From fd695717e31540577aded2791b699a2c4790ae83 Mon Sep 17 00:00:00 2001
From: David Leifker
Date: Mon, 28 Nov 2022 18:01:46 -0600
Subject: [PATCH 1/2] fix(security): require unsigned/encrypted jwt tokens

---
 .../sso/oidc/OidcAuthorizationGenerator.java | 40 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java b/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
index 723601d7f3fb1..0ffb60b809926 100644
--- a/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
+++ b/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
@@ -1,7 +1,17 @@
 package auth.sso.oidc;
 
+import java.text.ParseException;
 import java.util.Map.Entry;
 
+import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.Header;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.util.Base64URL;
+import com.nimbusds.jose.util.JSONObjectUtils;
+import com.nimbusds.jwt.EncryptedJWT;
+import com.nimbusds.jwt.SignedJWT;
+import net.minidev.json.JSONObject;
 import org.pac4j.core.authorization.generator.AuthorizationGenerator;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.profile.AttributeLocation;
@@ -12,7 +22,6 @@
 import org.slf4j.LoggerFactory;
 
 import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTParser;
 
 public class OidcAuthorizationGenerator implements AuthorizationGenerator {
 
@@ -31,7 +40,7 @@ public OidcAuthorizationGenerator(final ProfileDefinition profileDef, final Oidc
 public CommonProfile generate(WebContext context, CommonProfile profile) {
 if (oidcConfigs.getExtractJwtAccessTokenClaims().orElse(false)) {
 try {
- final JWT jwt = JWTParser.parse(((OidcProfile) profile).getAccessToken().getValue());
+ final JWT jwt = parse(((OidcProfile) profile).getAccessToken().getValue());
 
 for (final Entry entry : jwt.getJWTClaimsSet().getClaims().entrySet()) {
 final String claimName = entry.getKey();
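Review bot: The new `import net.minidev.json.JSONObject;` ties this class directly to json-smart, which is a transitive dependency of nimbus-jose-jwt rather than something this module declares, and if I recall correctly nimbus 9.x removed `JSONObject` from its public API (`JSONObjectUtils.parse` and `Header.parseAlgorithm` moved to `Map<String, Object>`), so a routine library upgrade would break compilation here. If the pinned nimbus version already supports it, `Map<String, Object> jsonObject = JSONObjectUtils.parse(...)` avoids the import entirely; otherwise a comment on the import line such as `// json-smart type exposed by nimbus-jose-jwt < 9; switch to Map<String,Object> on upgrade` would warn the next maintainer. json-smart has also had its own parser CVEs, which is one more reason not to widen the surface that references it.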
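Review bot: The line `final JWT jwt = parse(((OidcProfile) profile).getAccessToken().getValue());` still copies claims out of a token whose signature is never checked — `SignedJWT.parse` only deserializes, so the hardening rejects `alg=none` but does not authenticate the token. That is presumably acceptable because the pac4j access token was obtained from the provider's token endpoint rather than from the browser, but a reader will infer more from the commit title than the code delivers; add a comment such as `// Token came from the IdP token endpoint, not the client; parse() rejects unsecured (alg=none) JWTs but does not verify the signature.` The try/catch that handles the ParseException, and the rest of generate(), lie outside this hunk.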
@@ -46,5 +55,32 @@ public CommonProfile generate(WebContext context, CommonProfile profile) {
 return profile;
 }
+
+ private static JWT parse(final String s) throws ParseException {
+ final int firstDotPos = s.indexOf(".");
+
+ if (firstDotPos == -1) {
+ throw new ParseException("Invalid JWT serialization: Missing dot delimiter(s)", 0);
+ }
+
+ Base64URL header = new Base64URL(s.substring(0, firstDotPos));
+ JSONObject jsonObject;
+
+ try {
+ jsonObject = JSONObjectUtils.parse(header.decodeToString());
+ } catch (ParseException e) {
+ throw new ParseException("Invalid unsecured/JWS/JWE header: " + e.getMessage(), 0);
+ }
+
+ Algorithm alg = Header.parseAlgorithm(jsonObject);
+
+ if (alg instanceof JWSAlgorithm) {
+ return SignedJWT.parse(s);
+ } else if (alg instanceof JWEAlgorithm) {
+ return EncryptedJWT.parse(s);
+ } else {
+ throw new AssertionError("Unexpected algorithm type: " + alg);
+ }
+ }
 }

From ad976b9d3a7c3283088a68390159c2ebf3180cdb Mon Sep 17 00:00:00 2001
From: David Leifker
Date: Thu, 8 Dec 2022 21:08:13 -0600
Subject: [PATCH 2/2] Add import

---
 .../app/auth/sso/oidc/OidcAuthorizationGenerator.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java b/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
index 567921d6bdba6..3f864ed5abddf 100644
--- a/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
+++ b/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
@@ -11,6 +11,7 @@
 import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.jose.util.JSONObjectUtils;
 import com.nimbusds.jwt.EncryptedJWT;
+import com.nimbusds.jwt.JWTParser;
 import com.nimbusds.jwt.SignedJWT;
 import net.minidev.json.JSONObject;
 import org.pac4j.core.authorization.generator.AuthorizationGenerator;
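Review bot: The `else` branch of the new `parse` throws `AssertionError` for a token whose `alg` is neither JWS nor JWE — which is precisely the unsecured `alg=none` case this patch exists to reject — and an Error is not the ParseException the method declares, so the caller's catch block (outside this hunk) will most likely not handle it and the request dies with an unhandled error instead of the token being declined cleanly. Use the checked exception that is already part of the contract: `throw new ParseException("Unsupported or unsecured JWT algorithm: " + alg, 0);`. The JWE branch also looks incomplete: `EncryptedJWT.parse` returns a token whose claims are not available until `decrypt()` is called, and no key or decrypter exists here, so the caller's `jwt.getJWTClaimsSet()` will fail on an encrypted token — either decrypt in the caller or reject JWE in this method with a ParseException stating that encrypted access tokens are unsupported. The commit subject says "unsigned/encrypted" while the code rejects unsigned tokens; presumably "signed/encrypted" was intended.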
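Review bot: The re-added `import com.nimbusds.jwt.JWTParser;` is not referenced by anything visible in this series — patch 1 removed its only use when it replaced `JWTParser.parse` with the local `parse`. Since this patch's base (index 567921d6bdba6) is not patch 1's result (0ffb60b809926), code outside the hunk may use it; if that use is a fallback to `JWTParser.parse`, be aware that it accepts unsecured `PlainJWT`s with `alg=none` and would reopen exactly what patch 1 closes. If it is unused, drop the import rather than carry a dead reference to the permissive parser.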