MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

JWKS should be parsed before usage (#14842)

Browse Source 
fixes #14811
This commit is contained in:
Harshavardhana
2022-04-30 15:23:53 -07:00
committed by GitHub
parent 85f3a9f3b0
commit c3f689a7d9
3 changed files with 17 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
internal/config/identity/openid/jwt.go
View File

@@ -26,7 +26,6 @@ import (
"errors"
"fmt"
"io"
"net"
"net/http"
"strconv"
"strings"
@@ -775,12 +774,11 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
}
seenClientIDs.Add(p.ClientID)
var configURLDomain string
p.URL, err = xnet.ParseHTTPURL(configURL)
if err != nil {
return c, err
}
configURLDomain, _, _ = net.SplitHostPort(p.URL.Host)
configURLDomain := p.URL.Hostname()
p.DiscoveryDoc, err = parseDiscoveryDoc(p.URL, transport, closeRespFn)
if err != nil {
return c, err
@@ -809,7 +807,17 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
// `iampolicy.PolicyName` as the claim name explicitly and sets
// a role policy, this check is thwarted, but we will be using
// the role policy anyway.
return c, config.Errorf("Role Policy (=`%s`) and Claim Name (=`%s`) cannot both be set.", p.RolePolicy, p.ClaimName)
return c, config.Errorf("Role Policy (=`%s`) and Claim Name (=`%s`) cannot both be set", p.RolePolicy, p.ClaimName)
}
jwksURL := p.DiscoveryDoc.JwksURI
if jwksURL == "" {
return c, config.Errorf("no JWKS URI found in your provider's discovery doc (config_url=%s)", configURL)
}
p.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)
if err != nil {
return c, err
}
if p.RolePolicy != "" {
@@ -821,9 +829,9 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
domain := configURLDomain
if domain == "" {
// Attempt to parse the JWKs URI.
domain, _, _ = net.SplitHostPort(p.JWKS.URL.Host)
domain = p.JWKS.URL.Hostname()
if domain == "" {
return c, config.Errorf("unable to generate a domain from the OpenID config.")
return c, config.Errorf("unable to generate a domain from the OpenID config")
}
}
if p.ClientID == "" {
@@ -850,16 +858,6 @@ func LookupConfig(kvsMap map[string]config.KVS, transport http.RoundTripper, clo
return c, config.Errorf("A role policy or claim name must be specified")
}
jwksURL := p.DiscoveryDoc.JwksURI
if jwksURL == "" {
return c, config.Errorf("no JWKS URI found in your provider's discovery doc (config_url=%s)", configURL)
}
p.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)
if err != nil {
return c, err
}
if err = p.initializeProvider(getCfgVal, c.transport); err != nil {
return c, err
}