Openid Connect implementation

.gitignore

@@ -4,3 +4,4 @@ db/*
 .envrc
 static/dist/
 node_modules/
+keys/*.pem

Cargo.toml

@@ -32,3 +32,8 @@ tempfile = "3.1"
 parking_lot = { version = "0.12" }
 thiserror = "1.0"
 validator = { version = "0.16", features = [ "derive" ] }
+jsonwebtoken = "9.1"
+openssl = "0.10"
+
+[build-dependencies]
+openssl = "0.10"

Rocket.toml

@@ -17,6 +17,7 @@ maximum_pending_users = 25
 
 [debug]
 secret_key = "1vwCFFPSdQya895gNiO556SzmfShG6MokstgttLvwjw="
+ec_private_key = "keys/jwt_key.pem"
 bcrypt_cost = 4
 seed_database = true
 
@@ -29,6 +30,8 @@ port = 8000
 # Values you want to fill in for production use
 # admin_email = # Email address to send admin notifications to (e.g. [email protected])
 # secret_key =  # used to encrypt cookies (generate a new one!)
+# ec_private_key = # Path to ECDSA private key for signing jwt's. Key Algo needs to be ES384 in PKCS#8 form.
+#   generate by running: openssl ecparam -genkey -noout -name secp384r1 | openssl pkcs8 -topk8 -nocrypt -out ec-private.pem)
 # base_url =    # URL where the application is hosten (e.g. https://auth.zeus.gent)
 # mail_from =   # From header to set when sending emails (e.g. [email protected])
 # mail_server = # domain of the SMTP server used to send mail (e.g. smtp.zeus.gent)

build.rs

@@ -0,0 +1,18 @@
+use std::fs::File;
+use std::io::Write;
+use std::path::Path;
+
+use openssl::ec::{EcGroup, EcKey};
+use openssl::nid::Nid;
+use openssl::pkey::PKey;
+
+fn main() {
+	let path = Path::new("keys/jwt_key.pem");
+	if !path.exists() {
+		let group = EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
+		let pkey = PKey::from_ec_key(EcKey::generate(&group).unwrap()).unwrap();
+		let mut f = File::create(path).unwrap();
+		let pem = pkey.private_key_to_pem_pkcs8().unwrap();
+		f.write_all(&pem).unwrap();
+	}
+}

src/config.rs

@@ -14,6 +14,7 @@ pub struct Config {
 	pub secure_token_length: usize,
 	pub bcrypt_cost: u32,
 	pub base_url: String,
+	pub ec_private_key: String,
 	pub mail_queue_size: usize,
 	pub mail_queue_wait_seconds: u64,
 	pub mail_from: String,

src/controllers/oauth_controller.rs

@@ -1,3 +1,4 @@
+use jsonwebtoken::jwk::JwkSet;
 use rocket::form::Form;
 use rocket::http::{Cookie, CookieJar};
 use rocket::response::{Redirect, Responder};
@@ -10,6 +11,7 @@ use crate::ephemeral::session::UserSession;
 use crate::errors::Either::{Left, Right};
 use crate::errors::*;
 use crate::http_authentication::BasicAuthentication;
+use crate::jwt::JWTBuilder;
 use crate::models::client::*;
 use crate::models::session::*;
 use crate::models::user::*;
@@ -161,6 +163,7 @@ pub struct UserToken {
 	pub client_id:    i32,
 	pub client_name:  String,
 	pub redirect_uri: String,
+	pub scope:        Option<String>,
 }
 
 #[get("/oauth/grant")]
@@ -215,6 +218,7 @@ async fn authorization_granted(
 	let authorization_code = token_store
 		.create_token(UserToken {
 			user_id:      user.id,
+			scope:        state.scope.clone(),
 			username:     user.username.clone(),
 			client_id:    state.client_id.clone(),
 			client_name:  state.client_name.clone(),
@@ -240,6 +244,8 @@ fn authorization_denied(state: AuthState) -> Redirect {
 pub struct TokenSuccess {
 	access_token: String,
 	token_type:   String,
+	#[serde(skip_serializing_if = "Option::is_none")]
+	id_token:     Option<String>,
 	expires_in:   i64,
 }
 
@@ -258,6 +264,7 @@ pub async fn token(
 	form: Form<TokenFormData>,
 	config: &State<Config>,
 	token_state: &State<TokenStore<UserToken>>,
+	jwt_builder: &State<JWTBuilder>,
 	db: DbConn,
 ) -> Result<Json<TokenSuccess>> {
 	let data = form.into_inner();
@@ -306,13 +313,37 @@ pub async fn token(
 		)))
 	} else {
 		let user = User::find(token.user_id, &db).await?;
-		let session =
-			Session::create_client_session(&user, &client, &config, &db)
-				.await?;
+		let id_token = token
+			.scope
+			.as_ref()
+			.map(|scope| -> Option<String> {
+				match scope.contains("openid") {
+					true => {
+						jwt_builder.encode_id_token(&client, &user, config).ok()
+					},
+					false => None,
+				}
+			})
+			.flatten();
+
+		let session = Session::create_client_session(
+			&user,
+			&client,
+			token.scope,
+			&config,
+			&db,
+		)
+		.await?;
 		Ok(Json(TokenSuccess {
 			access_token: session.key.unwrap().clone(),
-			token_type:   String::from("bearer"),
-			expires_in:   config.client_session_seconds,
+			token_type: String::from("bearer"),
+			id_token,
+			expires_in: config.client_session_seconds,
 		}))
 	}
 }
+
+#[get("/oauth/jwks")]
+pub async fn jwks(jwt_builder: &State<JWTBuilder>) -> Json<JwkSet> {
+	Json(jwt_builder.jwks.clone())
+}

src/errors.rs

@@ -214,6 +214,8 @@ pub enum InternalError {
 	BincodeError(#[from] Box<bincode::ErrorKind>),
 	#[error("B64 decode error")]
 	Base64DecodeError(#[from] base64::DecodeError),
+	#[error("JWT error")]
+	JWTError(#[from] jsonwebtoken::errors::Error),
 }
 pub type InternalResult<T> = std::result::Result<T, InternalError>;