Fixed token fetch from IDP

server: fix error reporting and logic for /keys handler

cmd/serve.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	opaal "davidallendj/opaal/internal"
+	"davidallendj/opaal/internal/oidc"
 	"errors"
 	"fmt"
 	"net/http"
@@ -9,9 +10,13 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var exampleCmd = &cobra.Command{
+var (
+	endpoints oidc.Endpoints
+)
+
+var serveCmd = &cobra.Command{
 	Use:   "serve",
-	Short: "Start an simple identity provider server",
+	Short: "Start an simple, bare minimal identity provider server",
 	Long:  "The built-in identity provider is not (nor meant to be) a complete OIDC implementation and behaves like an external IdP",
 	Run: func(cmd *cobra.Command, args []string) {
 		s := opaal.NewServerWithConfig(&config)
@@ -21,11 +26,15 @@ var exampleCmd = &cobra.Command{
 		if errors.Is(err, http.ErrServerClosed) {
 			fmt.Printf("Identity provider server closed.\n")
 		} else if err != nil {
-			fmt.Errorf("failed to start server: %v", err)
+			fmt.Printf("failed to start server: %v", err)
 		}
 	},
 }
 
 func init() {
-	rootCmd.AddCommand(exampleCmd)
+	serveCmd.Flags().StringVar(&endpoints.Authorization, "endpoints.authorization", "", "set the authorization endpoint for the identity provider")
+	serveCmd.Flags().StringVar(&endpoints.Token, "endpoints.token", "", "set the token endpoint for the identity provider")
+	serveCmd.Flags().StringVar(&endpoints.JwksUri, "endpoints.jwks_uri", "", "set the JWKS endpoints for the identity provider")
+
+	rootCmd.AddCommand(serveCmd)
 }

internal/config.go

@@ -2,6 +2,7 @@ package opaal
 
 import (
 	"davidallendj/opaal/internal/oauth"
+	"davidallendj/opaal/internal/oidc"
 	"log"
 	"os"
 	"path/filepath"
@@ -72,11 +73,18 @@ type Config struct {
 }
 
 func NewConfig() Config {
-	return Config{
+	config := Config{
 		Version: goutil.GetCommit(),
 		Server: server.Server{
 			Host: "127.0.0.1",
 			Port: 3333,
+			Issuer: server.IdentityProviderServer{
+				Endpoints: oidc.Endpoints{
+					Authorization: "",
+					Token:         "",
+					JwksUri:       "",
+				},
+			},
 		},
 		Options: Options{
 			RunOnce:     true,
@@ -99,6 +107,7 @@ func NewConfig() Config {
 			},
 		},
 	}
+	return config
 }
 
 func LoadConfig(path string) Config {

internal/flows/jwt_bearer.go

@@ -51,6 +51,9 @@ func NewJwtBearerFlow(eps JwtBearerFlowEndpoints, params JwtBearerFlowParams) (s
 	if client == nil {
 		return "", fmt.Errorf("invalid client (client is nil)")
 	}
+	if verbose {
+		fmt.Printf("ID token (IDP): %s\n access token (IDP): %s", accessToken, idToken)
+	}
 	if accessToken != "" {
 		_, err := jws.Verify([]byte(accessToken), jws.WithKeySet(client.Provider.KeySet), jws.WithValidateKey(true))
 		if err != nil {

internal/login.go

@@ -42,8 +42,9 @@ func Login(config *Config) error {
 			AuthProvider: &oidc.IdentityProvider{
 				Issuer: config.Authorization.Endpoints.Issuer,
 				Endpoints: oidc.Endpoints{
-					Config:  config.Authorization.Endpoints.Config,
+					Config:        config.Authorization.Endpoints.Config,
-					JwksUri: config.Authorization.Endpoints.JwksUri,
+					Authorization: config.Authorization.Endpoints.Authorize,
+					JwksUri:       config.Authorization.Endpoints.JwksUri,
 				},
 			},
 			JwtBearerEndpoints: flows.JwtBearerFlowEndpoints{

internal/new.go

@@ -90,9 +90,11 @@ func NewServerWithConfig(conf *Config) *server.Server {
 		},
 		Host: host,
 		Port: port,
-		Issuer: server.Issuer{
+		Issuer: server.IdentityProviderServer{
-			Host: conf.Server.Issuer.Host,
+			Host:      conf.Server.Issuer.Host,
-			Port: conf.Server.Issuer.Port,
+			Port:      conf.Server.Issuer.Port,
+			Endpoints: conf.Server.Issuer.Endpoints,
+			Clients:   conf.Server.Issuer.Clients,
 		},
 	}
 	return server

internal/oauth/authenticate.go

@@ -109,12 +109,14 @@ func (client *Client) FetchTokenFromAuthenticationServer(code string, state stri
 	}
 	res, err := http.PostForm(client.Provider.Endpoints.Token, body)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get ID token: %s", err)
+		return nil, fmt.Errorf("failed to get ID token: %v", err)
 	}
+	b, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %v", err)
+	}
+	fmt.Printf("%s\n", string(b))
 	defer res.Body.Close()
 
-	// domain, _ := url.Parse("http://127.0.0.1")
+	return b, nil
-	// client.Jar.SetCookies(domain, res.Cookies())
-
-	return io.ReadAll(res.Body)
 }

internal/oidc/oidc.go

@@ -164,3 +164,25 @@ func (p *IdentityProvider) FetchJwks() error {
 
 	return nil
 }
+
+func (p *IdentityProvider) UpdateEndpoints(other *IdentityProvider) {
+	UpdateEndpoints(&p.Endpoints, &other.Endpoints)
+}
+
+func UpdateEndpoints(eps *Endpoints, other *Endpoints) {
+	// only update endpoints that are not empty
+	var UpdateIfEmpty = func(ep *string, s string) {
+		if ep != nil {
+			if *ep == "" {
+				*ep = s
+			}
+		}
+	}
+	UpdateIfEmpty(&eps.Config, other.Config)
+	UpdateIfEmpty(&eps.Authorization, other.Authorization)
+	UpdateIfEmpty(&eps.Token, other.Token)
+	UpdateIfEmpty(&eps.Revocation, other.Revocation)
+	UpdateIfEmpty(&eps.Introspection, other.Introspection)
+	UpdateIfEmpty(&eps.UserInfo, other.UserInfo)
+	UpdateIfEmpty(&eps.JwksUri, other.JwksUri)
+}

internal/server/idp.go

@@ -3,7 +3,6 @@ package server
 import (
 	"crypto/rand"
 	"crypto/rsa"
-	"davidallendj/opaal/internal/oauth"
 	"davidallendj/opaal/internal/oidc"
 	"encoding/json"
 	"fmt"
@@ -22,6 +21,22 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 )
 
+// TODO: make this a completely separate server
+type IdentityProviderServer struct {
+	Host      string             `yaml:"host"`
+	Port      int                `yaml:"port"`
+	Endpoints oidc.Endpoints     `yaml:"endpoints"`
+	Clients   []RegisteredClient `yaml:"clients"`
+}
+
+// NOTE: could we use a oauth.Client here instead??
+type RegisteredClient struct {
+	Id           string   `yaml:"id"`
+	Secret       string   `yaml:"secret"`
+	Name         string   `yaml:"name"`
+	RedirectUris []string `yaml:"redirect-uris"`
+}
+
 func (s *Server) StartIdentityProvider() error {
 	// NOTE: this example does NOT implement CSRF tokens nor use them
 
@@ -29,14 +44,16 @@ func (s *Server) StartIdentityProvider() error {
 	var (
 		r = chi.NewRouter()
 		// clients  = []oauth.Client{}
-		callback    = ""
 		activeCodes = []string{}
 	)
 
-	// check if callback is set
+	// update endpoints that have values set
-	if s.Callback == "" {
+	defaultEps := oidc.Endpoints{
-		callback = "/oidc/callback"
+		Authorization: "http://" + s.Addr + "/oauth2/authorize",
+		Token:         "http://" + s.Addr + "/oauth2/token",
+		JwksUri:       "http://" + s.Addr + "/.well-known/jwks.json",
 	}
+	oidc.UpdateEndpoints(&s.Issuer.Endpoints, &defaultEps)
 
 	// generate key pair used to sign JWKS and create JWTs
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
@@ -72,14 +89,13 @@ func (s *Server) StartIdentityProvider() error {
 		w.Write(b)
 	})
 
-	// TODO: create .well-known openid configuration
 	r.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
 		// create config JSON to serve with GET request
 		config := map[string]any{
 			"issuer":                 "http://" + s.Addr,
-			"authorization_endpoint": "http://" + s.Addr + "/oauth/authorize",
+			"authorization_endpoint": s.Issuer.Endpoints.Authorization,
-			"token_endpoint":         "http://" + s.Addr + "/oauth/token",
+			"token_endpoint":         s.Issuer.Endpoints.Token,
-			"jwks_uri":               "http://" + s.Addr + "/.well-known/jwks.json",
+			"jwks_uri":               s.Issuer.Endpoints.JwksUri,
 			"scopes_supported": []string{
 				"openid",
 				"profile",
@@ -131,21 +147,18 @@ func (s *Server) StartIdentityProvider() error {
 		username := r.Form.Get("username")
 		password := r.Form.Get("password")
 
+		if len(s.Issuer.Clients) <= 0 {
+			fmt.Printf("no registered clients found with identity provider (add them in config)\n")
+			return
+		}
+
 		// example username and password so do simplified authorization code flow
-		if username == "ochami" && password == "ochami" {
+		if username == "openchami" && password == "openchami" {
-			client := oauth.Client{
+			client := s.Issuer.Clients[0]
-				Id:     "ochami",
-				Secret: "ochami",
-				Name:   "ochami",
-				Provider: oidc.IdentityProvider{
-					Issuer: "http://127.0.0.1:3333",
-				},
-				RedirectUris: []string{fmt.Sprintf("http://%s:%d%s", s.Host, s.Port, callback)},
-			}
 
 			// check if there are any redirect URIs supplied
 			if len(client.RedirectUris) <= 0 {
-				fmt.Printf("no redirect URIs found")
+				fmt.Printf("no redirect URIs found for client %s (ID: %s)\n", client.Name, client.Id)
 				return
 			}
 			for _, url := range client.RedirectUris {
@@ -166,7 +179,7 @@ func (s *Server) StartIdentityProvider() error {
 			http.Redirect(w, r, "/browser/login", http.StatusUnauthorized)
 		}
 	})
-	r.HandleFunc("/oauth/token", func(w http.ResponseWriter, r *http.Request) {
+	r.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
 		r.ParseForm()
 
 		// check for authorization code and make sure it's valid
@@ -240,7 +253,7 @@ func (s *Server) StartIdentityProvider() error {
 		fmt.Printf("bearer: %s\n", string(b))
 		w.Write(b)
 	})
-	r.HandleFunc("/oauth/authorize", func(w http.ResponseWriter, r *http.Request) {
+	r.HandleFunc("/oauth2/authorize", func(w http.ResponseWriter, r *http.Request) {
 		var (
 			responseType = r.URL.Query().Get("response_type")
 			clientId     = r.URL.Query().Get("client_id")
@@ -253,9 +266,13 @@ func (s *Server) StartIdentityProvider() error {
 			return
 		}
 
-		// check that we're using the default registered client
+		// find a valid client
-		if clientId != "ochami" {
+		index := slices.IndexFunc(s.Issuer.Clients, func(c RegisteredClient) bool {
-			fmt.Printf("invalid client\n")
+			fmt.Printf("%s ? %s\n", c.Id, clientId)
+			return c.Id == clientId
+		})
+		if index < 0 {
+			fmt.Printf("no valid client found")
 			return
 		}
 

internal/server/server.go

@@ -18,16 +18,11 @@ import (
 
 type Server struct {
 	*http.Server
-	Host     string `yaml:"host"`
+	Host     string                 `yaml:"host"`
-	Port     int    `yaml:"port"`
+	Port     int                    `yaml:"port"`
-	Callback string `yaml:"callback"`
+	Callback string                 `yaml:"callback"`
-	State    string `yaml:"state"`
+	State    string                 `yaml:"state"`
-	Issuer   Issuer `yaml:"issuer"`
+	Issuer   IdentityProviderServer `yaml:"issuer"`
-}
-
-type Issuer struct {
-	Host string `yaml:"host"`
-	Port int    `yaml:"port"`
 }
 
 type ServerParams struct {
@@ -62,7 +57,7 @@ func (s *Server) StartLogin(clients []oauth.Client, params ServerParams) error {
 
 	// make the login page SSO buttons and authorization URLs to write to stdout
 	buttons := ""
-	fmt.Printf("Login with external identity providers: \n")
+	fmt.Printf("Login with an identity provider: \n")
 	for i, client := range clients {
 		// fetch provider configuration before adding button
 		p, err := oidc.FetchServerConfig(client.Provider.Issuer)
@@ -79,8 +74,7 @@ func (s *Server) StartLogin(clients []oauth.Client, params ServerParams) error {
 
 		clients[i].Provider = *p
 		buttons += makeButton(fmt.Sprintf("/login?sso=%s", client.Id), client.Name)
-		url := client.BuildAuthorizationUrl(s.State)
+		fmt.Printf("\t%s: /login?sso=%s\n", client.Name, client.Id)
-		fmt.Printf("\t%s\n", url)
 	}
 
 	var code string
@@ -120,7 +114,9 @@ func (s *Server) StartLogin(clients []oauth.Client, params ServerParams) error {
 				client = &clients[index]
 
 				url := client.BuildAuthorizationUrl(s.State)
-				fmt.Printf("Redirect URL: %s\n", url)
+				if params.Verbose {
+					fmt.Printf("Redirect URL: %s\n", url)
+				}
 				http.Redirect(w, r, url, http.StatusFound)
 				return
 			}
@@ -145,38 +141,47 @@ func (s *Server) StartLogin(clients []oauth.Client, params ServerParams) error {
 			p    = params.AuthProvider
 			jwks []byte
 		)
-		// try and get the JWKS from param first
+
-		if p.Endpoints.JwksUri != "" {
+		fetchAndMarshal := func() (err error) {
-			err := p.FetchJwks()
+			err = p.FetchJwks()
 			if err != nil {
-				fmt.Printf("failed to fetch keys using JWKS url...trying to fetch config and try again...\n")
+				fmt.Printf("failed to fetch keys: %v\n", err)
+				return
 			}
 			jwks, err = json.Marshal(p.KeySet)
 			if err != nil {
 				fmt.Printf("failed to marshal JWKS: %v\n", err)
 			}
-		} else if p.Endpoints.Config != "" && jwks == nil {
+			return
-			// otherwise, try and fetch the whole config and try again
+		}
-			err := p.FetchServerConfig()
+
-			if err != nil {
+		// try and get the JWKS from param first
-				fmt.Printf("failed to fetch server config: %v\n", err)
+		if p.Endpoints.JwksUri != "" {
-				http.Redirect(w, r, "/error", http.StatusInternalServerError)
+			if err := fetchAndMarshal(); err != nil {
-				return
+				w.Write(jwks)
-			}
-			err = p.FetchJwks()
-			if err != nil {
-				fmt.Printf("failed to fetch JWKS after fetching server config: %v\n", err)
-				http.Redirect(w, r, "/error", http.StatusInternalServerError)
 				return
 			}
 		}
 
-		// forward the JWKS from the authorization server
+		// otherwise or if fetching the JWKS failed, try and fetch the whole config first and try again
-		if jwks == nil {
+		if p.Endpoints.Config != "" {
-			fmt.Printf("no JWKS was fetched from authorization server\n")
+			if err := p.FetchServerConfig(); err != nil {
-			http.Redirect(w, r, "/error", http.StatusInternalServerError)
+				fmt.Printf("failed to fetch server config: %v\n", err)
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+		} else {
+			fmt.Printf("getting JWKS from param failed and endpoints config unavailable\n")
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
 		}
+
+		if err := fetchAndMarshal(); err != nil {
+			fmt.Printf("failed to fetch and marshal JWKS after config update: %v\n", err)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			return
+		}
+
 		w.Write(jwks)
 	})
 	r.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {

pages/login.html

@@ -7,7 +7,7 @@
 			<input type="password" id="password" name="password" title="password" placeholder="Enter your password..." /><br/>
 			<button type="submit" class="btn">Login</button><br/>
 			<a class="forgot" href="#">Forgot Username?</a><br/>
-			<label>(hint: try 'ochami' for both username and password)</label>
+			<label>(hint: try 'openchami' for both username and password)</label>
 		</form>
 	</div><!--end log form -->
 </html>