taldir

Directory service to resolve wallet mailboxes by messenger addresses

commit bf45794b22dc3afb823b36dcc9affe518a011840
parent 3f833d11deaf1abda39fe04aa77ff8b7b067d64f
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Tue, 23 Dec 2025 12:39:22 +0900

Make JWT algos configurable

Diffstat:
Mpkg/taldir/oidc_validator.go | 17++++++++++++-----
Mtaldir.conf.example | 1+
2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkg/taldir/oidc_validator.go b/pkg/taldir/oidc_validator.go
@@ -67,6 +67,9 @@ type OidcValidator struct {
 // JWKS endpoint
 jwksEndpoint string
+ // Supported JWK algos
+ jwtAlgos []jose.SignatureAlgorithm
+
 // OIDC authorization endpoint
 authorizationEndpoint string
@@ -157,26 +160,24 @@ func (t OidcValidator) ProcessOidcCallback(r *http.Request) (string, string, err
 req, err = http.NewRequest("POST", t.tokenEndpoint, strings.NewReader(data.Encode()))
 if err != nil {
- return "", "", fmt.Errorf("failed to create token request")
+ return "", "", fmt.Errorf("failed to create token request: %v", err)
 }
 req.SetBasicAuth(t.clientID, t.clientSecret)
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 client = &http.Client{}
 resp, err = client.Do(req)
 if err != nil {
- return "", "", fmt.Errorf("failed to execute token request")
+ return "", "", fmt.Errorf("failed to execute token request: %v", err)
 }
 if resp.StatusCode != http.StatusOK {
 return "", "", fmt.Errorf("unexpected response code %d", resp.StatusCode)
 }
- // TODO unmarshal JSON, retrieve/check against state, return hAlias and challenge
-
 var tokenResponse OidcTokenResponse
 err = json.NewDecoder(resp.Body).Decode(&tokenResponse)
 if err != nil {
 return "", "", fmt.Errorf("unable to parse token response: %v", err)
 }
- token, err := jwt.ParseSigned(tokenResponse.IDToken, []jose.SignatureAlgorithm{jose.RS256})
+ token, err := jwt.ParseSigned(tokenResponse.IDToken, t.jwtAlgos)
 if err != nil {
 return "", "", fmt.Errorf("unable to parse token: %v", err)
 }
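Review bot: The comment on the new field, `// Supported JWK algos`, names the wrong concept: the slice is handed to jwt.ParseSigned as the allow-list of JWS signature algorithms for the ID token, not a set of JWK key types. Suggest `// Signature algorithms accepted for the ID token; ParseSigned rejects a token whose alg is not in this list` so a reader understands that a misconfigured list fails closed rather than open. The OidcValidator struct continues outside the hunk.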
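Review bot: `resp.Body` is never closed after `resp, err = client.Do(req)` in the lines this hunk reworks, so each callback leaks the token-endpoint connection; add `defer resp.Body.Close()` directly after the error check. The zero-value `client = &http.Client{}` also carries no timeout, so a slow or stalled IdP pins the callback handler indefinitely; binding the outbound call to the inbound request, `req, err = http.NewRequestWithContext(r.Context(), "POST", t.tokenEndpoint, strings.NewReader(data.Encode()))`, or setting `Timeout` on the client bounds that. The new error returns format the cause with `%v`; `%w` would let callers inspect it with errors.Is/As. ProcessOidcCallback starts and ends outside the hunk, so whether the signature is later verified against the JWKS key cannot be seen here.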
@@ -206,6 +207,11 @@ func makeOidcValidator(cfg *TaldirConfig, name string, landingPageTpl *template.
 // FIXME escape URI?
 redirectURI := fmt.Sprintf("%s/oidc_validator/%s", baseURL, name)
 sec := cfg.Ini.Section("taldir-validator-" + name)
+ algos := strings.Split(sec.Key("jwt_algos").MustString("RS256"), ",")
+ algoCast := make([]jose.SignatureAlgorithm, 0)
+ for _,a := range algos {
+ algoCast = append(algoCast, jose.SignatureAlgorithm(a))
+ }
 return OidcValidator{
 name: name,
 config: cfg,
@@ -219,5 +225,6 @@ func makeOidcValidator(cfg *TaldirConfig, name string, landingPageTpl *template.
 validAliasRegex: sec.Key("valid_alias_regex").MustString(""),
 redirectURI: redirectURI,
 authorizationsState: make(map[string]*AuthorizationsState, 0),
+ jwtAlgos: algoCast,
 }
 }
diff --git a/taldir.conf.example b/taldir.conf.example
@@ -43,5 +43,6 @@ client_id=test
 client_secret=testsecret
 scope=openid email
 valid_alias_regex='^\S+@\S+\.\S+$'
+jwt_algos=RS256,ES256
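Review bot: The `jwt_algos` value is split on commas but each entry is neither trimmed nor validated, so an ini value written as `RS256, ES256` yields the algorithm `" ES256"`, which matches nothing and silently rejects every token signed with it, and an empty value yields a single `""` entry with the same effect. Trim each entry, drop blanks, and pre-size the slice; since makeOidcValidator appears to return the validator with no error path (its signature is cut off in the hunk header), a list that ends up empty should at least be logged at startup so the operator sees why every login fails. It would also help to note in the config example that the list should hold asymmetric algorithms, since the verification key presumably comes from the jwksEndpoint field. Use gofmt spacing, `for _, a := range algos`.
```go
algos := strings.Split(sec.Key("jwt_algos").MustString("RS256"), ",")
algoCast := make([]jose.SignatureAlgorithm, 0, len(algos))
for _, a := range algos {
	a = strings.TrimSpace(a)
	if a == "" {
		continue // tolerate trailing commas and blank entries
	}
	algoCast = append(algoCast, jose.SignatureAlgorithm(a))
}
// … unchanged: return OidcValidator{ … } …
```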