ORGANIC-443. !!Hacks introduced (not for production)!! Reimplemented jwt validation with Okta's golang lib. Made a few hacks to get it working.

Author: thomasyip

api/auth.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"net/http"
 
-	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/sirupsen/logrus"
+	"github.com/okta/okta-jwt-verifier-golang"
 )
 
 // requireAuthentication checks incoming requests for tokens presented using the Authorization header
@@ -35,14 +35,35 @@ func (a *API) extractBearerToken(w http.ResponseWriter, r *http.Request) (string
 }
 
 func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, error) {
+	// Reimplemented to use Okta lib
+	// Original validation only work for HS256 algo,
+	// Okta supports RS256 only which requires public key downloading and caching (key rotation)
 	config := getConfig(r.Context())
-	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
-	token, err := p.ParseWithClaims(bearer, &GatewayClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte(config.JWT.Secret), nil
-	})
+
+	toValidate := map[string]string{}
+	toValidate["aud"] = config.JWT.AUD
+	toValidate["cid"] = config.JWT.CID
+
+	jwtVerifierSetup := jwtverifier.JwtVerifier{
+		Issuer: config.JWT.Issuer,
+		ClaimsToValidate: toValidate,
+	}
+
+	verifier := jwtVerifierSetup.New()
+
+	_, err := verifier.VerifyAccessToken(bearer)
+
+	// @TODO? WARNING: Should be roles and other claims be checked here?
+
 	if err != nil {
 		return nil, unauthorizedError("Invalid token: %v", err)
 	}
 
-	return withToken(r.Context(), token), nil
+	logrus.Infof("parseJWTClaims passed")
+
+	// return nil, because the `github.go` is coded to send personal token
+	// both github oauth generates its own id, so oauth pass-thru is impossible
+	// we can improve the gateway to talk oauth with github.com, but we will
+	// still return nil here.
+	return nil, nil
 }

api/github.go

@@ -74,6 +74,9 @@ func (gh *GitHubGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	ctx = withProxyTarget(ctx, target)
 	ctx = withAccessToken(ctx, config.GitHub.AccessToken)
+
+	log := getLogEntry(r)
+	log.Infof("proxy.ServeHTTP: %+v\n", r.WithContext(ctx))
 	gh.proxy.ServeHTTP(w, r.WithContext(ctx))
 }
 
@@ -82,8 +85,12 @@ func (gh *GitHubGateway) authenticate(w http.ResponseWriter, r *http.Request) er
 	claims := getClaims(ctx)
 	config := getConfig(ctx)
 
+	log := getLogEntry(r)
+	log.Infof("authenticate context: %v+", ctx)
 	if claims == nil {
-		return errors.New("Access to endpoint not allowed: no claims found in Bearer token")
+		// @TODO? WARNING: the check should be done in auth.go, imo.
+		// Having the jwt in the context (and thus, sent to github.com) is not necessary
+		// return errors.New("Access to endpoint not allowed: no claims found in Bearer token")
 	}
 
 	if !allowedRegexp.MatchString(r.URL.Path) {

conf/configuration.go

@@ -46,6 +46,9 @@ type DBConfiguration struct {
 // JWTConfiguration holds all the JWT related configuration.
 type JWTConfiguration struct {
 	Secret string `json:"secret" required:"true"`
+	CID    string `envconfig:"CLIENT_ID" json:"client_id,omitempty"`
+	Issuer string `envconfig:"ISSUER" json:"issuer,omitempty"`
+	AUD    string `envconfig:"AUD" json:"aud,omitempty"`
 }
 
 // GlobalConfiguration holds all the configuration that applies to all instances.

glide.lock

@@ -2,6 +2,8 @@ package: github.com/netlify/git-gateway
 import:
 - package: github.com/dgrijalva/jwt-go
   version: v3.0.0
+- package: github.com/okta/okta-jwt-verifier-golang
+  version: 04702def3e1b9b1c6b419c9c3aae1ec184a5d4b2
 - package: github.com/jinzhu/gorm
   version: 5b8c0dd6b92d9caa8036c31dcb117f2df7cceefa
 - package: github.com/pborman/uuid