From 050517a485e769e7f0893cd21f07057ea47635c1 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt
Date: Mon, 16 Sep 2024 12:53:04 +0200
Subject: [PATCH] add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev depend on liboauth2 >= 2.1.0; bump to 4.1.0dev
Signed-off-by: Hans Zandbelt
---
 ChangeLog | 5 +++++
 Makefile.am | 1 +
 README.md | 33 +++++++++++++--------------------
 configure.ac | 6 +++---
 src/liboauth2-sts | 2 +-
 src/mod_sts.c | 6 +++---
 sts.conf | 21 ++++++++++++++++++++-
 7 files changed, 46 insertions(+), 28 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8442b9e..799c58d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+09/16/2024 - add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev - depend on liboauth2 >= 2.1.0 - bump to 4.1.0dev
+
 08/22/2024
 - change LICENSE to Apache 2.0
 - depend on liboauth2 >= 2.0.0
diff --git a/Makefile.am b/Makefile.am
index 7666ff5..da7557e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,6 +25,7 @@ lib_LTLIBRARIES = @PACKAGE_NAME@.la
 src/liboauth2-sts/src/ropc.c \
 src/liboauth2-sts/src/cc.c \
 src/liboauth2-sts/src/otx.c \
+ src/liboauth2-sts/src/jwt.c \
 src/@PACKAGE_NAME@.c
 @PACKAGE_NAME@_la_LDFLAGS = -module
diff --git a/README.md b/README.md
index b4b6e21..5ad7de1 100644
--- a/README.md
+++ b/README.md
@@ -78,8 +78,6 @@ mechanism to obtain an OAuth 2.0 access token that can be used to authenticate t
 WS-Trust STS using HTTP Basic authentication.
 ```apache
-LogLevel sts:debug
-
 STSExchange wstrust https://pingfed:9031/pf/sts.wst \
 auth=basic&username=wstrust&password=2Federate&\
@@ -87,17 +85,12 @@ applies_to=urn:pingfed&\
 value_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&\
 token_type=urn:bogus:token&\
 ssl_verify=false
-
- ProxyPass http://echo:8080
- ProxyPassReverse http://echo:8080
 ```
 OAuth 2.0 Resource Owner Password Credentials based STS using `client_secret_basic` authentication.
 ```apache
-LogLevel sts:debug
-
 STSExchange ropc https://pingfed:9031/as/token.oauth2 \
 auth=client_secret_basic&\
@@ -105,17 +98,12 @@ client_id=sts0&\
 client_secret=2Federate&\
 username=dummy&\
 ssl_verify=false
-
- ProxyPass http://echo:8080
- ProxyPassReverse http://echo:8080
 ```
 OAuth 2.0 Client Credentials token retrieval using `client_secret_basic` authentication.
 ```apache
-LogLevel sts:debug
-
 SetEnvIfExpr true dummy=dummy
 STSAcceptSourceTokenIn environment name=dummy
@@ -125,27 +113,32 @@ auth=client_secret_basic&\
 client_id=cc_client&\
 client_secret=mysecret&\
 ssl_verify=false
-
- ProxyPass http://echo:8080
- ProxyPassReverse http://echo:8080
 ```
 OAuth 2.0 Token Exchange using `client_secret_basic` authentication.
-
 ```apache
-LogLevel sts:debug
-
 STSExchange otx https://keycloak:8443/auth/realms/master/protocol/openid-connect/token \
 auth=client_secret_basic&\
 client_id=otxclient&\
 client_secret=2Federate&\
 ssl_verify=false
+
+```
- ProxyPass http://echo:8080
- ProxyPassReverse http://echo:8080
+JWT generation from a incoming access token verified by mod_oauth2. The JSON payload is passed between the modules in an environment variable.
+
+```apache
+
+ AuthType oauth2
+ Require valid-user
+ OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate
+ OAuth2TargetPass json_payload_claim=payload&headers=false
+ STSAcceptSourceTokenIn environment name=OAUTH2_CLAIM_payload
+ STSExchange jwt "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\",\"d\":\"Xc9d-kZERQVC0Dzh1b0sCwJE75Bf1fMr4hHAjJsovjV641ElqRdd4Borp9X2sJVcLTq1wWgmvmjYXgvhdTTg2f-vS4dqhPcGjM3VVUhzzPU6wIdZ7W0XzC1PY4E-ozTBJ1Nr-EhujuftnhRhVjYOkAAqU94FXVsaf2mBAKg-8WzrWx2MeWjfLcE79DmSL9Iw2areKVRGlKddIIPnHb-Mw9HB7ZCyVTC1v5sqhQPy6qPo8XHdQju_EYRlIOMksU8kcb20R_ezib_rHuVwJVlTNk6MvFUIj4ayXdX13Qy4kTBRiQM7pumPaypEE4CrAfTWP0AYnEwz_FGluOpMZNzoAQ\"}"
+ STSPassTargetTokenIn header
 ```
diff --git a/configure.ac b/configure.ac
index 70ff15c..3327086 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_sts],[4.0.0],[hans.zandbelt@openidc.com])
+AC_INIT([mod_sts],[4.1.0dev],[hans.zandbelt@openidc.com])
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -27,11 +27,11 @@ AC_SUBST(APR_LIBS)
 AC_SUBST(APACHE_CFLAGS)
 AC_ARG_VAR(APXS_OPTS, [additional command line options to pass to apxs])
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.0.0])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.1.0])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.0.0])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.1.0])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
diff --git a/src/liboauth2-sts b/src/liboauth2-sts
index db142c3..9b535a0 160000
--- a/src/liboauth2-sts
+++ b/src/liboauth2-sts
@@ -1 +1 @@
-Subproject commit db142c38fb07674e420996ed7223a00c9b04e8ab
+Subproject commit 9b535a0396d86eb6759dcb5948c1ae4eb328c809
diff --git a/src/mod_sts.c b/src/mod_sts.c
index d382b49..fb097a7 100644
--- a/src/mod_sts.c
+++ b/src/mod_sts.c
@@ -126,8 +126,8 @@ OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, accept_source_token_in,
 sts_cfg_set_accept_source_token_in, cfg)
 OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, pass_target_token_in,
 sts_cfg_set_pass_target_token_in, cfg)
-OAUTH2_APACHE_CMD_ARGS3(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
- cfg)
+OAUTH2_APACHE_CMD_ARGSV4(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
- cfg)
 // clang-format off
@@ -153,7 +153,7 @@ static const command_rec OAUTH2_APACHE_COMMANDS(sts)[] = {
 pass_target_token_in,
 "Configures in which way the target token is passed to the application."),
- OAUTH2_APACHE_CMD_ARGS(sts, 23,
+ OAUTH2_APACHE_CMD_ARGS(sts, _ARGV,
 STSExchange, exchange,
 "Configures the token exchange protocol and parameters."),
diff --git a/sts.conf b/sts.conf
index 0127049..7fe0104 100644
--- a/sts.conf
+++ b/sts.conf
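Review bot: Switching STSExchange from `OAUTH2_APACHE_CMD_ARGS(sts, 23, …)` to `OAUTH2_APACHE_CMD_ARGS(sts, _ARGV, …)` in the second mod_sts.c hunk (presumably Apache's TAKE_ARGV form) drops the parse-time argument-count check that the TAKE23 form gave, so that validation now has to happen inside `sts_cfg_set_exchange`, which lives in the liboauth2-sts submodule bumped by this same commit and is not visible here; worth confirming it returns a configuration error for a missing mandatory argument or for surplus ones instead of silently ignoring them. The directive's help string is also unchanged, `"Configures the token exchange protocol and parameters."`, although the directive now accepts a variable number of arguments; suggest `"Configures the token exchange protocol and parameters: mode, endpoint URL or JWK, options and, for the jwt mode, an optional JQ filter."`, with the exact argument order taken from the sts.conf comment block in this commit. The `command_rec` array that this hunk edits starts and ends outside the hunk.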
@@ -1,12 +1,13 @@
 # Set mode/protocol, endpoint URL and options for calling the STS
 #
-#STSExchange
+#STSExchange []
 #
 # =[ wstrust | ropc | otx | disabled ]
 # wstrust : WS-Trust
 # ropc : OAuth 2.0 Resource Owner Password Credentials grant
 # cc : OAuth 2.0 Client Credentials grant
 # otx : OAuth 2.0 Token Exchange
+# jwt : JWT token generation, optionally with JQ processing
 # disabled : don't perform any attempt to exchange a token
 #
 # =
@@ -157,6 +158,24 @@
 # subject_token_type urn:ietf:params:oauth:token-type:access_token
 # i.e. set the source token to an OAuth 2.0 access token
+#
+# JWT token generation, optionally with JQ processing
+# (=jwt)
+#
+#
+# Set the JWK that is used to sign the JWT, must be a private key.
+#
+# JWT Options:
+#
+# alg=
+# iss=
+# sub=
+# client_id=
+# aud=
+# jq.cache.name=
+#
+#
+# JQ filter to be applied to the input JSON object before signing the JWT
 #
 # Source Token Settings
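Review bot: The mode enumeration line in the first sts.conf hunk, `# =[ wstrust | ropc | otx | disabled ]`, is not updated although the same hunk adds `# jwt : JWT token generation, optionally with JQ processing` to the per-mode list directly below it; that enumeration also already omits `cc`, which the list documents, so `cc` and `jwt` should both be added to it. In the second hunk, `# Set the JWK that is used to sign the JWT, must be a private key.` is the only guidance on the signing key, and the README example in this commit passes the private JWK inline as a directive argument; a follow-up comment such as `# The JWK holds private key material: keep this file's read permissions tight and keep it out of version control.` would tell operators how to handle it.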