From 3e5c0a1df84b3e7871178fea350d1c2ec2537c6d Mon Sep 17 00:00:00 2001
From: Alexey Shchepin
Date: Mon, 1 Jul 2019 05:01:55 +0300
Subject: [PATCH] Authentication using JWT tokens
---
 src/ejabberd_auth_jwt.erl | 130 ++++++++++++++++++++++++++++++++++++++
 src/ejabberd_options.erl | 7 +-
 2 files changed, 135 insertions(+), 2 deletions(-)
 create mode 100644 src/ejabberd_auth_jwt.erl
diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl
new file mode 100644
index 000000000..6be151405
--- /dev/null
+++ b/src/ejabberd_auth_jwt.erl
@@ -0,0 +1,130 @@
+%%%----------------------------------------------------------------------
+%%% File : ejabberd_auth_jwt.erl
+%%% Author : Mickael Remond
+%%% Purpose : Authentification using JWT tokens
+%%% Created : 16 Mar 2019 by Mickael Remond
+%%%
+%%%
+%%% ejabberd, Copyright (C) 2002-2019 ProcessOne
+%%%
+%%% This program is free software; you can redistribute it and/or
+%%% modify it under the terms of the GNU General Public License as
+%%% published by the Free Software Foundation; either version 2 of the
+%%% License, or (at your option) any later version.
+%%%
+%%% This program is distributed in the hope that it will be useful,
+%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
+%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+%%% General Public License for more details.
+%%%
+%%% You should have received a copy of the GNU General Public License along
+%%% with this program; if not, write to the Free Software Foundation, Inc.,
+%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+%%%
+%%%----------------------------------------------------------------------
+
+-module(ejabberd_auth_jwt).
+
+-author('mremond@process-one.net').
+
+-behaviour(ejabberd_auth).
+
+-export([start/1, stop/1, check_password/4,
+ store_type/1, plain_password_required/1
+ %,opt_type/1, options/0, globals/0
+ ]).
+
+-include("xmpp.hrl").
+-include("logger.hrl").
+
+%%%----------------------------------------------------------------------
+%%% API
+%%%----------------------------------------------------------------------
+start(_Host) -> ok.
+
+stop(_Host) -> ok.
+
+plain_password_required(_Host) -> true.
+
+store_type(_Host) -> external.
+
+-spec check_password(binary(), binary(), binary(), binary()) -> boolean().
+check_password(User, AuthzId, Server, Token) ->
+ %% MREMOND: Should we move the AuthzId check at a higher level in
+ %% the call stack?
+ if AuthzId /= <<>> andalso AuthzId /= User ->
+ false;
+ true ->
+ if Token == <<"">> -> false;
+ true ->
+ check_jwt_token(User, Server, Token)
+ end
+ end.
+
+%%%----------------------------------------------------------------------
+%%% Internal functions
+%%%----------------------------------------------------------------------
+check_jwt_token(User, Server, Token) ->
+ JWK = get_jwk(Server),
+ try jose_jwt:verify(JWK, Token) of
+ {true, {jose_jwt, Fields}, Signature} ->
+ ?DEBUG("jwt verify: ~p - ~p~n", [Fields, Signature]),
+ case maps:find(<<"exp">>, Fields) of
+ error ->
+ %% No expiry in token => We consider token invalid:
+ false;
+ {ok, Exp} ->
+ Now = erlang:system_time(second),
+ if
+ true orelse Exp > Now ->
+ case maps:find(<<"jid">>, Fields) of
+ error ->
+ false;
+ {ok, SJID} ->
+ try
+ JID = jid:decode(SJID),
+ (JID#jid.luser == User) andalso
+ (JID#jid.lserver == Server)
+ catch error:{bad_jid, _} ->
+ false
+ end
+ end;
+ true ->
+ %% return false, if token has expired
+ false
+ end
+ end;
+ {false, _, _} ->
+ false
+ catch
+ error:{badarg, _} ->
+ false
+ end.
+
+get_jwk(Host) ->
+ jose_jwk:from_binary(ejabberd_config:get_option({jwt_key, Host})).
+
+%%%----------------------------------------------------------------------
+%%% Options for JWT authentication modules
+%%%----------------------------------------------------------------------
+%-spec opt_type(atom()) -> fun((any()) -> any()) | [atom()].
+%
+%%%% name: jwt_key
+%%%% type: binary
+%%%% description: JWT key used to validate JWT tokens.
+%%%% Default: none
+%%%% Mandatory: yes
+%opt_type(jwt_key) -> fun iolist_to_binary/1;
+%
+%%%% Available options:
+%opt_type(_) -> [jwt_key].
+%
+%options() ->
+% [{jwt_key, <<"">>}].
+%
+%globals() ->
+% [jwt_key].
+
+%% TODO: auth0 username is defined in 'jid' field, but we should
+%% allow customizing the name of the field containing the username
+%% to adapt to custom claims.
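Review bot: The expiry check in check_jwt_token is a no-op: `true orelse Exp > Now ->` always selects the first branch, so an expired token is accepted and the `true ->` branch commented "return false, if token has expired" is unreachable; the guard should read `is_integer(Exp) andalso Exp > Now ->`, which also routes a non-numeric `exp` claim to the rejecting branch instead of letting Erlang's term order rank a binary above any integer. Separately, `jose_jwt:verify/2` accepts whichever signing algorithm the token header names; if the jose version in use provides it, `jose_jwt:verify_strict(JWK, [<<"HS256">>], Token)` (the algorithm list is an example and must match the configured key type) pins the accepted algorithm to the key. The `?DEBUG` call right after the verify clause prints every claim in the token, which may carry more than the jid; logging `maps:keys(Fields)` or only the decoded jid is enough for diagnostics. Note also that `get_jwk/1` runs before the `try`, so a key that does not parse raises out of check_password rather than returning `false`.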
diff --git a/src/ejabberd_options.erl b/src/ejabberd_options.erl
index 80a0e4f21..2e061f1c4 100644
--- a/src/ejabberd_options.erl
+++ b/src/ejabberd_options.erl
@@ -407,7 +407,9 @@ opt_type(websocket_origin) ->
 opt_type(websocket_ping_interval) ->
 econf:timeout(second);
 opt_type(websocket_timeout) ->
- econf:timeout(second).
+ econf:timeout(second);
+opt_type(jwt_key) ->
+ econf:binary().
 
 %% We only define the types of options that cannot be derived
 %% automatically by tools/opt_type.sh script
@@ -638,7 +640,8 @@ options() ->
 {validate_stream, false},
 {websocket_origin, []},
 {websocket_ping_interval, timer:seconds(60)},
- {websocket_timeout, timer:minutes(5)}].
+ {websocket_timeout, timer:minutes(5)},
+ {jwt_key, <<"">>}].
 
 -spec globals() -> [atom()].
 globals() ->
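Review bot: The `{jwt_key, <<"">>}` default added to options() is not a parseable JWK, and `econf:binary()` in opt_type(jwt_key) accepts any binary, so a missing or malformed key is not rejected at configuration load; with this commit's ejabberd_auth_jwt it presumably surfaces only at the first login attempt as an exception from jose_jwk:from_binary/1 in get_jwk/1. If econf offers a way to compose a validator over the binary type, wrap it with a check that the value parses as a JWK so the operator sees the error at startup; otherwise the auth module should at least treat an empty key as a definite `false` and log once. Both enclosing definitions, opt_type/1 and options/0, start and end outside these hunks.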