add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev

depend on liboauth2 >= 2.1.0; bump to 4.1.0dev Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Sep 16, 2024 · 050517a · 050517a
1 parent 5a7640d
commit 050517a
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 28 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+09/16/2024
+- add JWT handler wih optional JQ filtering in liboauth2-sts 4.1.0dev
+- depend on liboauth2 >= 2.1.0
+- bump to 4.1.0dev
+
 08/22/2024
 - change LICENSE to Apache 2.0
 - depend on liboauth2 >= 2.0.0

diff --git a/Makefile.am b/Makefile.am
@@ -25,6 +25,7 @@ lib_LTLIBRARIES = @[email protected]
 	src/liboauth2-sts/src/ropc.c \
 	src/liboauth2-sts/src/cc.c \
 	src/liboauth2-sts/src/otx.c \
+	src/liboauth2-sts/src/jwt.c \
 	src/@[email protected]	
 @PACKAGE_NAME@_la_LDFLAGS = -module
 

diff --git a/README.md b/README.md
@@ -78,44 +78,32 @@ mechanism to obtain an OAuth 2.0 access token that can be used to authenticate t
 WS-Trust STS using HTTP Basic authentication.
 
 ```apache
-LogLevel sts:debug
-
 <Location /sts/wstrust>	
 	STSExchange wstrust https://pingfed:9031/pf/sts.wst \
 auth=basic&username=wstrust&password=2Federate&\
 applies_to=urn:pingfed&\
 value_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&\
 token_type=urn:bogus:token&\
 ssl_verify=false
-
-	ProxyPass http://echo:8080
-	ProxyPassReverse http://echo:8080
 </Location>
 ```
 
 OAuth 2.0 Resource Owner Password Credentials based STS using `client_secret_basic` authentication.
 
 ```apache
-LogLevel sts:debug
-
 <Location /sts/ropc>
 	STSExchange ropc https://pingfed:9031/as/token.oauth2 \
 auth=client_secret_basic&\
 client_id=sts0&\
 client_secret=2Federate&\
 username=dummy&\
 ssl_verify=false
-
-	ProxyPass http://echo:8080
-	ProxyPassReverse http://echo:8080
 </Location>
 ```
 
 OAuth 2.0 Client Credentials token retrieval using `client_secret_basic` authentication.
 
 ```apache
-LogLevel sts:debug
-
 <Location /sts/cc>
 	SetEnvIfExpr true dummy=dummy
 	STSAcceptSourceTokenIn environment name=dummy
@@ -125,27 +113,32 @@ auth=client_secret_basic&\
 client_id=cc_client&\
 client_secret=mysecret&\
 ssl_verify=false
-
-	ProxyPass http://echo:8080
-	ProxyPassReverse http://echo:8080
 </Location>
 ```
 
 OAuth 2.0 Token Exchange using `client_secret_basic` authentication.
 
-
 ```apache
-LogLevel sts:debug
-
 <Location /sts/otx>
 	STSExchange otx https://keycloak:8443/auth/realms/master/protocol/openid-connect/token \
 auth=client_secret_basic&\
 client_id=otxclient&\
 client_secret=2Federate&\
 ssl_verify=false
+</Location>
+```
 
-	ProxyPass http://echo:8080
-	ProxyPassReverse http://echo:8080
+JWT generation from a incoming access token verified by mod_oauth2. The JSON payload is passed between the modules in an environment variable.
+
+```apache
+<Location /sts/jwk>
+	AuthType oauth2
+	Require valid-user
+	OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate
+	OAuth2TargetPass json_payload_claim=payload&headers=false
+	STSAcceptSourceTokenIn environment name=OAUTH2_CLAIM_payload
+	STSExchange jwt "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\",\"d\":\"Xc9d-kZERQVC0Dzh1b0sCwJE75Bf1fMr4hHAjJsovjV641ElqRdd4Borp9X2sJVcLTq1wWgmvmjYXgvhdTTg2f-vS4dqhPcGjM3VVUhzzPU6wIdZ7W0XzC1PY4E-ozTBJ1Nr-EhujuftnhRhVjYOkAAqU94FXVsaf2mBAKg-8WzrWx2MeWjfLcE79DmSL9Iw2areKVRGlKddIIPnHb-Mw9HB7ZCyVTC1v5sqhQPy6qPo8XHdQju_EYRlIOMksU8kcb20R_ezib_rHuVwJVlTNk6MvFUIj4ayXdX13Qy4kTBRiQM7pumPaypEE4CrAfTWP0AYnEwz_FGluOpMZNzoAQ\"}"
+	STSPassTargetTokenIn header
 </Location>
 ```
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_sts],[4.0.0],[[email protected]])
+AC_INIT([mod_sts],[4.1.0dev],[[email protected]])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -27,11 +27,11 @@ AC_SUBST(APR_LIBS)
 AC_SUBST(APACHE_CFLAGS)
 AC_ARG_VAR(APXS_OPTS, [additional command line options to pass to apxs])
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.0.0])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 2.1.0])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.0.0])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 2.1.0])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 

diff --git a/src/liboauth2-sts b/src/liboauth2-sts
diff --git a/src/mod_sts.c b/src/mod_sts.c
@@ -126,8 +126,8 @@ OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, accept_source_token_in,
 			sts_cfg_set_accept_source_token_in, cfg)
 OAUTH2_APACHE_CMD_ARGS2(sts, oauth2_sts_cfg_t, pass_target_token_in,
 			sts_cfg_set_pass_target_token_in, cfg)
-OAUTH2_APACHE_CMD_ARGS3(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
-			cfg)
+OAUTH2_APACHE_CMD_ARGSV4(sts, oauth2_sts_cfg_t, exchange, sts_cfg_set_exchange,
+			 cfg)
 
 // clang-format off
 
@@ -153,7 +153,7 @@ static const command_rec OAUTH2_APACHE_COMMANDS(sts)[] = {
 		pass_target_token_in,
 		"Configures in which way the target token is passed to the application."),
 
-	OAUTH2_APACHE_CMD_ARGS(sts, 23,
+	OAUTH2_APACHE_CMD_ARGS(sts, _ARGV,
 		STSExchange,
 		exchange,
 		"Configures the token exchange protocol and parameters."),

diff --git a/sts.conf b/sts.conf
@@ -1,12 +1,13 @@
 # Set mode/protocol, endpoint URL and options for calling the STS
 #
-#STSExchange <type> <endpoint> <options>
+#STSExchange <type> <endpoint|jwk> <options> [<expression>]
 #
 # <type>=[ wstrust | ropc | otx | disabled ]
 # wstrust       : WS-Trust
 # ropc          : OAuth 2.0 Resource Owner Password Credentials grant
 # cc            : OAuth 2.0 Client Credentials grant
 # otx           : OAuth 2.0 Token Exchange
+# jwt           : JWT token generation, optionally with JQ processing
 # disabled      : don't perform any attempt to exchange a token
 #
 # <endpoint> = <string>
@@ -157,6 +158,24 @@
 #   subject_token_type urn:ietf:params:oauth:token-type:access_token
 # i.e. set the source token to an OAuth 2.0 access token
 
+#
+# JWT token generation, optionally with JQ processing
+# (<type>=jwt)
+#
+# <jwk>
+# Set the JWK that is used to sign the JWT, must be a private key.
+#
+# JWT Options:
+#
+# alg=<sting>
+# iss=<string>
+# sub=<string>
+# client_id=<string>
+# aud=<string>
+# jq.cache.name=<string>
+#
+# <expression>
+# JQ filter to be applied to the input JSON object before signing the JWT
 
 #
 # Source Token Settings