Add support for encrypted request object (#42)

Author: mbilski

README.md

@@ -69,6 +69,7 @@ The available flags are:
       --auth-method string          token endpoint authentication method
       --client-id string            client identifier
       --client-secret string        client secret
+      --encrypted-request-object    pass request parameters as encrypted jwt
       --encryption-key string       path or url to encryption key in jwks format
       --grant-type string           grant type
   -h, --help                        help for oauthc

cmd/log.go

@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/go-jose/go-jose/v3/jwt"
 
 	"github.com/cloudentity/oauth2c/internal/oauth2"
@@ -277,10 +278,11 @@ func LogJARM(request oauth2.Request) {
 
 func LogRequestObject(r oauth2.Request) {
 	var (
-		request       = r.URL.Query().Get("request")
-		requestClaims map[string]interface{}
-		token         *jwt.JSONWebToken
-		err           error
+		request        = r.URL.Query().Get("request")
+		requestClaims  map[string]interface{}
+		token          *jwt.JSONWebToken
+		encryptedToken *jose.JSONWebEncryption
+		err            error
 	)
 
 	if request == "" {
@@ -292,10 +294,15 @@ func LogRequestObject(r oauth2.Request) {
 	}
 
 	if request != "" {
-		if token, requestClaims, err = oauth2.UnsafeParseJWT(request); err != nil {
+		if token, requestClaims, err = oauth2.UnsafeParseJWT(r.RequestObject); err != nil {
 			pterm.Error.Println(err)
 		} else {
-			pterm.DefaultBox.WithTitle("Request object").Printfln("request = JWT-%s(payload)", token.Headers[0].Algorithm)
+			if encryptedToken, err = jose.ParseEncrypted(request); err == nil {
+				pterm.DefaultBox.WithTitle("Request object").Printfln("request = JWE-%s(JWT-%s(payload))", encryptedToken.Header.Algorithm, token.Headers[0].Algorithm)
+			} else {
+				pterm.DefaultBox.WithTitle("Request object").Printfln("request = JWT-%s(payload)", token.Headers[0].Algorithm)
+			}
+
 			pterm.Println()
 			pterm.Println("Payload")
 			LogJson(requestClaims)
@@ -348,6 +355,17 @@ func LogKey(name string, key interface{}) {
 	pterm.Println(name)
 
 	switch key := key.(type) {
+	case *rsa.PublicKey:
+		p := bytes.Buffer{}
+
+		if err = pem.Encode(&p, &pem.Block{
+			Type:  "RSA PUBLIC KEY",
+			Bytes: x509.MarshalPKCS1PublicKey(key),
+		}); err != nil {
+			pterm.Error.Println(err)
+		}
+
+		pterm.FgGray.Printfln(p.String())
 	case *rsa.PrivateKey:
 		p := bytes.Buffer{}
 
@@ -358,6 +376,23 @@ func LogKey(name string, key interface{}) {
 			pterm.Error.Println(err)
 		}
 
+		pterm.FgGray.Printfln(p.String())
+	case *ecdsa.PublicKey:
+		b, err := x509.MarshalPKIXPublicKey(key)
+
+		if err != nil {
+			pterm.Error.Println(err)
+		}
+
+		p := bytes.Buffer{}
+
+		if err = pem.Encode(&p, &pem.Block{
+			Type:  "EC PUBLIC KEY",
+			Bytes: b,
+		}); err != nil {
+			pterm.Error.Println(err)
+		}
+
 		pterm.FgGray.Printfln(p.String())
 	case *ecdsa.PrivateKey:
 		b, err := x509.MarshalECPrivateKey(key)

cmd/oauth2.go

@@ -58,6 +58,7 @@ func NewOAuth2Cmd() (cmd *OAuth2Cmd) {
 	cmd.PersistentFlags().BoolVar(&cconfig.PKCE, "pkce", false, "enable proof key for code exchange (PKCE)")
 	cmd.PersistentFlags().BoolVar(&cconfig.PAR, "par", false, "enable pushed authorization requests (PAR)")
 	cmd.PersistentFlags().BoolVar(&cconfig.RequestObject, "request-object", false, "pass request parameters as jwt")
+	cmd.PersistentFlags().BoolVar(&cconfig.EncryptedRequestObject, "encrypted-request-object", false, "pass request parameters as encrypted jwt")
 	cmd.PersistentFlags().StringVar(&cconfig.Assertion, "assertion", "", "claims for jwt bearer assertion")
 	cmd.PersistentFlags().StringVar(&cconfig.SigningKey, "signing-key", "", "path or url to signing key in jwks format")
 	cmd.PersistentFlags().StringVar(&cconfig.EncryptionKey, "encryption-key", "", "path or url to encryption key in jwks format")

internal/oauth2/jwe.go

@@ -9,16 +9,16 @@ import (
 
 type EncrypterProvider func() (jose.Encrypter, interface{}, error)
 
-func JWEEncrypter(clientConfig ClientConfig, hc *http.Client) EncrypterProvider {
+func JWEEncrypter(keyPath string, hc *http.Client) EncrypterProvider {
 	return func() (encrypter jose.Encrypter, _ interface{}, err error) {
 		var key jose.JSONWebKey
 
-		if clientConfig.EncryptionKey == "" {
+		if keyPath == "" {
 			return nil, nil, errors.New("no encryption key path")
 		}
 
-		if key, err = ReadKey(EncryptionKey, clientConfig.EncryptionKey, hc); err != nil {
-			return nil, nil, errors.Wrapf(err, "failed to read encryption key from %s", clientConfig.EncryptionKey)
+		if key, err = ReadKey(EncryptionKey, keyPath, hc); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to read encryption key from %s", keyPath)
 		}
 
 		if encrypter, err = jose.NewEncrypter(

internal/oauth2/jwt.go

@@ -32,16 +32,16 @@ func UnsafeParseJWT(token string) (*jwt.JSONWebToken, map[string]interface{}, er
 
 type SignerProvider func() (jose.Signer, interface{}, error)
 
-func JWKSigner(clientConfig ClientConfig, hc *http.Client) SignerProvider {
+func JWKSigner(keyPath string, hc *http.Client) SignerProvider {
 	return func() (signer jose.Signer, _ interface{}, err error) {
 		var key jose.JSONWebKey
 
-		if clientConfig.SigningKey == "" {
+		if keyPath == "" {
 			return nil, nil, errors.New("no signing key path")
 		}
 
-		if key, err = ReadKey(SigningKey, clientConfig.SigningKey, hc); err != nil {
-			return nil, nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)
+		if key, err = ReadKey(SigningKey, keyPath, hc); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to read signing key from %s", keyPath)
 		}
 
 		if signer, err = jose.NewSigner(jose.SigningKey{

internal/oauth2/jwt_test.go

@@ -23,9 +23,7 @@ func TestSignJWT(t *testing.T) {
 		},
 	)
 
-	jwt, _, err := SignJWT(claims, JWKSigner(ClientConfig{
-		SigningKey: "../../data/key.json",
-	}, http.DefaultClient))
+	jwt, _, err := SignJWT(claims, JWKSigner("../../data/key.json", http.DefaultClient))
 	require.NoError(t, err)
 
 	jws, err := jose.ParseSigned(jwt)

internal/oauth2/oauth2.go

@@ -54,31 +54,32 @@ const CodeVerifierLength = 43
 var CodeChallengeEncoder = base64.RawURLEncoding
 
 type ClientConfig struct {
-	IssuerURL        string
-	GrantType        string
-	ClientID         string
-	ClientSecret     string
-	Scopes           []string
-	AuthMethod       string
-	PKCE             bool
-	PAR              bool
-	RequestObject    bool
-	Insecure         bool
-	ResponseType     []string
-	ResponseMode     string
-	Username         string
-	Password         string
-	RefreshToken     string
-	Assertion        string
-	SigningKey       string
-	EncryptionKey    string
-	SubjectToken     string
-	SubjectTokenType string
-	ActorToken       string
-	ActorTokenType   string
-	TLSCert          string
-	TLSKey           string
-	TLSRootCA        string
+	IssuerURL              string
+	GrantType              string
+	ClientID               string
+	ClientSecret           string
+	Scopes                 []string
+	AuthMethod             string
+	PKCE                   bool
+	PAR                    bool
+	RequestObject          bool
+	EncryptedRequestObject bool
+	Insecure               bool
+	ResponseType           []string
+	ResponseMode           string
+	Username               string
+	Password               string
+	RefreshToken           string
+	Assertion              string
+	SigningKey             string
+	EncryptionKey          string
+	SubjectToken           string
+	SubjectTokenType       string
+	ActorToken             string
+	ActorTokenType         string
+	TLSCert                string
+	TLSKey                 string
+	TLSRootCA              string
 }
 
 func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfig, hc *http.Client) (r Request, codeVerifier string, err error) {
@@ -358,7 +359,7 @@ func RequestToken(
 
 		if assertion, request.SigningKey, err = SignJWT(
 			AssertionClaims(sconfig, cconfig),
-			JWKSigner(cconfig, hc),
+			JWKSigner(cconfig.SigningKey, hc),
 		); err != nil {
 			return request, response, err
 		}

internal/oauth2/request.go

@@ -19,6 +19,7 @@ type Request struct {
 	Headers       map[string][]string
 	Form          url.Values
 	JARM          map[string]interface{}
+	RequestObject string
 	SigningKey    interface{}
 	EncryptionKey interface{}
 	Cert          *x509.Certificate
@@ -64,33 +65,35 @@ func (r *Request) AuthorizeRequest(
 		r.Form.Set("code_challenge_method", "S256")
 	}
 
-	if cconfig.RequestObject {
-		var request string
-
+	if cconfig.RequestObject || cconfig.EncryptedRequestObject {
 		claims := RequestObjectClaims(r.Form, sconfig, cconfig)
 
 		if cconfig.SigningKey != "" {
-			if request, r.SigningKey, err = SignJWT(claims, JWKSigner(cconfig, hc)); err != nil {
+			if r.RequestObject, r.SigningKey, err = SignJWT(claims, JWKSigner(cconfig.SigningKey, hc)); err != nil {
 				return "", err
 			}
 		} else {
-			if request, r.SigningKey, err = PlaintextJWT(claims); err != nil {
-				return "", err
-			}
-		}
-
-		if cconfig.EncryptionKey != "" {
-			if request, r.EncryptionKey, err = EncryptJWT(request, JWEEncrypter(cconfig, hc)); err != nil {
+			if r.RequestObject, r.SigningKey, err = PlaintextJWT(claims); err != nil {
 				return "", err
 			}
 		}
 
 		r.Form = url.Values{
 			"client_id": {cconfig.ClientID},
-			"request":   {request},
+			"request":   {r.RequestObject},
 			"scope":     {"openid"},
 		}
 
+		if cconfig.EncryptedRequestObject {
+			var encryptedRequestObject string
+
+			if encryptedRequestObject, r.EncryptionKey, err = EncryptJWT(r.RequestObject, JWEEncrypter(sconfig.JWKsURI, hc)); err != nil {
+				return "", err
+			}
+
+			r.Form.Set("request", encryptedRequestObject)
+		}
+
 		if len(cconfig.Scopes) > 0 {
 			r.Form.Set("scope", strings.Join(cconfig.Scopes, " "))
 		}
@@ -129,7 +132,7 @@ func (r *Request) AuthenticateClient(
 
 		if clientAssertion, r.SigningKey, err = SignJWT(
 			ClientAssertionClaims(sconfig, cconfig),
-			JWKSigner(cconfig, hc),
+			JWKSigner(cconfig.SigningKey, hc),
 		); err != nil {
 			return endpoint, err
 		}