
Commit ce39f2d

Refactor code into a method
1 parent 74f9245 commit ce39f2d


2 files changed

+19
-7
lines changed


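--- a/cli/server.go
+++ b/cli/server.go
@@ -589,6 +589,10 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 
 	var useCfg httpmw.OAuth2Config = oauthCfg
 	if cfg.OIDC.ClientKeyFile != "" {
+		// PKI authentication is done in the params. If a
+		// counter example is found, we can add a config option to
+		// change this.
+		oauthCfg.Endpoint.AuthStyle = oauth2.AuthStyleInParams
 		if cfg.OIDC.ClientSecret != "" {
 			return xerrors.Errorf("cannot specify both oidc client secret and oidc client key file")
 		}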
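Review bot: The new comment above `oauthCfg.Endpoint.AuthStyle = oauth2.AuthStyleInParams` says what is set but not why, and "if a counter example is found" gives the next maintainer nothing to check against. The reason worth recording is that the key-file path has no client secret (the check right below enforces that), so the client must authenticate with the `client_assertion` that the oauthpki wrapper adds to the request body, and the oauth2 library's default auto-detection would, as far as I recall, first attempt HTTP Basic with an empty secret; suggest `// private_key_jwt clients authenticate with a client_assertion in the request body (RFC 7523), so force params here rather than letting oauth2 try HTTP Basic with an empty secret.` Also note the assignment mutates `oauthCfg` after `useCfg` was already initialised from it on the line above; if `oauthCfg` is a `*oauth2.Config` the change is visible through `useCfg`, but if it is a value the two diverge, so either confirm the type or move the assignment above the `var useCfg` line. The enclosing `Server` function starts and ends outside this hunk.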

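--- a/coderd/oauthpki/oidcpki.go
+++ b/coderd/oauthpki/oidcpki.go
@@ -104,6 +104,18 @@ func (ja *Config) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) strin
 
 // Exchange includes the client_assertion signed JWT.
 func (ja *Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	signed, err := ja.jwtToken()
+	if err != nil {
+		return nil, xerrors.Errorf("failed jwt assertion: %w", err)
+	}
+	opts = append(opts,
+		oauth2.SetAuthURLParam("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
+		oauth2.SetAuthURLParam("client_assertion", signed),
+	)
+	return ja.cfg.Exchange(ctx, code, opts...)
+}
+
+func (ja *Config) jwtToken() (string, error) {
 	now := time.Now()
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
 		"iss": ja.clientID,
@@ -118,16 +130,12 @@ func (ja *Config) Exchange(ctx context.Context, code string, opts ...oauth2.Auth
 
 	signed, err := token.SignedString(ja.clientKey)
 	if err != nil {
-		return nil, xerrors.Errorf("failed to sign jwt assertion: %w", err)
+		return "", xerrors.Errorf("sign jwt assertion: %w", err)
 	}
-
-	opts = append(opts,
-		oauth2.SetAuthURLParam("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
-		oauth2.SetAuthURLParam("client_assertion", signed),
-	)
-	return ja.cfg.Exchange(ctx, code, opts...)
+	return signed, nil
 }
 
 func (ja *Config) TokenSource(ctx context.Context, token *oauth2.Token) oauth2.TokenSource {
+	// TODO: Hijack the http.Client to insert proper client auth assertions.
 	return ja.cfg.TokenSource(ctx, token)
 }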
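Review bot: The extracted `jwtToken` in the first hunk has no doc comment, and since `Exchange` now signs a fresh assertion on every call, a reader should be told that is intentional rather than an oversight; suggest `// jwtToken signs a fresh RS256 client_assertion (RFC 7523 jwt-bearer) with ja.clientKey for one token request; the claims it sets are built below.` The claim set itself (the lines between the two hunks) is not visible here, so I cannot confirm it carries the `exp`/`jti` a provider would use to reject replayed assertions. The new wrapping in `Exchange` yields messages like "failed jwt assertion: sign jwt assertion: …"; dropping the `failed` prefix, `return nil, xerrors.Errorf("jwt assertion: %w", err)`, matches the convention the inner error already follows. The TODO added to `TokenSource` would be more useful if it stated the consequence: refreshes issued through the returned source go out without a `client_assertion`, so a provider that requires private_key_jwt will reject them and users will be sent back through the login flow, which operators might otherwise diagnose as a provider fault.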
