[WIP] Signed JWT support #14
Conversation
jwt.go
Outdated
| claims := ServiceProviderJwt{ | ||
| ServerJwt: ServerJwt{ | ||
| ServerName: serverName, | ||
| Type: humanName, |
There was a problem hiding this comment.
Typeshould (in the case of disclosures) be the fixed stringverification_request, seeNewServiceProviderJwt()- You can actually reuse
NewServiceProviderJwt()to build the JWT before signing it - We should have similar functions for signing and issuance (reusing
NewSignatureRequestorJwt()andNewIdentityProviderJwt()
As to the serverName and humanName, that has now become a little messy:
- The variable
humanNameshould be assigned to the fieldServerName, whose name is inappropriate (I thinkJwtIssuerwould be better - The variable
serverNameshould go into the JWTkidheader.
There was a problem hiding this comment.
Ah, somehow I managed to miss NewServiceProviderJwt(). I've now reused this function.
We should have similar functions for signing and issuance [...]
Yes, I'll add them later. I would prefer getting this one right first.
The variable serverName should go into the JWT kid header.
Does this work? At least the Java implementation appears to use iss, not kid (verified by decoding the JWT for BIG name/birthdate disclosure).
There was a problem hiding this comment.
Originally we indeed used only iss; this was (1) shown to the user in the IRMA app and (2) the API server used this to lookup the verifier's public key with which to verify its JWTs. At some point we split these into two, so now:
- The API server uses the
kidakaserverNamefield in the header for the public key lookup issakahumanNameis what is shown to the user in the IRMA app.
For example, here is the header from a decoded IRMATube JWT obtained by clicking on a movie:
{
"typ": "JWT",
"alg": "RS256",
"kid": "irmatube"
}Body:
{
"iat": 1529269092,
"iss": "IRMATube",
"sub": "verification_request",
"sprequest": { "truncated" }
}These are made by this PHP library.
|
I've updated the PR with some bigger changes, to hopefully improve the structure of the code. An example JWT I've produced is: TODO:
|
|
Could you please not force push branches, especially when they are tied to pull requests. It makes it very hard to figure out what the feedback is about. Just add new commits on top of each other. To solve merge conflicts you can merge master back in (instead of rebasing). |
|
Ok, will avoid that now. Some projects actually want you to force-push so that's why I did it. EDIT: the commit is here: 0ec9427 |
|
Any update on this? I need this for the new DUO issuer. |
requests.go
Outdated
| @@ -427,3 +443,24 @@ func (jwt *SignatureRequestorJwt) IrmaSession() IrmaSession { return jwt.Request | |||
|
|
|||
| // IrmaSession returns an IRMA session object. | |||
| func (jwt *IdentityProviderJwt) IrmaSession() IrmaSession { return jwt.Request.Request } | |||
|
|
|||
| // Sign returns the signed and serialized JWT. | |||
| func (claims *ServiceProviderJwt) Sign(serverName string, sk *rsa.PrivateKey) (string, error) { | |||
There was a problem hiding this comment.
The receiver of *ServiceProviderJwt struct methods is earlier called jwt, and it is not idiomatic in Go to use different receiver names for the same struct. We should probably switch to claims on every method of ServiceProviderJwt and its parent and siblings (to avoid the name clash with the jwt package).
There was a problem hiding this comment.
I've also updated the other two receivers.
aykevl
force-pushed
the
aykevl-jwt
branch
3 times, most recently
from
561c2d5 to
188c7da
Compare
|
I added the dependency, but avoided the |
|
Added a method to verify and parse a disjunction JWT. |
|
Closed in favor of #21. |
Work-in-progress PR for verified JWT support in irmago.
Example JWT that I get out of it: