FSN#37583 Authenticatie via JWT

svn path=/Website/trunk/; revision=30622
Jos Groot Lipman
2016-09-07 15:23:50 +00:00
parent 6275a41384
commit 72696ccaea
2 changed files with 23 additions and 22 deletions


@@ -918,23 +918,13 @@ function jwt_decode(token)
return { err: "Invalid JSON: " + e.description };
}
var now = new Date().getTime() / 1000;
// Support for nbf and exp claims.
// According to the RFC, they should be in seconds.
if (result.payload.nbf && now < result.payload.nbf) {
return { err: 'Token not yet active' };
}
if (result.payload.exp && now > result.payload.exp) {
return { err: 'Token expired' };
}
return result;
};
function jwt_verify(decoded_jwt, secret, skew)
function jwt_verify(decoded_jwt, secret, skew, duration)
{
skew = skew || 0;
duration = duration || 0;
if (decoded_jwt.header.alg != "HS256")
return { err: "Only HS256 is supported" };
@@ -945,14 +935,25 @@ function jwt_verify(decoded_jwt, secret, skew)
var now = new Date().getTime() / 1000;
if (claim.payload.iat)
{
var from = now - skew;
var to = now + skew;
if (claim.payload.iat < from) {
__DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
// Support for nbf and exp claims.
// According to the RFC, they should be in seconds.
if (claim.payload.nbf && now + skew < claim.payload.nbf ) {
return { err: 'Token not yet active' };
}
if (claim.payload.exp && now > claim.payload.exp + skew) {
return { err: 'Token expired' };
}
if (claim.payload.iat > to) {
__DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true), toDateTimeString(new Date(claim.payload.iat * 1000), true)));
// Onze eigen duration/expiration controleren we ook nog
if (claim.payload.iat + duration < now - skew) {
__DoLog("Token expired. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
toDateTimeString(new Date(claim.payload.iat * 1000), true)));
return { err: 'Token expired' };
}
if (claim.payload.iat > now + skew) {
__DoLog("Token not yet active. Now is {0}, got {1}".format(toDateTimeString(new Date(now * 1000), true),
toDateTimeString(new Date(claim.payload.iat * 1000), true)));
return { err: 'Token not yet active' };
}
}
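Review bot: The nbf and exp checks added right after `if (claim.payload.iat)` / `{` appear, as far as the rendered hunk shows, to sit inside that guard, so a token that carries no iat claim (or an iat of 0, which is falsy) is never tested against exp or nbf at all, whereas before this commit jwt_decode applied both checks unconditionally. They should run before the iat guard: place the two `if (claim.payload.nbf && now + skew < claim.payload.nbf)` and `if (claim.payload.exp && now > claim.payload.exp + skew)` blocks directly after `var now = new Date().getTime() / 1000;` and keep only the duration and not-yet-active tests inside `if (claim.payload.iat)`. Separately, `duration = duration || 0;` in the first hunk means a missing or NULL fac_idp_duration keeps the previous behaviour of rejecting any token older than skew seconds, which is not obvious from the name; a comment such as `// duration 0 (unset): token is only accepted within the clock-skew window after iat` would make that explicit. The closing brace of jwt_verify lies outside the hunk.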


@@ -128,7 +128,7 @@ if (user_key < 0 && jwt)
if (oRs.Eof)
shared.internal_error("Unknown JWT issuer: " + claim.payload.iss);
var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value);
var verify = jwt_verify(claim, oRs("fac_idp_secret").Value, oRs("fac_idp_clockskew").Value, oRs("fac_idp_duration").Value);
if (verify.err)
shared.internal_error("Invalid JWT: " + verify.err);
@@ -239,7 +239,7 @@ if (user_key < 0 && getQParam("sso", ""))
}
if (!ip_ok)
shared.internal_error("IP {0} not allowed".format(ip)); // TODO of 400 code forbidden?
shared.internal_error("IP {0} not allowed for this IDP".format(ip)); // TODO of 400 code forbidden?
if (oRs("fac_idp_type").Value == 3) // die doet het verder zelf
{
@@ -259,8 +259,8 @@ if (user_key < 0 && getQParam("sso", ""))
var oCrypto = new ActiveXObject("SLNKDWF.Crypto"); // requires version 4.14
var sig = oCrypto.hex_hmac_sha256(oRs("fac_idp_secret").Value, return_to);
url += "&redirect_uri={0}&return_to={1}".format(safe.url(redirect_uri), safe.url(return_to));
Response.Redirect(url); // die stuurt ons wel terug
oRs.Close();
Response.Redirect(url); // die stuurt ons wel terug
Response.End;
}