Replaced github.com/coreos/go-oidc with github.com/lestrrat-go/jwx/v2 too

Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

go.mod

@@ -46,7 +46,6 @@ require (
 	github.com/camunda/zeebe/clients/go/v8 v8.1.6
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/cinience/go_rocketmq v0.0.2
-	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/dancannon/gorethink v4.0.0+incompatible
 	github.com/dapr/kit v0.0.4
@@ -79,6 +78,7 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/kubemq-io/kubemq-go v1.7.8
 	github.com/labd/commercetools-go-sdk v1.2.0
+	github.com/lestrrat-go/httprc v1.0.4
 	github.com/lestrrat-go/jwx/v2 v2.0.8
 	github.com/machinebox/graphql v0.2.2
 	github.com/matoous/go-nanoid/v2 v2.0.0
@@ -273,7 +273,6 @@ require (
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.4 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/linkedin/goavro/v2 v2.9.8 // indirect
@@ -312,7 +311,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.39.0 // indirect
@@ -376,7 +374,6 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/kataras/go-serializer.v0 v0.0.4 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect

go.sum

@@ -688,8 +688,6 @@ github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u9
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -1557,8 +1555,6 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
-github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
@@ -2654,8 +2650,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
-gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=

middleware/http/bearer/bearer_middleware.go

@@ -15,10 +15,14 @@ package bearer
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
-	oidc "github.com/coreos/go-oidc"
+	"github.com/lestrrat-go/httprc"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 
 	"github.com/dapr/components-contrib/internal/httputils"
 	mdutils "github.com/dapr/components-contrib/metadata"
@@ -31,18 +35,26 @@ type bearerMiddlewareMetadata struct {
 	ClientID  string `json:"clientID"`
 }
 
-// NewBearerMiddleware returns a new oAuth2 middleware.
-func NewBearerMiddleware(_ logger.Logger) middleware.Middleware {
-	return &Middleware{}
+const (
+	// Prefix for the authorization header (case-insensitive)
+	bearerPrefix = "bearer "
+	// Minimum interval before refreshing the JWKS cache
+	minRefreshInterval = 10 * time.Minute
+	// Allowed clock skew
+	allowedClockSkew = 5 * time.Minute
+)
+
+// NewBearerMiddleware returns a new OAuth2 middleware.
+func NewBearerMiddleware(logger logger.Logger) middleware.Middleware {
+	return &Middleware{
+		logger: logger,
+	}
 }
 
-// Middleware is an oAuth2 authentication middleware.
-type Middleware struct{}
-
-const (
-	bearerPrefix       = "bearer "
-	bearerPrefixLength = len(bearerPrefix)
-)
+// Middleware is an OAuth2 authentication middleware.
+type Middleware struct {
+	logger logger.Logger
+}
 
 // GetHandler retruns the HTTP handler provided by the middleware.
 func (m *Middleware) GetHandler(metadata middleware.Metadata) (func(next http.Handler) http.Handler, error) {
@@ -51,24 +63,52 @@ func (m *Middleware) GetHandler(metadata middleware.Metadata) (func(next http.Ha
 		return nil, err
 	}
 
-	provider, err := oidc.NewProvider(context.Background(), meta.IssuerURL)
+	ctx := context.TODO()
+
+	// Create a JWKS cache that is refreshed automatically
+	cache := jwk.NewCache(ctx)
+	err = cache.Register(meta.IssuerURL,
+		jwk.WithMinRefreshInterval(minRefreshInterval),
+		jwk.WithErrSink(httprc.ErrSinkFunc(func(err error) {
+			m.logger.Warnf("Error while refreshing JWKS cache: %v", err)
+		})),
+	)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to register JWKS cache: %w", err)
 	}
 
-	verifier := provider.Verifier(&oidc.Config{
-		ClientID: meta.ClientID,
-	})
+	// Fetch the JWKS right away to start, so we can check it's valid and populate the cache
+	_, err = cache.Refresh(ctx, meta.IssuerURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch JWKS: %w", err)
+	}
 
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("authorization")
-			if !strings.HasPrefix(strings.ToLower(authHeader), bearerPrefix) {
+			if strings.ToLower(authHeader[0:len(bearerPrefix)]) != bearerPrefix {
 				httputils.RespondWithError(w, http.StatusUnauthorized)
 				return
 			}
-			rawToken := authHeader[bearerPrefixLength:]
-			_, err := verifier.Verify(r.Context(), rawToken)
+			rawToken := authHeader[len(bearerPrefix):]
+			if len(rawToken) < 10 {
+				httputils.RespondWithError(w, http.StatusUnauthorized)
+				return
+			}
+
+			keyset, err := cache.Get(r.Context(), meta.IssuerURL)
+			if err != nil {
+				m.logger.Errorf("Failed to retrieve JWKS cache: %v", err)
+				httputils.RespondWithError(w, http.StatusInternalServerError)
+				return
+			}
+
+			_, err = jwt.Parse([]byte(rawToken),
+				jwt.WithContext(r.Context()),
+				jwt.WithAcceptableSkew(allowedClockSkew),
+				jwt.WithKeySet(keyset),
+				jwt.WithAudience(meta.ClientID),
+			)
 			if err != nil {
 				httputils.RespondWithError(w, http.StatusUnauthorized)
 				return