Fixed JWKS endpoint issue due to recent security fix
rorylshanks committed Mar 30, 2024
1 parent 2d8391a commit 78fb200
Showing 5 changed files with 12 additions and 4 deletions.
2 changes: 1 addition & 1 deletion example-config.yaml
Expand Up @@ -31,7 +31,7 @@ idp_refresh_directory_interval: 10m
idp_refresh_directory_timeout: 5m
signing_key: "BASE64_ENCODED_RSA_PRIVATE_KEY"
redirect_base_path: /.veriflow
jwks_path: /.well-known/veriflow/jwks.json
jwks_path: /.veriflow/jwks.json
trusted_ranges:
- 192.168.60.0/24
- 192.168.61.0/24
4 changes: 3 additions & 1 deletion lib/http.js
Expand Up @@ -101,7 +101,9 @@ app.get(redirectBasePath + '/logout', async (req, res) => {
app.get(redirectBasePath + '/auth', ssoController.redirectToSsoProvider)
app.get(redirectBasePath + '/callback', ssoController.verifySsoCallback)

app.get(config.jwks_path, (req, res) => {
var jwksPath = config.jwks_path || getRedirectBasepath() + "/jwks.json"

app.get(jwksPath, (req, res) => {
res.json({
keys: [jwks],
});
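Review bot: The fallback `config.jwks_path || getRedirectBasepath() + "/jwks.json"` on the new `var jwksPath` line is repeated verbatim in util/caddyModels.js (the new entry after `"/callback",`), so the Express route and the path list handed to Caddy can drift apart with nothing to catch it — a mismatch leaves the key endpoint either routed to a path Express does not serve, or served on a path Caddy does not forward, which is presumably the very breakage this commit fixes. A helper next to `getRedirectBasepath()`, e.g. `function getJwksPath() { return config.jwks_path || getRedirectBasepath() + "/jwks.json" }`, used in both files keeps the two in lock-step, and the new declaration should be `const`, not `var`. `||` also treats an explicitly empty `jwks_path` as unset, which looks intended here but is worth a one-line comment. The router setup this hunk belongs to starts before the hunk.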
1 change: 0 additions & 1 deletion test/e2e/configs/veriflow.yaml
Expand Up @@ -21,7 +21,6 @@ refresh_idp_at_start: true
# BELOW KEY IS ONLY FOR TESTING AND NOT A REAL KEY
signing_key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBazdPT1kyZzk4QnVRWFFGN0d6VXQ3V3pQc1hsQXBXYWg5blozMDZwZzJUV0NXYm95CmIwekJEVWpmeWZHWDNEUnl1NTdZSFgwL2pwWUdhcGt6YW41SkxWSkl2MmpsQnZkWGZOREFvRkFWVURnTFJYa3QKN3FlMnRNazFGMEFoQnBpbWdQSUlMbU9HRVJrSzZ4cmFmRHorTXRyV2NOVnNqdmJUZ1ZuSC85K2lBSGZXSTQ3Zwp4NWd1MmJuR1U2N3cyN3BvZGo1ZWsyUGdBR0cwb2M0dUJiY3V4cGFOSy9xdERnZU1samtyRWc0S0NpYmlFMUFuCm5aUUc2aGkrNkJuQnNWQkRWTDV5L0xkOUhrS0FxNDB2MHQ4VThKZ0xqNElmcUJ4c2Z0WllyL2Y4UDhoR2Z1N0UKek13ZS91MnU2NXZCRVBlRnNYQk14UmZqQ041enVlVWI2L1RRaXdJREFRQUJBb0lCQVFDUlZ1bXhKZjEwelJyVQpla1dTYzFUN1FjeHFQZitBQXFzelpFWHJVY2UxVlhNc0tnM0ErYzBwN21EUVRkeDZRbDM0QTRsMEV6QThkYUpnCnVOb2dXNTVVYTVqTVNVSzlCUnpnNUdYNEduV3VsMGQ0R0pNN09XdVBJRU1PMnZya2k4ZWtNUVlkNTY4Z0dmMWwKZGVveXdLMytpdHJpOHhDODZXTWM4S1RlUTBnZG5rKzBOM0h0cWx5N005TG9laElpVHMyMGRBSGcwT1NGaXdyYwpiL2Y1T0MybFRhbmdJb1FpbzFvTEwwRUM2dk4wdnpUUkxnNW9hMXhUMTlDN21FcFprL1ZnUjBuQlpRcU4vNDlICklvTGpIWWNFbXVsZDh1UU14dUZ1RzVLN0lpQlBVKys1QWhvbmUwTDlvQnB2NFlYeVM2OXE0amU0ZjNFSllPa2QKS2VndmVJa3BBb0dCQU1RVUhheDBhOHVaTWNaZnhvaG9CMjVuaE53Nng1VEZtVGRQeC9DamxYWllBYWcrbUFGYwpTWnF4SEJHcVJTTFRQMVkreFp6VExlS0VJNnlLSXJwbHozMXZPMEdsU05Xb3UybGkvUFRBQlBUVnl3eEcvWVpHCmZUL3BhZXJXYzJuYkxnUngxMkl5TzhsQXIwUVFJU3ZHdlF0cUdHUlpQY2YxSHJMQU81dkgzK2U5QW9HQkFNRFcKdXgxMmo5U1BZT3NBN2E1b2JmSzZmazNnTVFjeEZVRGVUaU1GSHl3bFdoWThQOUhqelRHVUNEQ3gzT2lwSHdNZApBUWZOTXRMRDR4WThZS05Ha2t1YklFemFRL0hWckRIQklZdGNsMHFobUZzRDAyYXJqWnlNV2xQN0FySEZlenNhCnZGMHR5eEIzQlFjVWE0REpqcG1jN1V2S2l6Zm4xVEl0a2NXL1lsbm5Bb0dCQUpndEFJYXFhRXJBWDNnVk52RUEKdzl1MHJkRjZNUkZPZGtZT1BoK041ZDdPR0tNcHlURXRIZGJYNCsvMTFPaGRTUWUzZWdqbmdQSVBHZHk3N0kzNwpuQmcrcnArWkZyanoxbGZKUW9iMVRDTjBsYnkyaithWmFIV2t3dFpHajVZMVREYVkzODlQSzBWYlZXc2VsWS96CkV4Nzd2V2lNTmoydENLRTBQazc5eGRHRkFvR0JBSUVNc3JmcTZpSWp1WVpMWHNSQzJxRi9zSnJKRjhacVVJRFMKeEpPbkQ4OXBSN3B0bzRBQTVRYnl1L0JxZHgyMFlDNmpNRmRhT1ZMWENKZU8zRlVvR3l0QnF3SURaMGpsNTVCOApZTWgwdEVLYmxld0N5V3lDRGdqZjNHc3JKZ2gxMGh3aHJrRGxMbW5jWEo3NlNWOHNnNlBGWXdBL2taOWVKRXlxCk5rMlI0RzJ0QW9HQWZVL092bHdCSWlBN0p3Wj
c4c2x5MVFPMkkrbWdybHo5OWRERlNRcTAwQTVUZjd2dGFEYncKNzQwRXBGc0lNRm5BNlZRQUg5YVV1RnVxSVV4K1RQazMyQXdJTy9SNVpLR2dNelNqcndDRVNBeXMyR0JJdWx1TwpFcktHNUp1NmFteWUyWk90eEl5emdWV3Zmc0hERG5MNDRuTmNhYkNDbnRQR1dJb3QyeXhnZllvPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" # ONLY FOR TESTING
redirect_base_path: /.veriflow
jwks_path: /.well-known/pomerium/jwks.json
kid_override: "0"
policy:
- from: http://test-basic-login.localtest.me
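--- a/test/e2e/tests/jwks_test.js
+++ b/test/e2e/tests/jwks_test.js
@@ -0,0 +1,6 @@
+Feature('JWKS').retry(3);
+
+Scenario('I can see JWKS from configuration', async ({ I }) => {
+I.amOnPage('http://veriflow.localtest.me/.veriflow/jwks.json');
+I.see("kid")
+})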
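Review bot: The scenario is titled 'I can see JWKS from configuration', but the same commit deletes `jwks_path` from test/e2e/configs/veriflow.yaml, so the request to `/.veriflow/jwks.json` exercises the default fallback rather than a configured value; either rename it (`Scenario('I can see JWKS at the default path', ...)`) or keep a configured `jwks_path` in the test config and add a second scenario, so a regression in honouring the configured path is actually caught. `I.see("kid")` only checks that the text appears somewhere in the response body; also asserting `I.see('"keys"')` ties the check to the JSON shape the handler emits. The last two lines drop the semicolons the first two use.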
3 changes: 2 additions & 1 deletion util/caddyModels.js
Expand Up @@ -394,7 +394,8 @@ async function generateCaddyConfig() {
getRedirectBasepath() + "/set",
getRedirectBasepath() + "/logout",
getRedirectBasepath() + "/auth",
getRedirectBasepath() + "/callback"
getRedirectBasepath() + "/callback",
config.jwks_path || getRedirectBasepath() + "/jwks.json"
]
}
],