Use ID token for OAuth authentication, not Access Token

apache · Jul 7, 2023 · a23adbc · a23adbc
1 parent 72e93a1
commit a23adbc
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -62,6 +62,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7469](https://github.com/apache/trafficcontrol/pull/7469) *Traffic Ops* Changed logic to not report empty or missing cookies into TO error.log.
 - [#7586](https://github.com/apache/trafficcontrol/pull/7586) *Traffic Ops* Add permission to Operations Role to read from dnsseckeys endpoint.
 - [#7600](https://github.com/apache/trafficcontrol/pull/7600) *t3c* changed default go-direct command line arg to be old to avoid unexpected config changes upon upgrade.
+- [#7621](https://github.com/apache/trafficcontrol/pull/7621) *Traffic Ops* Use ID token for OAuth authentication, not Access Token
 
 ### Fixed
 - [#7608](https://github.com/apache/trafficcontrol/pull/7608) *Traffic Monitor* Use stats_over_http(plugin.system_stats.timestamp_ms) timestamp field to calculate bandwidth for TM's caches.

diff --git a/lib/go-rfc/jwt.go b/lib/go-rfc/jwt.go
@@ -0,0 +1,28 @@
+package rfc
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+const (
+	// AccessToken is the access_token parameter name described in RFC 6749 <https://datatracker.ietf.org/doc/html/rfc6749#section-1.4>.
+	AccessToken = "access_token"
+
+	// IDToken is the id_token parameter name described in OpenID Connect Core <https://openid.net/specs/openid-connect-core-1_0.html#IDToken>.
+	IDToken = "id_token"
+)
diff --git a/traffic_ops/traffic_ops_golang/api/api.go b/traffic_ops/traffic_ops_golang/api/api.go
@@ -83,10 +83,7 @@ const (
 	TrafficVaultContextKey = "tv"
 )
 
-const (
-	MojoCookie  = "mojoCookie"
-	AccessToken = "access_token"
-)
+const MojoCookie = "mojoCookie"
 
 const influxServersQuery = `
 SELECT (host_name||'.'||domain_name) as fqdn,
@@ -1091,7 +1088,7 @@ func GetUserFromReq(w http.ResponseWriter, r *http.Request, secret string) (auth
 				continue
 			}
 			switch givenCookie.Name {
-			case AccessToken:
+			case rfc.AccessToken:
 				bearerCookie, readToken, err := getCookieFromAccessToken(givenCookie.Value, secret)
 				if err != nil {
 					return auth.CurrentUser{}, errors.New("unauthorized, please log in."), err, http.StatusUnauthorized
@@ -1155,7 +1152,7 @@ func GetUserFromReq(w http.ResponseWriter, r *http.Request, secret string) (auth
 		}
 
 		http.SetCookie(w, &http.Cookie{
-			Name:     AccessToken,
+			Name:     rfc.AccessToken,
 			Value:    string(jwtSigned),
 			Path:     "/",
 			MaxAge:   newCookie.MaxAge,

diff --git a/traffic_ops/traffic_ops_golang/cdni/shared.go b/traffic_ops/traffic_ops_golang/cdni/shared.go
@@ -115,7 +115,7 @@ func getBearerToken(r *http.Request) string {
 	}
 	for _, cookie := range r.Cookies() {
 		switch cookie.Name {
-		case api.AccessToken:
+		case rfc.AccessToken:
 			return cookie.Value
 		}
 	}

diff --git a/traffic_ops/traffic_ops_golang/login/login.go b/traffic_ops/traffic_ops_golang/login/login.go
@@ -263,7 +263,7 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		}
 
 		http.SetCookie(w, &http.Cookie{
-			Name:     api.AccessToken,
+			Name:     rfc.AccessToken,
 			Value:    string(jwtSigned),
 			Path:     "/",
 			MaxAge:   httpCookie.MaxAge,
@@ -461,15 +461,15 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		if err := json.Unmarshal(buf.Bytes(), &result); err != nil {
 			log.Warnf("Error parsing JSON response from oAuth: %s", err)
 			encodedToken = buf.String()
-		} else if _, ok := result[api.AccessToken]; !ok {
+		} else if _, ok := result[rfc.IDToken]; !ok {
 			sysErr := fmt.Errorf("Missing access token in response: %s\n", buf.String())
 			usrErr := errors.New("Bad response from OAuth2.0 provider")
 			api.HandleErr(w, r, nil, http.StatusBadGateway, usrErr, sysErr)
 			return
 		} else {
-			switch t := result[api.AccessToken].(type) {
+			switch t := result[rfc.IDToken].(type) {
 			case string:
-				encodedToken = result[api.AccessToken].(string)
+				encodedToken = result[rfc.IDToken].(string)
 			default:
 				sysErr := fmt.Errorf("Incorrect type of access_token! Expected 'string', got '%v'\n", t)
 				usrErr := errors.New("Bad response from OAuth2.0 provider")