static char * test_proto_validate_nonce(request_rec *r) {
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
const char *nonce = "avSk7S69G4kEE8Km4bPiOjrfChHt6nO4Z397Lp_bQnc,";
/*
* {
* "typ": "JWT",
* "alg": "RS256",
* "x5t": "Z1NCjojeiHAib-Gm8vFE6ya6lPM"
* }
* {
* "nonce": "avSk7S69G4kEE8Km4bPiOjrfChHt6nO4Z397Lp_bQnc,",
* "iat": 1411580876,
* "at_hash": "yTqsoONZbuWbN6TbgevuDQ",
* "sub": "6343a29c-5399-44a7-9b35-4990f4377c96",
* "amr": "password",
* "auth_time": 1411577267,
* "idp": "idsrv",
* "name": "ksonaty",
* "iss": "https://agsync.com",
* "aud": "agsync_implicit",
* "exp": 1411584475,
* "nbf": 1411580875
* }
*/
char *s_jwt =
apr_pstrdup(r->pool,
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IloxTkNqb2plaUhBaWItR204dkZFNnlhNmxQTSJ9.eyJub25jZSI6ImF2U2s3UzY5RzRrRUU4S200YlBpT2pyZkNoSHQ2bk80WjM5N0xwX2JRbmMsIiwiaWF0IjoxNDExNTgwODc2LCJhdF9oYXNoIjoieVRxc29PTlpidVdiTjZUYmdldnVEUSIsInN1YiI6IjYzNDNhMjljLTUzOTktNDRhNy05YjM1LTQ5OTBmNDM3N2M5NiIsImFtciI6InBhc3N3b3JkIiwiYXV0aF90aW1lIjoxNDExNTc3MjY3LCJpZHAiOiJpZHNydiIsIm5hbWUiOiJrc29uYXR5IiwiaXNzIjoiaHR0cHM6Ly9hZ3N5bmMuY29tIiwiYXVkIjoiYWdzeW5jX2ltcGxpY2l0IiwiZXhwIjoxNDExNTg0NDc1LCJuYmYiOjE0MTE1ODA4NzV9.lEG-DgHHa0JuOEuOTBvCqyexjRVcKXBnJJm289o2HyTgclpH80DsOMED9RlXCFfuDY7nw9i2cxUmIMAV42AdTxkMPomK3chytcajvpAZJirlk653bo9GTDXJSKZr5fwyEu--qahsoT5t9qvoWyFdYkvmMHFw1-mAHDGgVe23voc9jPuFFIhRRqIn4e8ikzN4VQeEV1UXJD02kYYFn2TRWURgiFyVeTr2r0MTn-auCEsFS_AfR1Bl_kmpMfqwrsicf5MTBvfPJeuSMt3t3d3LOGBkg36_z21X-ZRN7wy1KTjagr7iQ_y5csIpmtqs_QM55TTB9dW1HIosJPhiuMEJEA");
apr_jwt_t *jwt = NULL;
apr_jwt_error_t err;
TST_ASSERT_ERR("apr_jwt_parse",
apr_jwt_parse(r->pool, s_jwt, &jwt, NULL, &err), r->pool, err);
TST_ASSERT("oidc_proto_validate_nonce (1)",
oidc_proto_validate_nonce(r, c, &c->provider, nonce, jwt));
TST_ASSERT("oidc_proto_validate_nonce (2)",
oidc_proto_validate_nonce( r, c, &c->provider, nonce, jwt) == FALSE);
apr_jwt_destroy(jwt);
return 0;
}
/*
* check whether the provided JWT is a valid id_token for the specified "provider"
*/
static apr_byte_t oidc_proto_validate_idtoken(request_rec *r,
oidc_provider_t *provider, apr_jwt_t *jwt, const char *nonce) {
oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
"oidc_proto_validate_idtoken: entering jwt.header=\"%s\", jwt.payload=\%s\", nonce=%s",
jwt->header.value.str, jwt->payload.value.str, nonce);
/* if a nonce is not passed, we're doing a ("code") flow where the nonce is optional */
if (nonce != NULL) {
/* if present, verify the nonce */
if (oidc_proto_validate_nonce(r, cfg, provider, nonce, jwt) == FALSE)
return FALSE;
}
/* issuer is mandatory in id_token */
if (jwt->payload.iss == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_idtoken: response JSON object did not contain an \"iss\" string");
return FALSE;
}
/* check if the issuer matches the requested value */
if (oidc_util_issuer_match(provider->issuer, jwt->payload.iss) == FALSE) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_idtoken: configured issuer (%s) does not match received \"iss\" value in id_token (%s)",
provider->issuer, jwt->payload.iss);
return FALSE;
}
/* check exp */
if (oidc_proto_validate_exp(r, jwt) == FALSE)
return FALSE;
/* check iat */
if (oidc_proto_validate_iat(r, provider, jwt) == FALSE)
return FALSE;
/* check if the required-by-spec "sub" claim is present */
if (jwt->payload.sub == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_idtoken: id_token JSON payload did not contain the required-by-spec \"sub\" string value");
return FALSE;
}
/* verify the "aud" and "azp" values */
if (oidc_proto_validate_aud_and_azp(r, cfg, provider,
&jwt->payload) == FALSE)
return FALSE;
return TRUE;
}
