[server] Set Key ID on JWT tokens, use it for verification - WEB-100 (#17227)

* retest

* retest

* fix

* fix

* Fix

* also clear jwt cookie

* align max age with config

* [installer] Add key id for each auth keypair

* retest

* [server] Attach and verify JWT Key ID

* Fix

* fix var name

* Fix comment

Author: easyCZ

components/server/src/auth/jwt.spec.ts

@@ -26,8 +26,8 @@ class TestAuthJWT {
         hostUrl: new GitpodHostUrl("https://mp-server-d7650ec945.preview.gitpod-dev.com"),
         auth: {
             pki: {
-                signing: toKeyPair(this.signingKeyPair),
-                validating: [toKeyPair(this.validatingKeyPair1), toKeyPair(this.validatingKeyPair2)],
+                signing: toKeyPair("0001", this.signingKeyPair),
+                validating: [toKeyPair("0002", this.validatingKeyPair1), toKeyPair("0003", this.validatingKeyPair2)],
             },
         },
     } as Config;
@@ -44,6 +44,7 @@ class TestAuthJWT {
 
         const subject = "user-id";
         const encoded = await sut.sign(subject, {});
+        console.log("encoded", encoded);
 
         const decoded = await verify(encoded, this.config.auth.pki.signing.publicKey, {
             algorithms: ["RS512"],
@@ -70,11 +71,13 @@ class TestAuthJWT {
     async test_verify_validates_older_keys() {
         const sut = this.container.get<AuthJWT>(AuthJWT);
 
+        const keypair = this.config.auth.pki.validating[1];
         const subject = "user-id";
-        const encoded = await sign({}, this.config.auth.pki.validating[1].privateKey, {
+        const encoded = await sign({}, keypair.privateKey, {
             algorithm: "RS512",
             expiresIn: "1d",
             issuer: this.config.hostUrl.toStringWoRootSlash(),
+            keyid: keypair.id,
             subject,
         });
 
@@ -86,11 +89,16 @@ class TestAuthJWT {
     }
 }
 
-function toKeyPair(kp: crypto.KeyPairKeyObjectResult): {
+function toKeyPair(
+    id: string,
+    kp: crypto.KeyPairKeyObjectResult,
+): {
+    id: string;
     privateKey: string;
     publicKey: string;
 } {
     return {
+        id,
         privateKey: kp.privateKey
             .export({
                 type: "pkcs1",

components/server/src/auth/jwt.ts

@@ -7,7 +7,6 @@
 import * as jsonwebtoken from "jsonwebtoken";
 import { Config } from "../config";
 import { inject, injectable } from "inversify";
-import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 
 const algorithm: jsonwebtoken.Algorithm = "RS512";
 
@@ -21,43 +20,38 @@ export class AuthJWT {
             expiresIn,
             issuer: this.config.hostUrl.toStringWoRootSlash(),
             subject,
+            keyid: this.config.auth.pki.signing.id,
         };
 
         return sign(payload, this.config.auth.pki.signing.privateKey, opts);
     }
 
     async verify(encoded: string): Promise<jsonwebtoken.JwtPayload> {
-        // When we verify an encoded token, we verify it using all available public keys
-        // That is, we check the following:
-        //  * The current signing public key
-        //  * All other validating public keys, in order
-        //
-        // We do this to allow for key-rotation. But tokens already issued would fail to validate
-        // if the signing key was changed. To accept older sessions, which are still valid
-        // we need to check for older keys also.
-        const validatingPublicKeys = this.config.auth.pki.validating.map((keypair) => keypair.publicKey);
-        const publicKeys = [
-            this.config.auth.pki.signing.publicKey, // signing key is checked first
-            ...validatingPublicKeys,
-        ];
+        const keypairs = [this.config.auth.pki.signing, ...this.config.auth.pki.validating];
+        const publicKeysByID = keypairs.reduce<{ [id: string]: string }>((byID, keypair) => {
+            byID[keypair.id] = keypair.publicKey;
+            return byID;
+        }, {});
 
-        let lastErr;
-        for (let publicKey of publicKeys) {
-            try {
-                const decoded = await verify(encoded, publicKey, {
-                    algorithms: [algorithm],
-                });
-                return decoded;
-            } catch (err) {
-                log.debug(`Failed to verify JWT token using public key.`, err);
-                lastErr = err;
-            }
+        // When we verify an encoded token, we first read the Key ID from the token header (without verifying the signature)
+        // and then lookup the appropriate key from out collection of available keys.
+        const decodedWithoutVerification = decodeWithoutVerification(encoded);
+        const keyID = decodedWithoutVerification.header.kid;
+
+        if (!keyID) {
+            throw new Error("JWT token does not contain kid (key id) property.");
         }
 
-        log.error(`Failed to verify JWT using any available public key.`, lastErr, {
-            publicKeyCount: publicKeys.length,
+        if (!publicKeysByID[keyID]) {
+            throw new Error("JWT was signed with an unknown key id");
+        }
+
+        // Given we know which keyid this token was presumably signed with, let's verify the token using the public key.
+        const verified = await verify(encoded, publicKeysByID[keyID], {
+            algorithms: [algorithm],
         });
-        throw lastErr;
+
+        return verified;
     }
 }
 
@@ -90,3 +84,15 @@ export async function verify(
         });
     });
 }
+
+export function decodeWithoutVerification(encoded: string, options?: jsonwebtoken.DecodeOptions): jsonwebtoken.Jwt {
+    const decoded = jsonwebtoken.decode(encoded, { ...options, complete: true });
+    if (!decoded) {
+        throw new Error("Failed to decode JWT");
+    }
+    if (typeof decoded === "string") {
+        throw new Error("Decoded JWT was a string, JSON payload required.");
+    }
+
+    return decoded;
+}