tls_client_auth (#7)

mbilski · web-flow · commit c92c131ddf61 · 2022-11-17T13:17:40.000+01:00
diff --git a/README.md b/README.md
@@ -148,7 +148,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
   --auth-method client_secret_basic \
   --scopes email \
-  --signing-key https://pastebin.com/raw/WMkzhjhm \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
   --assertion '{"sub":"jdoe@example.com"}'
 ```
 
@@ -192,8 +192,20 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
 ``` sh
 oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --client-id 582af0afb0d74554aa7af47849edb222 \
-  --signing-key https://pastebin.com/raw/WMkzhjhm \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
   --grant-type client_credentials \
   --auth-method private_key_jwt \
   --scopes introspect_tokens,revoke_tokens
 ```
+
+### TLS Client Auth
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id 3f07a8c2adea4c1ab353f3ca8e16b8fd \
+  --tls-cert https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem \
+  --tls-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem \
+  --grant-type client_credentials \
+  --auth-method tls_client_auth \
+  --scopes introspect_tokens,revoke_tokens
+```
diff --git a/cmd/log.go b/cmd/log.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/cloudentity/oauth2c/internal/oauth2"
 	"github.com/golang-jwt/jwt"
+	"github.com/grantae/certinfo"
 	"github.com/pterm/pterm"
 	"github.com/tidwall/pretty"
 )
@@ -60,6 +61,13 @@ func LogRequest(r oauth2.Request) {
 	for k, vs := range r.Form {
 		pterm.Println(pterm.FgLightBlue.Sprintf("  %s: ", k) + strings.Join(vs, ", "))
 	}
+
+	if r.Cert != nil {
+		if info, err := certinfo.CertificateText(r.Cert); err == nil {
+			pterm.Println()
+			pterm.FgGray.Println(info)
+		}
+	}
 }
 
 func LogRequestln(request oauth2.Request) {
diff --git a/cmd/oauth2.go b/cmd/oauth2.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/cloudentity/oauth2c/internal/oauth2"
 	"github.com/golang-jwt/jwt"
@@ -40,6 +41,9 @@ func init() {
 	OAuth2Cmd.PersistentFlags().BoolVar(&cconfig.NoPKCE, "no-pkce", false, "disable proof key for code exchange (PKCE)")
 	OAuth2Cmd.PersistentFlags().StringVar(&cconfig.Assertion, "assertion", "", "claims for jwt bearer assertion (standard claims such as iss, aud, iat, exp, jti are automatically generated)")
 	OAuth2Cmd.PersistentFlags().StringVar(&cconfig.SigningKey, "signing-key", "", "path or url to signing key in jwks format")
+	OAuth2Cmd.PersistentFlags().StringVar(&cconfig.TLSCert, "tls-cert", "", "path to tls cert pem file")
+	OAuth2Cmd.PersistentFlags().StringVar(&cconfig.TLSKey, "tls-key", "", "path to tls key pem file")
+	OAuth2Cmd.PersistentFlags().StringVar(&cconfig.TLSRootCA, "tls-root-ca", "", "path to tls root ca pem file")
 	OAuth2Cmd.PersistentFlags().BoolVar(&cconfig.Insecure, "insecure", false, "allow insecure connections")
 }
 
@@ -51,6 +55,7 @@ var OAuth2Cmd = &cobra.Command{
 		var (
 			config Config
 			data   []byte
+			cert   tls.Certificate
 			err    error
 		)
 
@@ -68,14 +73,31 @@ var OAuth2Cmd = &cobra.Command{
 			cconfig.IssuerURL = strings.TrimSuffix(args[0], oauth2.OpenIDConfigurationPath)
 		}
 
-		hc := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: cconfig.Insecure,
-				},
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: cconfig.Insecure,
+				MinVersion:         tls.VersionTLS12,
 			},
 		}
 
+		hc := &http.Client{Timeout: 10 * time.Second, Transport: tr}
+
+		if cconfig.TLSCert != "" && cconfig.TLSKey != "" {
+			if cert, err = oauth2.ReadKeyPair(cconfig.TLSCert, cconfig.TLSKey, hc); err != nil {
+				pterm.Error.PrintOnError(err)
+				os.Exit(1)
+			}
+
+			tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
+		}
+
+		if cconfig.TLSRootCA != "" {
+			if tr.TLSClientConfig.RootCAs, err = oauth2.ReadRootCA(cconfig.TLSRootCA, hc); err != nil {
+				pterm.Error.PrintOnError(err)
+				os.Exit(1)
+			}
+		}
+
 		if err := Authorize(cconfig, hc); err != nil {
 			var oauth2Error *oauth2.Error
 
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.19
 require (
 	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b
 	github.com/imdario/mergo v0.3.13
 	github.com/lithammer/shortuuid/v4 v4.0.0
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
diff --git a/go.sum b/go.sum
@@ -28,6 +28,8 @@ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ=
 github.com/gookit/color v1.5.0 h1:1Opow3+BWDwqor78DcJkJCIwnkviFi+rrOANki9BUFw=
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
+github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b h1:NGgE5ELokSf2tZ/bydyDUKrvd/jP8lrAoPNeBuMOTOk=
+github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b/go.mod h1:zT/uzhdQGTqlwTq7Lpbj3JoJQWfPfIJ1tE0OidAmih8=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
diff --git a/internal/oauth2/oauth2.go b/internal/oauth2/oauth2.go
@@ -3,6 +3,7 @@ package oauth2
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -38,9 +39,8 @@ const (
 	ClientSecretPostAuthMethod  string = "client_secret_post"
 	ClientSecretJwtAuthMethod   string = "client_secret_jwt"
 	PrivateKeyJwtAuthMethod     string = "private_key_jwt"
-	// SelfSignedTLSAuthMethod     string = "self_signed_tls_client_auth"
-	// TLSClientAuthMethod         string = "tls_client_auth"
-	// NoneAuthMethod              string = "none"
+	SelfSignedTLSAuthMethod     string = "self_signed_tls_client_auth"
+	TLSClientAuthMethod         string = "tls_client_auth"
 )
 
 // client assertion types
@@ -69,6 +69,9 @@ type ClientConfig struct {
 	RefreshToken string
 	Assertion    string
 	SigningKey   string
+	TLSCert      string
+	TLSKey       string
+	TLSRootCA    string
 }
 
 func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfig) (r Request, codeVerifier string, err error) {
@@ -233,10 +236,11 @@ func RequestToken(
 	opts ...RequestTokenOption,
 ) (request Request, response TokenResponse, err error) {
 	var (
-		req    *http.Request
-		resp   *http.Response
-		params RequestTokenParams
-		body   []byte
+		req      *http.Request
+		resp     *http.Response
+		params   RequestTokenParams
+		endpoint = sconfig.TokenEndpoint
+		body     []byte
 	)
 
 	for _, opt := range opts {
@@ -299,6 +303,15 @@ func RequestToken(
 
 		request.Form.Set("client_assertion_type", JwtBearerClientAssertion)
 		request.Form.Set("client_assertion", clientAssertion)
+	case TLSClientAuthMethod, SelfSignedTLSAuthMethod:
+		endpoint = sconfig.MTLsEndpointAliases.TokenEndpoint
+		request.Form.Set("client_id", cconfig.ClientID)
+
+		if tr, ok := hc.Transport.(*http.Transport); ok {
+			if len(tr.TLSClientConfig.Certificates) > 0 {
+				request.Cert, _ = x509.ParseCertificate(tr.TLSClientConfig.Certificates[0].Certificate[0])
+			}
+		}
 	}
 
 	if params.RedirectURL != "" {
@@ -316,7 +329,7 @@ func RequestToken(
 	if req, err = http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		sconfig.TokenEndpoint,
+		endpoint,
 		strings.NewReader(request.Form.Encode()),
 	); err != nil {
 		return request, response, err
diff --git a/internal/oauth2/signing_test.go b/internal/oauth2/signing_test.go
@@ -12,14 +12,14 @@ import (
 )
 
 func TestReadKey(t *testing.T) {
-	key, err := oauth2.ReadKey("./testdata/jwks-private.json", http.DefaultClient)
+	key, err := oauth2.ReadKey("../../data/key.json", http.DefaultClient)
 	require.NoError(t, err)
 
 	require.NotNil(t, key)
 }
 
 func TestSignJWT(t *testing.T) {
-	key, err := oauth2.ReadKey("./testdata/jwks-private.json", http.DefaultClient)
+	key, err := oauth2.ReadKey("../../data/key.json", http.DefaultClient)
 	require.NoError(t, err)
 
 	claims := oauth2.AssertionClaims(
@@ -33,7 +33,7 @@ func TestSignJWT(t *testing.T) {
 	)
 
 	jwt, _, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{
-		SigningKey: "./testdata/jwks-private.json",
+		SigningKey: "../../data/key.json",
 	}, http.DefaultClient))
 	require.NoError(t, err)
 
diff --git a/internal/oauth2/testdata/jwks-private.json b/internal/oauth2/testdata/jwks-private.json
diff --git a/internal/oauth2/tls.go b/internal/oauth2/tls.go
@@ -0,0 +1,73 @@
+package oauth2
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+)
+
+func ReadURL(location string, hc *http.Client) (data []byte, err error) {
+	var resp *http.Response
+
+	if resp, err = hc.Get(location); err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if data, err = io.ReadAll(resp.Body); err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed to read data from url %d: %s", resp.StatusCode, string(data))
+	}
+
+	return data, nil
+}
+
+func ReadKeyPair(cert string, key string, hc *http.Client) (keyPair tls.Certificate, err error) {
+	if strings.HasPrefix(cert, "http") && strings.HasPrefix(key, "http") {
+		var (
+			certPEM []byte
+			keyPEM  []byte
+		)
+
+		if certPEM, err = ReadURL(cert, hc); err != nil {
+			return tls.Certificate{}, err
+		}
+
+		if keyPEM, err = ReadURL(key, hc); err != nil {
+			return tls.Certificate{}, err
+		}
+
+		return tls.X509KeyPair(certPEM, keyPEM)
+	}
+
+	return tls.LoadX509KeyPair(cert, key)
+}
+
+func ReadRootCA(location string, hc *http.Client) (pool *x509.CertPool, err error) {
+	var rootCA []byte
+
+	if pool, err = x509.SystemCertPool(); err != nil {
+		return nil, err
+	}
+
+	if strings.HasPrefix(location, "http") {
+		if rootCA, err = ReadURL(location, hc); err != nil {
+			return nil, err
+		}
+	} else {
+		if rootCA, err = os.ReadFile(location); err != nil {
+			return nil, err
+		}
+	}
+
+	pool.AppendCertsFromPEM(rootCA)
+
+	return pool, nil
+}
diff --git a/internal/oauth2/tracing.go b/internal/oauth2/tracing.go
@@ -1,13 +1,17 @@
 package oauth2
 
-import "net/url"
+import (
+	"crypto/x509"
+	"net/url"
+)
 
 type Request struct {
 	Method  string
 	URL     *url.URL
 	Headers map[string][]string
 	Form    url.Values
 	Key     interface{}
+	Cert    *x509.Certificate
 }
 
 func (r *Request) Get(key string) string {
diff --git a/internal/oauth2/well_known.go b/internal/oauth2/well_known.go
@@ -17,6 +17,9 @@ type ServerConfig struct {
 	SupportedResponseModes            []string `json:"response_modes_supported"`
 	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
 	TokenEndpoint                     string   `json:"token_endpoint"`
+	MTLsEndpointAliases               struct {
+		TokenEndpoint string `json:"token_endpoint"`
+	} `json:"mtls_endpoint_aliases"`
 }
 
 func FetchOpenIDConfiguration(ctx context.Context, issuerURL string, hc *http.Client) (request Request, c ServerConfig, err error) {

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`
`12`	`12`	`"github.com/cloudentity/oauth2c/internal/oauth2"`
`13`	`13`	`"github.com/golang-jwt/jwt"`
	`14`	`+ "github.com/grantae/certinfo"`
`14`	`15`	`"github.com/pterm/pterm"`
`15`	`16`	`"github.com/tidwall/pretty"`
`16`	`17`	`)`
`@@ -60,6 +61,13 @@ func LogRequest(r oauth2.Request) {`
`60`	`61`	`for k, vs := range r.Form {`
`61`	`62`	`pterm.Println(pterm.FgLightBlue.Sprintf(" %s: ", k) + strings.Join(vs, ", "))`
`62`	`63`	`}`
	`64`	`+`
	`65`	`+ if r.Cert != nil {`
	`66`	`+ if info, err := certinfo.CertificateText(r.Cert); err == nil {`
	`67`	`+ pterm.Println()`
	`68`	`+ pterm.FgGray.Println(info)`
	`69`	`+ }`
	`70`	`+ }`
`63`	`71`	`}`
`64`	`72`
`65`	`73`	`func LogRequestln(request oauth2.Request) {`
Original file line number	Diff line number	Diff line change
`@@ -12,14 +12,14 @@ import (`
`12`	`12`	`)`
`13`	`13`
`14`	`14`	`func TestReadKey(t *testing.T) {`
`15`		`- key, err := oauth2.ReadKey("./testdata/jwks-private.json", http.DefaultClient)`
	`15`	`+ key, err := oauth2.ReadKey("../../data/key.json", http.DefaultClient)`
`16`	`16`	`require.NoError(t, err)`
`17`	`17`
`18`	`18`	`require.NotNil(t, key)`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`func TestSignJWT(t *testing.T) {`
`22`		`- key, err := oauth2.ReadKey("./testdata/jwks-private.json", http.DefaultClient)`
	`22`	`+ key, err := oauth2.ReadKey("../../data/key.json", http.DefaultClient)`
`23`	`23`	`require.NoError(t, err)`
`24`	`24`
`25`	`25`	`claims := oauth2.AssertionClaims(`
`@@ -33,7 +33,7 @@ func TestSignJWT(t *testing.T) {`
`33`	`33`	`)`
`34`	`34`
`35`	`35`	`jwt, _, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{`
`36`		`- SigningKey: "./testdata/jwks-private.json",`
	`36`	`+ SigningKey: "../../data/key.json",`
`37`	`37`	`}, http.DefaultClient))`
`38`	`38`	`require.NoError(t, err)`
`39`	`39`