diff --git a/cmd/oidc-token-verifier/main.go b/cmd/oidc-token-verifier/main.go
index 9a6930ac5e84..79bb6606842d 100644
--- a/cmd/oidc-token-verifier/main.go
+++ b/cmd/oidc-token-verifier/main.go
@@ -20,13 +20,14 @@ type Logger interface {
 }
 type options struct {
- token string
- clientID string
- outputPath string
- publicKeyPath string
- newPublicKeysVarName string
- trustedWorkflows []string
- debug bool
+ token string
+ clientID string
+ outputPath string
+ publicKeyPath string
+ newPublicKeysVarName string
+ trustedWorkflows []string
+ debug bool
+ oidcTokenExpirationTime int // OIDC token expiration time in minutes
 }
 var (
@@ -53,6 +54,7 @@ func NewRootCmd() *cobra.Command {
 rootCmd.PersistentFlags().StringVarP(&opts.clientID, "client-id", "c", "image-builder", "OIDC token client ID, this is used to verify the audience claim in the token. The value should be the same as the audience claim value in the token.")
 rootCmd.PersistentFlags().StringVarP(&opts.publicKeyPath, "public-key-path", "p", "", "Path to the cached public keys directory")
 rootCmd.PersistentFlags().BoolVarP(&opts.debug, "debug", "d", false, "Enable debug mode")
+ rootCmd.PersistentFlags().IntVarP(&opts.oidcTokenExpirationTime, "oidc-token-expiration-time", "e", 10, "OIDC token expiration time in minutes")
 return rootCmd
 }
@@ -165,7 +167,8 @@ func (opts *options) extractClaims() error {
 token, err = verifier.VerifyToken(ctx, opts.token)
 if errors.As(err, &tokenExpiredError) {
- err = verifier.VerifyExtendedExpiration(err.(tioidc.TokenExpiredError).Expiry, 5)
+ // Verify the token expiration time using the extended expiration time.
+ err = verifier.VerifyExtendedExpiration(err.(tioidc.TokenExpiredError).Expiry, opts.oidcTokenExpirationTime)
 if err != nil {
 return err
 }
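Review bot: The new `--oidc-token-expiration-time` flag is handed straight to `VerifyExtendedExpiration` in hunk @@ -165 with no bounds check, so a negative or arbitrarily large value is accepted silently where the old code hard-coded 5. If the second argument is the number of minutes past `exp` for which an already-expired token is still accepted, as the replaced literal suggests, an operator can widen that window without limit, and the help text "OIDC token expiration time in minutes" (repeated in the struct comment in hunk @@ -20) reads as if it were the token's own lifetime rather than a grace period; the default also moves from 5 to 10 minutes. A guard before the verifier runs makes the contract explicit, e.g. `if opts.oidcTokenExpirationTime < 0 { return errors.New("oidc-token-expiration-time must not be negative") }` (errors is already imported in this file), and the help text could say `"Extra minutes after the token's exp claim during which an expired token is still accepted"`. NewRootCmd continues outside the hunk.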
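Review bot: The rewritten call keeps the unchecked assertion `err.(tioidc.TokenExpiredError)` immediately after `errors.As(err, &tokenExpiredError)` succeeded; `errors.As` matches through wrapped errors while a direct assertion does not, so a wrapped TokenExpiredError would panic here instead of being handled. The value `errors.As` already filled in is the one to use: `err = verifier.VerifyExtendedExpiration(tokenExpiredError.Expiry, opts.oidcTokenExpirationTime)` (assuming tokenExpiredError is declared as `tioidc.TokenExpiredError`, which the assertion implies). The added comment restates the code; it would earn its place by saying why an expired token is re-checked, e.g. `// An expired token is still accepted within the configured grace window after its exp claim.` if that is what VerifyExtendedExpiration implements. extractClaims starts and ends outside the hunk.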
@@ -181,10 +184,8 @@ func (opts *options) extractClaims() error {
 // claims will store the extracted claim values from the token.
 claims := tioidc.NewClaims(logger)
 logger.Infow("Verifying token claims")
- // Verifies the token and check if the claims have expected values.
- // Verifies custom claim values too.
+ // Verifies if custom claims has expected values.
 // Extract the claim values from the token into the claims struct.
- // It provides a final result if the token is valid and the claims have expected values.
 err = tokenProcessor.ValidateClaims(ctx, &claims)
 if err != nil {
 return err
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
index c22c3b30d03e..3bbbf3eade93 100644
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -155,6 +155,13 @@ type TokenVerifier struct {
 Logger LoggerInterface
 }
+func maskToken(token string) string {
+ if len(token) < 15 {
+ return "********"
+ }
+ return token[:2] + "********" + token[len(token)-2:]
+ }
+
 // NewVerifierConfig creates a new VerifierConfig.
 // It verifies the clientID is not empty.
 func NewVerifierConfig(logger LoggerInterface, clientID string, options ...VerifierConfigOption) (VerifierConfig, error) {
@@ -201,7 +208,7 @@ func NewVerifierConfig(logger LoggerInterface, clientID string, options ...Verif
 func (tokenVerifier *TokenVerifier) Verify(ctx context.Context, rawToken string) (Token, error) {
 logger := tokenVerifier.Logger
 logger.Debugw("Verifying token")
- logger.Debugw("Got raw token value", "rawToken", rawToken)
+ logger.Debugw("Got raw token value", "rawToken", maskToken(rawToken))
 idToken, err := tokenVerifier.Verifier.Verify(ctx, rawToken)
 if err != nil {
 token := Token{}
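Review bot: The new comment `// Verifies if custom claims has expected values.` narrows what `tokenProcessor.ValidateClaims` is said to do, but the method's own doc comment (hunk @@ -391 in pkg/oidc/oidc.go) still says it also verifies the token signature and expiration time through the provided verifier; one of the two is misleading, and since `verifier.VerifyToken` already ran in hunk @@ -165 a reader cannot tell whether the token is verified twice or only its claims are checked here. Settle on one statement of the contract and use it in both places, and fix the agreement while at it: `// Verifies that the custom claims have the expected values.` extractClaims starts and ends outside the hunk.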
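Review bot: `maskToken` has no doc comment and its contract is not obvious from the body: inputs shorter than 15 bytes are hidden entirely, longer ones keep the first and last two bytes, and `len` and slicing count bytes, so a non-ASCII input could be cut mid-rune. For a JWT the first two characters are always `ey`, so the prefix adds no correlation value, while the two trailing characters expose part of the signature for no gain; a fixed `"********"` plus the token length, or a short hash prefix when lines must be correlated, discloses nothing. At minimum add `// maskToken redacts a raw token for logging: shorter than 15 bytes is fully masked, otherwise only the first and last two bytes are kept.` The helper is applied at hunks @@ -201 and @@ -300; any other Debugw call that logs rawToken would be outside this diff.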
@@ -241,7 +248,7 @@ func NewClaims(logger LoggerInterface) Claims {
 }
 }
-// ValidateExpectations validates the claims against the trusted issuer expected values.
+// validateExpectations validates the claims against the trusted issuer expected values.
 // It checks audience, issuer, and job_workflow_ref claims.
 func (claims *Claims) validateExpectations(issuer Issuer) error {
 logger := claims.LoggerInterface
@@ -300,7 +307,7 @@ func NewTokenProcessor(
 tokenProcessor.logger = logger
 tokenProcessor.rawToken = rawToken
- logger.Debugw("Added raw token to token processor", "rawToken", rawToken)
+ logger.Debugw("Added raw token to token processor", "rawToken", maskToken(rawToken))
 tokenProcessor.verifierConfig = config
 logger.Debugw("Added Verifier config to token processor",
@@ -391,7 +398,7 @@ func (tokenProcessor *TokenProcessor) Issuer() string {
 return tokenProcessor.issuer.IssuerURL
 }
-// VerifyAndExtractClaims verify and parse the token to get the token claims.
+// ValidateClaims verify and parse the token to get the token claims.
 // It uses the provided verifier to verify the token signature and expiration time.
 // It verifies if the token claims have expected values.
 // It unmarshal the claims into the provided claims struct.
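Review bot: The renamed doc comment still does not read as a Go doc sentence: `// ValidateClaims verify and parse the token to get the token claims.` should be `// ValidateClaims verifies and parses the token to get the token claims.`, and the last line should be `// It unmarshals the claims into the provided claims struct.` Since the comment promises signature and expiration verification, it is worth stating explicitly whether a caller that has already verified the token (as main.go does before calling it) pays for a second verification. The function body is outside the hunk.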