add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev
depend on liboauth2 >= 2.1.0; bump to 4.1.0dev

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
zandbelt committed Sep 16, 2024
1 parent 5a7640d commit 050517a
Showing 7 changed files with 46 additions and 28 deletions.
5 changes: 5 additions & 0 deletions ChangeLog
@@ -1,3 +1,8 @@
09/16/2024
- add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev
- depend on liboauth2 >= 2.1.0
- bump to 4.1.0dev

08/22/2024
- change LICENSE to Apache 2.0
- depend on liboauth2 >= 2.0.0
1 change: 1 addition & 0 deletions Makefile.am
Expand Up @@ -25,6 +25,7 @@ lib_LTLIBRARIES = @PACKAGE_NAME@.la
src/liboauth2-sts/src/ropc.c \
src/liboauth2-sts/src/cc.c \
src/liboauth2-sts/src/otx.c \
src/liboauth2-sts/src/jwt.c \
src/@PACKAGE_NAME@.c
@PACKAGE_NAME@_la_LDFLAGS = -module

33 changes: 13 additions & 20 deletions README.md
Expand Up @@ -78,44 +78,32 @@ mechanism to obtain an OAuth 2.0 access token that can be used to authenticate t
WS-Trust STS using HTTP Basic authentication.

```apache
LogLevel sts:debug
<Location /sts/wstrust>
STSExchange wstrust https://pingfed:9031/pf/sts.wst \
auth=basic&username=wstrust&password=2Federate&\
applies_to=urn:pingfed&\
value_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&\
token_type=urn:bogus:token&\
ssl_verify=false
ProxyPass http://echo:8080
ProxyPassReverse http://echo:8080
</Location>
```

OAuth 2.0 Resource Owner Password Credentials based STS using `client_secret_basic` authentication.

```apache
LogLevel sts:debug
<Location /sts/ropc>
STSExchange ropc https://pingfed:9031/as/token.oauth2 \
auth=client_secret_basic&\
client_id=sts0&\
client_secret=2Federate&\
username=dummy&\
ssl_verify=false
ProxyPass http://echo:8080
ProxyPassReverse http://echo:8080
</Location>
```

OAuth 2.0 Client Credentials token retrieval using `client_secret_basic` authentication.

```apache
LogLevel sts:debug
<Location /sts/cc>
SetEnvIfExpr true dummy=dummy
STSAcceptSourceTokenIn environment name=dummy
Expand All @@ -125,27 +113,32 @@ auth=client_secret_basic&\
client_id=cc_client&\
client_secret=mysecret&\
ssl_verify=false
ProxyPass http://echo:8080
ProxyPassReverse http://echo:8080
</Location>
```

OAuth 2.0 Token Exchange using `client_secret_basic` authentication.


```apache
LogLevel sts:debug
<Location /sts/otx>
STSExchange otx https://keycloak:8443/auth/realms/master/protocol/openid-connect/token \
auth=client_secret_basic&\
client_id=otxclient&\
client_secret=2Federate&\
ssl_verify=false
</Location>
```

ProxyPass http://echo:8080
ProxyPassReverse http://echo:8080
JWT generation from a incoming access token verified by mod_oauth2. The JSON payload is passed between the modules in an environment variable.

```apache
<Location /sts/jwk>
AuthType oauth2
Require valid-user
OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate
OAuth2TargetPass json_payload_claim=payload&headers=false
STSAcceptSourceTokenIn environment name=OAUTH2_CLAIM_payload
STSExchange jwt "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\",\"d\":\"Xc9d-kZERQVC0Dzh1b0sCwJE75Bf1fMr4hHAjJsovjV641ElqRdd4Borp9X2sJVcLTq1wWgmvmjYXgvhdTTg2f-vS4dqhPcGjM3VVUhzzPU6wIdZ7W0XzC1PY4E-ozTBJ1Nr-EhujuftnhRhVjYOkAAqU94FXVsaf2mBAKg-8WzrWx2MeWjfLcE79DmSL9Iw2areKVRGlKddIIPnHb-Mw9HB7ZCyVTC1v5sqhQPy6qPo8XHdQju_EYRlIOMksU8kcb20R_ezib_rHuVwJVlTNk6MvFUIj4ayXdX13Qy4kTBRiQM7pumPaypEE4CrAfTWP0AYnEwz_FGluOpMZNzoAQ\"}"
STSPassTargetTokenIn header
</Location>
```

6 changes: 3 additions & 3 deletions configure.ac
@@ -1,4 +1,4 @@
AC_INIT([mod_sts],[4.0.0],[hans.zandbelt@openidc.com])
AC_INIT([mod_sts],[4.1.0dev],[hans.zandbelt@openidc.com])

AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
AC_CONFIG_MACRO_DIRS([m4])
Expand Down Expand Up @@ -27,11 +27,11 @@ AC_SUBST(APR_LIBS)
AC_SUBST(APACHE_CFLAGS)
AC_ARG_VAR(APXS_OPTS, [additional command line options to pass to apxs])

PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.0.0])
PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.1.0])
AC_SUBST(OAUTH2_CFLAGS)
AC_SUBST(OAUTH2_LIBS)

PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.0.0])
PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.1.0])
AC_SUBST(OAUTH2_APACHE_CFLAGS)
AC_SUBST(OAUTH2_APACHE_LIBS)

2 changes: 1 addition & 1 deletion src/liboauth2-sts
6 changes: 3 additions & 3 deletions src/mod_sts.c
Expand Up @@ -126,8 +126,8 @@ OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, accept_source_token_in,
sts_cfg_set_accept_source_token_in, cfg)
OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, pass_target_token_in,
sts_cfg_set_pass_target_token_in, cfg)
OAUTH2_APACHE_CMD_ARGS3(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
cfg)
OAUTH2_APACHE_CMD_ARGSV4(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
cfg)

// clang-format off

Expand All @@ -153,7 +153,7 @@ static const command_rec OAUTH2_APACHE_COMMANDS(sts)[] = {
pass_target_token_in,
"Configures in which way the target token is passed to the application."),

OAUTH2_APACHE_CMD_ARGS(sts, 23,
OAUTH2_APACHE_CMD_ARGS(sts, _ARGV,
STSExchange,
exchange,
"Configures the token exchange protocol and parameters."),
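Review bot: The help text on the `STSExchange` command, `"Configures the token exchange protocol and parameters."`, no longer describes the directive's full shape now that it takes a variable argument list (`OAUTH2_APACHE_CMD_ARGSV4` in the first hunk, `_ARGV` in the second); the `jwt` type adds an optional trailing filter expression, per the sts.conf change in the same commit. Suggest `"Configures the token exchange protocol, endpoint or JWK, parameters and, for the jwt type, an optional JQ filter expression."`. `OAUTH2_APACHE_CMD_ARGSV4` and the `_ARGV` form presumably come from liboauth2_apache >= 2.1.0, matching the configure.ac bump, but the argument-count handling is not visible here, so it is worth confirming that `sts_cfg_set_exchange` rejects a fourth argument for types other than jwt rather than silently ignoring it. `_ARGV` as written looks like a reserved identifier (leading underscore plus uppercase), which is acceptable only if the macro pastes it onto a prefix such as Apache's `AP_INIT_TAKE_ARGV` rather than using it as a name in its own right. The `OAUTH2_APACHE_COMMANDS(sts)[]` array begins outside the second hunk.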
21 changes: 20 additions & 1 deletion sts.conf
@@ -1,12 +1,13 @@
# Set mode/protocol, endpoint URL and options for calling the STS
#
#STSExchange <type> <endpoint> <options>
#STSExchange <type> <endpoint|jwk> <options> [<expression>]
#
# <type>=[ wstrust | ropc | otx | disabled ]
# wstrust : WS-Trust
# ropc : OAuth 2.0 Resource Owner Password Credentials grant
# cc : OAuth 2.0 Client Credentials grant
# otx : OAuth 2.0 Token Exchange
# jwt : JWT token generation, optionally with JQ processing
# disabled : don't perform any attempt to exchange a token
#
# <endpoint> = <string>
Expand Down Expand Up @@ -157,6 +158,24 @@
# subject_token_type urn:ietf:params:oauth:token-type:access_token
# i.e. set the source token to an OAuth 2.0 access token

#
# JWT token generation, optionally with JQ processing
# (<type>=jwt)
#
# <jwk>
# Set the JWK that is used to sign the JWT, must be a private key.
#
# JWT Options:
#
# alg=<sting>
# iss=<string>
# sub=<string>
# client_id=<string>
# aud=<string>
# jq.cache.name=<string>
#
# <expression>
# JQ filter to be applied to the input JSON object before signing the JWT

#
# Source Token Settings
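Review bot: The `<type>` enumeration at the top of the first hunk, `# <type>=[ wstrust | ropc | otx | disabled ]`, was not extended when the `jwt` line was added to the per-type list directly below it (it also still omits `cc`, which that list already documents); it should read `# <type>=[ wstrust | ropc | cc | otx | jwt | disabled ]`. In the second hunk, `# alg=<sting>` should be `# alg=<string>`. The `<jwk>` description states the key must be a private key while the usage line shows it passed as a positional argument of `STSExchange`, so the signing key lives in the Apache configuration itself (the README example in this commit shows a full RSA private JWK inline); a comment such as `# NOTE: <jwk> is private key material - restrict read access to this file and keep it out of version control` would make that explicit. Whether an alternative to an inline JWK is supported is not visible from this commit.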
