Removing cache for signed JWT to OP

pamiel · pamiel · commit ba4649e633f6 · 2018-11-05T17:44:36.000+01:00
diff --git a/README.md b/README.md
@@ -128,7 +128,7 @@ http {
              client_id = "<client_id>",
              client_secret = "<client_secret>",
              -- o If token_endpoint_auth_method is set to "private_key_jwt" authentication to Token endpoint is using client_id, client_rsa_private_key and client_rsa_private_key_id to compute a signed JWT
-             --   client_rsa_private_key is the RSA private key to be used to sign the JWT generated by lua-restu-openidc for authentication to the OP
+             --   client_rsa_private_key is the RSA private key to be used to sign the JWT generated by lua-resty-openidc for authentication to the OP
              --   client_rsa_private_key_id (optional) is the key id to be set in the JWT header to identify which public key the OP shall use to verify the JWT signature
              --client_id = "<client_id>",
              --client_rsa_private_key=[[-----BEGIN RSA PRIVATE KEY-----
@@ -137,10 +137,9 @@ MIIEogIBAAKCAQEAiThmpvXBYdur716D2q7fYKirKxzZIU5QrkBGDvUOwg5izcTv
 h2JHukolz9xf6qN61QMLSd83+kwoBr2drp6xg3eGDLIkQCQLrkY=
 -----END RSA PRIVATE KEY-----]],
              --client_rsa_private_key_id="key id#1",
-             --   Computation of RSA signature is far more time-consuming than simply using a client_secret for the other authentication modes. In order to counter-balance the performance decrease,
-             --   the signed JWT generated for authentication to the OP are cached for reuse. Default life duration of the JWT in the cache is 1 hour but can be overwritten. Value of 0 means: not cached.
-             --client_jwt_assertion_expires_in = 60 * 60,  -- 1h, expressed in seconds
-             --   Note that the signed JWT tokens for authentication to the OP have an expiration that is 60 seconds after the expected cache life time.
+             --   Life duration expressed in seconds of the signed JWT generated by lua-resty-openidc for authentication to the OP.
+             --   (used when token_endpoint_auth_method is set to "private_key_jwt" authentication). Default is 60 seconds.
+             --client_jwt_assertion_expires_in = 60,
              -- When using https to any OP endpoints, enforcement of SSL certificate check can be mandated ("yes") or not ("no").
              --ssl_verify = "no",
 
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -53,6 +53,7 @@ local cjson = require("cjson")
 local cjson_s = require("cjson.safe")
 local http = require("resty.http")
 local r_session = require("resty.session")
+local r_jwt = require("resty.jwt")
 local string = string
 local ipairs = ipairs
 local pairs = pairs
@@ -387,30 +388,6 @@ local function openidc_configure_proxy(httpc, proxy_opts)
   end
 end
 
--- build client assertion for the 'private_key_jwt' authentication mode to the token endpoint
-local function get_client_assertion(opts, endpoint, private_key, key_id)
-  local cache_key = endpoint.."~"..opts.client_id.."~"..((string.len(private_key) > 200) and private_key:sub(98, 161) or private_key).."~"..(key_id and key_id or "")
-
-  local assertion = openidc_cache_get ("jwks", cache_key)
-
-  if not assertion then
-    local exptime = opts.client_jwt_assertion_expires_in or 60 * 60 -- expiration of the assertion in the cache
-    local jwt_validity = 60 -- assertion is valid for 60 seconds after its expiration: assuming the check by the OP will not be done later than 60 sec after the assertion retrieval.
-
-    local now = ngx.time()
-    local assertion_header  = {typ = "JWT", alg = "RS256", kid = key_id}
-    local assertion_payload = {sub = opts.client_id, iss = opts.client_id, aud = endpoint,
-                               exp = now + exptime + jwt_validity, jti = now, iat = now}
-
-    local jwt = require("resty.jwt")
-    assertion = jwt:sign(private_key, { header = assertion_header, payload = assertion_payload })
-
-    openidc_cache_set("jwks", cache_key, assertion, exptime)
-  end
-
-  return assertion
-end
-
 -- make a call to the token endpoint
 function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name, ignore_body_on_success)
   local ignore_body_on_success = ignore_body_on_success or false
@@ -430,18 +407,24 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name,
         headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":")
       end
       log(DEBUG, "client_secret_basic: authorization header '" .. headers.Authorization .. "'")
-    end
-    if auth == "client_secret_post" then
+
+    elseif auth == "client_secret_post" then
       body.client_id = opts.client_id
       if opts.client_secret then
         body.client_secret = opts.client_secret
       end
       log(DEBUG, "client_secret_post: client_id and client_secret being sent in POST body")
-    end
-    if auth == "private_key_jwt" then
+
+    elseif auth == "private_key_jwt" then
       body.client_id=opts.client_id
       body.client_assertion_type="urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
-      body.client_assertion=get_client_assertion(opts, endpoint, opts.client_rsa_private_key, opts.client_rsa_private_key_id)
+
+      local now = ngx.time()
+      local assertion_header  = {typ = "JWT", alg = "RS256", kid = opts.client_rsa_private_key_id}
+      local assertion_payload = {sub = opts.client_id, iss = opts.client_id, aud = endpoint, jti = ngx.var.request_id,
+                               exp = now + (opts.client_jwt_assertion_expires_in and opts.client_jwt_assertion_expires_in or 60), iat = now}
+
+      body.client_assertion=r_jwt:sign(opts.client_rsa_private_key, { header = assertion_header, payload = assertion_payload })
       log(DEBUG, "private_key_jwt: client_id, client_assertion_type and client_assertion being sent in POST body")
     end
   end
@@ -895,7 +878,6 @@ end
 -- parse a JWT and verify its signature (if present)
 local function openidc_load_jwt_and_verify_crypto(opts, jwt_string, asymmetric_secret,
 symmetric_secret, expected_algs, ...)
-  local jwt = require("resty.jwt")
   local enc_hdr, enc_payload, enc_sign = string.match(jwt_string, '^(.+)%.(.+)%.(.*)$')
   if enc_payload and (not enc_sign or enc_sign == "") then
     local jwt = openidc_load_jwt_none_alg(enc_hdr, enc_payload)
@@ -909,7 +891,7 @@ symmetric_secret, expected_algs, ...)
     end -- otherwise the JWT is invalid and load_jwt produces an error
   end
 
-  local jwt_obj = jwt:load_jwt(jwt_string, nil)
+  local jwt_obj = r_jwt:load_jwt(jwt_string, nil)
   if not jwt_obj.valid then
     local reason = "invalid jwt"
     if jwt_obj.reason then
@@ -957,7 +939,7 @@ symmetric_secret, expected_algs, ...)
     jwt_validators.set_system_leeway(opts.iat_slack and opts.iat_slack or 120)
   end
 
-  jwt_obj = jwt:verify_jwt_obj(secret, jwt_obj, ...)
+  jwt_obj = r_jwt:verify_jwt_obj(secret, jwt_obj, ...)
   if jwt_obj then
     log(DEBUG, "jwt: ", cjson.encode(jwt_obj), " ,valid: ", jwt_obj.valid, ", verified: ", jwt_obj.verified)
   end
