feat(sdk): don't require client_id in the auth token (#544)

mkleene · web-flow · commit a1e70f9db0d6 · 2024-04-12T18:28:54.000Z
This isn't a claim that is in any spec, except for token exchange drafts

Instead we should allow the roles specified in the token to dictate
access to resources.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -41,7 +41,6 @@ The server configuration is used to define how the application runs its server.
 | `tls.key` | The path to the tls key. | |
 | `auth.audience` | The audience for the IDP. | |
 | `auth.issuer` | The issuer for the IDP. | |
-| `auth.clients` | A list of client id's that are allowed. | |
 
 Example:
 
@@ -58,9 +57,6 @@ server:
     enabled: true
     audience: https://example.com
     issuer: https://example.com
-    clients:
-      - client_id
-      - client_id2
 ```
 
 ## Database Configuration
diff --git a/opentdf-example-no-kas.yaml b/opentdf-example-no-kas.yaml
@@ -18,8 +18,6 @@ server:
     enabled: false
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/tdf
-    clients:
-      - "opentdf"
   grpc:
     reflectionEnabled: true # Default is false
   hsm:
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -25,9 +25,6 @@ server:
     enabled: true
     audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
-    clients:
-      - "opentdf"
-      - "opentdf-sdk"
     policy:
       ## Default policy for all requests
       default: #"role:readonly"
diff --git a/service/internal/auth/authn.go b/service/internal/auth/authn.go
@@ -295,7 +295,6 @@ func (a Authentication) checkToken(ctx context.Context, authHeader []string, dpo
 		jwt.WithValidate(true),
 		jwt.WithIssuer(issuer),
 		jwt.WithAudience(oidc.Audience),
-		jwt.WithValidator(jwt.ValidatorFunc(a.claimsValidator)),
 	)
 
 	if err != nil {
@@ -447,45 +446,3 @@ func validateDPoP(accessToken jwt.Token, acessTokenRaw string, dpopInfo dpopInfo
 	}
 	return &dpopKey, nil
 }
-
-// claimsValidator is a custom validator to check extra claims in the token.
-// right now it only checks for client_id
-func (a Authentication) claimsValidator(_ context.Context, token jwt.Token) jwt.ValidationError {
-	var (
-		clientID string
-	)
-
-	// Need to check for cid and client_id as this claim seems to be different between idp's
-	cidClaim, cidExists := token.Get("cid")
-	clientIDClaim, clientIDExists := token.Get("client_id")
-
-	// Check to see if we have a client id claim
-	switch {
-	case cidExists:
-		if cid, ok := cidClaim.(string); ok {
-			clientID = cid
-			break
-		}
-	case clientIDExists:
-		if cid, ok := clientIDClaim.(string); ok {
-			clientID = cid
-			break
-		}
-	default:
-		return jwt.NewValidationError(fmt.Errorf("client id required"))
-	}
-
-	// Check if the client id is allowed in list of clients
-	foundClientID := false
-	for _, c := range a.oidcConfigurations[token.Issuer()].Clients {
-		if c == clientID {
-			foundClientID = true
-			break
-		}
-	}
-	if !foundClientID {
-		return jwt.NewValidationError(fmt.Errorf("invalid client id"))
-	}
-
-	return nil
-}
diff --git a/service/internal/auth/authn_test.go b/service/internal/auth/authn_test.go
@@ -142,7 +142,6 @@ func (s *AuthSuite) SetupTest() {
 	auth, err := NewAuthenticator(AuthNConfig{
 		Issuer:   s.server.URL,
 		Audience: "test",
-		Clients:  []string{"client1", "client2", "client3"},
 	}, nil)
 
 	s.Require().NoError(err)
@@ -254,69 +253,6 @@ func (s *AuthSuite) Test_CheckToken_When_Audience_Invalid_Expect_Error() {
 	s.Equal("\"aud\" not satisfied", err.Error())
 }
 
-func (s *AuthSuite) Test_CheckToken_When_ClientID_Missing_Expect_Error() {
-	tok := jwt.New()
-	s.Require().NoError(tok.Set(jwt.ExpirationKey, time.Now().Add(time.Hour)))
-	s.Require().NoError(tok.Set("iss", s.server.URL))
-	s.Require().NoError(tok.Set("aud", "test"))
-	signedTok, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, s.key))
-
-	s.NotNil(signedTok)
-	s.Require().NoError(err)
-
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
-	s.Require().Error(err)
-	s.Equal("client id required", err.Error())
-}
-
-func (s *AuthSuite) Test_CheckToken_When_ClientID_Invalid_Expect_Error() {
-	tok := jwt.New()
-	s.Require().NoError(tok.Set(jwt.ExpirationKey, time.Now().Add(time.Hour)))
-	s.Require().NoError(tok.Set("iss", s.server.URL))
-	s.Require().NoError(tok.Set("aud", "test"))
-	s.Require().NoError(tok.Set("client_id", "invalid"))
-	signedTok, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, s.key))
-
-	s.NotNil(signedTok)
-	s.Require().NoError(err)
-
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
-	s.Require().Error(err)
-	s.Equal("invalid client id", err.Error())
-}
-
-func (s *AuthSuite) Test_CheckToken_When_CID_Invalid_Expect_Error() {
-	tok := jwt.New()
-	s.Require().NoError(tok.Set(jwt.ExpirationKey, time.Now().Add(time.Hour)))
-	s.Require().NoError(tok.Set("iss", s.server.URL))
-	s.Require().NoError(tok.Set("aud", "test"))
-	s.Require().NoError(tok.Set("cid", "invalid"))
-	signedTok, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, s.key))
-
-	s.NotNil(signedTok)
-	s.Require().NoError(err)
-
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
-	s.Require().Error(err)
-	s.Equal("invalid client id", err.Error())
-}
-
-func (s *AuthSuite) Test_CheckToken_When_CID_Invalid_INT_Expect_Error() {
-	tok := jwt.New()
-	s.Require().NoError(tok.Set(jwt.ExpirationKey, time.Now().Add(time.Hour)))
-	s.Require().NoError(tok.Set("iss", s.server.URL))
-	s.Require().NoError(tok.Set("aud", "test"))
-	s.Require().NoError(tok.Set("cid", 1))
-	signedTok, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, s.key))
-
-	s.NotNil(signedTok)
-	s.Require().NoError(err)
-
-	_, _, err = s.auth.checkToken(context.Background(), []string{fmt.Sprintf("Bearer %s", string(signedTok))}, dpopInfo{})
-	s.Require().Error(err)
-	s.Equal("invalid client id", err.Error())
-}
-
 func (s *AuthSuite) Test_CheckToken_When_Valid_No_DPoP_Expect_Error() {
 	tok := jwt.New()
 	s.Require().NoError(tok.Set(jwt.ExpirationKey, time.Now().Add(time.Hour)))
diff --git a/service/internal/auth/config.go b/service/internal/auth/config.go
@@ -10,9 +10,8 @@ type Config struct {
 
 // AuthNConfig is the configuration need for the platform to validate tokens
 type AuthNConfig struct {
-	Issuer            string   `yaml:"issuer" json:"issuer"`
-	Audience          string   `yaml:"audience" json:"audience"`
-	Clients           []string `yaml:"clients" json:"clients"`
+	Issuer            string `yaml:"issuer" json:"issuer"`
+	Audience          string `yaml:"audience" json:"audience"`
 	OIDCConfiguration `yaml:"-" json:"-"`
 	Policy            PolicyConfig `yaml:"policy" json:"policy" mapstructure:"policy"`
 }
@@ -34,9 +33,5 @@ func (c AuthNConfig) validateAuthNConfig() error {
 		return fmt.Errorf("config Auth.Audience is required")
 	}
 
-	if len(c.Clients) == 0 {
-		return fmt.Errorf("config Auth.Clients is required")
-	}
-
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -10,9 +10,8 @@ type Config struct {`
`10`	`10`
`11`	`11`	`// AuthNConfig is the configuration need for the platform to validate tokens`
`12`	`12`	`type AuthNConfig struct {`
`13`		- Issuer string `yaml:"issuer" json:"issuer"`
`14`		- Audience string `yaml:"audience" json:"audience"`
`15`		- Clients []string `yaml:"clients" json:"clients"`
	`13`	+ Issuer string `yaml:"issuer" json:"issuer"`
	`14`	+ Audience string `yaml:"audience" json:"audience"`
`16`	`15`	OIDCConfiguration `yaml:"-" json:"-"`
`17`	`16`	Policy PolicyConfig `yaml:"policy" json:"policy" mapstructure:"policy"`
`18`	`17`	`}`
`@@ -34,9 +33,5 @@ func (c AuthNConfig) validateAuthNConfig() error {`
`34`	`33`	`return fmt.Errorf("config Auth.Audience is required")`
`35`	`34`	`}`
`36`	`35`
`37`		`- if len(c.Clients) == 0 {`
`38`		`- return fmt.Errorf("config Auth.Clients is required")`
`39`		`- }`
`40`		`-`
`41`	`36`	`return nil`
`42`	`37`	`}`