oauth: get signing key from provider

app/app.go

@@ -6,12 +6,11 @@ import (
 	"github.com/go-redis/redis/v8"
 	"github.com/jmoiron/sqlx"
 	"github.com/keratin/authn-server/app/data"
+	dataRedis "github.com/keratin/authn-server/app/data/redis"
 	"github.com/keratin/authn-server/lib/oauth"
 	"github.com/keratin/authn-server/ops"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
-
-	dataRedis "github.com/keratin/authn-server/app/data/redis"
 )
 
 type pinger func() bool
@@ -101,20 +100,21 @@ func NewApp(cfg *Config, logger logrus.FieldLogger) (*App, error) {
 	}
 
 	oauthProviders := map[string]oauth.Provider{}
+
 	if cfg.GoogleOauthCredentials != nil {
-		oauthProviders["google"] = *oauth.NewGoogleProvider(cfg.GoogleOauthCredentials)
+		oauthProviders["google"] = *oauth.NewGoogleProvider(cfg.GoogleOauthCredentials, cfg.OAuthSigningKey)
 	}
 	if cfg.GitHubOauthCredentials != nil {
-		oauthProviders["github"] = *oauth.NewGitHubProvider(cfg.GitHubOauthCredentials)
+		oauthProviders["github"] = *oauth.NewGitHubProvider(cfg.GitHubOauthCredentials, cfg.OAuthSigningKey)
 	}
 	if cfg.FacebookOauthCredentials != nil {
-		oauthProviders["facebook"] = *oauth.NewFacebookProvider(cfg.FacebookOauthCredentials)
+		oauthProviders["facebook"] = *oauth.NewFacebookProvider(cfg.FacebookOauthCredentials, cfg.OAuthSigningKey)
 	}
 	if cfg.DiscordOauthCredentials != nil {
-		oauthProviders["discord"] = *oauth.NewDiscordProvider(cfg.DiscordOauthCredentials)
+		oauthProviders["discord"] = *oauth.NewDiscordProvider(cfg.DiscordOauthCredentials, cfg.OAuthSigningKey)
 	}
 	if cfg.MicrosoftOauthCredientials != nil {
-		oauthProviders["microsoft"] = *oauth.NewMicrosoftProvider(cfg.MicrosoftOauthCredientials)
+		oauthProviders["microsoft"] = *oauth.NewMicrosoftProvider(cfg.MicrosoftOauthCredientials, cfg.OAuthSigningKey)
 	}
 
 	return &App{

app/tokens/oauth/oauth.go

@@ -23,9 +23,9 @@ type Claims struct {
 }
 
 // Sign converts the claims into a serialized string, signed with HMAC.
-func (c *Claims) Sign(hmacKey []byte) (string, error) {
+func (c *Claims) Sign(signingKey jose.SigningKey) (string, error) {
 	signer, err := jose.NewSigner(
-		jose.SigningKey{Algorithm: jose.HS256, Key: hmacKey},
+		signingKey,
 		(&jose.SignerOptions{}).WithType("JWT"),
 	)
 	if err != nil {
@@ -68,7 +68,7 @@ func Parse(tokenStr string, cfg *app.Config, nonce string) (*Claims, error) {
 // New creates Claims for a JWT suitable as a state parameter during an OAuth flow.
 func New(cfg *app.Config, nonce string, destination string) (*Claims, error) {
 	return &Claims{
-		Scope: scope,
+		Scope:                    scope,
 		RequestForgeryProtection: nonce,
 		Destination:              destination,
 		Claims: jwt.Claims{

app/tokens/oauth/oauth_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/keratin/authn-server/app/tokens/oauth"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"gopkg.in/square/go-jose.v2"
 )
 
 func TestOAuthToken(t *testing.T) {
@@ -28,7 +29,7 @@ func TestOAuthToken(t *testing.T) {
 		assert.True(t, token.Audience.Contains("https://authn.example.com"))
 		assert.NotEmpty(t, token.IssuedAt)
 
-		tokenStr, err := token.Sign(cfg.OAuthSigningKey)
+		tokenStr, err := token.Sign(jose.SigningKey{Algorithm: jose.HS256, Key: cfg.OAuthSigningKey})
 		require.NoError(t, err)
 
 		_, err = oauth.Parse(tokenStr, cfg, nonce)
@@ -39,7 +40,7 @@ func TestOAuthToken(t *testing.T) {
 		token, err := oauth.New(cfg, nonce, "https://app.example.com/return")
 		require.NoError(t, err)
 
-		tokenStr, err := token.Sign(cfg.OAuthSigningKey)
+		tokenStr, err := token.Sign(jose.SigningKey{Algorithm: jose.HS256, Key: cfg.OAuthSigningKey})
 		require.NoError(t, err)
 
 		_, err = oauth.Parse(tokenStr, cfg, "wrong")
@@ -53,7 +54,7 @@ func TestOAuthToken(t *testing.T) {
 		}
 		token, err := oauth.New(cfg, nonce, "https://app.example.com/return")
 		require.NoError(t, err)
-		tokenStr, err := token.Sign(oldCfg.OAuthSigningKey)
+		tokenStr, err := token.Sign(jose.SigningKey{Algorithm: jose.HS256, Key: oldCfg.OAuthSigningKey})
 		require.NoError(t, err)
 		_, err = oauth.Parse(tokenStr, cfg, nonce)
 		assert.Error(t, err)
@@ -66,7 +67,7 @@ func TestOAuthToken(t *testing.T) {
 		}
 		token, err := oauth.New(&oldCfg, nonce, "https://app.example.com/return")
 		require.NoError(t, err)
-		tokenStr, err := token.Sign(cfg.OAuthSigningKey)
+		tokenStr, err := token.Sign(jose.SigningKey{Algorithm: jose.HS256, Key: cfg.OAuthSigningKey})
 		require.NoError(t, err)
 		_, err = oauth.Parse(tokenStr, cfg, nonce)
 		assert.Error(t, err)

lib/oauth/discord.go

@@ -6,10 +6,11 @@ import (
 	"io/ioutil"
 
 	"golang.org/x/oauth2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // NewDiscordProvider returns a AuthN integration for Discord OAuth
-func NewDiscordProvider(credentials *Credentials) *Provider {
+func NewDiscordProvider(credentials *Credentials, signingKey []byte) *Provider {
 	config := &oauth2.Config{
 		ClientID:     credentials.ID,
 		ClientSecret: credentials.Secret,
@@ -20,24 +21,21 @@ func NewDiscordProvider(credentials *Credentials) *Provider {
 		},
 	}
 
-	return &Provider{
-		config: config,
-		UserInfo: func(t *oauth2.Token) (*UserInfo, error) {
-			client := config.Client(context.TODO(), t)
-			resp, err := client.Get("https://discordapp.com/api/users/@me")
-			if err != nil {
-				return nil, err
-			}
-			defer resp.Body.Close()
+	return NewProvider(config, func(t *oauth2.Token) (*UserInfo, error) {
+		client := config.Client(context.TODO(), t)
+		resp, err := client.Get("https://discordapp.com/api/users/@me")
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
 
-			body, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				return nil, err
-			}
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
 
-			var user UserInfo
-			err = json.Unmarshal(body, &user)
-			return &user, err
-		},
-	}
+		var user UserInfo
+		err = json.Unmarshal(body, &user)
+		return &user, err
+	}, jose.SigningKey{Key: signingKey, Algorithm: jose.HS256})
 }

lib/oauth/facebook.go

@@ -7,35 +7,33 @@ import (
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/facebook"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // NewFacebookProvider returns a AuthN integration for Facebook OAuth
-func NewFacebookProvider(credentials *Credentials) *Provider {
+func NewFacebookProvider(credentials *Credentials, signingKey []byte) *Provider {
 	config := &oauth2.Config{
 		ClientID:     credentials.ID,
 		ClientSecret: credentials.Secret,
 		Scopes:       []string{"email"},
 		Endpoint:     facebook.Endpoint,
 	}
 
-	return &Provider{
-		config: config,
-		UserInfo: func(t *oauth2.Token) (*UserInfo, error) {
-			client := config.Client(context.TODO(), t)
-			resp, err := client.Get("https://graph.facebook.com/me?fields=id,email")
-			if err != nil {
-				return nil, err
-			}
-			defer resp.Body.Close()
+	return NewProvider(config, func(t *oauth2.Token) (*UserInfo, error) {
+		client := config.Client(context.TODO(), t)
+		resp, err := client.Get("https://graph.facebook.com/me?fields=id,email")
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
 
-			body, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				return nil, err
-			}
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
 
-			var user UserInfo
-			err = json.Unmarshal(body, &user)
-			return &user, err
-		},
-	}
+		var user UserInfo
+		err = json.Unmarshal(body, &user)
+		return &user, err
+	}, jose.SigningKey{Key: signingKey, Algorithm: jose.HS256})
 }

lib/oauth/github.go

@@ -8,10 +8,11 @@ import (
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // NewGitHubProvider returns a AuthN integration for GitHub OAuth
-func NewGitHubProvider(credentials *Credentials) *Provider {
+func NewGitHubProvider(credentials *Credentials, signingKey []byte) *Provider {
 	config := &oauth2.Config{
 		ClientID:     credentials.ID,
 		ClientSecret: credentials.Secret,
@@ -71,23 +72,20 @@ func NewGitHubProvider(credentials *Credentials) *Provider {
 		return strconv.Itoa(user.ID), nil
 	}
 
-	return &Provider{
-		config: config,
-		UserInfo: func(t *oauth2.Token) (*UserInfo, error) {
-			id, err := getID(t)
-			if err != nil {
-				return nil, err
-			}
+	return NewProvider(config, func(t *oauth2.Token) (*UserInfo, error) {
+		id, err := getID(t)
+		if err != nil {
+			return nil, err
+		}
 
-			email, err := getPrimaryEmail(t)
-			if err != nil {
-				return nil, err
-			}
+		email, err := getPrimaryEmail(t)
+		if err != nil {
+			return nil, err
+		}
 
-			return &UserInfo{
-				ID:    id,
-				Email: email,
-			}, nil
-		},
-	}
+		return &UserInfo{
+			ID:    id,
+			Email: email,
+		}, nil
+	}, jose.SigningKey{Key: signingKey, Algorithm: jose.HS256})
 }

lib/oauth/google.go

@@ -7,35 +7,33 @@ import (
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // NewGoogleProvider returns a AuthN integration for Google OAuth
-func NewGoogleProvider(credentials *Credentials) *Provider {
+func NewGoogleProvider(credentials *Credentials, signingKey []byte) *Provider {
 	config := &oauth2.Config{
 		ClientID:     credentials.ID,
 		ClientSecret: credentials.Secret,
 		Scopes:       []string{"email"},
 		Endpoint:     google.Endpoint,
 	}
 
-	return &Provider{
-		config: config,
-		UserInfo: func(t *oauth2.Token) (*UserInfo, error) {
-			client := config.Client(context.TODO(), t)
-			resp, err := client.Get("https://www.googleapis.com/oauth2/v1/userinfo?alt=json")
-			if err != nil {
-				return nil, err
-			}
-			defer resp.Body.Close()
+	return NewProvider(config, func(t *oauth2.Token) (*UserInfo, error) {
+		client := config.Client(context.TODO(), t)
+		resp, err := client.Get("https://www.googleapis.com/oauth2/v1/userinfo?alt=json")
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
 
-			body, err := ioutil.ReadAll(resp.Body)
-			if err != nil {
-				return nil, err
-			}
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
 
-			var user UserInfo
-			err = json.Unmarshal(body, &user)
-			return &user, err
-		},
-	}
+		var user UserInfo
+		err = json.Unmarshal(body, &user)
+		return &user, err
+	}, jose.SigningKey{Key: signingKey, Algorithm: jose.HS256})
 }

lib/oauth/microsoft.go

@@ -7,10 +7,11 @@ import (
 	"io"
 
 	"golang.org/x/oauth2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // NewMicrosoftProvider returns a AuthN integration for Microsoft OAuth
-func NewMicrosoftProvider(credentials *Credentials) *Provider {
+func NewMicrosoftProvider(credentials *Credentials, signingKey []byte) *Provider {
 	config := &oauth2.Config{
 		ClientID:     credentials.ID,
 		ClientSecret: credentials.Secret,
@@ -21,32 +22,29 @@ func NewMicrosoftProvider(credentials *Credentials) *Provider {
 		},
 	}
 
-	return &Provider{
-		config: config,
-		UserInfo: func(t *oauth2.Token) (*UserInfo, error) {
-			var me struct {
-				Id                string `json:"id"`
-				UserPrincipalName string `json:"userPrincipalName"`
-			}
+	return NewProvider(config, func(t *oauth2.Token) (*UserInfo, error) {
+		var me struct {
+			Id                string `json:"id"`
+			UserPrincipalName string `json:"userPrincipalName"`
+		}
 
-			client := config.Client(context.TODO(), t)
-			resp, err := client.Get("https://graph.microsoft.com/v1.0/me")
-			if err != nil {
-				return nil, err
-			}
-			defer resp.Body.Close()
+		client := config.Client(context.TODO(), t)
+		resp, err := client.Get("https://graph.microsoft.com/v1.0/me")
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
 
-			body, err := io.ReadAll(resp.Body)
-			if err != nil {
-				return nil, err
-			}
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
 
-			var user UserInfo
-			err = json.Unmarshal(body, &me)
-			user.ID = me.Id
-			user.Email = me.UserPrincipalName
-			fmt.Println(user)
-			return &user, err
-		},
-	}
+		var user UserInfo
+		err = json.Unmarshal(body, &me)
+		user.ID = me.Id
+		user.Email = me.UserPrincipalName
+		fmt.Println(user)
+		return &user, err
+	}, jose.SigningKey{Key: signingKey, Algorithm: jose.HS256})
 }