From db00ce7be01c2c00b213d19f133d400296a0ea10 Mon Sep 17 00:00:00 2001
From: Bolke de Bruin <bolke@xs4all.nl>
Date: Thu, 20 Aug 2020 14:46:01 +0200
Subject: [PATCH] Verify access key as part of PAA verification

---
 main.go         |  5 +++--
 security/jwt.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index ea1f3f2..759aea6 100644
--- a/main.go
+++ b/main.go
@@ -41,8 +41,7 @@ func main() {
 	security.UserSigningKey = []byte(conf.Security.UserTokenSigningKey)
 
 	// set oidc config
-	ctx := context.Background()
-	provider, err := oidc.NewProvider(ctx, conf.OpenId.ProviderUrl)
+	provider, err := oidc.NewProvider(context.Background(), conf.OpenId.ProviderUrl)
 	if err != nil {
 		log.Fatalf("Cannot get oidc provider: %s", err)
 	}
@@ -58,6 +57,8 @@ func main() {
 		Endpoint: provider.Endpoint(),
 		Scopes:   []string{oidc.ScopeOpenID, "profile", "email"},
 	}
+	security.OIDCProvider = provider
+	security.Oauth2Config = oauthConfig
 
 	api := &api.Config{
 		GatewayAddress: conf.Server.GatewayAddress,
diff --git a/security/jwt.go b/security/jwt.go
index 482ea90..a80654a 100644
--- a/security/jwt.go
+++ b/security/jwt.go
@@ -6,8 +6,10 @@ import (
 	"fmt"
 	"github.com/bolkedebruin/rdpgw/common"
 	"github.com/bolkedebruin/rdpgw/protocol"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/square/go-jose/v3"
 	"github.com/square/go-jose/v3/jwt"
+	"golang.org/x/oauth2"
 	"log"
 	"time"
 )
@@ -17,6 +19,8 @@ var (
 	EncryptionKey []byte
 	UserSigningKey []byte
 	UserEncryptionKey []byte
+	OIDCProvider *oidc.Provider
+	Oauth2Config oauth2.Config
 )
 
 var ExpiryTime time.Duration = 5
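Review bot: `OIDCProvider` and `Oauth2Config` are added as exported, mutable package-level state with no documentation, and `OIDCProvider` is a nil pointer until main assigns it, so the UserInfo call that VerifyPAAToken now makes through it would dereference nil if that wiring were ever skipped or reordered. A doc comment on each stating the contract would help: `// OIDCProvider is consulted by VerifyPAAToken to validate the access token embedded in a PAA token; main must set it before any token is verified.` and `// Oauth2Config supplies the token source used for that lookup; main must set it alongside OIDCProvider.` The var block starts outside the hunk.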
@@ -58,6 +62,14 @@ func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
 		return false, err
 	}
 
+	// validate the access token
+	tokenSource := Oauth2Config.TokenSource(ctx, &oauth2.Token{AccessToken: custom.AccessToken})
+	_, err = OIDCProvider.UserInfo(ctx, tokenSource)
+	if err != nil {
+		log.Printf("Cannot get user info for access token: %s", err)
+		return false, err
+	}
+
 	s := getSessionInfo(ctx)
 	s.RemoteServer = custom.RemoteServer
 
-- 
GitLab
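Review bot: The UserInfo result is discarded on the `_, err = OIDCProvider.UserInfo(ctx, tokenSource)` line, so the new check establishes only that the identity provider still accepts the access token, not that the token belongs to the user the PAA token names; unless issuance already binds the two (not visible here), a PAA token carrying an access token obtained by a different user would pass this step. If the custom claims carry the subject, keep the result with `ui, err := OIDCProvider.UserInfo(ctx, tokenSource)` and reject the PAA token when `ui.Subject` differs from that claim. The `Oauth2Config` dependency also looks unnecessary: `oauth2.StaticTokenSource(&oauth2.Token{AccessToken: custom.AccessToken})` presents the same bearer token without pulling in refresh logic, as far as I can tell. A one-line comment would make the operational cost explicit, e.g. `// Calls the IdP on every PAA verification and fails closed when it is unreachable.` VerifyPAAToken starts and ends outside the hunk.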