diff --git a/foundation/auth/Cargo.toml b/foundation/auth/Cargo.toml index f5c4a37f..c1b5d38b 100644 --- a/foundation/auth/Cargo.toml +++ b/foundation/auth/Cargo.toml @@ -17,7 +17,7 @@ tracing = "0.1" reqwest = { version = "0.12.4", features = ["json", "charset"], default-features = false } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0" } -jsonwebtoken = { version = "9.2.0" } +jsonwebtoken = { version = "10.2", features = ["rust_crypto"] } thiserror = "2.0" async-trait = "0.1" home = "0.5" diff --git a/foundation/auth/src/token_source/compute_identity_source.rs b/foundation/auth/src/token_source/compute_identity_source.rs index 1ecf2558..7f5699be 100644 --- a/foundation/auth/src/token_source/compute_identity_source.rs +++ b/foundation/auth/src/token_source/compute_identity_source.rs @@ -1,5 +1,4 @@ use async_trait::async_trait; -use jsonwebtoken::Validation; use serde::Deserialize; use time::OffsetDateTime; use urlencoding::encode; @@ -20,8 +19,6 @@ use crate::token_source::{default_http_client, TokenSource}; pub struct ComputeIdentitySource { token_url: String, client: reqwest::Client, - decoding_key: jsonwebtoken::DecodingKey, - validation: jsonwebtoken::Validation, } impl std::fmt::Debug for ComputeIdentitySource { @@ -39,12 +36,6 @@ impl ComputeIdentitySource { Err(_e) => METADATA_IP.to_string(), }; - // Only used to extract the expiry without checking the signature. - let mut validation = Validation::default(); - validation.insecure_disable_signature_validation(); - validation.set_audience(&[audience]); - let decoding_key = jsonwebtoken::DecodingKey::from_secret(b""); - Ok(ComputeIdentitySource { token_url: format!( "http://{}/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format=full", @@ -52,8 +43,6 @@ impl ComputeIdentitySource { encode(audience) ), client: default_http_client(), - decoding_key, - validation, }) } } 
@@ -75,14 +64,12 @@ impl TokenSource for ComputeIdentitySource { .text() .await?; - let exp = jsonwebtoken::decode::(&jwt, &self.decoding_key, &self.validation)? - .claims - .exp; - + // Only used to extract the expiry without checking the signature. + let token = jsonwebtoken::dangerous::insecure_decode::(jwt.as_bytes())?; Ok(Token { access_token: jwt, token_type: "Bearer".into(), - expiry: OffsetDateTime::from_unix_timestamp(exp).ok(), + expiry: OffsetDateTime::from_unix_timestamp(token.claims.exp).ok(), }) } } diff --git a/foundation/auth/src/token_source/mod.rs b/foundation/auth/src/token_source/mod.rs index d0469b81..248ab261 100644 --- a/foundation/auth/src/token_source/mod.rs +++ b/foundation/auth/src/token_source/mod.rs @@ -66,16 +66,10 @@ impl InternalIdToken { }) } - fn get_exp(&self, audience: &str) -> Result { - let mut validation = jsonwebtoken::Validation::default(); - validation.insecure_disable_signature_validation(); - validation.set_audience(&[audience]); - let decoding_key = jsonwebtoken::DecodingKey::from_secret(b""); - Ok( - jsonwebtoken::decode::(self.id_token.as_str(), &decoding_key, &validation)? - .claims - .exp, - ) + fn get_exp(&self, _audience: &str) -> Result { + //skips all checks, so audience has to be manually checked if necessary + let token = jsonwebtoken::dangerous::insecure_decode::(self.id_token.as_bytes())?; + Ok(token.claims.exp) } }
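Review bot: The audience check is dropped here without a replacement — the removed `validation.set_audience(&[audience])` made `decode` reject a token whose `aud` claim did not match the requested audience, while `dangerous::insecure_decode` on the new side performs no claim validation at all, and the same applies to the `get_exp` hunk in mod.rs, whose `_audience` parameter is now unused. The mod.rs comment says the audience "has to be manually checked if necessary", but nothing in the commit adds that check, and `ComputeIdentitySource` no longer keeps the audience (after the struct hunk it holds only `token_url` and `client`), so `token()` has nothing to compare against. Suggest storing the audience on the struct and, after decoding, rejecting a mismatch with something like `if token.claims.aud != self.audience { return Err(/* project error type */) }` if the claims type carries `aud`; otherwise the comment should state that `aud` is deliberately trusted because the metadata server was asked for exactly that audience. Note also that the jsonwebtoken 9 default `Validation` rejected already-expired tokens, which `insecure_decode` does not, so an expired `exp` now yields a `Token` with a past `expiry` instead of an error, and callers that do not consult `expiry` should be confirmed. The enclosing `token()` method starts before the hunk.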