Verify access key as part of PAA verification

2025-08-16 13:43:46 +02:00 · 2020-08-20 14:46:01 +02:00 · 2020-08-20 14:46:01 +02:00 · db00ce7be0
commit db00ce7be0
parent 93c558786f
2 changed files with 15 additions and 2 deletions
--- a/main.go
+++ b/main.go
@ -41,8 +41,7 @@ func main() {
 	security.UserSigningKey = []byte(conf.Security.UserTokenSigningKey)

 	// set oidc config
-	ctx := context.Background()
-	provider, err := oidc.NewProvider(ctx, conf.OpenId.ProviderUrl)
+	provider, err := oidc.NewProvider(context.Background(), conf.OpenId.ProviderUrl)
 	if err != nil {
 		log.Fatalf("Cannot get oidc provider: %s", err)
 	}
@ -58,6 +57,8 @@ func main() {
 		Endpoint: provider.Endpoint(),
 		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 	}
+	security.OIDCProvider = provider
+	security.Oauth2Config = oauthConfig

 	api := &api.Config{
 		GatewayAddress:       conf.Server.GatewayAddress,
--- a/security/jwt.go
+++ b/security/jwt.go
@ -6,8 +6,10 @@ import (
 	"fmt"
 	"github.com/bolkedebruin/rdpgw/common"
 	"github.com/bolkedebruin/rdpgw/protocol"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/square/go-jose/v3"
 	"github.com/square/go-jose/v3/jwt"
+	"golang.org/x/oauth2"
 	"log"
 	"time"
 )
@ -17,6 +19,8 @@ var (
 	EncryptionKey     []byte
 	UserSigningKey    []byte
 	UserEncryptionKey []byte
+	OIDCProvider	  *oidc.Provider
+	Oauth2Config	  oauth2.Config
 )

 var ExpiryTime time.Duration = 5
@ -58,6 +62,14 @@ func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
 		return false, err
 	}

+	// validate the access token
+	tokenSource := Oauth2Config.TokenSource(ctx, &oauth2.Token{AccessToken: custom.AccessToken})
+	_, err = OIDCProvider.UserInfo(ctx, tokenSource)
+	if err != nil {
+		log.Printf("Cannot get user info for access token: %s", err)
+		return false, err
+	}
+
 	s := getSessionInfo(ctx)

 	s.RemoteServer = custom.RemoteServer