Merge pull request #214 from DIMO-Network/feature/si-2529-add-audienc…

…e-to-privilege-tokens

Adds audience field to sign token messages.

.github/workflows/ci.yaml

@@ -64,7 +64,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version: "1.20"
 
       - name: Checkout code
         uses: actions/checkout@v3

Makefile

@@ -20,7 +20,7 @@ GOLANGCI_VERSION   = 1.52.0
 GOTESTSUM_VERSION ?= 1.9.0
 
 PROTOC_VERSION             = 21.12
-PROTOC_GEN_GO_VERSION      = 1.28.1
+PROTOC_GEN_GO_VERSION      = 1.30.0
 PROTOC_GEN_GO_GRPC_VERSION = 1.3.0
 
 KIND_VERSION    = 0.17.0

api/v2/api.proto

@@ -169,6 +169,7 @@ message SignTokenResp {
 message SignTokenReq {
   string subject = 1;
   google.protobuf.Struct custom_claims = 2;
+  repeated string audience = 3;
 }
 
 // Dex represents the dex gRPC service.

connector/web3/web3.go

@@ -4,14 +4,16 @@ package web3
 import (
 	"errors"
 	"fmt"
-	"github.com/dexidp/dex/connector"
-	"github.com/dexidp/dex/pkg/log"
+
 	"github.com/ethereum/go-ethereum/accounts"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/ethclient"
+
+	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/pkg/log"
 )
 
 type Config struct {
@@ -136,6 +138,6 @@ func signHash(data []byte) []byte {
 	return accounts.TextHash(data)
 }
 
-func createEthClient(rpcUrl string) (bind.ContractBackend, error) {
-	return ethclient.Dial(rpcUrl)
+func createEthClient(rpcURL string) (bind.ContractBackend, error) {
+	return ethclient.Dial(rpcURL)
 }

connector/web3/web3_test.go

@@ -4,7 +4,9 @@ import (
 	"crypto/ecdsa"
 	"errors"
 	"fmt"
-	"github.com/dexidp/dex/connector"
+	"math/big"
+	"testing"
+
 	"github.com/ethereum/go-ethereum/accounts"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind/backends"
@@ -14,8 +16,8 @@ import (
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
-	"math/big"
-	"testing"
+
+	"github.com/dexidp/dex/connector"
 )
 
 type BkTest struct {

server/api.go

@@ -379,6 +379,7 @@ func (d dexAPI) SignToken(ctx context.Context, req *api.SignTokenReq) (*api.Sign
 		"iat": issuedAt.Unix(),
 		"exp": expiry.Unix(),
 		"iss": d.serverConfig.Issuer,
+		"aud": req.Audience,
 	}
 
 	claims := req.CustomClaims.AsMap()

server/handlers.go

@@ -7,15 +7,11 @@ import (
 	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"github.com/ethereum/go-ethereum/accounts/abi/bind"
-	"github.com/ethereum/go-ethereum/ethclient"
 	"html/template"
 	"math/big"
 	"net/http"
 	"net/url"
-	"os"
 	"path"
 	"regexp"
 	"sort"
@@ -26,12 +22,12 @@ import (
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/gorilla/mux"
+	"github.com/spruceid/siwe-go"
 	jose "gopkg.in/square/go-jose.v2"
 
 	"github.com/dexidp/dex/connector"
 	"github.com/dexidp/dex/server/internal"
 	"github.com/dexidp/dex/storage"
-	"github.com/spruceid/siwe-go"
 )
 
 const (
@@ -270,7 +266,6 @@ func (s *Server) handleGenerateChallenge(w http.ResponseWriter, r *http.Request)
 
 	siweMessage, err := siwe.InitMessage(s.issuerURL.Host, addr.Hex(), s.issuerURL.String(), nonce, options)
 	if err != nil {
-		//asd
 		s.renderErrorJSON(w, http.StatusInternalServerError, err.Error())
 		return
 	}
@@ -1892,16 +1887,3 @@ func usernamePrompt(conn connector.PasswordConnector) string {
 	}
 	return "Username"
 }
-
-func createEthClient() (bind.ContractBackend, error) {
-	rpcUrl := os.Getenv("ETH_RPC_CLIENT")
-	if rpcUrl != "" {
-		client, err := ethclient.Dial(rpcUrl)
-		if err != nil {
-			return nil, err
-		}
-		return client, nil
-	}
-
-	return nil, errors.New("could not initialize eth client with url")
-}

server/oauth2.go

@@ -94,7 +94,7 @@ func tokenErr(w http.ResponseWriter, typ, description string, statusCode int) er
 	return nil
 }
 
-// nolint
+//nolint
 const (
 	errInvalidRequest          = "invalid_request"
 	errUnauthorizedClient      = "unauthorized_client"