Decoupled code from DefaultSigningKey.

KN4CK3R · KN4CK3R · commit bd54abd2bc71 · 2021-08-19T20:38:16.000Z
diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go
@@ -133,7 +133,7 @@ type AccessTokenResponse struct {
 	IDToken      string    `json:"id_token,omitempty"`
 }
 
-func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
+func newAccessTokenResponse(grant *models.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
 	if setting.OAuth2.InvalidateRefreshTokens {
 		if err := grant.IncreaseCounter(); err != nil {
 			return nil, &AccessTokenError{
@@ -151,7 +151,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign
 			ExpiresAt: expirationDate.AsTime().Unix(),
 		},
 	}
-	signedAccessToken, err := accessToken.SignToken()
+	signedAccessToken, err := accessToken.SignToken(serverKey)
 	if err != nil {
 		return nil, &AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
@@ -169,7 +169,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign
 			ExpiresAt: refreshExpirationDate,
 		},
 	}
-	signedRefreshToken, err := refreshToken.SignToken()
+	signedRefreshToken, err := refreshToken.SignToken(serverKey)
 	if err != nil {
 		return nil, &AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
@@ -225,7 +225,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign
 			idToken.EmailVerified = user.IsActive
 		}
 
-		signedIDToken, err = idToken.SignToken(signingKey)
+		signedIDToken, err = idToken.SignToken(clientKey)
 		if err != nil {
 			return nil, &AccessTokenError{
 				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
@@ -541,24 +541,25 @@ func AccessTokenOAuth(ctx *context.Context) {
 		}
 	}
 
-	signingKey := oauth2.DefaultSigningKey
-	if signingKey.IsSymmetric() {
-		clientKey, err := oauth2.CreateJWTSingingKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret))
+	serverKey := oauth2.DefaultSigningKey
+	clientKey := serverKey
+	if serverKey.IsSymmetric() {
+		var err error
+		clientKey, err = oauth2.CreateJWTSingingKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret))
 		if err != nil {
 			handleAccessTokenError(ctx, AccessTokenError{
 				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
 				ErrorDescription: "Error creating signing key",
 			})
 			return
 		}
-		signingKey = clientKey
 	}
 
 	switch form.GrantType {
 	case "refresh_token":
-		handleRefreshToken(ctx, form, signingKey)
+		handleRefreshToken(ctx, form, serverKey, clientKey)
 	case "authorization_code":
-		handleAuthorizationCode(ctx, form, signingKey)
+		handleAuthorizationCode(ctx, form, serverKey, clientKey)
 	default:
 		handleAccessTokenError(ctx, AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,
@@ -567,8 +568,8 @@ func AccessTokenOAuth(ctx *context.Context) {
 	}
 }
 
-func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
-	token, err := oauth2.ParseToken(form.RefreshToken)
+func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
+	token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
 	if err != nil {
 		handleAccessTokenError(ctx, AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
@@ -595,15 +596,15 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signin
 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
 		return
 	}
-	accessToken, tokenErr := newAccessTokenResponse(grant, signingKey)
+	accessToken, tokenErr := newAccessTokenResponse(grant, serverKey, clientKey)
 	if tokenErr != nil {
 		handleAccessTokenError(ctx, *tokenErr)
 		return
 	}
 	ctx.JSON(http.StatusOK, accessToken)
 }
 
-func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
+func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
 	if err != nil {
 		handleAccessTokenError(ctx, AccessTokenError{
@@ -657,7 +658,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 			ErrorDescription: "cannot proceed your request",
 		})
 	}
-	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, signingKey)
+	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, serverKey, clientKey)
 	if tokenErr != nil {
 		handleAccessTokenError(ctx, *tokenErr)
 		return
diff --git a/routers/web/user/oauth_test.go b/routers/web/user/oauth_test.go
@@ -18,9 +18,8 @@ func createAndParseToken(t *testing.T, grant *models.OAuth2Grant) *oauth2.OIDCTo
 	signingKey, err := oauth2.CreateJWTSingingKey("HS256", make([]byte, 32))
 	assert.NoError(t, err)
 	assert.NotNil(t, signingKey)
-	oauth2.DefaultSigningKey = signingKey
 
-	response, terr := newAccessTokenResponse(grant, signingKey)
+	response, terr := newAccessTokenResponse(grant, signingKey, signingKey)
 	assert.Nil(t, terr)
 	assert.NotNil(t, response)
 
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
@@ -29,9 +29,9 @@ func CheckOAuthAccessToken(accessToken string) int64 {
 	if !strings.Contains(accessToken, ".") {
 		return 0
 	}
-	token, err := oauth2.ParseToken(accessToken)
+	token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey)
 	if err != nil {
-		log.Trace("ParseOAuth2Token: %v", err)
+		log.Trace("oauth2.ParseToken: %v", err)
 		return 0
 	}
 	var grant *models.OAuth2Grant
diff --git a/services/auth/source/oauth2/token.go b/services/auth/source/oauth2/token.go
@@ -40,12 +40,12 @@ type Token struct {
 }
 
 // ParseToken parses a signed jwt string
-func ParseToken(jwtToken string) (*Token, error) {
+func ParseToken(jwtToken string, signingKey JWTSigningKey) (*Token, error) {
 	parsedToken, err := jwt.ParseWithClaims(jwtToken, &Token{}, func(token *jwt.Token) (interface{}, error) {
-		if token.Method == nil || token.Method.Alg() != DefaultSigningKey.SigningMethod().Alg() {
+		if token.Method == nil || token.Method.Alg() != signingKey.SigningMethod().Alg() {
 			return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"])
 		}
-		return DefaultSigningKey.VerifyKey(), nil
+		return signingKey.VerifyKey(), nil
 	})
 	if err != nil {
 		return nil, err
@@ -59,11 +59,11 @@ func ParseToken(jwtToken string) (*Token, error) {
 }
 
 // SignToken signs the token with the JWT secret
-func (token *Token) SignToken() (string, error) {
+func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
 	token.IssuedAt = time.Now().Unix()
-	jwtToken := jwt.NewWithClaims(DefaultSigningKey.SigningMethod(), token)
-	DefaultSigningKey.PreProcessToken(jwtToken)
-	return jwtToken.SignedString(DefaultSigningKey.SignKey())
+	jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
+	signingKey.PreProcessToken(jwtToken)
+	return jwtToken.SignedString(signingKey.SignKey())
 }
 
 // OIDCToken represents an OpenID Connect id_token

Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,9 @@ func CheckOAuthAccessToken(accessToken string) int64 {`
`29`	`29`	`if !strings.Contains(accessToken, ".") {`
`30`	`30`	`return 0`
`31`	`31`	`}`
`32`		`- token, err := oauth2.ParseToken(accessToken)`
	`32`	`+ token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey)`
`33`	`33`	`if err != nil {`
`34`		`- log.Trace("ParseOAuth2Token: %v", err)`
	`34`	`+ log.Trace("oauth2.ParseToken: %v", err)`
`35`	`35`	`return 0`
`36`	`36`	`}`
`37`	`37`	`var grant *models.OAuth2Grant`