willdot.net / cocoon
forked from hailey.at/cocoon
An atproto PDS written in Go
fork atom

fix unmarshaling of key inside of oauth metadata (#27)

authored by hailey.at and committed by

GitHub 195e3b04 71d0a03d

+31 -19
unified split
+11 -3
oauth/client/manager.go
··· 57 } 58 59 var jwks jwk.Key 60 - if metadata.JWKS != nil { 61 // TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to 62 // make sure we use the right one 63 - k, err := helpers.ParseJWKFromBytes((*metadata.JWKS)[0]) 64 if err != nil { 65 return nil, err 66 } 67 jwks = k 68 } else if metadata.JWKSURI != nil { 69 maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI) ··· 72 } 73 74 jwks = maybeJwks 75 } 76 77 return &Client{ ··· 262 return nil, errors.New("private_key_jwt auth method requires jwks or jwks_uri") 263 } 264 265 - if metadata.JWKS != nil && len(*metadata.JWKS) == 0 { 266 return nil, errors.New("private_key_jwt auth method requires atleast one key in jwks") 267 } 268
··· 57 } 58 59 var jwks jwk.Key 60 + if metadata.JWKS != nil && len(metadata.JWKS.Keys) > 0 { 61 // TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to 62 // make sure we use the right one 63 + b, err := json.Marshal(metadata.JWKS.Keys[0]) 64 if err != nil { 65 return nil, err 66 } 67 + 68 + k, err := helpers.ParseJWKFromBytes(b) 69 + if err != nil { 70 + return nil, err 71 + } 72 + 73 jwks = k 74 } else if metadata.JWKSURI != nil { 75 maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI) ··· 78 } 79 80 jwks = maybeJwks 81 + } else { 82 + return nil, fmt.Errorf("no valid jwks found in oauth client metadata") 83 } 84 85 return &Client{ ··· 270 return nil, errors.New("private_key_jwt auth method requires jwks or jwks_uri") 271 } 272 273 + if metadata.JWKS != nil && len(metadata.JWKS.Keys) == 0 { 274 return nil, errors.New("private_key_jwt auth method requires atleast one key in jwks") 275 } 276
+20 -16
oauth/client/metadata.go
··· 1 package client 2 3 type Metadata struct { 4 - ClientID string `json:"client_id"` 5 - ClientName string `json:"client_name"` 6 - ClientURI string `json:"client_uri"` 7 - LogoURI string `json:"logo_uri"` 8 - TOSURI string `json:"tos_uri"` 9 - PolicyURI string `json:"policy_uri"` 10 - RedirectURIs []string `json:"redirect_uris"` 11 - GrantTypes []string `json:"grant_types"` 12 - ResponseTypes []string `json:"response_types"` 13 - ApplicationType string `json:"application_type"` 14 - DpopBoundAccessTokens bool `json:"dpop_bound_access_tokens"` 15 - JWKSURI *string `json:"jwks_uri,omitempty"` 16 - JWKS *[][]byte `json:"jwks,omitempty"` 17 - Scope string `json:"scope"` 18 - TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` 19 - TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg"` 20 }
··· 1 package client 2 3 type Metadata struct { 4 + ClientID string `json:"client_id"` 5 + ClientName string `json:"client_name"` 6 + ClientURI string `json:"client_uri"` 7 + LogoURI string `json:"logo_uri"` 8 + TOSURI string `json:"tos_uri"` 9 + PolicyURI string `json:"policy_uri"` 10 + RedirectURIs []string `json:"redirect_uris"` 11 + GrantTypes []string `json:"grant_types"` 12 + ResponseTypes []string `json:"response_types"` 13 + ApplicationType string `json:"application_type"` 14 + DpopBoundAccessTokens bool `json:"dpop_bound_access_tokens"` 15 + JWKSURI *string `json:"jwks_uri,omitempty"` 16 + JWKS *MetadataJwks `json:"jwks,omitempty"` 17 + Scope string `json:"scope"` 18 + TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` 19 + TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg"` 20 + } 21 + 22 + type MetadataJwks struct { 23 + Keys []any `json:"keys"` 24 }