Improve validation of jwt

dlcs · Jan 16, 2024 · a7be86b · a7be86b
1 parent e60d64e
commit a7be86b
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 8 deletions.
diff --git a/src/IIIFAuth2/IIIFAuth2.API.Tests/Utils/StringX.cs b/src/IIIFAuth2/IIIFAuth2.API.Tests/Utils/StringX.cs
@@ -0,0 +1,33 @@
+using IIIFAuth2.API.Utils;
+
+namespace IIIFAuth2.API.Tests.Utils;
+
+public class StringX
+{
+    [Fact]
+    public void EnsureEndsWith_ReturnsProvidedValue_IfAlreadyEndsWith()
+    {
+        // Arrange
+        const string val = "vultureprince";
+
+        // Act
+        var actual = val.EnsureEndsWith("ce");
+
+        // Assert
+        actual.Should().Be(val);
+    }
+
+    [Fact]
+    public void EnsureEndsWith_AppendsValue_IfAlreadyEndsWith()
+    {
+        // Arrange
+        const string val = "vultureprince";
+        const string expected = "vultureprince/";
+
+        // Act
+        var actual = val.EnsureEndsWith("/");
+
+        // Assert
+        actual.Should().Be(expected);
+    }
+}
diff --git a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/Auth0Client.cs
@@ -60,9 +60,13 @@ public async Task<IReadOnlyCollection<string>> GetDlcsRolesForCode(OidcConfigura
     {
         var auth0Token = await GetAuth0Token(oidcConfiguration, accessService, code, cancellationToken);
 
+        // For auth0 "iss" = auth0 domain (ending in /) and "aud" = clientId 
+        var issuer = oidcConfiguration.Domain.EnsureEndsWith("/");
+        var audience = oidcConfiguration.ClientId;
+
         var claimsPrincipal =
             await jwtTokenHandler.GetClaimsFromToken(auth0Token.IdToken, oidcConfiguration.Domain,
-                oidcConfiguration.Issuer, cancellationToken);
+                issuer, audience, cancellationToken);
 
         if (claimsPrincipal == null) return Array.Empty<string>();
 

diff --git a/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs b/src/IIIFAuth2/IIIFAuth2.API/Infrastructure/Auth/RoleProvisioning/Oidc/JwtTokenParser.cs
@@ -14,10 +14,11 @@ public interface IJwtTokenHandler
     /// </summary>
     /// <param name="jwtToken">JWT id token string</param>
     /// <param name="domain">Base domain where jwks can be found</param>
-    /// <param name="issuer">Base domain where jwks can be found</param>
+    /// <param name="issuer">Valid "iss" value</param>
+    /// <param name="audience">Valid "aud" value</param>
     /// <param name="cancellationToken">Current cancellation token</param>
     /// <returns><see cref="ClaimsPrincipal"/> if jwt is valid, else null</returns>
-    Task<ClaimsPrincipal?> GetClaimsFromToken(string jwtToken, string domain, string issuer,
+    Task<ClaimsPrincipal?> GetClaimsFromToken(string jwtToken, string domain, string issuer, string audience,
         CancellationToken cancellationToken);
 }
 
@@ -33,10 +34,10 @@ public JwtTokenHandler(HttpClient httpClient, IAppCache appCache, ILogger<JwtTok
         this.appCache = appCache;
         this.logger = logger;
     }
-    
+
     /// <inheritdoc />
     public async Task<ClaimsPrincipal?> GetClaimsFromToken(string jwtToken, string domain, string issuer,
-        CancellationToken cancellationToken)
+        string audience, CancellationToken cancellationToken)
     {
         try
         {
@@ -49,8 +50,9 @@ public JwtTokenHandler(HttpClient httpClient, IAppCache appCache, ILogger<JwtTok
                 IssuerSigningKeys = jwks.GetSigningKeys(),
                 ValidateIssuer = true,
                 ValidIssuer = issuer,
+                ValidateAudience = true,
+                ValidAudience = audience,
                 ValidateLifetime = true,
-                ValidateAudience = false,
                 ValidateActor = false,
                 ValidateTokenReplay = false,
             };
@@ -68,7 +70,7 @@ public JwtTokenHandler(HttpClient httpClient, IAppCache appCache, ILogger<JwtTok
 
         return null;
     }
-    
+
     private async Task<JsonWebKeySet> GetWebKeySetForDomain(string auth0Domain, CancellationToken cancellationToken)
     {
         var cacheKey = $"{auth0Domain}:jwks";

diff --git a/src/IIIFAuth2/IIIFAuth2.API/Models/Domain/RoleProviderConfiguration.cs b/src/IIIFAuth2/IIIFAuth2.API/Models/Domain/RoleProviderConfiguration.cs
@@ -75,7 +75,6 @@ public class OidcConfiguration : IProviderConfiguration
     public string ClientSecret { get; set; } = null!;
     public string? Scopes { get; set; }
     public string ClaimType { get; set; } = null!;
-    public string Issuer { get; set; }
 
     /// <summary>
     /// How to handle an unknown claim value 

diff --git a/src/IIIFAuth2/IIIFAuth2.API/Utils/StringX.cs b/src/IIIFAuth2/IIIFAuth2.API/Utils/StringX.cs
@@ -0,0 +1,13 @@
+namespace IIIFAuth2.API.Utils;
+
+public static class StringX
+{
+    /// <summary>
+    /// Ensure that strings ends with provided value, adding it if not.
+    /// </summary>
+    /// <param name="str">String to check</param>
+    /// <param name="endsWith">Value to ensure string ends with</param>
+    /// <returns>Provided string if it already ends with value, or provided string with value appended</returns>
+    public static string EnsureEndsWith(this string str, string endsWith)
+        => str.EndsWith(endsWith) ? str : $"{str}{endsWith}";
+}