mirror of
https://github.com/wso2/open-mcp-auth-proxy.git
synced 2025-06-27 17:13:31 +00:00
Fix minor formatting issues
This commit is contained in:
NipuniBhagya
parent
5b1daaefc3
commit
6a1c9c5883
3 changed files with 4 additions and 18 deletions
|
|
@ -60,4 +60,3 @@ bearer_methods_supported:
|
||||||
- header
|
- header
|
||||||
- body
|
- body
|
||||||
- query
|
- query
|
||||||
|
|
||||||
|
|
@ -20,9 +20,6 @@ func (d *ScopeValidator) ValidateAccess(
|
||||||
claims *TokenClaims,
|
claims *TokenClaims,
|
||||||
requiredScopes any,
|
requiredScopes any,
|
||||||
) AccessControlResult {
|
) AccessControlResult {
|
||||||
|
|
||||||
logger.Info("Required scopes: %v", requiredScopes)
|
|
||||||
|
|
||||||
var scopeStr string
|
var scopeStr string
|
||||||
switch v := requiredScopes.(type) {
|
switch v := requiredScopes.(type) {
|
||||||
case string:
|
case string:
|
||||||
|
|
@ -45,7 +42,6 @@ func (d *ScopeValidator) ValidateAccess(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.Info("Token scopes: %v", claims.Scopes)
|
|
||||||
for _, tokenScope := range claims.Scopes {
|
for _, tokenScope := range claims.Scopes {
|
||||||
if _, ok := required[tokenScope]; ok {
|
if _, ok := required[tokenScope]; ok {
|
||||||
return AccessControlResult{DecisionAllow, ""}
|
return AccessControlResult{DecisionAllow, ""}
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ import (
|
||||||
"github.com/golang-jwt/jwt/v4"
|
"github.com/golang-jwt/jwt/v4"
|
||||||
"github.com/wso2/open-mcp-auth-proxy/internal/authz"
|
"github.com/wso2/open-mcp-auth-proxy/internal/authz"
|
||||||
"github.com/wso2/open-mcp-auth-proxy/internal/config"
|
"github.com/wso2/open-mcp-auth-proxy/internal/config"
|
||||||
logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
|
"github.com/wso2/open-mcp-auth-proxy/internal/logging"
|
||||||
)
|
)
|
||||||
|
|
||||||
type TokenClaims struct {
|
type TokenClaims struct {
|
||||||
|
|
@ -52,9 +52,9 @@ func FetchJWKS(jwksURL string) error {
|
||||||
if parsed.Kty != "RSA" {
|
if parsed.Kty != "RSA" {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
pk, err := parseRSAPublicKey(parsed.N, parsed.E)
|
pubKey, err := parseRSAPublicKey(parsed.N, parsed.E)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
publicKeys[parsed.Kid] = pk
|
publicKeys[parsed.Kid] = pubKey
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
logger.Info("Loaded %d public keys.", len(publicKeys))
|
logger.Info("Loaded %d public keys.", len(publicKeys))
|
||||||
|
|
@ -81,10 +81,6 @@ func parseRSAPublicKey(nStr, eStr string) (*rsa.PublicKey, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidateJWT checks the Bearer token according to the Mcp-Protocol-Version.
|
// ValidateJWT checks the Bearer token according to the Mcp-Protocol-Version.
|
||||||
// - isLatestSpec: whether to use the latest spec validation
|
|
||||||
// - authHeader: the full "Authorization" header
|
|
||||||
// - audience: the resource identifier to check "aud" against
|
|
||||||
// - requiredScopes: the scopes required (empty ⇒ skip scope check)
|
|
||||||
func ValidateJWT(
|
func ValidateJWT(
|
||||||
isLatestSpec bool,
|
isLatestSpec bool,
|
||||||
authHeader, audience string,
|
authHeader, audience string,
|
||||||
|
|
@ -94,7 +90,7 @@ func ValidateJWT(
|
||||||
return nil, errors.New("empty bearer token")
|
return nil, errors.New("empty bearer token")
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- parse & verify signature ---
|
// Parse & verify the signature
|
||||||
token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
|
token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
|
||||||
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
|
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
|
||||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||||
|
|
@ -116,19 +112,15 @@ func ValidateJWT(
|
||||||
return nil, errors.New("token not valid")
|
return nil, errors.New("token not valid")
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- extract raw claims ---
|
|
||||||
claimsMap, ok := token.Claims.(jwt.MapClaims)
|
claimsMap, ok := token.Claims.(jwt.MapClaims)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, errors.New("unexpected claim type")
|
return nil, errors.New("unexpected claim type")
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- v1: skip audience check entirely ---
|
|
||||||
if !isLatestSpec {
|
if !isLatestSpec {
|
||||||
// we still want to return an empty set of scopes for policy to see
|
|
||||||
return &authz.TokenClaims{Scopes: nil}, nil
|
return &authz.TokenClaims{Scopes: nil}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- v2: enforce audience ---
|
|
||||||
audRaw, exists := claimsMap["aud"]
|
audRaw, exists := claimsMap["aud"]
|
||||||
if !exists {
|
if !exists {
|
||||||
return nil, errors.New("aud claim missing")
|
return nil, errors.New("aud claim missing")
|
||||||
|
|
@ -153,7 +145,6 @@ func ValidateJWT(
|
||||||
return nil, errors.New("aud claim has unexpected type")
|
return nil, errors.New("aud claim has unexpected type")
|
||||||
}
|
}
|
||||||
|
|
||||||
// --- collect all scopes from the token, if any ---
|
|
||||||
rawScope := claimsMap["scope"]
|
rawScope := claimsMap["scope"]
|
||||||
scopeList := []string{}
|
scopeList := []string{}
|
||||||
if s, ok := rawScope.(string); ok {
|
if s, ok := rawScope.(string); ok {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue