|
@@ -7,9 +7,10 @@ extern crate time;
|
|
|
extern crate url;
|
|
extern crate url;
|
|
|
|
|
|
|
|
use bytes::Bytes;
|
|
use bytes::Bytes;
|
|
|
-use jsonwebtoken::{dangerous_insecure_decode};use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
|
|
|
|
|
|
|
+use jsonwebtoken::{dangerous_insecure_decode};
|
|
|
|
|
+use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
|
|
|
use openidconnect::reqwest::http_client;
|
|
use openidconnect::reqwest::http_client;
|
|
|
-use openidconnect::{AccessToken, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
|
|
|
|
|
|
|
+use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, NonceVerifier, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse};
|
|
|
use serde::{Deserialize, Serialize};
|
|
use serde::{Deserialize, Serialize};
|
|
|
use std::str::from_utf8;
|
|
use std::str::from_utf8;
|
|
|
use std::sync::{Arc, Mutex};
|
|
use std::sync::{Arc, Mutex};
|
|
@@ -168,80 +169,122 @@ impl ZeroIDC {
|
|
|
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
|
|
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
|
|
|
if let Some(refresh_token) = refresh_token {
|
|
if let Some(refresh_token) = refresh_token {
|
|
|
if now >= (exp - Duration::from_secs(30)) {
|
|
if now >= (exp - Duration::from_secs(30)) {
|
|
|
|
|
+ let nonce = (*inner_local.lock().unwrap()).nonce.clone();
|
|
|
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
|
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
|
|
let res = c.exchange_refresh_token(&refresh_token)
|
|
let res = c.exchange_refresh_token(&refresh_token)
|
|
|
.request(http_client);
|
|
.request(http_client);
|
|
|
|
|
|
|
|
- res
|
|
|
|
|
- });
|
|
|
|
|
-
|
|
|
|
|
- if let Some(res) = token_response {
|
|
|
|
|
match res {
|
|
match res {
|
|
|
Ok(res) => {
|
|
Ok(res) => {
|
|
|
- match res.id_token() {
|
|
|
|
|
- Some(id_token) => {
|
|
|
|
|
-
|
|
|
|
|
- let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
|
|
|
|
|
- #[cfg(debug_assertions)] {
|
|
|
|
|
- println!("New ID token: {}", id_token.to_string());
|
|
|
|
|
|
|
+ let n = match nonce {
|
|
|
|
|
+ Some(n) => n,
|
|
|
|
|
+ None => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let id = match res.id_token() {
|
|
|
|
|
+ Some(t) => t,
|
|
|
|
|
+ None => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let claims = match id.claims(&c.id_token_verifier(), &n) {
|
|
|
|
|
+ Ok(c) => c,
|
|
|
|
|
+ Err(_e) => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let signing_algo = match id.signing_alg() {
|
|
|
|
|
+ Ok(s) => s,
|
|
|
|
|
+ Err(_) => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ if let Some(expected_hash) = claims.access_token_hash() {
|
|
|
|
|
+ let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
|
|
|
|
|
+ Ok(h) => h,
|
|
|
|
|
+ Err(e) => {
|
|
|
|
|
+ println!("Error hashing access token: {}", e);
|
|
|
|
|
+ return None;
|
|
|
}
|
|
}
|
|
|
- let client = reqwest::blocking::Client::new();
|
|
|
|
|
- let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
|
|
|
|
|
- .form(¶ms)
|
|
|
|
|
- .send();
|
|
|
|
|
-
|
|
|
|
|
- match r {
|
|
|
|
|
- Ok(r) => {
|
|
|
|
|
- if r.status().is_success() {
|
|
|
|
|
- #[cfg(debug_assertions)] {
|
|
|
|
|
- println!("hit url: {}", r.url().as_str());
|
|
|
|
|
- println!("status: {}", r.status());
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- let access_token = res.access_token();
|
|
|
|
|
- let at = access_token.secret();
|
|
|
|
|
- let exp = dangerous_insecure_decode::<Exp>(&at);
|
|
|
|
|
-
|
|
|
|
|
- if let Ok(e) = exp {
|
|
|
|
|
- (*inner_local.lock().unwrap()).exp_time = e.claims.exp
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- (*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
|
|
|
|
|
- if let Some(t) = res.refresh_token() {
|
|
|
|
|
- // println!("New Refresh Token: {}", t.secret());
|
|
|
|
|
- (*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
|
|
|
|
|
- }
|
|
|
|
|
- #[cfg(debug_assertions)] {
|
|
|
|
|
- println!("Central post succeeded");
|
|
|
|
|
- }
|
|
|
|
|
- } else {
|
|
|
|
|
- println!("Central post failed: {}", r.status().to_string());
|
|
|
|
|
- println!("hit url: {}", r.url().as_str());
|
|
|
|
|
- println!("Status: {}", r.status());
|
|
|
|
|
- (*inner_local.lock().unwrap()).exp_time = 0;
|
|
|
|
|
- (*inner_local.lock().unwrap()).running = false;
|
|
|
|
|
- }
|
|
|
|
|
- },
|
|
|
|
|
- Err(e) => {
|
|
|
|
|
-
|
|
|
|
|
- println!("Central post failed: {}", e.to_string());
|
|
|
|
|
- println!("hit url: {}", e.url().unwrap().as_str());
|
|
|
|
|
- println!("Status: {}", e.status().unwrap());
|
|
|
|
|
- (*inner_local.lock().unwrap()).exp_time = 0;
|
|
|
|
|
- (*inner_local.lock().unwrap()).running = false;
|
|
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ if actual_hash != *expected_hash {
|
|
|
|
|
+ println!("token hash error");
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ return Some(res);
|
|
|
|
|
+ },
|
|
|
|
|
+ Err(_e) => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+ });
|
|
|
|
|
+
|
|
|
|
|
+ if let Some(Some(res)) = token_response{
|
|
|
|
|
+ match res.id_token() {
|
|
|
|
|
+ Some(id_token) => {
|
|
|
|
|
+ let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
|
|
|
|
|
+ #[cfg(debug_assertions)] {
|
|
|
|
|
+ println!("New ID token: {}", id_token.to_string());
|
|
|
|
|
+ }
|
|
|
|
|
+ let client = reqwest::blocking::Client::new();
|
|
|
|
|
+ let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
|
|
|
|
|
+ .form(¶ms)
|
|
|
|
|
+ .send();
|
|
|
|
|
+
|
|
|
|
|
+ match r {
|
|
|
|
|
+ Ok(r) => {
|
|
|
|
|
+ if r.status().is_success() {
|
|
|
|
|
+ #[cfg(debug_assertions)] {
|
|
|
|
|
+ println!("hit url: {}", r.url().as_str());
|
|
|
|
|
+ println!("status: {}", r.status());
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ let access_token = res.access_token();
|
|
|
|
|
+ let at = access_token.secret();
|
|
|
|
|
+ let exp = dangerous_insecure_decode::<Exp>(&at);
|
|
|
|
|
+
|
|
|
|
|
+ if let Ok(e) = exp {
|
|
|
|
|
+ (*inner_local.lock().unwrap()).exp_time = e.claims.exp
|
|
|
}
|
|
}
|
|
|
|
|
+
|
|
|
|
|
+ (*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
|
|
|
|
|
+ if let Some(t) = res.refresh_token() {
|
|
|
|
|
+ // println!("New Refresh Token: {}", t.secret());
|
|
|
|
|
+ (*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
|
|
|
|
|
+ }
|
|
|
|
|
+ #[cfg(debug_assertions)] {
|
|
|
|
|
+ println!("Central post succeeded");
|
|
|
|
|
+ }
|
|
|
|
|
+ } else {
|
|
|
|
|
+ println!("Central post failed: {}", r.status().to_string());
|
|
|
|
|
+ println!("hit url: {}", r.url().as_str());
|
|
|
|
|
+ println!("Status: {}", r.status());
|
|
|
|
|
+ (*inner_local.lock().unwrap()).exp_time = 0;
|
|
|
|
|
+ (*inner_local.lock().unwrap()).running = false;
|
|
|
}
|
|
}
|
|
|
},
|
|
},
|
|
|
- None => {
|
|
|
|
|
- println!("No id token???");
|
|
|
|
|
|
|
+ Err(e) => {
|
|
|
|
|
+
|
|
|
|
|
+ println!("Central post failed: {}", e.to_string());
|
|
|
|
|
+ println!("hit url: {}", e.url().unwrap().as_str());
|
|
|
|
|
+ println!("Status: {}", e.status().unwrap());
|
|
|
|
|
+ (*inner_local.lock().unwrap()).exp_time = 0;
|
|
|
|
|
+ (*inner_local.lock().unwrap()).running = false;
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
},
|
|
},
|
|
|
- Err(e) => {
|
|
|
|
|
- println!("Error posting refresh token: {}", e)
|
|
|
|
|
|
|
+ None => {
|
|
|
|
|
+ println!("no id token?!?");
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
- }
|
|
|
|
|
|
|
+ }
|
|
|
} else {
|
|
} else {
|
|
|
println!("waiting to refresh");
|
|
println!("waiting to refresh");
|
|
|
}
|
|
}
|
|
@@ -367,7 +410,49 @@ impl ZeroIDC {
|
|
|
.request(http_client);
|
|
.request(http_client);
|
|
|
match r {
|
|
match r {
|
|
|
Ok(res) =>{
|
|
Ok(res) =>{
|
|
|
- return Some(res);
|
|
|
|
|
|
|
+ let n = match i.nonce.clone() {
|
|
|
|
|
+ Some(n) => n,
|
|
|
|
|
+ None => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let id = match res.id_token() {
|
|
|
|
|
+ Some(t) => t,
|
|
|
|
|
+ None => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let claims = match id.claims(&c.id_token_verifier(), &n) {
|
|
|
|
|
+ Ok(c) => c,
|
|
|
|
|
+ Err(_e) => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ let signing_algo = match id.signing_alg() {
|
|
|
|
|
+ Ok(s) => s,
|
|
|
|
|
+ Err(_) => {
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ if let Some(expected_hash) = claims.access_token_hash() {
|
|
|
|
|
+ let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
|
|
|
|
|
+ Ok(h) => h,
|
|
|
|
|
+ Err(e) => {
|
|
|
|
|
+ println!("Error hashing access token: {}", e);
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ };
|
|
|
|
|
+
|
|
|
|
|
+ if actual_hash != *expected_hash {
|
|
|
|
|
+ println!("token hash error");
|
|
|
|
|
+ return None;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ Some(res)
|
|
|
},
|
|
},
|
|
|
Err(_e) => {
|
|
Err(_e) => {
|
|
|
#[cfg(debug_assertions)] {
|
|
#[cfg(debug_assertions)] {
|
Grant Limberg