
      1 /*
      2    This file is part of GNUnet
      3    Copyright (C) 2010-2015 GNUnet e.V.
      4 
      5    GNUnet is free software: you can redistribute it and/or modify it
      6    under the terms of the GNU Affero General Public License as published
      7    by the Free Software Foundation, either version 3 of the License,
      8    or (at your option) any later version.
      9 
     10    GNUnet is distributed in the hope that it will be useful, but
     11    WITHOUT ANY WARRANTY; without even the implied warranty of
     12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     13    Affero General Public License for more details.
     14 
     15    You should have received a copy of the GNU Affero General Public License
     16    along with this program.  If not, see <http://www.gnu.org/licenses/>.
     17 
     18    SPDX-License-Identifier: AGPL3.0-or-later
     19  */
     20 
     21 /**
     22  * @file reclaim/oidc_helper.h
     23  * @brief helper library for OIDC related functions
     24  * @author Martin Schanzenbach
     25  */
     26 
     27 #ifndef JWT_H
     28 #define JWT_H
     29 
     30 #include "gnunet_util_lib.h"
     31 #include "gnunet_reclaim_service.h"
     32 #define JWT_ALG "alg"
     33 #define JWT_TYP "typ"
     34 #define JWT_TYP_VALUE "jwt"
     35 
     36 #define JWT_ALG_VALUE_HMAC "HS512"
     37 #define JWT_ALG_VALUE_RSA "RS256"
     38 
     39 #define SERVER_ADDRESS "http://localhost:7776"
     40 
     41 enum OIDC_VerificationOptions
     42 {
     43   /**
     44    * Strict verification: the PKCE code verifier is checked whenever one is expected
     45    */
     46   OIDC_VERIFICATION_DEFAULT = 0,
     47 
     48   /**
     49    * Skip the PKCE code verifier check even if one is expected (weakens the PKCE binding; see #OIDC_parse_authz_code)
     50    */
     51   OIDC_VERIFICATION_NO_CODE_VERIFIER = 1
     52 };
     53 
     54 /**
     55  * Create a JWT using the RS256 algorithm (#JWT_ALG_VALUE_RSA) from attributes
     56  *
     57  * @param rp_uri the RP URI
     58  * @param sub_key the public key of the subject
     59  * @param attrs the attribute list
     60  * @param presentations credential presentation list (may be empty)
     61  * @param expiration_time the validity of the token
        * @param nonce the nonce to include in the token
     62  * @param secret_rsa_key the key used to sign the JWT
     63  * @return a new base64-encoded JWT string.
     64  */
     65 char *
     66 OIDC_generate_id_token_rsa (const char *rp_uri,
     67                             const struct GNUNET_CRYPTO_BlindablePublicKey *
     68                             sub_key,
     69                             const struct GNUNET_RECLAIM_AttributeList *attrs,
     70                             const struct
     71                             GNUNET_RECLAIM_PresentationList *presentations,
     72                             const struct GNUNET_TIME_Relative *expiration_time,
     73                             const char *nonce,
     74                             const json_t *secret_rsa_key);
     75 
     76 /**
     77  * Create a JWT using HMAC (algorithm #JWT_ALG_VALUE_HMAC) from attributes
     78  *
     79  * @param rp_uri the RP URI
     80  * @param sub_key the public key of the subject
     81  * @param attrs the attribute list
     82  * @param presentations credential presentation list (may be empty)
     83  * @param expiration_time the validity of the token
        * @param nonce the nonce to include in the token
     84  * @param secret_key the key used to sign the JWT
     85  * @return a new base64-encoded JWT string.
     86  */
     87 char*
     88 OIDC_generate_id_token_hmac (const char *rp_uri,
     89                              const struct GNUNET_CRYPTO_BlindablePublicKey *
     90                              sub_key,
     91                              const struct GNUNET_RECLAIM_AttributeList *attrs,
     92                              const struct
     93                              GNUNET_RECLAIM_PresentationList *presentations,
     94                              const struct GNUNET_TIME_Relative *expiration_time,
     95                              const char *nonce,
     96                              const char *secret_key);
     97 
     98 /**
     99  * Builds an OIDC authorization code including
    100  * a reclaim ticket and nonce
    101  *
    102  * @param issuer the issuer (signing key of the code)
    103  * @param ticket the ticket to include in the code
    104  * @param attrs list of attributes to share
    105  * @param presentations credential presentation list
    106  * @param nonce the nonce to include in the code
    107  * @param code_challenge PKCE code challenge to embed in the code
    110  * @return a new authorization code (caller must free)
    111  */
    111 char*
    112 OIDC_build_authz_code (const struct GNUNET_CRYPTO_BlindablePrivateKey *issuer,
    113                        const struct GNUNET_RECLAIM_Ticket *ticket,
    114                        const struct GNUNET_RECLAIM_AttributeList *attrs,
    115                        const struct
    116                        GNUNET_RECLAIM_PresentationList *presentations,
    117                        const char *nonce,
    118                        const char *code_challenge);
    119 
    120 /**
    121  * Parse the reclaim ticket and nonce from an
    122  * authorization code.
    123  * This also verifies the signature in the code and, when a code
        * verifier is expected and #OIDC_VERIFICATION_NO_CODE_VERIFIER is not
        * set, the PKCE code verifier.
    124  *
    125  * @param rp_uri the RP URI
        * @param cid the public key the code is verified against
    126  * @param code the string representation of the code
    127  * @param code_verifier PKCE code verifier
    128  * @param ticket where to store the ticket
    129  * @param attrs where to store the attributes found in the code
    130  * @param presentations where to store the credential presentation list
    131  * @param nonce where to store the nonce
        * @param opts verification options (see #OIDC_VerificationOptions)
        * @param emsg where to store an error message on failure
    132  * @return GNUNET_OK if successful, else GNUNET_SYSERR
    133  */
    134 int
    135 OIDC_parse_authz_code (const char *rp_uri,
    136                        const struct GNUNET_CRYPTO_BlindablePublicKey *cid,
    137                        const char *code,
    138                        const char *code_verifier,
    139                        struct GNUNET_RECLAIM_Ticket *ticket,
    140                        struct GNUNET_RECLAIM_AttributeList **attrs,
    141                        struct GNUNET_RECLAIM_PresentationList **presentations,
    142                        char **nonce,
    143                        enum OIDC_VerificationOptions opts, char **emsg);
    144 
    145 /**
    146  * Build a token response for a token request
    147  * TODO: Maybe we should add the scope here?
    148  *
    149  * @param access_token the access token to include
    150  * @param id_token the id_token to include
    151  * @param expiration_time the expiration time of the token(s)
    152  * @param token_response where to store the response
    153  */
    154 void
    155 OIDC_build_token_response (const char *access_token,
    156                            const char *id_token,
    157                            const struct GNUNET_TIME_Relative *expiration_time,
    158                            char **token_response);
    159 
    160 /**
    161  * Generate a new access token for a ticket
    162  *
        * @param ticket the ticket the access token refers to
        * @param rp_uri the RP URI
        * @return a new access token string
    162  */
    163 char*
    164 OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket,
    165                        const char *rp_uri);
    166 
    167 /**
    168  * Parse an access token
    169  *
        * @param token the access token to parse
        * @param ticket where to store the ticket
        * @param rp_uri where to store the RP URI
        * @return GNUNET_OK if successful, else an error value
    169  */
    170 int
    171 OIDC_access_token_parse (const char *token,
    172                          struct GNUNET_RECLAIM_Ticket **ticket,
    173                          char **rp_uri);
    174 
    175 
    176 /**
    177  * Checks if a claim is implicitly requested through standard
    178  * scope(s)
    179  *
    180  * @param scopes the scopes which have been requested
    181  * @param attr the attribute name to check
    182  * @return GNUNET_YES if attribute is implicitly requested
    183  */
    184 enum GNUNET_GenericReturnValue
    185 OIDC_check_scopes_for_claim_request (const char *scopes,
    186                                      const char *attr);
    187 
    188 
    189 /**
    190  * Generate userinfo JSON as string
    191  *
    192  * @param sub_key the subject (user)
    193  * @param attrs user attribute list
    194  * @param presentations credential presentation list
    195  * @return Userinfo JSON
    196  */
    197 char *
    198 OIDC_generate_userinfo (const struct GNUNET_CRYPTO_BlindablePublicKey *sub_key,
    199                         const struct GNUNET_RECLAIM_AttributeList *attrs,
    200                         const struct
    201                         GNUNET_RECLAIM_PresentationList *presentations);
    202 
    203 #endif