authenticate: implement hpke-based login flow (#3779)

* urlutil: add time validation functions * authenticate: implement hpke-based login flow * fix import cycle * fix tests * log error * fix callback url * add idp param * fix test * fix test
2025-08-03 08:50:42 +02:00 · 2022-12-05 15:31:07 -07:00 · 2022-12-05 15:31:07 -07:00 · 57217af7dd
commit 57217af7dd
parent 8d1235a5cc
25 changed files with 656 additions and 661 deletions
--- a/proxy/state.go
+++ b/proxy/state.go
@ -13,6 +13,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/hpke"
 )

 var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
@ -26,10 +27,12 @@ type proxyState struct {
 	authenticateSigninURL    *url.URL
 	authenticateRefreshURL   *url.URL

-	encoder         encoding.MarshalUnmarshaler
-	cookieSecret    []byte
-	sessionStore    sessions.SessionStore
-	jwtClaimHeaders config.JWTClaimHeaders
+	encoder                encoding.MarshalUnmarshaler
+	cookieSecret           []byte
+	sessionStore           sessions.SessionStore
+	jwtClaimHeaders        config.JWTClaimHeaders
+	hpkePrivateKey         *hpke.PrivateKey
+	authenticateKeyFetcher hpke.KeyFetcher

 	dataBrokerClient databroker.DataBrokerServiceClient

@ -44,11 +47,24 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {

 	state := new(proxyState)

+	authenticateURL, err := cfg.Options.GetAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
 	}

+	state.hpkePrivateKey, err = cfg.Options.GetHPKEPrivateKey()
+	if err != nil {
+		return nil, err
+	}
+	state.authenticateKeyFetcher = hpke.NewKeyFetcher(authenticateURL.ResolveReference(&url.URL{
+		Path: "/.well-known/pomerium/jwks.json",
+	}).String())
+
 	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 	if err != nil {
 		return nil, err