Feature/request object (#38)

Author: mbilski

README.md

@@ -74,6 +74,7 @@ The available flags are:
       --password string             resource owner password credentials grant flow password
       --pkce                        enable proof key for code exchange (PKCE)
       --refresh-token string        refresh token
+      --request-object              pass request parameters as jwt
       --response-mode string        response mode
       --response-types strings      response type
       --scopes strings              requested scopes

cmd/log.go

@@ -7,10 +7,11 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
-	"github.com/go-jose/go-jose/v3/jwt"
 	"strconv"
 	"strings"
 
+	"github.com/go-jose/go-jose/v3/jwt"
+
 	"github.com/cloudentity/oauth2c/internal/oauth2"
 	"github.com/grantae/certinfo"
 	"github.com/pterm/pterm"
@@ -274,6 +275,39 @@ func LogJARM(request oauth2.Request) {
 	}
 }
 
+func LogRequestObject(r oauth2.Request) {
+	var (
+		request       = r.URL.Query().Get("request")
+		requestClaims map[string]interface{}
+		token         *jwt.JSONWebToken
+		err           error
+	)
+
+	if silent {
+		return
+	}
+
+	if request != "" {
+		if token, requestClaims, err = oauth2.UnsafeParseJWT(request); err != nil {
+			pterm.Error.Println(err)
+		} else {
+			pterm.DefaultBox.WithTitle("Request object").Printfln("request = JWT-%s(payload)", token.Headers[0].Algorithm)
+			pterm.Println()
+			pterm.Println("Payload")
+			LogJson(requestClaims)
+			pterm.Println()
+
+			if r.SigningKey != nil {
+				LogKey("Signing key", r.SigningKey)
+			}
+
+			if r.EncryptionKey != nil {
+				LogKey("Encryption key", r.EncryptionKey)
+			}
+		}
+	}
+}
+
 func LogAssertion(request oauth2.Request, title string, name string) {
 	var (
 		assertion = request.Form.Get(name)
@@ -301,8 +335,15 @@ func LogAssertion(request oauth2.Request, title string, name string) {
 	LogJson(claims)
 	pterm.Println("")
 
-	pterm.Println("Key")
-	switch key := request.Key.(type) {
+	LogKey("Signing key", request.SigningKey)
+}
+
+func LogKey(name string, key interface{}) {
+	var err error
+
+	pterm.Println(name)
+
+	switch key := key.(type) {
 	case *rsa.PrivateKey:
 		p := bytes.Buffer{}
 
@@ -333,6 +374,8 @@ func LogAssertion(request oauth2.Request, title string, name string) {
 		pterm.FgGray.Printfln(p.String())
 	case []byte:
 		pterm.FgGray.Println(string(key))
+	case string:
+		pterm.FgGray.Println(key)
 	}
 
 	pterm.Println()
@@ -369,5 +412,7 @@ func LogSubjectTokenAndActorToken(request oauth2.Request) {
 		}
 	}
 
-	pterm.Println()
+	if subjectToken != "" || actorToken != "" {
+		pterm.Println()
+	}
 }

cmd/oauth2.go

@@ -57,6 +57,7 @@ func NewOAuth2Cmd() (cmd *OAuth2Cmd) {
 	cmd.PersistentFlags().StringSliceVar(&cconfig.Scopes, "scopes", []string{}, "requested scopes")
 	cmd.PersistentFlags().BoolVar(&cconfig.PKCE, "pkce", false, "enable proof key for code exchange (PKCE)")
 	cmd.PersistentFlags().BoolVar(&cconfig.PAR, "par", false, "enable pushed authorization requests (PAR)")
+	cmd.PersistentFlags().BoolVar(&cconfig.RequestObject, "request-object", false, "pass request parameters as jwt")
 	cmd.PersistentFlags().StringVar(&cconfig.Assertion, "assertion", "", "claims for jwt bearer assertion")
 	cmd.PersistentFlags().StringVar(&cconfig.SigningKey, "signing-key", "", "path or url to signing key in jwks format")
 	cmd.PersistentFlags().StringVar(&cconfig.EncryptionKey, "encryption-key", "", "path or url to encryption key in jwks format")

cmd/oauth2_authorize_code.go

@@ -36,14 +36,16 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 
 		LogSection("Request authorization")
 
+		LogRequestObject(parRequest)
 		LogRequest(authorizeRequest)
 	} else {
 		LogSection("Request authorization")
 
-		if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig); err != nil {
+		if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig, hc); err != nil {
 			return err
 		}
 
+		LogRequestObject(authorizeRequest)
 		LogRequest(authorizeRequest)
 	}
 

cmd/oauth2_implicit.go

@@ -19,7 +19,7 @@ func (c *OAuth2Cmd) ImplicitGrantFlow(clientConfig oauth2.ClientConfig, serverCo
 	// authorize endpoint
 	LogSection("Request authorization")
 
-	if authorizeRequest, _, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig); err != nil {
+	if authorizeRequest, _, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig, hc); err != nil {
 		return err
 	}
 

docs/examples.md

@@ -392,6 +392,28 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
 
 ## Extensions
 
+### Request Object
+
+The Request Object is a JWT that contains the parameters of an authorization request. It allows the request to be passed along as a single,
+self-contained parameter, and it can be optionally signed and/or encrypted for added security.
+
+<details>
+<summary>Show example</summary>
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id cauktionbud6q8ftlqq0 \
+  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
+  --response-types code \
+  --response-mode query \
+  --grant-type authorization_code \
+  --auth-method client_secret_basic \
+  --scopes openid,email,offline_access \
+  --request-object
+```
+
+</details>
+
 ### PKCE
 
 The Proof Key for Code Exchange (PKCE) is an extension to the OAuth2 authorization code grant flow that

go.mod

@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/go-jose/go-jose/v3 v3.0.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v4 v4.4.3
 	github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/imdario/mergo v0.3.13

go.sum

@@ -19,8 +19,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
+github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=

internal/oauth2/jwe.go

@@ -0,0 +1,58 @@
+package oauth2
+
+import (
+	"net/http"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/pkg/errors"
+)
+
+type EncrypterProvider func() (jose.Encrypter, interface{}, error)
+
+func JWEEncrypter(clientConfig ClientConfig, hc *http.Client) EncrypterProvider {
+	return func() (encrypter jose.Encrypter, _ interface{}, err error) {
+		var key jose.JSONWebKey
+
+		if clientConfig.EncryptionKey == "" {
+			return nil, nil, errors.New("no encryption key path")
+		}
+
+		if key, err = ReadKey(EncryptionKey, clientConfig.EncryptionKey, hc); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to read encryption key from %s", clientConfig.EncryptionKey)
+		}
+
+		if encrypter, err = jose.NewEncrypter(
+			jose.A256GCM,
+			jose.Recipient{
+				Algorithm: jose.KeyAlgorithm(key.Algorithm),
+				Key:       key.Key,
+			},
+			(&jose.EncrypterOptions{}).WithType("JWT").WithContentType("JWT"),
+		); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to create an encrypter")
+		}
+
+		return encrypter, key.Key, nil
+	}
+}
+
+func EncryptJWT(token string, encrypterProvider EncrypterProvider) (nestedJWT string, key interface{}, err error) {
+	var (
+		encrypter jose.Encrypter
+		jwe       *jose.JSONWebEncryption
+	)
+
+	if encrypter, key, err = encrypterProvider(); err != nil {
+		return "", nil, err
+	}
+
+	if jwe, err = encrypter.Encrypt([]byte(token)); err != nil {
+		return "", nil, err
+	}
+
+	if nestedJWT, err = jwe.CompactSerialize(); err != nil {
+		return "", nil, err
+	}
+
+	return nestedJWT, key, nil
+}

internal/oauth2/jwt.go

@@ -3,10 +3,12 @@ package oauth2
 import (
 	"encoding/json"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/go-jose/go-jose/v3"
 	"github.com/go-jose/go-jose/v3/jwt"
+	golangjwt "github.com/golang-jwt/jwt/v4"
 	"github.com/pkg/errors"
 )
 
@@ -92,6 +94,25 @@ func AssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig) Claim
 	}
 }
 
+func RequestObjectClaims(params url.Values, serverConfig ServerConfig, clientConfig ClientConfig) ClaimsProvider {
+	return func() (map[string]interface{}, error) {
+		claims := map[string]interface{}{
+			"iss": clientConfig.ClientID,
+			"aud": serverConfig.Issuer,
+		}
+
+		for key, values := range params {
+			if len(values) == 0 {
+				continue
+			}
+
+			claims[key] = values[0]
+		}
+
+		return claims, nil
+	}
+}
+
 func ClientAssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig) ClaimsProvider {
 	return func() (map[string]interface{}, error) {
 		return map[string]interface{}{
@@ -135,3 +156,22 @@ func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (jwt
 
 	return jwt, key, nil
 }
+
+func PlaintextJWT(claimsProvider ClaimsProvider) (jwt string, key string, err error) {
+	var (
+		claims map[string]interface{}
+		t      *golangjwt.Token
+	)
+
+	if claims, err = claimsProvider(); err != nil {
+		return "", "", errors.Wrapf(err, "failed to build claims")
+	}
+
+	t = golangjwt.NewWithClaims(golangjwt.SigningMethodNone, golangjwt.MapClaims(claims))
+
+	if jwt, err = t.SignedString(golangjwt.UnsafeAllowNoneSignatureType); err != nil {
+		return "", "", err
+	}
+
+	return jwt, "none", nil
+}