From cd23241de246761321d128fbabc66f54681ef825 Mon Sep 17 00:00:00 2001
From: Shivam-nagar23
Date: Fri, 23 May 2025 11:09:34 +0530
Subject: [PATCH 1/3] licensemanager issuer
---
 authenticator/middleware/sessionmanager.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/authenticator/middleware/sessionmanager.go b/authenticator/middleware/sessionmanager.go
index 3e0fdb653..58cea2054 100644
--- a/authenticator/middleware/sessionmanager.go
+++ b/authenticator/middleware/sessionmanager.go
@@ -47,6 +47,8 @@ const (
 // ApiTokenClaimIssuer is the issuer who generated api-token for APIs
 ApiTokenClaimIssuer = "apiTokenIssuer"
+ LicenseManagerClaimIssuer = "licenseManagerIssuer"
+
 // invalidLoginError, for security purposes, doesn't say whether the username or password was invalid. This does not mitigate the potential for timing attacks to determine which is which.
 invalidLoginError = "Invalid username or password"
 blankPasswordError = "Blank passwords are not allowed"
@@ -221,6 +223,8 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 return mgr.Parse(tokenString)
 case ApiTokenClaimIssuer:
 return mgr.ParseApiToken(tokenString)
+ case LicenseManagerClaimIssuer:
+ return mgr.ParseApiToken(tokenString)
 default:
 // IDP signed token
 prov, err := mgr.provider()
From f806431c8fd9313567b08fb74cf353889daa9f78 Mon Sep 17 00:00:00 2001
From: Shivam-nagar23
Date: Fri, 23 May 2025 11:19:13 +0530
Subject: [PATCH 2/3] Refactor ParseApiToken to validate issuer.
Updated the ParseApiToken method to include an expectedIssuer parameter and validate the token's issuer against it. Adjusted corresponding method calls to supply the correct issuer value for improved security and consistency.
---
 authenticator/middleware/sessionmanager.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/authenticator/middleware/sessionmanager.go b/authenticator/middleware/sessionmanager.go
index 58cea2054..2dc2196e6 100644
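Review bot: `LicenseManagerClaimIssuer` is introduced without the doc comment its sibling `ApiTokenClaimIssuer` carries on the context line above it, so a reader cannot tell which component mints these tokens or why they share the api-token parsing path. Add a line above the new constant such as `// LicenseManagerClaimIssuer is the issuer of tokens minted by the license manager; they are verified on the api-token path`. The enclosing const block starts and ends outside the hunk.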
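Review bot: The new `case LicenseManagerClaimIssuer:` returns `mgr.ParseApiToken(tokenString)` exactly as the api-token arm does, so a token whose `iss` is "licenseManagerIssuer" is verified with the same key lookup and yields the same claims as an api token, and nothing in ParseApiToken can tell the two apart. If the license manager is meant to be just another api-token source, fold the arms into `case ApiTokenClaimIssuer, LicenseManagerClaimIssuer:` so that intent is explicit; if it signs with its own key or should carry narrower authorization, the issuer has to reach ParseApiToken or its key callback instead of being dropped here. The value the switch dispatches on is chosen before this hunk and presumably comes from the token's own claims prior to signature verification — confirm; VerifyToken's switch head and the remainder of the function lie outside the hunk.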
--- a/authenticator/middleware/sessionmanager.go
+++ b/authenticator/middleware/sessionmanager.go
@@ -190,7 +190,7 @@ func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, error) {
 }
 // ParseApiToken tries to parse the provided string and returns the token claims for api-token user.
-func (mgr *SessionManager) ParseApiToken(tokenString string) (jwt.Claims, error) {
+func (mgr *SessionManager) ParseApiToken(tokenString string, expectedIssuer string) (jwt.Claims, error) {
 var claims jwt.MapClaims
 token, err := jwt.ParseWithClaims(tokenString, &claims, func(token *jwt.Token) (interface{}, error) {
@@ -203,6 +203,10 @@ func (mgr *SessionManager) ParseApiToken(tokenString string) (jwt.Claims, error)
 if !token.Valid {
 return nil, errors.New("token is invalid")
 }
+ // Validate that the issuer matches the expected one
+ if claims["iss"] != expectedIssuer {
+ return nil, fmt.Errorf("invalid issuer: expected %s, got %s", expectedIssuer, claims["iss"])
+ }
 return token.Claims, nil
 }
@@ -222,9 +226,9 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 // Argo CD signed token
 return mgr.Parse(tokenString)
 case ApiTokenClaimIssuer:
- return mgr.ParseApiToken(tokenString)
+ return mgr.ParseApiToken(tokenString, ApiTokenClaimIssuer)
 case LicenseManagerClaimIssuer:
- return mgr.ParseApiToken(tokenString)
+ return mgr.ParseApiToken(tokenString, LicenseManagerClaimIssuer)
 default:
 // IDP signed token
 prov, err := mgr.provider()
From 294d4faad6e9266f318114c6a4da4444c9d09c48 Mon Sep 17 00:00:00 2001
From: Shivam-nagar23
Date: Fri, 23 May 2025 13:48:05 +0530
Subject: [PATCH 3/3] removed expected issuer
---
 authenticator/middleware/sessionmanager.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/authenticator/middleware/sessionmanager.go b/authenticator/middleware/sessionmanager.go
index 2dc2196e6..58cea2054 100644
--- a/authenticator/middleware/sessionmanager.go
+++ b/authenticator/middleware/sessionmanager.go
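Review bot: The exported `ParseApiToken` gains an `expectedIssuer` parameter but the doc comment on the context line directly above still describes the old single-argument contract; update it to `// ParseApiToken verifies tokenString's signature and returns its claims only when the "iss" claim equals expectedIssuer.` The diffstat lists only this file, so any other caller of ParseApiToken elsewhere in the repository would stop compiling — worth a search before merge, and possibly the reason the next patch in the series reverts the signature. The rest of the function body is outside the hunk.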
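Review bot: `claims["iss"] != expectedIssuer` compares an `interface{}` map value with a string, which works for a string-valued claim, but a missing or non-string `iss` renders as `%!s(<nil>)` in the returned error, and the message reflects the token-supplied value back verbatim. Type-assert first and quote the value: `iss, _ := claims["iss"].(string)`, `if iss != expectedIssuer {`, `return nil, fmt.Errorf("invalid issuer: expected %q, got %q", expectedIssuer, iss)`. The hunk only builds if `fmt` is already imported in this file; the import block is not part of the patch. On the VerifyToken path the switch in the last hunk has presumably already matched this same issuer value, so this check mainly protects direct callers of ParseApiToken — confirm where that switch reads the issuer from.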
@@ -190,7 +190,7 @@ func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, error) {
 }
 // ParseApiToken tries to parse the provided string and returns the token claims for api-token user.
-func (mgr *SessionManager) ParseApiToken(tokenString string, expectedIssuer string) (jwt.Claims, error) {
+func (mgr *SessionManager) ParseApiToken(tokenString string) (jwt.Claims, error) {
 var claims jwt.MapClaims
 token, err := jwt.ParseWithClaims(tokenString, &claims, func(token *jwt.Token) (interface{}, error) {
@@ -203,10 +203,6 @@ func (mgr *SessionManager) ParseApiToken(tokenString string, expectedIssuer stri
 if !token.Valid {
 return nil, errors.New("token is invalid")
 }
- // Validate that the issuer matches the expected one
- if claims["iss"] != expectedIssuer {
- return nil, fmt.Errorf("invalid issuer: expected %s, got %s", expectedIssuer, claims["iss"])
- }
 return token.Claims, nil
 }
@@ -226,9 +222,9 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 // Argo CD signed token
 return mgr.Parse(tokenString)
 case ApiTokenClaimIssuer:
- return mgr.ParseApiToken(tokenString, ApiTokenClaimIssuer)
+ return mgr.ParseApiToken(tokenString)
 case LicenseManagerClaimIssuer:
- return mgr.ParseApiToken(tokenString, LicenseManagerClaimIssuer)
+ return mgr.ParseApiToken(tokenString)
 default:
 // IDP signed token
 prov, err := mgr.provider()
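Review bot: Removing the issuer check in the second hunk means ParseApiToken once again returns claims for any token that validates against its key callback regardless of `iss`, and the two VerifyToken arms in the third hunk collapse back to identical calls, so "licenseManagerIssuer" and "apiTokenIssuer" tokens become interchangeable at this layer. If the revert was driven by the exported signature change breaking other callers, the issuer binding can be kept without touching the public API by moving the body into an unexported helper that takes the expected issuer, having `ParseApiToken` delegate with `ApiTokenClaimIssuer`, and having the license-manager arm call `return mgr.parseApiTokenForIssuer(tokenString, LicenseManagerClaimIssuer)`; the failure message should then not echo the token's claim value. Whether both issuers are really meant to share one signing key is not visible here, since the key callback and VerifyToken's switch head lie outside the hunks — confirm with the license-manager owners.
```go
// ParseApiToken tries to parse the provided string and returns the token claims for api-token user.
func (mgr *SessionManager) ParseApiToken(tokenString string) (jwt.Claims, error) {
	return mgr.parseApiTokenForIssuer(tokenString, ApiTokenClaimIssuer)
}

// parseApiTokenForIssuer verifies the token signature and then requires the "iss" claim to equal expectedIssuer.
func (mgr *SessionManager) parseApiTokenForIssuer(tokenString string, expectedIssuer string) (jwt.Claims, error) {
	var claims jwt.MapClaims
	// … unchanged: jwt.ParseWithClaims call, err check and token.Valid check …
	if iss, _ := claims["iss"].(string); iss != expectedIssuer {
		return nil, errors.New("token issuer does not match the expected issuer")
	}
	return token.Claims, nil
}
```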