4 changes: 4 additions & 0 deletions lib/src/auth/oidc-clientcredentials-provider.ts
Expand Up @@ -9,6 +9,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider {
clientId,
clientSecret,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
}: Partial<ClientSecretCredentials> & Omit<ClientSecretCredentials, 'exchange'>) {
if (!clientId || !clientSecret) {
throw new ConfigurationError('clientId & clientSecret required for client credentials flow');
Expand All @@ -19,6 +21,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider {
clientId,
clientSecret,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
});
}

6 changes: 5 additions & 1 deletion lib/src/auth/oidc-externaljwt-provider.ts
Expand Up @@ -10,6 +10,8 @@ export class OIDCExternalJwtProvider implements AuthProvider {
clientId,
externalJwt,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
}: Partial<ExternalJwtCredentials> & Omit<ExternalJwtCredentials, 'exchange'>) {
if (!clientId || !externalJwt) {
throw new ConfigurationError('external JWT exchange reequires client id and jwt');
Expand All @@ -18,8 +20,10 @@ export class OIDCExternalJwtProvider implements AuthProvider {
this.oidcAuth = new AccessToken({
exchange: 'external',
clientId,
oidcOrigin,
externalJwt,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
});

this.externalJwt = externalJwt;
6 changes: 5 additions & 1 deletion lib/src/auth/oidc-refreshtoken-provider.ts
Expand Up @@ -10,6 +10,8 @@ export class OIDCRefreshTokenProvider implements AuthProvider {
clientId,
refreshToken,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
}: Partial<RefreshTokenCredentials> & Omit<RefreshTokenCredentials, 'exchange'>) {
if (!clientId || !refreshToken) {
throw new ConfigurationError('refresh token or client id missing');
Expand All @@ -18,8 +20,10 @@ export class OIDCRefreshTokenProvider implements AuthProvider {
this.oidcAuth = new AccessToken({
exchange: 'refresh',
clientId,
refreshToken: refreshToken,
refreshToken,
oidcOrigin,
oidcTokenEndpoint,
oidcUserInfoEndpoint,
});
this.refreshToken = refreshToken;
}
19 changes: 12 additions & 7 deletions lib/src/auth/oidc.ts
Expand Up @@ -12,6 +12,8 @@ export type CommonCredentials = {
clientId: string;
/** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */
oidcOrigin: string;
oidcTokenEndpoint?: string;
oidcUserInfoEndpoint?: string;
/** Whether or not DPoP is enabled. */
dpopEnabled?: boolean;

Expand Down Expand Up @@ -89,6 +91,8 @@ export class AccessToken {
data?: AccessTokenResponse;

baseUrl: string;
tokenEndpoint: string;
userInfoEndpoint: string;

signingKey?: CryptoKeyPair;

Expand Down Expand Up @@ -119,6 +123,9 @@ export class AccessToken {
this.config = cfg;
this.request = request;
this.baseUrl = rstrip(cfg.oidcOrigin, '/');
this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
this.userInfoEndpoint =
cfg.oidcUserInfoEndpoint || `${this.baseUrl}/protocol/openid-connect/userinfo`;
this.signingKey = cfg.signingKey;
}

Expand All @@ -128,21 +135,20 @@ export class AccessToken {
* @returns
*/
async info(accessToken: string): Promise<unknown> {
const url = `${this.baseUrl}/protocol/openid-connect/userinfo`;
const headers = {
...this.extraHeaders,
Authorization: `Bearer ${accessToken}`,
} as Record<string, string>;
if (this.config.dpopEnabled && this.signingKey) {
headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
}
const response = await (this.request || fetch)(url, {
const response = await (this.request || fetch)(this.userInfoEndpoint, {
headers,
});
if (!response.ok) {
console.error(await response.text());
throw new TdfError(
`auth info fail: GET [${url}] => ${response.status} ${response.statusText}`
`auth info fail: GET [${this.userInfoEndpoint}] => ${response.status} ${response.statusText}`
);
}

Expand Down Expand Up @@ -171,7 +177,6 @@ export class AccessToken {
}

async accessTokenLookup(cfg: OIDCCredentials) {
const url = `${this.baseUrl}/protocol/openid-connect/token`;
let body;
switch (cfg.exchange) {
case 'client':
Expand All @@ -198,11 +203,11 @@ export class AccessToken {
};
break;
}
const response = await this.doPost(url, body);
const response = await this.doPost(this.tokenEndpoint, body);
if (!response.ok) {
console.error(await response.text());
throw new TdfError(
`token/code exchange fail: POST [${url}] => ${response.status} ${response.statusText}`
`token/code exchange fail: POST [${this.tokenEndpoint}] => ${response.status} ${response.statusText}`
);
}
return response.json();
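Review bot: The DPoP proof in info() is still minted for 'POST' on the changed line `headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');` while the fetch two lines below passes only `{ headers }`, i.e. a GET, which is also what the error string reports; if dpopFn's third argument becomes the proof's htm claim, a server that verifies DPoP will reject the userinfo call, so the line should read `headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'GET');` (or the request should be made a POST to match). Separately, the new `oidcTokenEndpoint` and `oidcUserInfoEndpoint` members of CommonCredentials are the only fields in that hunk without a TSDoc line; suggest `/** Optional absolute URL of the token endpoint; defaults to oidcOrigin + '/protocol/openid-connect/token'. */` and the matching comment for the userinfo endpoint. Because these overrides decide where client secrets, refresh tokens and bearer tokens are sent, the AccessToken constructor could also run them through `new URL(...)` so a malformed value fails at configuration time rather than on first use.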
6 changes: 6 additions & 0 deletions lib/src/auth/providers.ts
Expand Up @@ -36,6 +36,8 @@ export const clientSecretAuthProvider = async (
clientId: clientConfig.clientId,
clientSecret: clientConfig.clientSecret,
oidcOrigin: clientConfig.oidcOrigin,
oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
});
};

Expand All @@ -62,6 +64,8 @@ export const externalAuthProvider = async (
clientId: clientConfig.clientId,
externalJwt: clientConfig.externalJwt,
oidcOrigin: clientConfig.oidcOrigin,
oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
});
};

Expand All @@ -86,6 +90,8 @@ export const refreshAuthProvider = async (
clientId: clientConfig.clientId,
refreshToken: clientConfig.refreshToken,
oidcOrigin: clientConfig.oidcOrigin,
oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
});
};

2 changes: 1 addition & 1 deletion lib/src/opentdf.ts
Expand Up @@ -107,7 +107,6 @@ export type MimeType = `${string}/${string}`;
export type SplitStep = {
// Which KAS to use to rewrap this segment of the key
kas: string;

// An identifier for a key segment.
// Leave empty to share the key.
sid?: string;
Expand Down Expand Up @@ -336,6 +335,7 @@ export class OpenTDF {
authProvider,
dpopKeys,
kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
platformUrl,
policyEndpoint,
});
this.dpopKeys =
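Review bot: The added `platformUrl,` shorthand sits directly under `kasEndpoint: this.platformUrl || 'https://disallow.all.invalid'`, so the same options object now mixes a local `platformUrl` binding with the `this.platformUrl` instance field; if one can be undefined where the other has been normalized, the two endpoints will silently disagree. Presumably both are meant to carry the same value, in which case `platformUrl: this.platformUrl,` keeps them consistent — confirm against the enclosing method, which starts and ends outside the hunk.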
4 changes: 4 additions & 0 deletions lib/src/platform/entityresolution/entity_resolution_pb.ts


2 changes: 1 addition & 1 deletion lib/src/platform/policy/attributes/attributes_pb.ts

