2016-07-25 13:00:28 -07:00
package storage
import (
jose "gopkg.in/square/go-jose.v2"
var (
2016-10-05 16:03:29 -07:00
// ErrNotFound is the error returned by storages if a resource cannot be found.
ErrNotFound = errors.New("not found")
2016-07-25 13:00:28 -07:00
2016-10-05 16:03:29 -07:00
// ErrAlreadyExists is the error returned by storages if a resource ID is taken during a create.
ErrAlreadyExists = errors.New("ID already exists")
2016-07-25 13:00:28 -07:00
// Kubernetes only allows lower case letters for names.
// TODO(ericchiang): refactor ID creation onto the storage.
var encoding = base32.NewEncoding("abcdefghijklmnopqrstuvwxyz234567")
2016-08-02 21:57:36 -07:00
// NewID returns a random string which can be used as an ID for objects.
func NewID() string {
2016-10-03 17:38:32 -07:00
buff := make([]byte, 16) // 128 bit random ID.
2016-07-25 13:00:28 -07:00
if _, err := io.ReadFull(rand.Reader, buff); err != nil {
// Trim padding
return strings.TrimRight(encoding.EncodeToString(buff), "=")
2016-10-12 18:46:10 -07:00
// GCResult returns the number of objects deleted by garbage collection.
type GCResult struct {
AuthRequests int64
AuthCodes int64
2016-07-25 13:00:28 -07:00
// Storage is the storage interface used by the server. Implementations, at minimum
// require compare-and-swap atomic actions.
// Implementations are expected to perform their own garbage collection of
2016-08-01 22:53:12 -07:00
// expired objects (expect keys, which are handled by the server).
2016-07-25 13:00:28 -07:00
type Storage interface {
Close() error
2016-07-31 23:25:06 -07:00
// TODO(ericchiang): Let the storages set the IDs of these objects.
2016-07-25 13:00:28 -07:00
CreateAuthRequest(a AuthRequest) error
CreateClient(c Client) error
CreateAuthCode(c AuthCode) error
2016-08-02 21:57:36 -07:00
CreateRefresh(r RefreshToken) error
2016-10-05 16:03:29 -07:00
CreatePassword(p Password) error
2016-07-25 13:00:28 -07:00
// TODO(ericchiang): return (T, bool, error) so we can indicate not found
2016-07-31 23:25:06 -07:00
// requests that way instead of using ErrNotFound.
2016-07-25 13:00:28 -07:00
GetAuthRequest(id string) (AuthRequest, error)
GetAuthCode(id string) (AuthCode, error)
GetClient(id string) (Client, error)
GetKeys() (Keys, error)
2016-08-02 21:57:36 -07:00
GetRefresh(id string) (RefreshToken, error)
2016-10-05 16:03:29 -07:00
GetPassword(email string) (Password, error)
2016-07-25 13:00:28 -07:00
ListClients() ([]Client, error)
2016-08-02 21:57:36 -07:00
ListRefreshTokens() ([]RefreshToken, error)
2016-11-16 14:57:27 -08:00
ListPasswords() ([]Password, error)
2016-07-25 13:00:28 -07:00
// Delete methods MUST be atomic.
DeleteAuthRequest(id string) error
DeleteAuthCode(code string) error
DeleteClient(id string) error
DeleteRefresh(id string) error
2016-10-05 16:03:29 -07:00
DeletePassword(email string) error
2016-07-25 13:00:28 -07:00
2016-10-28 13:00:13 -07:00
// Update methods take a function for updating an object then performs that update within
// a transaction. "updater" functions may be called multiple times by a single update call.
// Because new fields may be added to resources, updaters should only modify existing
// fields on the old object rather then creating new structs. For example:
// updater := func(old storage.Client) (storage.Client, error) {
// old.Secret = newSecret
// return old, nil
// }
// if err := s.UpdateClient(clientID, updater); err != nil {
// // update failed, handle error
// }
2016-09-14 16:38:12 -07:00
2016-07-25 13:00:28 -07:00
UpdateClient(id string, updater func(old Client) (Client, error)) error
UpdateKeys(updater func(old Keys) (Keys, error)) error
UpdateAuthRequest(id string, updater func(a AuthRequest) (AuthRequest, error)) error
2016-10-05 16:03:29 -07:00
UpdatePassword(email string, updater func(p Password) (Password, error)) error
2016-09-14 16:38:12 -07:00
2016-10-12 18:46:10 -07:00
// GarbageCollect deletes all expired AuthCodes and AuthRequests.
GarbageCollect(now time.Time) (GCResult, error)
2016-07-25 13:00:28 -07:00
2016-09-14 16:38:12 -07:00
// Client represents an OAuth2 client.
2016-07-25 13:00:28 -07:00
// For further reading see:
// * Trusted peers: https://developers.google.com/identity/protocols/CrossClientAuth
// * Public clients: https://developers.google.com/api-client-library/python/auth/installed-app
type Client struct {
2016-09-14 16:38:12 -07:00
// Client ID and secret used to identify the client.
ID string `json:"id" yaml:"id"`
Secret string `json:"secret" yaml:"secret"`
// A registered set of redirect URIs. When redirecting from dex to the client, the URI
// requested to redirect to MUST match one of these values, unless the client is "public".
2016-08-05 09:50:22 -07:00
RedirectURIs []string `json:"redirectURIs" yaml:"redirectURIs"`
2016-07-25 13:00:28 -07:00
2016-09-14 16:38:12 -07:00
// TrustedPeers are a list of peers which can issue tokens on this client's behalf using
// the dynamic "oauth2:server:client_id:(client_id)" scope. If a peer makes such a request,
// this client's ID will appear as the ID Token's audience.
2016-07-25 13:00:28 -07:00
// Clients inherently trust themselves.
2016-08-05 09:50:22 -07:00
TrustedPeers []string `json:"trustedPeers" yaml:"trustedPeers"`
2016-07-25 13:00:28 -07:00
// Public clients must use either use a redirectURL or "urn:ietf:wg:oauth:2.0:oob"
2016-08-05 09:50:22 -07:00
Public bool `json:"public" yaml:"public"`
2016-07-25 13:00:28 -07:00
2016-09-14 16:38:12 -07:00
// Name and LogoURL used when displaying this client to the end user.
2016-08-05 09:50:22 -07:00
Name string `json:"name" yaml:"name"`
LogoURL string `json:"logoURL" yaml:"logoURL"`
2016-07-25 13:00:28 -07:00
2016-08-02 21:57:36 -07:00
// Claims represents the ID Token claims supported by the server.
type Claims struct {
2016-07-25 13:00:28 -07:00
UserID string
Username string
Email string
EmailVerified bool
Groups []string
// AuthRequest represents a OAuth2 client authorization request. It holds the state
// of a single auth flow up to the point that the user authorizes the client.
type AuthRequest struct {
2016-09-14 16:38:12 -07:00
// ID used to identify the authorization request.
ID string
// ID of the client requesting authorization from a user.
2016-07-25 13:00:28 -07:00
ClientID string
2016-09-14 16:38:12 -07:00
// Values parsed from the initial request. These describe the resources the client is
// requesting as well as values describing the form of the response.
2016-07-25 13:00:28 -07:00
ResponseTypes []string
Scopes []string
RedirectURI string
2016-09-14 16:38:12 -07:00
Nonce string
State string
2016-07-25 13:00:28 -07:00
// The client has indicated that the end user must be shown an approval prompt
// on all requests. The server cannot cache their initial action for subsequent
// attempts.
ForceApprovalPrompt bool
2016-09-14 16:38:12 -07:00
Expiry time.Time
// Has the user proved their identity through a backing identity provider?
// If false, the following fields are invalid.
LoggedIn bool
2016-07-25 13:00:28 -07:00
// The identity of the end user. Generally nil until the user authenticates
// with a backend.
2016-09-14 16:38:12 -07:00
Claims Claims
2016-08-02 21:14:24 -07:00
// The connector used to login the user and any data the connector wishes to persists.
// Set when the user authenticates.
ConnectorID string
ConnectorData []byte
2016-07-25 13:00:28 -07:00
// AuthCode represents a code which can be exchanged for an OAuth2 token response.
2016-09-14 16:38:12 -07:00
// This value is created once an end user has authorized a client, the server has
// redirect the end user back to the client, but the client hasn't exchanged the
// code for an access_token and id_token.
2016-07-25 13:00:28 -07:00
type AuthCode struct {
2016-09-14 16:38:12 -07:00
// Actual string returned as the "code" value.
2016-07-25 13:00:28 -07:00
ID string
2016-09-14 16:38:12 -07:00
// The client this code value is valid for. When exchanging the code for a
// token response, the client must use its client_secret to authenticate.
ClientID string
2016-08-02 21:14:24 -07:00
2016-09-14 16:38:12 -07:00
// As part of the OAuth2 spec when a client makes a token request it MUST
// present the same redirect_uri as the initial redirect. This values is saved
// to make this check.
// https://tools.ietf.org/html/rfc6749#section-4.1.3
RedirectURI string
2016-07-25 13:00:28 -07:00
2016-09-14 16:38:12 -07:00
// If provided by the client in the initial request, the provider MUST create
// a ID Token with this nonce in the JWT payload.
2016-07-25 13:00:28 -07:00
Nonce string
2016-09-14 16:38:12 -07:00
// Scopes authorized by the end user for the client.
2016-07-25 13:00:28 -07:00
Scopes []string
2016-09-14 16:38:12 -07:00
// Authentication data provided by an upstream source.
ConnectorID string
ConnectorData []byte
Claims Claims
2016-07-25 13:00:28 -07:00
Expiry time.Time
2016-09-14 16:38:12 -07:00
// RefreshToken is an OAuth2 refresh token which allows a client to request new
// tokens on the end user's behalf.
2016-08-02 21:57:36 -07:00
type RefreshToken struct {
2016-07-25 13:00:28 -07:00
// The actual refresh token.
RefreshToken string
// Client this refresh token is valid for.
2016-08-02 21:14:24 -07:00
ClientID string
2016-09-14 16:38:12 -07:00
// Authentication data provided by an upstream source.
2016-08-02 21:14:24 -07:00
ConnectorID string
ConnectorData []byte
2016-09-14 16:38:12 -07:00
Claims Claims
2016-07-25 13:00:28 -07:00
// Scopes present in the initial request. Refresh requests may specify a set
// of scopes different from the initial request when refreshing a token,
// however those scopes must be encompassed by this set.
Scopes []string
2016-09-14 16:38:12 -07:00
// Nonce value supplied during the initial redirect. This is required to be part
// of the claims of any future id_token generated by the client.
2016-07-25 13:00:28 -07:00
Nonce string
2016-10-05 16:03:29 -07:00
// Password is an email to password mapping managed by the storage.
type Password struct {
// Email and identifying name of the password. Emails are assumed to be valid and
// determining that an end-user controls the address is left to an outside application.
// Emails are case insensitive and should be standardized by the storage.
// Storages that don't support an extended character set for IDs, such as '.' and '@'
// (cough cough, kubernetes), must map this value appropriately.
2016-11-03 14:32:23 -07:00
Email string `json:"email"`
2016-10-05 16:03:29 -07:00
2016-10-27 16:28:11 -07:00
// Bcrypt encoded hash of the password. This package enforces a min cost value of 10
2016-11-03 14:32:23 -07:00
Hash []byte `json:"hash"`
2016-10-05 16:03:29 -07:00
// Optional username to display. NOT used during login.
2016-11-03 14:32:23 -07:00
Username string `json:"username"`
2016-10-05 16:03:29 -07:00
// Randomly generated user ID. This is NOT the primary ID of the Password object.
2016-11-03 14:32:23 -07:00
UserID string `json:"userID"`
2016-10-05 16:03:29 -07:00
2016-07-25 13:00:28 -07:00
// VerificationKey is a rotated signing key which can still be used to verify
// signatures.
type VerificationKey struct {
PublicKey *jose.JSONWebKey `json:"publicKey"`
Expiry time.Time `json:"expiry"`
// Keys hold encryption and signing keys.
type Keys struct {
// Key for creating and verifying signatures. These may be nil.
SigningKey *jose.JSONWebKey
SigningKeyPub *jose.JSONWebKey
2016-09-14 16:38:12 -07:00
2016-07-25 13:00:28 -07:00
// Old signing keys which have been rotated but can still be used to validate
// existing signatures.
VerificationKeys []VerificationKey
// The next time the signing key will rotate.
// For caching purposes, implementations MUST NOT update keys before this time.
NextRotation time.Time
// Sign creates a JWT using the signing key.
func (k Keys) Sign(payload []byte) (jws string, err error) {
if k.SigningKey == nil {
return "", fmt.Errorf("no key to sign payload with")
signingKey := jose.SigningKey{Key: k.SigningKey}
switch key := k.SigningKey.Key.(type) {
case *rsa.PrivateKey:
// TODO(ericchiang): Allow different cryptographic hashes.
signingKey.Algorithm = jose.RS256
case *ecdsa.PrivateKey:
switch key.Params() {
case elliptic.P256().Params():
signingKey.Algorithm = jose.ES256
case elliptic.P384().Params():
signingKey.Algorithm = jose.ES384
case elliptic.P521().Params():
signingKey.Algorithm = jose.ES512
return "", errors.New("unsupported ecdsa curve")
signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{})
if err != nil {
return "", fmt.Errorf("new signier: %v", err)
signature, err := signer.Sign(payload)
if err != nil {
return "", fmt.Errorf("signing payload: %v", err)
return signature.CompactSerialize()