technofab/jwt-authorizer
1
0
Fork 0
mirror of https://github.com/TECHNOFAB11/jwt-authorizer.git synced 2025-12-15 01:13:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: oidc issuer

Browse source
This commit is contained in:
cduvray 2023-01-28 21:20:56 +01:00
parent d8fb138d46
commit 43f2523ec6
9 changed files with 117 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

2
jwt-authorizer/docs/README.md
View file

@ -31,7 +31,7 @@ JWT authoriser Layer for Axum.
// adding the authorization layer
let app = Router::new().route("/protected", get(protected))
.layer(jwt_auth.layer().unwrap());
.layer(jwt_auth.layer().await.unwrap());
// proteced handler with user injection (mapping some jwt claims)
async fn protected(JwtClaims(user): JwtClaims<User>) -> Result<String, AuthError> {

4
jwt-authorizer/src/authorizer.rs
View file

@ -51,12 +51,14 @@ pub enum KeySourceType {
ED(String),
Secret(&'static str),
Jwks(String),
Discovery(String),
}
impl<C> Authorizer<C>
where
C: DeserializeOwned + Clone + Send + Sync,
{
// TODO: expose it in JwtAuthorizer
pub fn from_jwks(jwks: &str, claims_checker: Option<FnClaimsChecker<C>>) -> Result<Authorizer<C>, AuthError> {
let set: JwkSet = serde_json::from_str(jwks)?;
let k = DecodingKey::from_jwk(&set.keys[0])?;
@ -76,7 +78,7 @@ where
KeySourceType::EC(path) => DecodingKey::from_ec_der(&read_data(path.as_str())?),
KeySourceType::ED(path) => DecodingKey::from_ed_der(&read_data(path.as_str())?),
KeySourceType::Secret(secret) => DecodingKey::from_secret(secret.as_bytes()),
KeySourceType::Jwks(_) => panic!("bug: use from_jwks_url() to initialise Authorizer"), // should never hapen
_ => panic!("bug: use from_jwks_url() or from_oidc() to initialise Authorizer"), // should never hapen
};
Ok(Authorizer {

3
jwt-authorizer/src/error.rs
View file

@ -19,6 +19,9 @@ pub enum InitError {
#[error(transparent)]
KeyFileDecodingError(#[from] jsonwebtoken::errors::Error),
#[error("Builder Error {0}")]
DiscoveryError(String),
}
#[derive(Debug, Error)]

33
jwt-authorizer/src/layer.rs
View file

@ -17,7 +17,7 @@ use tower_service::Service;
use crate::authorizer::{Authorizer, FnClaimsChecker, KeySourceType};
use crate::error::InitError;
use crate::jwks::key_store_manager::Refresh;
use crate::{AuthError, RefreshStrategy};
use crate::{oidc, AuthError, RefreshStrategy};
/// Authorizer Layer builder
///
@ -37,7 +37,16 @@ impl<C> JwtAuthorizer<C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
/// Build Authorizer Layer from a JWKS endpoint
/// Builds Authorizer Layer from a OpenId Connect discover metadata
pub fn from_oidc(issuer: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::Discovery(issuer.to_string())),
refresh: Default::default(),
claims_checker: None,
}
}
/// Builds Authorizer Layer from a JWKS endpoint
pub fn from_jwks_url(url: &'static str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::Jwks(url.to_owned())),
@ -46,7 +55,7 @@ where
}
}
/// Build Authorizer Layer from a RSA PEM file
/// Builds Authorizer Layer from a RSA PEM file
pub fn from_rsa_pem(path: &'static str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::RSA(path.to_owned())),
@ -55,7 +64,7 @@ where
}
}
/// Build Authorizer Layer from a EC PEM file
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ec_pem(path: &'static str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::EC(path.to_owned())),
@ -64,7 +73,7 @@ where
}
}
/// Build Authorizer Layer from a EC PEM file
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ed_pem(path: &'static str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::ED(path.to_owned())),
@ -73,7 +82,7 @@ where
}
}
/// Build Authorizer Layer from a secret phrase
/// Builds Authorizer Layer from a secret phrase
pub fn from_secret(secret: &'static str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: Some(KeySourceType::Secret(secret)),
@ -82,7 +91,7 @@ where
}
}
/// refresh configuration for jwk store
/// Refreshes configuration for jwk store
pub fn refresh(mut self, refresh: Refresh) -> JwtAuthorizer<C> {
if self.refresh.is_some() {
tracing::warn!("More than one refresh configuration found!");
@ -112,7 +121,7 @@ where
}
/// Build axum layer
pub fn layer(&self) -> Result<AsyncAuthorizationLayer<C>, InitError> {
pub async fn layer(&self) -> Result<AsyncAuthorizationLayer<C>, InitError> {
let auth = if let Some(ref key_source_type) = self.key_source_type {
match key_source_type {
KeySourceType::RSA(_) | KeySourceType::EC(_) | KeySourceType::ED(_) | KeySourceType::Secret(_) => {
@ -123,6 +132,14 @@ where
self.claims_checker.clone(),
self.refresh.unwrap_or_default(),
)?),
KeySourceType::Discovery(issuer_url) => {
let jwks_url = oidc::discover_jwks(issuer_url).await?;
Arc::new(Authorizer::from_jwks_url(
&jwks_url,
self.claims_checker.clone(),
self.refresh.unwrap_or_default(),
)?)
}
}
} else {
return Err(InitError::BuilderError(

1
jwt-authorizer/src/lib.rs
View file

@ -13,6 +13,7 @@ pub mod authorizer;
pub mod error;
pub mod jwks;
pub mod layer;
mod oidc;
/// Claims serialized using T
#[derive(Debug, Clone, Copy, Default)]

22
jwt-authorizer/src/oidc.rs Normal file
View file

@ -0,0 +1,22 @@
use serde::Deserialize;
use crate::error::InitError;
/// OpenId Connect discovery (simplified for test purposes)
#[derive(Deserialize, Clone)]
pub struct OidcDiscovery {
pub jwks_uri: String,
}
pub async fn discover_jwks(issuer: &str) -> Result<String, InitError> {
let discovery_url = format!("{}/.well-known/openid-configuration", issuer);
reqwest::Client::new()
.get(discovery_url)
.send()
.await
.map_err(|e| InitError::DiscoveryError(e.to_string()))?
.json::<OidcDiscovery>()
.await
.map_err(|e| InitError::DiscoveryError(e.to_string()))
.map(|d| d.jwks_uri)
}