Fix: removed issuer validation

HollererJ · HollererJ · commit 74f782d4e7ab · 2023-11-13T15:38:19.000+01:00
diff --git a/auth/auth.go b/auth/auth.go
@@ -26,7 +26,6 @@ type KeycloakRealmInfo struct {
 	RealmId               string // RealmId is the realm name that is passed to services via env vars
 	AuthServerInternalUrl string // AuthServerInternalUrl should point to keycloak auth server on internal (not public) network, e.g. http://keycloak:8080/auth; used for contacting keycloak for realm certificate for JWT
 	AuthServerPublicUrl   string // AuthServerPublicUrl should point to keycloak auth server on public (not internal) network, e.g. http://localhost:28080/auth; used to validate issuer field in JWT
-	tokenIssuer           string
 }
 
 func (i *KeycloakRealmInfo) validate() error {
@@ -41,7 +40,7 @@ func (i *KeycloakRealmInfo) validate() error {
 		errs = append(errs, fmt.Errorf("couldn't parse auth server internal url: %w", err))
 	}
 
-	authUrl, err := url.ParseRequestURI(i.AuthServerPublicUrl)
+	_, err = url.ParseRequestURI(i.AuthServerPublicUrl)
 	if err != nil {
 		errs = append(errs, fmt.Errorf("couldn't parse auth server public url: %w", err))
 	}
@@ -50,8 +49,6 @@ func (i *KeycloakRealmInfo) validate() error {
 		return fmt.Errorf("\n%w", errors.Join(errs...))
 	}
 
-	i.tokenIssuer = authUrl.JoinPath("/realms/" + i.RealmId).String()
-
 	return nil
 }
 
@@ -154,10 +151,6 @@ func (a *KeycloakAuthorizer) ParseJWT(ctx context.Context, token string) (UserCo
 	}
 	claims := jwtToken.Claims.(*customClaims)
 
-	if claims.RegisteredClaims.Issuer != a.realmInfo.tokenIssuer {
-		return UserContext{}, fmt.Errorf("invalid domain of issuer of token %q", claims.RegisteredClaims.Issuer)
-	}
-
 	if _, _, err := a.client.DecodeAccessToken(ctx, token, a.realmInfo.RealmId); err != nil {
 		return UserContext{}, fmt.Errorf("validation of token failed: %w", err)
 	}
diff --git a/auth/auth_test.go b/auth/auth_test.go
@@ -86,13 +86,6 @@ func TestParseJWT(t *testing.T) {
 
 	FakeCertResponse(t, authorizer)
 
-	t.Run("No realm info", func(t *testing.T) {
-		userContext, err := authorizer.ParseJWT(context.Background(), noRealmToken)
-
-		assert.ErrorContains(t, err, "invalid domain of issuer")
-		assert.Zero(t, userContext)
-	})
-
 	t.Run("Wrong algorithm", func(t *testing.T) {
 		userContext, err := authorizer.ParseJWT(context.Background(), invalidAlgorithmToken)
 
@@ -125,20 +118,6 @@ func TestParseJWT(t *testing.T) {
 		assert.Zero(t, userContext)
 	})
 
-	t.Run("Invalid issuer", func(t *testing.T) {
-		userContext, err := authorizer.ParseJWT(context.Background(), invalidIssuerToken)
-
-		assert.ErrorContains(t, err, "invalid domain of issuer")
-		assert.Zero(t, userContext)
-	})
-
-	t.Run("Invalid realm", func(t *testing.T) {
-		userContext, err := authorizer.ParseJWT(context.Background(), invalidRealmToken)
-
-		assert.ErrorContains(t, err, "invalid domain of issuer")
-		assert.Zero(t, userContext)
-	})
-
 	t.Run("OK", func(t *testing.T) {
 		userContext, err := authorizer.ParseJWT(context.Background(), validToken)
 

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@ type KeycloakRealmInfo struct {`
`26`	`26`	`RealmId string // RealmId is the realm name that is passed to services via env vars`
`27`	`27`	`AuthServerInternalUrl string // AuthServerInternalUrl should point to keycloak auth server on internal (not public) network, e.g. http://keycloak:8080/auth; used for contacting keycloak for realm certificate for JWT`
`28`	`28`	`AuthServerPublicUrl string // AuthServerPublicUrl should point to keycloak auth server on public (not internal) network, e.g. http://localhost:28080/auth; used to validate issuer field in JWT`
`29`		`- tokenIssuer string`
`30`	`29`	`}`
`31`	`30`
`32`	`31`	`func (i *KeycloakRealmInfo) validate() error {`
`@@ -41,7 +40,7 @@ func (i *KeycloakRealmInfo) validate() error {`
`41`	`40`	`errs = append(errs, fmt.Errorf("couldn't parse auth server internal url: %w", err))`
`42`	`41`	`}`
`43`	`42`
`44`		`- authUrl, err := url.ParseRequestURI(i.AuthServerPublicUrl)`
	`43`	`+ _, err = url.ParseRequestURI(i.AuthServerPublicUrl)`
`45`	`44`	`if err != nil {`
`46`	`45`	`errs = append(errs, fmt.Errorf("couldn't parse auth server public url: %w", err))`
`47`	`46`	`}`
`@@ -50,8 +49,6 @@ func (i *KeycloakRealmInfo) validate() error {`
`50`	`49`	`return fmt.Errorf("\n%w", errors.Join(errs...))`
`51`	`50`	`}`
`52`	`51`
`53`		`- i.tokenIssuer = authUrl.JoinPath("/realms/" + i.RealmId).String()`
`54`		`-`
`55`	`52`	`return nil`
`56`	`53`	`}`
`57`	`54`
`@@ -154,10 +151,6 @@ func (a *KeycloakAuthorizer) ParseJWT(ctx context.Context, token string) (UserCo`
`154`	`151`	`}`
`155`	`152`	`claims := jwtToken.Claims.(*customClaims)`
`156`	`153`
`157`		`- if claims.RegisteredClaims.Issuer != a.realmInfo.tokenIssuer {`
`158`		`- return UserContext{}, fmt.Errorf("invalid domain of issuer of token %q", claims.RegisteredClaims.Issuer)`
`159`		`- }`
`160`		`-`
`161`	`154`	`if _, _, err := a.client.DecodeAccessToken(ctx, token, a.realmInfo.RealmId); err != nil {`
`162`	`155`	`return UserContext{}, fmt.Errorf("validation of token failed: %w", err)`
`163`	`156`	`}`