the RAS (jwt-bearer) path's EnableIDJAGFlow gate. + if !client.EnableIDJAGFlow { + return nil, ErrIDJAGFlowDisabled + } + if core.ClientType(client.ClientType) == core.ClientTypeConfidential { + if !client.ValidateClientSecret([]byte(req.ClientSecret)) { + return nil, ErrInvalidClientCredentials + } + } + + // 3. Validate the subject_token as an AuthGate-signed ID Token bound to the + // requesting client (rejects access/refresh tokens, ID-JAGs, and ID Tokens + // minted for a different client). + subject, err := s.subjectFromIDToken(req.SubjectToken, req.ClientID) + if err != nil { + return nil, err + } + // Re-check the subject is still an active user. Disabling a user revokes + // stored tokens but NOT already-issued ID tokens (which are stateless), so a + // disabled account could otherwise keep minting fresh ID-JAGs from a lingering + // ID token until it expires. + subjectUser, err := s.store.GetUserByID(subject) + if err != nil { + return nil, ErrIDJAGInvalidSubjectToken + } + if !subjectUser.IsActive { + return nil, ErrAccessDenied + } + // The user's consent for this client must still be active, and it is the + // authority that bounds the minted ID-JAG. ID tokens are stateless/ + // non-revocable, so without this check a client could keep minting fresh + // ID-JAGs from a lingering ID token after the user revoked the app's + // authorization (which revokes the linked access/refresh tokens but not the + // already-issued ID token). GetUserAuthorization only returns active grants. + // The grant's Scopes/Resource are enforced below so the assertion can never + // exceed what the user actually approved. + auth, err := s.store.GetUserAuthorization(subject, client.ID) + if err != nil { + return nil, ErrAccessDenied + } + + // 4. Audience must be explicitly allowlisted (empty allowlist = deny-all). + audience := strings.TrimSpace(req.Audience) + if audience == "" { + return nil, ErrIDJAGInvalidRequest + } + if !slices.Contains(s.config.IDJAGAllowedAudiences, audience) { + return nil, ErrIDJAGAudienceNotAllowed + } + + // 5. Resource is required, must be a syntactically valid RFC 8707 value, AND + // must be in the client's allowlist — the IdP must not mint an assertion for + // a resource the admin did not authorize for this client (deny-all when the + // allowlist is empty), mirroring the RAS and other resource-bearing grants. + resource := strings.TrimSpace(req.Resource) + if resource == "" { + return nil, ErrIDJAGInvalidRequest + } + if _, err := util.ValidateResourceIndicators([]string{resource}); err != nil { + return nil, ErrInvalidTarget + } + if err := validateClientResource(client, []string{resource}); err != nil { + return nil, err // wraps ErrInvalidTarget + } + // Beyond the admin-controlled client allowlist (a ceiling), bind the resource + // to the user's grant: the minted ID-JAG resource MUST be one the user + // actually approved. The resource is always present here (required above), so + // an empty consent resource set means the user approved NO audience binding — + // and minting a resource-bound ID-JAG off it would widen consent from + // "no audience" to a specific one without re-consent. This mirrors ExchangeCode + // (authorization.go), which rejects adding a token-time resource to an + // empty-resource grant, and SaveUserAuthorization, which records an empty + // resource as "no audience binding approved". slices.Contains over an empty + // set is false, so this also rejects the empty-consent case. + if !slices.Contains([]string(auth.Resource), resource) { + return nil, ErrInvalidTarget + } + + // 6. The minted scope is bound to the user's actual grant AND the client's + // CURRENT registration. An explicit request must be a subset of the granted + // scope. An omitted scope DEFAULTS to the granted scope rather than being left + // empty: GenerateIDJAG omits an empty scope claim, and the RAS treats an + // omitted scope as the client's FULL registered scope set — so leaving it empty + // (or accepting a scope within the registration but outside the grant) would let + // a client widen a narrow user consent into a broader downstream token. + // + // Bound the stored grant to the client's current registration first: an admin + // may have narrowed client.Scopes after the user consented, and an ID-JAG must + // never carry a scope the client no longer holds. intersectScopes keeps only + // scopes present in BOTH, so the default and subset check below operate on the + // narrowed set (and the empty-scope guard rejects a fully-revoked overlap). + grantedScope := intersectScopes(client.Scopes, auth.Scopes) + scope := strings.TrimSpace(req.Scope) + if scope == "" { + scope = grantedScope + } else if !util.IsScopeSubset(grantedScope, scope) { + return nil, token.ErrInvalidScope + } + // Never mint an ID-JAG with an empty effective scope. A grant can carry blank + // Scopes (e.g. a client later saved with no scopes, whose consent then defaults + // to that blank value), which would leave the minted scope empty after the + // default above. GenerateIDJAG omits an empty scope claim and the RAS treats an + // omitted assertion scope as the client's FULL registered scope set — so an + // empty grant would silently widen into broad downstream access. A consent with + // no scopes has nothing to delegate; reject it. + if scope == "" { + return nil, token.ErrInvalidScope + } + + // 7. Mint + sign the ID-JAG with AuthGate's own key. + assertion, expiresAt, err := s.tokenProvider.GenerateIDJAG(token.IDJAGClaims{ + Issuer: strings.TrimRight(s.config.BaseURL, "/"), + Subject: subject, + Audience: audience, + Resource: resource, + ClientID: req.ClientID, + Scope: scope, + Expiry: s.config.IDJAGExpiration, + }) + if err != nil { + return nil, err + } + + s.auditService.Log(ctx, core.AuditLogEntry{ + EventType: models.EventIDJAGIssued, + Severity: models.SeverityInfo, + ActorUserID: subject, + ResourceType: models.ResourceToken, + Action: "ID-JAG minted via token-exchange", + Details: models.AuditDetails{ + "client_id": req.ClientID, + "audience": audience, + "resource": resource, + }, + Success: true, + }) + + return &IDJAGResult{Assertion: assertion, ExpiresAt: expiresAt}, nil +} + +// auditIDJAGIssuanceFailure records a rejected token-exchange (ID-JAG mint) +// attempt. Mirrors the RAS-path failure audit so credential-stuffing and +// audience-probing leave a trail. The raw subject_token is never logged. +func (s *TokenService) auditIDJAGIssuanceFailure( + ctx context.Context, + clientID string, + cause error, +) { + _ = s.auditService.LogSync(ctx, core.AuditLogEntry{ + EventType: models.EventIDJAGIssued, + Severity: models.SeverityWarning, + ResourceType: models.ResourceToken, + Action: "ID-JAG token-exchange rejected", + Details: models.AuditDetails{ + "client_id": clientID, + "reason": cause.Error(), + }, + Success: false, + ErrorMessage: cause.Error(), + }) +} + +// subjectFromIDToken verifies the subject_token against AuthGate's signing key +// and confirms it is a genuine AuthGate ID Token issued to the requesting client, +// then returns its `sub`. It rejects: +// - access/refresh tokens (they carry a "type" claim); +// - ID-JAGs and access tokens (they carry a "resource" claim); +// - any token whose `aud` is not the requesting client_id — which both prevents +// one client from exchanging another client's ID Token and excludes ID-JAGs +// (whose `aud` is a downstream RAS, never a client_id), so a minted ID-JAG +// cannot be replayed as a subject_token to re-mint/re-target assertions. +func (s *TokenService) subjectFromIDToken(idToken, clientID string) (string, error) { + if strings.TrimSpace(idToken) == "" { + return "", ErrIDJAGInvalidSubjectToken + } + result, err := s.tokenProvider.ParseJWT(idToken) + if err != nil { + return "", ErrIDJAGInvalidSubjectToken + } + if t, _ := result.Claims["type"].(string); t != "" { + return "", ErrIDJAGInvalidSubjectToken + } + if _, hasResource := result.Claims["resource"]; hasResource { + return "", ErrIDJAGInvalidSubjectToken + } + if !slices.Contains(util.AudienceFromClaims(result.Claims), clientID) { + return "", ErrIDJAGInvalidSubjectToken + } + subject, _ := result.Claims["sub"].(string) + subject = strings.TrimSpace(subject) + if subject == "" { + return "", ErrIDJAGInvalidSubjectToken + } + return subject, nil +} + +// isIDTokenType reports whether the token-exchange subject_token_type names an +// ID Token. Both the full URN and the bare "id_token" shorthand are accepted. +func isIDTokenType(t string) bool { + switch strings.TrimSpace(t) { + case token.TokenTypeIDToken, "id_token": + return true + default: + return false + } +} diff --git a/internal/services/token_idjag_exchange_test.go b/internal/services/token_idjag_exchange_test.go new file mode 100644 index 00000000..f65d3084 --- /dev/null +++ b/internal/services/token_idjag_exchange_test.go @@ -0,0 +1,318 @@ +package services + +import ( + "context" + "testing" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/config" + "github.com/go-authgate/authgate/internal/core" + "github.com/go-authgate/authgate/internal/metrics" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/store" + "github.com/go-authgate/authgate/internal/token" + + "github.com/google/uuid" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +const ( + idjagTestAudience = "https://ras.example.com" + idjagTestResource = "https://api.example.com" +) + +func newIssuanceTokenService( + t *testing.T, +) (*TokenService, *store.Store, *token.LocalTokenProvider, *config.Config) { + t.Helper() + s := setupTestStore(t) + cfg := &config.Config{ + JWTExpiration: 1 * time.Hour, + JWTSecret: "test-secret", + BaseURL: "http://localhost:8080", + IDJAGIssuanceEnabled: true, + IDJAGAllowedAudiences: []string{idjagTestAudience}, + IDJAGExpiration: 5 * time.Minute, + } + localProvider, err := token.NewLocalTokenProvider(cfg) + require.NoError(t, err) + clientService := NewClientService(s, nil, nil, 0, nil, 0) + svc := NewTokenService( + s, + cfg, + nil, + localProvider, + NewNoopAuditService(), + metrics.NewNoopMetrics(), + cache.NewNoopCache[models.AccessToken](), + clientService, + ) + return svc, s, localProvider, cfg +} + +// idjagIssuanceFixture wires up an IdP-role-eligible client, an active user, a +// consent grant with the given scopes, and a matching ID Token usable as the +// token-exchange subject_token. grantScopes may be empty to model a blank-scope +// consent. +func idjagIssuanceFixture( + t *testing.T, + s *store.Store, + provider *token.LocalTokenProvider, + grantScopes string, +) (clientID, subjectToken string) { + t.Helper() + client := &models.OAuthApplication{ + ClientID: uuid.New().String(), + ClientName: "MCP Client", + UserID: uuid.New().String(), + Scopes: "read write", + GrantTypes: "authorization_code", + ClientType: core.ClientTypePublic.String(), + EnableIDJAGFlow: true, + AllowedResources: models.StringArray{idjagTestResource}, + Status: models.ClientStatusActive, + } + require.NoError(t, s.CreateClient(client)) + + user := &models.User{ + ID: uuid.New().String(), + Username: "idjag-user-" + uuid.New().String()[:8], + Email: uuid.New().String()[:8] + "@example.com", + IsActive: true, + } + require.NoError(t, s.CreateUser(user)) + + require.NoError(t, s.UpsertUserAuthorization(&models.UserAuthorization{ + UUID: uuid.New().String(), + UserID: user.ID, + ApplicationID: client.ID, + ClientID: client.ClientID, + Scopes: grantScopes, + Resource: models.StringArray{idjagTestResource}, + IsActive: true, + })) + + idToken, err := provider.GenerateIDToken(core.IDTokenParams{ + Issuer: "http://localhost:8080", + Subject: user.ID, + Audience: client.ClientID, + AuthTime: time.Now(), + Expiry: 1 * time.Hour, + }) + require.NoError(t, err) + return client.ClientID, idToken +} + +// idjagIssuanceFixtureNoResourceConsent is like idjagIssuanceFixture but saves +// the consent grant with an EMPTY resource set (the user approved no audience +// binding), while the client allowlist still permits idjagTestResource. +func idjagIssuanceFixtureNoResourceConsent( + t *testing.T, + s *store.Store, + provider *token.LocalTokenProvider, +) (clientID, subjectToken string) { + t.Helper() + client := &models.OAuthApplication{ + ClientID: uuid.New().String(), + ClientName: "MCP Client", + UserID: uuid.New().String(), + Scopes: "read write", + GrantTypes: "authorization_code", + ClientType: core.ClientTypePublic.String(), + EnableIDJAGFlow: true, + AllowedResources: models.StringArray{idjagTestResource}, + Status: models.ClientStatusActive, + } + require.NoError(t, s.CreateClient(client)) + + user := &models.User{ + ID: uuid.New().String(), + Username: "idjag-user-" + uuid.New().String()[:8], + Email: uuid.New().String()[:8] + "@example.com", + IsActive: true, + } + require.NoError(t, s.CreateUser(user)) + + require.NoError(t, s.UpsertUserAuthorization(&models.UserAuthorization{ + UUID: uuid.New().String(), + UserID: user.ID, + ApplicationID: client.ID, + ClientID: client.ClientID, + Scopes: "read", + Resource: nil, // no audience binding approved + IsActive: true, + })) + + idToken, err := provider.GenerateIDToken(core.IDTokenParams{ + Issuer: "http://localhost:8080", + Subject: user.ID, + Audience: client.ClientID, + AuthTime: time.Now(), + Expiry: 1 * time.Hour, + }) + require.NoError(t, err) + return client.ClientID, idToken +} + +// idjagIssuanceFixtureNarrowedClient creates a client whose CURRENT registration +// is clientScopes, but records a consent grant for grantScopes (simulating an +// admin narrowing the client after the user consented). Both bind idjagTestResource. +func idjagIssuanceFixtureNarrowedClient( + t *testing.T, + s *store.Store, + provider *token.LocalTokenProvider, + clientScopes, grantScopes string, +) (clientID, subjectToken string) { + t.Helper() + client := &models.OAuthApplication{ + ClientID: uuid.New().String(), + ClientName: "MCP Client", + UserID: uuid.New().String(), + Scopes: clientScopes, + GrantTypes: "authorization_code", + ClientType: core.ClientTypePublic.String(), + EnableIDJAGFlow: true, + AllowedResources: models.StringArray{idjagTestResource}, + Status: models.ClientStatusActive, + } + require.NoError(t, s.CreateClient(client)) + + user := &models.User{ + ID: uuid.New().String(), + Username: "idjag-user-" + uuid.New().String()[:8], + Email: uuid.New().String()[:8] + "@example.com", + IsActive: true, + } + require.NoError(t, s.CreateUser(user)) + + require.NoError(t, s.UpsertUserAuthorization(&models.UserAuthorization{ + UUID: uuid.New().String(), + UserID: user.ID, + ApplicationID: client.ID, + ClientID: client.ClientID, + Scopes: grantScopes, + Resource: models.StringArray{idjagTestResource}, + IsActive: true, + })) + + idToken, err := provider.GenerateIDToken(core.IDTokenParams{ + Issuer: "http://localhost:8080", + Subject: user.ID, + Audience: client.ClientID, + AuthTime: time.Now(), + Expiry: 1 * time.Hour, + }) + require.NoError(t, err) + return client.ClientID, idToken +} + +func idjagExchangeReq(clientID, subjectToken, scope string) IDJAGExchangeRequest { + return IDJAGExchangeRequest{ + SubjectToken: subjectToken, + SubjectTokenType: "id_token", + Audience: idjagTestAudience, + Resource: idjagTestResource, + Scope: scope, + ClientID: clientID, + } +} + +// TestIssueIDJAG_RejectsEmptyGrantedScope pins the scope-widening fix: when the +// user's consent grant carries no scopes and the token-exchange request omits +// `scope`, the minted scope would default to "" — and because GenerateIDJAG omits +// an empty scope claim while the RAS redemption path treats an omitted scope as +// the client's FULL registered scope set, a no-scope consent would silently widen +// into broad downstream access. IssueIDJAG must reject this with invalid_scope +// instead of minting. On the old code it minted a scopeless ID-JAG. +func TestIssueIDJAG_RejectsEmptyGrantedScope(t *testing.T) { + svc, s, provider, _ := newIssuanceTokenService(t) + clientID, subjectToken := idjagIssuanceFixture(t, s, provider, "") // blank-scope consent + + _, err := svc.IssueIDJAG(context.Background(), idjagExchangeReq(clientID, subjectToken, "")) + require.Error(t, err) + assert.ErrorIs(t, err, token.ErrInvalidScope) +} + +// TestIssueIDJAG_OmittedScopeDefaultsToGrant is the positive control: with a +// non-empty grant and an omitted request scope, the mint succeeds and the +// assertion is bound to the granted scope (not left empty). +func TestIssueIDJAG_OmittedScopeDefaultsToGrant(t *testing.T) { + svc, s, provider, _ := newIssuanceTokenService(t) + clientID, subjectToken := idjagIssuanceFixture(t, s, provider, "read") + + res, err := svc.IssueIDJAG(context.Background(), idjagExchangeReq(clientID, subjectToken, "")) + require.NoError(t, err) + require.NotNil(t, res) + assert.NotEmpty(t, res.Assertion) + + // The minted assertion must carry the granted scope, proving it was not left + // empty (which the RAS would widen to the client's full registration). + parsed, err := provider.ParseJWT(res.Assertion) + require.NoError(t, err) + assert.Equal(t, "read", parsed.Claims["scope"]) +} + +// TestIssueIDJAG_ScopeBoundToNarrowedClient pins the registration-binding fix: +// when an admin narrows the client's registered scopes after the user consented, +// an ID-JAG must never carry a scope the client no longer holds. The consent here +// granted "read write" but the client registration is now just "read". An explicit +// request for "write" (still in the stale grant, but no longer registered) must be +// rejected; on the old code it minted because the check used only auth.Scopes. +func TestIssueIDJAG_ScopeBoundToNarrowedClient(t *testing.T) { + svc, s, provider, _ := newIssuanceTokenService(t) + clientID, subjectToken := idjagIssuanceFixtureNarrowedClient( + t, + s, + provider, + "read", + "read write", + ) + + _, err := svc.IssueIDJAG( + context.Background(), + idjagExchangeReq(clientID, subjectToken, "write"), + ) + require.Error(t, err) + assert.ErrorIs(t, err, token.ErrInvalidScope) +} + +// TestIssueIDJAG_OmittedScopeIntersectsClientRegistration confirms the omitted-scope +// default is the intersection of the grant and the CURRENT client registration, not +// the whole stale grant: consent "read write", client now "read" → minted scope "read". +func TestIssueIDJAG_OmittedScopeIntersectsClientRegistration(t *testing.T) { + svc, s, provider, _ := newIssuanceTokenService(t) + clientID, subjectToken := idjagIssuanceFixtureNarrowedClient( + t, + s, + provider, + "read", + "read write", + ) + + res, err := svc.IssueIDJAG(context.Background(), idjagExchangeReq(clientID, subjectToken, "")) + require.NoError(t, err) + parsed, err := provider.ParseJWT(res.Assertion) + require.NoError(t, err) + assert.Equal(t, "read", parsed.Claims["scope"], + "omitted scope must intersect the grant with the current client registration") +} + +// TestIssueIDJAG_RejectsResourceWithoutResourceConsent pins the resource +// consent-widening fix: an active grant saved with NO resource set means the user +// approved no audience binding. The ID-JAG resource is always required, so minting +// one for any client-allowlisted resource off such a grant would widen consent +// from "no audience" to a specific one without re-consent — mirroring the behavior +// ExchangeCode/SaveUserAuthorization already enforce. IssueIDJAG must reject it +// with invalid_target even though the resource is in the client allowlist. On the +// old code (which skipped the grant check when auth.Resource was empty) this +// minted an assertion. +func TestIssueIDJAG_RejectsResourceWithoutResourceConsent(t *testing.T) { + svc, s, provider, _ := newIssuanceTokenService(t) + clientID, subjectToken := idjagIssuanceFixtureNoResourceConsent(t, s, provider) + + _, err := svc.IssueIDJAG(context.Background(), idjagExchangeReq(clientID, subjectToken, "read")) + require.Error(t, err) + assert.ErrorIs(t, err, ErrInvalidTarget) +} diff --git a/internal/services/token_jwt_bearer.go b/internal/services/token_jwt_bearer.go new file mode 100644 index 00000000..768780d4 --- /dev/null +++ b/internal/services/token_jwt_bearer.go @@ -0,0 +1,318 @@ +package services + +import ( + "context" + "errors" + "fmt" + "log" + "strings" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/core" + "github.com/go-authgate/authgate/internal/jwks" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/util" + + "github.com/google/uuid" +) + +// idjagAuthSource is the auth_source tag applied to users auto-provisioned from +// an ID-JAG. The issuer is appended so the (external_id=sub, auth_source) lookup +// key uniquely identifies a (issuer, subject) pair — the find-or-create key the +// plan requires. +func idjagAuthSource(issuer string) string { + return "idjag:" + issuer +} + +// idjag lazily constructs the ID-JAG validator (JWKS fetcher + jti replay cache) +// from config on first use. Safe for concurrent callers. +func (s *TokenService) idjag() *idjagValidator { + s.idjagOnce.Do(func() { + fetcher := jwks.NewFetcher(s.config.JWKSFetchTimeout, s.config.JWKSCacheTTL) + // Memory-backed jti store: per-instance replay protection. The background + // reaper evicts expired jti entries so the map cannot grow without bound — + // each jti is unique and never re-read, so lazy expiry alone (which only + // evicts on a Get of the same key) would leak. Multi-pod deployments + // needing cross-instance protection should front AuthGate with a shared + // store; documented. + jtiCache := cache.NewMemoryCache[struct{}]() + s.idjagVal = newIDJAGValidator(s.config, fetcher, jtiCache) + }) + return s.idjagVal +} + +// IssueTokenFromIDJAG implements the RAS role of Enterprise-Managed Authorization +// (the urn:ietf:params:oauth:grant-type:jwt-bearer grant). It validates an ID-JAG +// minted by a trusted external IdP, auto-provisions the asserted user, and issues +// an AuthGate access token whose `aud` is bound to the assertion's `resource`. +// +// No refresh token is issued (matching client_credentials): an assertion grant is +// not a delegation to persist — the client must present a fresh ID-JAG to obtain +// another access token. +func (s *TokenService) IssueTokenFromIDJAG( + ctx context.Context, + assertion, clientID, clientSecret string, +) (*models.AccessToken, error) { + if !s.config.IDJAGEnabled { + return nil, ErrIDJAGDisabled + } + if strings.TrimSpace(assertion) == "" || strings.TrimSpace(clientID) == "" { + return nil, ErrIDJAGInvalidRequest + } + + // 1. Resolve the client (uncached — may need the secret for confidential + // authentication); it must be active and have the flow enabled. + client, err := s.clientService.GetClientWithSecret(ctx, clientID) + if err != nil || client == nil || !client.IsActive() { + s.auditIDJAGFailure(ctx, clientID, "", ErrIDJAGInvalidClient) + return nil, ErrIDJAGInvalidClient + } + if !client.EnableIDJAGFlow { + s.auditIDJAGFailure(ctx, clientID, "", ErrIDJAGFlowDisabled) + return nil, ErrIDJAGFlowDisabled + } + // A confidential client MUST authenticate with its secret, just like the + // token-exchange and client_credentials paths — otherwise anyone who obtains + // the assertion plus the public client_id could redeem a confidential + // client's ID-JAG. Public clients have no secret and are bound to the + // assertion's client_id claim alone (checked after validation). + if core.ClientType(client.ClientType) == core.ClientTypeConfidential && + !client.ValidateClientSecret([]byte(clientSecret)) { + s.auditIDJAGFailure(ctx, clientID, "", ErrInvalidClientCredentials) + return nil, ErrInvalidClientCredentials + } + + // 2. Validate the assertion (signature, issuer, audience, expiry, claims, + // single-use jti). + v, err := s.idjag().Validate(ctx, assertion, client) + if err != nil { + s.auditIDJAGFailure(ctx, clientID, idjagIssuerForAudit(v), err) + return nil, err + } + + // 3. Bind the assertion to the presenting client: the assertion's client_id + // claim MUST equal the client authenticating at the token endpoint. + if v.ClientID != clientID { + bindErr := fmt.Errorf("%w: assertion client_id does not match", ErrIDJAGInvalidAssertion) + s.auditIDJAGFailure(ctx, clientID, v.Issuer, bindErr) + return nil, bindErr + } + + // 4. The requested resource MUST be in the client's RFC 8707 allowlist. + resource := []string{v.Resource} + if err := validateClientResource(client, resource); err != nil { + s.auditIDJAGFailure(ctx, clientID, v.Issuer, err) + return nil, err // wraps ErrInvalidTarget + } + + // 4b. Consume the single-use jti only now that all authorization checks have + // passed — so a request rejected above (wrong client_id, disallowed resource) + // does not burn the jti and make the legitimate redemption look like a replay. + if err := s.idjag().consumeJTI(ctx, v.Issuer, v.JTI, v.ExpiresAt); err != nil { + s.auditIDJAGFailure(ctx, clientID, v.Issuer, err) + return nil, err + } + + // 5. Auto-provision the asserted user (find-or-create on issuer+sub). + user, err := s.provisionIDJAGUser(v) + if err != nil { + log.Printf( + "[IDJAG] user provisioning failed issuer=%s client=%s: %v", + v.Issuer, + clientID, + err, + ) + return nil, fmt.Errorf("idjag user provisioning failed: %w", err) + } + // A subject auto-provisioned earlier may have since been disabled by an admin + // (UpsertExternalUser preserves IsActive on the update path). Disabling a user + // must stop them from minting fresh tokens, so reject before issuing. + if !user.IsActive { + s.auditIDJAGFailure(ctx, clientID, v.Issuer, ErrAccessDenied) + return nil, ErrAccessDenied + } + + // 6. Effective scope: the assertion's scope narrowed to the client's + // registered scopes (the issued token must never exceed the client's + // registration), or the full registered set when the assertion omits scope. + scope := client.Scopes + if v.Scope != "" { + scope = intersectScopes(client.Scopes, v.Scope) + } + + // 7. Issue an access token bound to the resource. No refresh token. + start := time.Now() + accessTTL, _ := s.ttlForClient(client) + result, providerErr := s.tokenProvider.GenerateToken( + ctx, + user.ID, + clientID, + scope, + accessTTL, + s.composeIssuanceClaims(client, user.ID, nil), + resource, + ) + if providerErr != nil { + log.Printf( + "[IDJAG] access token generation failed provider=%s: %v", + s.tokenProvider.Name(), providerErr, + ) + return nil, fmt.Errorf("token generation failed: %w", providerErr) + } + + accessToken := &models.AccessToken{ + ID: uuid.New().String(), + TokenHash: util.SHA256Hex(result.TokenString), + RawToken: result.TokenString, + TokenType: result.TokenType, + TokenCategory: models.TokenCategoryAccess, + Status: models.TokenStatusActive, + UserID: user.ID, + ClientID: clientID, + Scopes: scope, + ExpiresAt: result.ExpiresAt, + Resource: models.StringArray(effectiveAudience(resource, s.config.JWTAudience)), + } + if err := s.store.CreateAccessToken(accessToken); err != nil { + return nil, fmt.Errorf("failed to save access token: %w", err) + } + + s.metrics.RecordTokenIssued( + models.TokenCategoryAccess, + "jwt_bearer", + time.Since(start), + s.tokenProvider.Name(), + ) + + s.auditService.Log(ctx, core.AuditLogEntry{ + EventType: models.EventIDJAGTokenIssued, + Severity: models.SeverityInfo, + ActorUserID: user.ID, + ResourceType: models.ResourceToken, + ResourceID: accessToken.ID, + Action: "Access token issued from ID-JAG (jwt-bearer grant)", + Details: models.AuditDetails{ + "client_id": clientID, + "issuer": v.Issuer, + "resource": v.Resource, + "scopes": scope, + }, + Success: true, + }) + + return accessToken, nil +} + +// provisionIDJAGUser finds or creates the local user backing an ID-JAG subject, +// keyed on (issuer, sub). Provisioned users are always non-admin (UpsertExternalUser +// never sets a role, so the model default "user" applies) and tagged with an +// idjag: auth_source. A synthetic, deterministic username/email keyed on +// (issuer, sub) is used so the same subject always maps to the same row. +func (s *TokenService) provisionIDJAGUser(v *validatedIDJAG) (*models.User, error) { + // Use a 32-hex (128-bit) prefix of the (issuer, sub) hash. The suffix only + // guarantees uniqueness of the synthetic username/email — matching of an + // existing subject is done on (external_id, auth_source) by UpsertExternalUser. + // A short prefix risks a birthday collision between two distinct (issuer, sub) + // pairs: the second would fail to match by external identity yet hit the unique + // username/email constraints, turning an otherwise valid jwt-bearer grant into a + // token-endpoint failure. 128 bits pushes that bound to ~2^64 subjects. + suffix := util.SHA256Hex(v.Issuer + "|" + v.Subject)[:32] + + username := sanitizeUsername(firstNonEmpty(v.Username, emailLocalPart(v.Email), v.Subject)) + if username == "" { + username = "idjag" + } + // Append a stable per-subject suffix so two different IdP subjects can never + // collide on username, while the same subject is idempotent across logins. + username = username + "-" + suffix + + // Always use a deterministic synthetic email keyed on (issuer, sub). The + // assertion's `email` claim is self-asserted (AuthGate does not verify it) and + // could collide with an existing local/OAuth user's unique email — passing it + // to UpsertExternalUser would fail the create with a duplicate-key error and + // turn an otherwise valid grant into a token-endpoint failure. The synthetic + // address is unique per (issuer, sub) and never clashes with a real account. + email := "idjag-" + suffix + "@idjag.local" + + return s.store.UpsertExternalUser( + username, + v.Subject, + idjagAuthSource(v.Issuer), + email, + v.FullName, + ) +} + +// auditIDJAGFailure records a failed jwt-bearer attempt. Untrusted issuer and +// signature/assertion failures are CRITICAL/ERROR security events written +// synchronously; the rest are WARNINGs. The raw assertion is never logged. +func (s *TokenService) auditIDJAGFailure( + ctx context.Context, + clientID, issuer string, + cause error, +) { + severity := models.SeverityWarning + switch { + case errors.Is(cause, ErrIDJAGUntrustedIssuer): + severity = models.SeverityCritical + case errors.Is(cause, ErrIDJAGInvalidAssertion): + severity = models.SeverityError + } + details := models.AuditDetails{ + "client_id": clientID, + "reason": cause.Error(), + } + if issuer != "" { + details["issuer"] = issuer + } + _ = s.auditService.LogSync(ctx, core.AuditLogEntry{ + EventType: models.EventIDJAGTokenIssued, + Severity: severity, + ResourceType: models.ResourceToken, + Action: "ID-JAG jwt-bearer grant rejected", + Details: details, + Success: false, + ErrorMessage: cause.Error(), + }) +} + +// idjagIssuerForAudit returns the issuer from a (possibly nil) validated result. +func idjagIssuerForAudit(v *validatedIDJAG) string { + if v == nil { + return "" + } + return v.Issuer +} + +// firstNonEmpty returns the first non-empty string argument. +func firstNonEmpty(vals ...string) string { + for _, v := range vals { + if v != "" { + return v + } + } + return "" +} + +// emailLocalPart returns the part before "@" in an email, or "" if absent. +func emailLocalPart(email string) string { + if i := strings.IndexByte(email, '@'); i > 0 { + return email[:i] + } + return "" +} + +// intersectScopes returns the space-separated scopes present in BOTH allowed and +// requested, preserving requested order. Used to bound an issued/minted token's +// scope to the client's registered set without ever widening it. +func intersectScopes(allowed, requested string) string { + allowedSet := util.ScopeSet(allowed) + var out []string + for sc := range strings.FieldsSeq(requested) { + if allowedSet[sc] { + out = append(out, sc) + } + } + return strings.Join(out, " ") +} diff --git a/internal/services/token_jwt_bearer_test.go b/internal/services/token_jwt_bearer_test.go new file mode 100644 index 00000000..dddbb75d --- /dev/null +++ b/internal/services/token_jwt_bearer_test.go @@ -0,0 +1,99 @@ +package services + +import ( + "testing" + "time" + + "github.com/go-authgate/authgate/internal/cache" + "github.com/go-authgate/authgate/internal/config" + "github.com/go-authgate/authgate/internal/metrics" + "github.com/go-authgate/authgate/internal/models" + "github.com/go-authgate/authgate/internal/store" + "github.com/go-authgate/authgate/internal/token" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func newIDJAGTokenService(t *testing.T) (*TokenService, *store.Store) { + t.Helper() + s := setupTestStore(t) + cfg := &config.Config{ + JWTExpiration: 1 * time.Hour, + JWTSecret: "test-secret", + BaseURL: "http://localhost:8080", + } + localProvider, err := token.NewLocalTokenProvider(cfg) + require.NoError(t, err) + clientService := NewClientService(s, nil, nil, 0, nil, 0) + svc := NewTokenService( + s, + cfg, + nil, + localProvider, + NewNoopAuditService(), + metrics.NewNoopMetrics(), + cache.NewNoopCache[models.AccessToken](), + clientService, + ) + return svc, s +} + +// TestProvisionIDJAGUser_Idempotent verifies that the same (issuer, sub) always +// maps to the same local row across repeated calls — the deterministic synthetic +// username/email keyed on (issuer, sub) must be stable so a returning subject is +// matched, not duplicated. +func TestProvisionIDJAGUser_Idempotent(t *testing.T) { + svc, _ := newIDJAGTokenService(t) + v := &validatedIDJAG{ + Issuer: "https://idp.example.com", + Subject: "user-123", + Email: "alice@corp.example.com", + FullName: "Alice", + Username: "alice", + } + + first, err := svc.provisionIDJAGUser(v) + require.NoError(t, err) + second, err := svc.provisionIDJAGUser(v) + require.NoError(t, err) + + assert.Equal(t, first.ID, second.ID, "same (issuer, sub) must resolve to the same user row") + assert.Equal(t, first.Username, second.Username) + assert.Equal(t, first.Email, second.Email) +} + +// TestProvisionIDJAGUser_DistinctSubjectsNoCollision pins the fix for the Codex +// P3 finding: two different (issuer, sub) pairs whose human-readable username part +// is identical must still provision two distinct rows. The synthetic suffix is a +// 32-hex (128-bit) prefix of the (issuer, sub) hash, so the second call cannot +// collide with the first's unique username/email constraints. On the old 10-hex +// (40-bit) suffix the collision space was small enough that high-scale deployments +// could fail an otherwise valid jwt-bearer grant with a duplicate-key error. +func TestProvisionIDJAGUser_DistinctSubjectsNoCollision(t *testing.T) { + svc, _ := newIDJAGTokenService(t) + + // Same issuer + same human-readable username claim, different subjects. + a, err := svc.provisionIDJAGUser(&validatedIDJAG{ + Issuer: "https://idp.example.com", + Subject: "subject-aaa", + Username: "shared-name", + Email: "shared@corp.example.com", + }) + require.NoError(t, err) + + b, err := svc.provisionIDJAGUser(&validatedIDJAG{ + Issuer: "https://idp.example.com", + Subject: "subject-bbb", + Username: "shared-name", + Email: "shared@corp.example.com", + }) + require.NoError(t, err) + + assert.NotEqual(t, a.ID, b.ID, "distinct subjects must provision distinct rows") + assert.NotEqual(t, a.Username, b.Username, "synthetic usernames must not collide") + assert.NotEqual(t, a.Email, b.Email, "synthetic emails must not collide") + + // The suffix is 32 hex chars; both synthetic emails carry it. + assert.Len(t, a.Email, len("idjag-")+32+len("@idjag.local")) +} diff --git a/internal/templates/admin_client_form.templ b/internal/templates/admin_client_form.templ index ad869959..d05345c7 100644 --- a/internal/templates/admin_client_form.templ +++ b/internal/templates/admin_client_form.templ @@ -26,6 +26,7 @@ templ AdminClientForm(props ClientFormPageProps) { ScopePresetsOnly: false, ShowAllowedResources: true, ShowRedirectURIPatterns: true, + ShowIDJAG: true, })
diff --git a/internal/templates/client_shared.templ b/internal/templates/client_shared.templ index ea492d6c..66b331a6 100644 --- a/internal/templates/client_shared.templ +++ b/internal/templates/client_shared.templ @@ -254,6 +254,21 @@ templ ClientFormCommonFields(props ClientFormFieldsProps) { } + if props.ShowIDJAG { + + }
if props.ShowClientCredentials { At least one grant type must be selected. Client Credentials Flow requires a confidential client. @@ -394,6 +409,34 @@ templ ClientFormCommonFields(props ClientFormFieldsProps) { } + if props.ShowIDJAG { + +
+ + if props.Client != nil { + + } else { + + } +
+
+ +
+ + Restricts which trusted IdP iss values this client may present an ID-JAG from. + Each entry must also appear in the server's TRUSTED_IDPS. Leave empty to accept + any trusted IdP. Press Enter to add; paste multiple separated by commas or newlines. + +
+ }
diff --git a/internal/templates/props.go b/internal/templates/props.go index 4be3776b..4b177c5d 100644 --- a/internal/templates/props.go +++ b/internal/templates/props.go @@ -222,6 +222,8 @@ type ClientDisplay struct { EnableDeviceFlow bool EnableAuthCodeFlow bool EnableClientCredentialsFlow bool + EnableIDJAGFlow bool // Enterprise-Managed Authorization (ID-JAG) jwt-bearer grant + AllowedIDJAGIssuers string // Comma-separated per-client trusted-IdP issuer allowlist (admin-managed) Status string // "pending", "active", "inactive" TokenProfile string // "short", "standard", or "long" Project string // Optional; emitted as JWT "project" claim @@ -439,6 +441,7 @@ type ClientFormFieldsProps struct { ScopePresetsOnly bool // Restrict scopes to preset chips only (user form) ShowAllowedResources bool // Render the RFC 8707 AllowedResources tag picker (admin form only) ShowRedirectURIPatterns bool // Render the origin-locked redirect URI pattern tag picker (admin form only) + ShowIDJAG bool // Render the Enterprise-Managed Authorization (ID-JAG) toggle + issuer allowlist (admin form only) } // UsersPageProps contains properties for the admin users list page diff --git a/internal/token/external_verify.go b/internal/token/external_verify.go new file mode 100644 index 00000000..2a05a2cd --- /dev/null +++ b/internal/token/external_verify.go @@ -0,0 +1,83 @@ +package token + +import ( + "crypto" + "crypto/ecdsa" + "crypto/rsa" + "errors" + "fmt" + + "github.com/golang-jwt/jwt/v5" +) + +var ( + // ErrExternalUnsupportedAlg is returned when an external JWT is signed with + // an algorithm AuthGate will not accept. Only the asymmetric RS256/ES256 are + // validatable — AuthGate shares no symmetric secret with a third-party IdP, + // so HS256 (and "none") are rejected outright. + ErrExternalUnsupportedAlg = errors.New("external token uses an unsupported signing algorithm") + // ErrExternalInvalid is returned when an external JWT is malformed, expired, + // or its signature does not verify against the resolved key. + ErrExternalInvalid = errors.New("external token is invalid") +) + +// externalValidMethods is the closed set of signing algorithms accepted for +// externally-issued JWTs (ID-JAG assertions). Asymmetric only. +var externalValidMethods = []string{"RS256", "ES256"} + +// KeyResolver resolves the public verification key for an external JWT from its +// header parameters. Implementations fetch from a remote JWKS by kid. The +// returned key must be an *rsa.PublicKey or *ecdsa.PublicKey. +type KeyResolver func(kid, alg string) (crypto.PublicKey, error) + +// ParseExternalIssuer extracts the `iss` claim from an UNVERIFIED token. The +// caller uses it to select the trusted IdP (and its JWKS endpoint) before the +// signature is checked — the value MUST NOT be trusted until VerifyExternalJWT +// succeeds against that IdP's keys. +func ParseExternalIssuer(tokenString string) (string, error) { + claims := jwt.MapClaims{} + if _, _, err := jwt.NewParser().ParseUnverified(tokenString, claims); err != nil { + return "", fmt.Errorf("%w: %v", ErrExternalInvalid, err) + } + iss, _ := claims["iss"].(string) + return iss, nil +} + +// VerifyExternalJWT verifies tokenString's signature with a key resolved via +// resolve, restricted to RS256/ES256. The jwt library validates exp/nbf/iat. +// Returns the verified claims, or ErrExternalInvalid / ErrExternalUnsupportedAlg +// on failure. This path is independent of AuthGate's own signing key. +func VerifyExternalJWT(tokenString string, resolve KeyResolver) (jwt.MapClaims, error) { + claims := jwt.MapClaims{} + keyFunc := func(t *jwt.Token) (any, error) { + alg, _ := t.Header["alg"].(string) + kid, _ := t.Header["kid"].(string) + key, err := resolve(kid, alg) + if err != nil { + return nil, err + } + // Defense-in-depth: the resolved key type must match the header alg. + switch alg { + case "RS256": + if _, ok := key.(*rsa.PublicKey); !ok { + return nil, fmt.Errorf("%w: %q key type mismatch", ErrExternalUnsupportedAlg, alg) + } + case "ES256": + if _, ok := key.(*ecdsa.PublicKey); !ok { + return nil, fmt.Errorf("%w: %q key type mismatch", ErrExternalUnsupportedAlg, alg) + } + default: + return nil, fmt.Errorf("%w: %q", ErrExternalUnsupportedAlg, alg) + } + return key, nil + } + + parser := jwt.NewParser(jwt.WithValidMethods(externalValidMethods)) + if _, err := parser.ParseWithClaims(tokenString, claims, keyFunc); err != nil { + if errors.Is(err, ErrExternalUnsupportedAlg) { + return nil, err + } + return nil, fmt.Errorf("%w: %v", ErrExternalInvalid, err) + } + return claims, nil +} diff --git a/internal/token/idjag.go b/internal/token/idjag.go new file mode 100644 index 00000000..f7cbf7af --- /dev/null +++ b/internal/token/idjag.go @@ -0,0 +1,63 @@ +package token + +import ( + "time" + + "github.com/golang-jwt/jwt/v5" + "github.com/google/uuid" +) + +// Token type URNs used by the RFC 8693 token-exchange flow that mints ID-JAGs. +const ( + // TokenTypeIDJAG identifies an Identity Assertion JWT Authorization Grant + // (the MCP Enterprise-Managed Authorization extension). + TokenTypeIDJAG = "urn:ietf:params:oauth:token-type:id-jag" + // TokenTypeIDToken identifies an OIDC ID Token (the accepted subject_token + // type for ID-JAG issuance). + TokenTypeIDToken = "urn:ietf:params:oauth:token-type:id_token" +) + +// IDJAGClaims carries the inputs for minting an ID-JAG. AuthGate (acting as IdP) +// assembles these from a validated subject ID Token plus the token-exchange +// request parameters; the values are server-attested at signing time. +type IDJAGClaims struct { + Issuer string // iss — AuthGate's issuer identifier + Subject string // sub — the end-user the assertion vouches for + Audience string // aud — the downstream RAS the assertion is targeted at + Resource string // resource — the MCP/resource server the RAS should bind the access token to + ClientID string // client_id — the MCP client that will redeem the assertion + Scope string // scope — optional; omitted when empty + Expiry time.Duration +} + +// GenerateIDJAG signs an ID-JAG with AuthGate's own signing key (the same key +// exposed via /.well-known/jwks.json), so a downstream RAS can verify it through +// AuthGate's JWKS. Returns the compact JWT and its absolute expiry. +func (p *LocalTokenProvider) GenerateIDJAG(c IDJAGClaims) (string, time.Time, error) { + now := time.Now() + expiry := c.Expiry + if expiry <= 0 { + expiry = 5 * time.Minute + } + expiresAt := now.Add(expiry) + + claims := jwt.MapClaims{ + "iss": c.Issuer, + "sub": c.Subject, + "aud": c.Audience, + "jti": uuid.New().String(), + "iat": now.Unix(), + "exp": expiresAt.Unix(), + "resource": c.Resource, + "client_id": c.ClientID, + } + if c.Scope != "" { + claims["scope"] = c.Scope + } + + signed, err := p.signClaims(claims) + if err != nil { + return "", time.Time{}, err + } + return signed, expiresAt, nil +}