diff --git a/Cargo.toml b/Cargo.toml index abf54390..8eae52f8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,7 +15,7 @@ all-features = true maintenance = { status = "actively-developed" } [features] -default = ["reqwest", "rustls-tls"] +default = ["reqwest", "rustls-tls", "backchannel-logout"] curl = ["oauth2/curl"] reqwest = ["oauth2/reqwest"] ureq = ["oauth2/ureq"] @@ -23,6 +23,7 @@ native-tls = ["oauth2/native-tls"] rustls-tls = ["oauth2/rustls-tls"] accept-rfc3339-timestamps = [] nightly = [] +backchannel-logout = [] [dependencies] base64 = "0.13" diff --git a/src/backchannel_logout.rs b/src/backchannel_logout.rs new file mode 100644 index 00000000..4839bcd0 --- /dev/null +++ b/src/backchannel_logout.rs @@ -0,0 +1,536 @@ +//! This module implements components needed for [back-channel logout] +//! +//! [back-channel logout]: + +use std::collections::HashMap; + +use chrono::{DateTime, Utc}; +use serde::{de::Error, ser::SerializeMap, Deserialize, Serialize}; + +use crate::{ + helpers::{FilteredFlatten, FlattenFilter}, + jwt::{JsonWebToken, JsonWebTokenJsonPayloadSerde}, + types::helpers::{deserialize_string_or_vec, serde_utc_seconds}, + types::SessionIdentifier, + AdditionalClaims, Audience, IssuerUrl, JsonWebKeyId, JsonWebKeyType, + JweContentEncryptionAlgorithm, JwsSigningAlgorithm, SubjectIdentifier, +}; + +/// Back-Channel Logout Token +/// +/// Parses a JWT as a Logout Token as definied in [section 2.4] +/// +/// [section 2.4]: +#[derive(Debug, Clone, PartialEq)] +pub struct LogoutToken( + JsonWebToken, JsonWebTokenJsonPayloadSerde>, +) +where + AC: AdditionalClaims, + JE: JweContentEncryptionAlgorithm, + JS: JwsSigningAlgorithm, + JT: JsonWebKeyType; + +impl LogoutToken +where + AC: AdditionalClaims, + JE: JweContentEncryptionAlgorithm, + JS: JwsSigningAlgorithm, + JT: JsonWebKeyType, +{ + // TODO: implement signature verification & friends +} + +/// The Logout Token Claims as defined in [section 2.4] of the [OpenID Connect Back-Channel Logout spec][1] +/// +/// [1]: +#[derive(Debug, Clone, PartialEq, Serialize)] +pub struct LogoutTokenClaims { + /// The issuer of this token + iss: IssuerUrl, + /// The audience this token is intended for + aud: Vec, + /// Time at which this token was issued + #[serde(with = "serde_utc_seconds")] + iat: DateTime, + /// The unique identifier for this token. This can be used to detect + /// replay attacks. + jti: JsonWebKeyId, + #[serde(flatten)] + identifier: LogoutIdentifier, + events: HashMap, + additional_claims: FilteredFlatten, +} + +impl LogoutTokenClaims +where + AC: AdditionalClaims, +{ + /// The `iss` claim + pub fn issuer(&self) -> &IssuerUrl { + &self.iss + } + + /// The `aud` claim + pub fn audiences(&self) -> impl Iterator { + self.aud.iter() + } + + /// The `iat` claim + pub fn issue_time(&self) -> DateTime { + self.iat + } + + /// The `jti` claim. It's the unique identifier for this token and can be + /// used to detect replay attacks. + pub fn jti(&self) -> &JsonWebKeyId { + &self.jti + } + + /// As per spec, a [`LogoutToken`] MUST either have the `sub` or `sid` + /// claim and MAY contain both. You can match the [`Identifier`] to detect + /// which claims are present. + pub fn identifier(&self) -> &LogoutIdentifier { + &self.identifier + } + + /// A [`LogoutToken`] is compatible with the [SET standard from RFC 8417][1] + /// + /// [1]: + pub fn events(&self) -> &HashMap { + &self.events + } +} +impl<'de, AC> Deserialize<'de> for LogoutTokenClaims +where + AC: AdditionalClaims, +{ + fn deserialize(deserializer: D) -> Result + where + D: serde::Deserializer<'de>, + { + let value: serde_json::Value = serde_json::Value::deserialize(deserializer)?; + if let serde_json::Value::Object(ref map) = value { + if map.contains_key("nonce") { + return Err(::custom("nonce claim is prohibited")); + } + } + + #[derive(Deserialize)] + struct Repr { + /// The issuer of this token + iss: IssuerUrl, + /// The audience this token is intended for + #[serde(deserialize_with = "deserialize_string_or_vec")] + aud: Vec, + /// Time at which this token was issued + #[serde(with = "serde_utc_seconds")] + iat: DateTime, + /// The unique identifier for this token. This can be used to detect + /// replay attacks. + jti: JsonWebKeyId, + #[serde(flatten)] + identifier: LogoutIdentifier, + events: HashMap, + #[serde(bound = "AC: AdditionalClaims")] + #[serde(flatten)] + additional_claims: FilteredFlatten, + } + + let token: Repr = serde_json::from_value(value).map_err(::custom)?; + + token + .events + // according to the spec, this event must be included in the mapping + .get("http://schemas.openid.net/event/backchannel-logout") + .ok_or_else(|| { + ::custom("token is missing correct JSON Object in events claim") + })? + // and it must be a JSON object and MAY BE empty but is allowed to + // contain fields + .as_object() + .ok_or_else(|| ::custom("not a JSON Object"))?; + Ok(LogoutTokenClaims { + iss: token.iss, + aud: token.aud, + iat: token.iat, + jti: token.jti, + identifier: token.identifier, + events: token.events, + additional_claims: token.additional_claims, + }) + } +} + +/// A [`LogoutToken`] MUST contain either a `sub` or a `sid` claim and MAY +/// contain both. This enum represents these three possibilities. +#[derive(Debug, Hash, Clone, PartialEq, Eq)] +pub enum LogoutIdentifier { + /// Both, the `sid` and `sub` claims are present + Both { + /// The `sub` claim as in [`Identifier::Subject`] + subject: SubjectIdentifier, + /// The `sid` claim as in [`Identifier::Subject`] + session: SessionIdentifier, + }, + /// Only the `sid` claim is present + Session(SessionIdentifier), + /// Only the `sub` claim is present + Subject(SubjectIdentifier), +} + +impl LogoutIdentifier { + /// Directly return the [`SubjectIdentifier`] if the variant is either + /// [`Identifier::Subject`] or [`Identifier::Both`] + pub fn subject(&self) -> Option<&SubjectIdentifier> { + match self { + Self::Subject(s) => Some(s), + Self::Both { + subject, + session: _, + } => Some(subject), + Self::Session(_) => None, + } + } + + /// Directly return the [`SessionIdentifier`] if the variant is either + /// [`Identifier::Session`] or [`Identifier::Both`] + pub fn session(&self) -> Option<&SessionIdentifier> { + match self { + Self::Subject(_) => None, + Self::Both { + subject: _, + session, + } => Some(session), + Self::Session(s) => Some(s), + } + } +} + +impl FlattenFilter for LogoutIdentifier { + fn should_include(field_name: &str) -> bool { + !matches!(field_name, "sub" | "sid") + } +} +// serde does not have #[serde(flatten)] on enums with struct variants, so +impl<'de> Deserialize<'de> for LogoutIdentifier { + fn deserialize(deserializer: D) -> Result + where + D: serde::Deserializer<'de>, + { + // Both claims are set + #[derive(Deserialize)] + struct Both { + sub: SubjectIdentifier, + sid: SessionIdentifier, + } + + // Only one claim is set + #[derive(Deserialize)] + enum SidOrSub { + #[serde(rename = "sid")] + Session(SessionIdentifier), + #[serde(rename = "sub")] + Subject(SubjectIdentifier), + } + + #[derive(Deserialize)] + #[serde(untagged)] + enum Either { + Both(Both), + Single(SidOrSub), + } + + Ok(match Either::deserialize(deserializer)? { + Either::Both(both) => LogoutIdentifier::Both { + subject: both.sub, + session: both.sid, + }, + Either::Single(s) => match s { + SidOrSub::Subject(s) => LogoutIdentifier::Subject(s), + SidOrSub::Session(s) => LogoutIdentifier::Session(s), + }, + }) + } +} + +impl Serialize for LogoutIdentifier { + fn serialize(&self, serializer: S) -> Result + where + S: serde::Serializer, + { + let len = self.session().is_some() as usize + self.subject().is_some() as usize; + + let mut map = serializer.serialize_map(Some(len))?; + + if let Some(s) = self.session() { + map.serialize_entry("sid", s)?; + } + + if let Some(s) = self.subject() { + map.serialize_entry("sub", s)?; + } + + map.end() + } +} +#[cfg(test)] +mod tests { + use crate::EmptyAdditionalClaims; + + use super::{LogoutIdentifier, LogoutTokenClaims}; + + #[test] + fn deserialize_only_sid() { + let t: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + } + } + "#, + ) + .unwrap(); + assert!(matches!(t.identifier(), LogoutIdentifier::Session(_))); + } + + #[test] + fn deserialize_only_sub() { + let t: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + } + } + "#, + ) + .unwrap(); + assert!(matches!(t.identifier(), LogoutIdentifier::Subject(_))); + } + + #[test] + #[should_panic] + fn deserialize_missing_identifier() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + } + } + "#, + ) + .unwrap(); + } + + #[test] + fn deserialize_valid() { + let t: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + } + } + "#, + ) + .unwrap(); + assert!(matches!( + t.identifier(), + LogoutIdentifier::Both { + subject: _, + session: _ + } + )) + } + + #[test] + #[should_panic] + fn deserialize_events_empty() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + } + } + "#, + ) + .unwrap(); + } + + #[test] + #[should_panic] + fn deserialize_events_empty_array() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": [] + } + "#, + ) + .unwrap(); + } + + #[test] + #[should_panic] + fn deserialize_events_missing() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02" + } + "#, + ) + .unwrap(); + } + + #[test] + #[should_panic] + fn deserialize_events_array() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": [ + {"http://schemas.openid.net/event/backchannel-logout": {}} + ], + "nonce": "snsuigdbnfcjkn" + } + "#, + ) + .unwrap(); + } + #[test] + #[should_panic] + fn deserialize_nonce() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {} + }, + "nonce": "snsuigdbnfcjkn" + } + "#, + ) + .unwrap(); + } + + #[test] + fn deserialize_extra_field() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": { + "foo": "bar" + } + } + } + "#, + ) + .unwrap(); + } + + #[test] + fn deserialize_multiple_events() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": {}, + "http://schemas.example.org/event/foo": {} + } + } + "#, + ) + .unwrap(); + } + + #[test] + fn deserialize_multiple_events_extra_fields() { + let _: LogoutTokenClaims = serde_json::from_str( + r#" + { + "iss": "https://server.example.com", + "sub": "248289761001", + "aud": "s6BhdRkqt3", + "iat": 1471566154, + "jti": "bWJq", + "sid": "08a5019c-17e1-4977-8f42-65a12843ea02", + "events": { + "http://schemas.openid.net/event/backchannel-logout": { + "foo": "bar" + }, + "http://schemas.example.org/events/something": { + "faz": true + } + } + } + "#, + ) + .unwrap(); + } +} diff --git a/src/discovery.rs b/src/discovery.rs index b7a58951..3a395554 100644 --- a/src/discovery.rs +++ b/src/discovery.rs @@ -173,6 +173,13 @@ where #[serde(skip_serializing_if = "Option::is_none")] op_tos_uri: Option, + // backchannel logout support + // see + #[serde(skip_serializing_if = "Option::is_none")] + backchannel_logout_supported: Option, + #[serde(skip_serializing_if = "Option::is_none")] + backchannel_logout_session_supported: Option, + #[serde(bound(deserialize = "A: AdditionalProviderMetadata"), flatten)] additional_metadata: A, @@ -247,6 +254,8 @@ where require_request_uri_registration: None, op_policy_uri: None, op_tos_uri: None, + backchannel_logout_supported: None, + backchannel_logout_session_supported: None, additional_metadata, _phantom_jt: PhantomData, } @@ -302,6 +311,8 @@ where set_require_request_uri_registration -> require_request_uri_registration[Option], set_op_policy_uri -> op_policy_uri[Option], set_op_tos_uri -> op_tos_uri[Option], + set_backchannel_logout_supported -> backchannel_logout_supported[Option], + set_backchannel_logout_session_supported -> backchannel_logout_session_supported[Option], } ]; diff --git a/src/lib.rs b/src/lib.rs index 45bbf2c8..2fdd4739 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -655,6 +655,9 @@ mod macros; /// Baseline OpenID Connect implementation and types. pub mod core; +#[cfg(feature = "backchannel-logout")] +pub mod backchannel_logout; + /// OpenID Connect Dynamic Client Registration. pub mod registration; diff --git a/src/types.rs b/src/types.rs index c04b2cd6..0cd84145 100644 --- a/src/types.rs +++ b/src/types.rs @@ -1055,6 +1055,16 @@ new_type![ SubjectIdentifier(String) ]; +new_type![ + /// + /// String identifier for a Session. This represents a Session of a User + /// Agent or device for a logged-in End-User at an RP. Different sid values + /// are used to identify distinct sessions at an OP. The sid value need + /// only be unique in the context of a particular issuer. + #[derive(Deserialize, Eq, Hash, Ord, PartialOrd, Serialize)] + SessionIdentifier(String) +]; + new_url_type![ /// /// URL for the relying party's Terms of Service.