audit

jwt/service/jwt_token_service.go

@@ -343,9 +343,13 @@ func (ts *JWTokenService) RefreshAccessToken(refreshToken model.Token, tokenPayl
 		return nil, ErrInvalidUser
 	}
 
+	requestedScopes := strings.Split(claims.Scopes, " ")
+
+	scopes := model.AllowedScopes(requestedScopes, user.Scopes, app.Offline)
+
 	token, err := ts.NewAccessToken(
 		user,
-		strings.Split(claims.Scopes, " "),
+		scopes,
 		app,
 		false,
 		tokenPayload)

model/slice.go

@@ -2,6 +2,7 @@ package model
 
 import "strings"
 
+// SliceIntersect returns only items in as that are found in bs.
 // simple intersection of two slices, with complexity: O(n^2)
 // there is better algorithms around, this one is simple and scopes are usually 1-3 items in it
 func SliceIntersect(a, b []string) []string {

model/token.go

@@ -181,3 +181,16 @@ type Claims struct {
 
 // Full example of how to use JWT tokens:
 // https://github.com/form3tech-oss/jwt-go/blob/master/cmd/jwt/app.go
+
+func AllowedScopes(requestedScopes, userScopes []string, isOffline bool) []string {
+	scopes := []string{}
+	// if we requested any scope, let's provide all the scopes user has and requested
+	if len(requestedScopes) > 0 {
+		scopes = SliceIntersect(requestedScopes, userScopes)
+	}
+	if SliceContains(requestedScopes, "offline") && isOffline {
+		scopes = append(scopes, "offline")
+	}
+
+	return scopes
+}

storage/grpc/shared/server.go

@@ -18,7 +18,7 @@ type GRPCServer struct {
 func (m *GRPCServer) UserByPhone(ctx context.Context, in *proto.UserByPhoneRequest) (*proto.User, error) {
 	user, err := m.Impl.UserByPhone(in.Phone)
 	if err == model.ErrUserNotFound {
-		return toProto(user), status.Errorf(codes.NotFound, err.Error())
+		return toProto(user), status.Error(codes.NotFound, err.Error())
 	}
 	return toProto(user), err
 }
@@ -31,31 +31,31 @@ func (m *GRPCServer) AddUserWithPassword(ctx context.Context, in *proto.AddUserW
 func (m *GRPCServer) UserByID(ctx context.Context, in *proto.UserByIDRequest) (*proto.User, error) {
 	user, err := m.Impl.UserByID(in.Id)
 	if err == model.ErrUserNotFound {
-		return toProto(user), status.Errorf(codes.NotFound, err.Error())
+		return toProto(user), status.Error(codes.NotFound, err.Error())
 	}
 	return toProto(user), err
 }
 
 func (m *GRPCServer) UserByEmail(ctx context.Context, in *proto.UserByEmailRequest) (*proto.User, error) {
 	user, err := m.Impl.UserByEmail(in.Email)
 	if err == model.ErrUserNotFound {
-		return toProto(user), status.Errorf(codes.NotFound, err.Error())
+		return toProto(user), status.Error(codes.NotFound, err.Error())
 	}
 	return toProto(user), err
 }
 
 func (m *GRPCServer) UserByUsername(ctx context.Context, in *proto.UserByUsernameRequest) (*proto.User, error) {
 	user, err := m.Impl.UserByUsername(in.Username)
 	if err == model.ErrUserNotFound {
-		return toProto(user), status.Errorf(codes.NotFound, err.Error())
+		return toProto(user), status.Error(codes.NotFound, err.Error())
 	}
 	return toProto(user), err
 }
 
 func (m *GRPCServer) UserByFederatedID(ctx context.Context, in *proto.UserByFederatedIDRequest) (*proto.User, error) {
 	user, err := m.Impl.UserByFederatedID(in.Provider, in.Id)
 	if err == model.ErrUserNotFound {
-		return toProto(user), status.Errorf(codes.NotFound, err.Error())
+		return toProto(user), status.Error(codes.NotFound, err.Error())
 	}
 	return toProto(user), err
 }

web/api/2fa.go

@@ -195,7 +195,7 @@ func (ar *Router) ResendTFA() http.HandlerFunc {
 
 		scopes := strings.Split(token.Scopes(), " ")
 
-		authResult, err := ar.loginFlow(app, user, scopes, nil)
+		authResult, _, err := ar.loginFlow(app, user, scopes, nil)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.APIInternalServerErrorWithError, err)
 			return
@@ -265,14 +265,7 @@ func (ar *Router) FinalizeTFA() http.HandlerFunc {
 			return
 		}
 
-		scopes := []string{}
-		// if we requested any scope, let's provide all the scopes user has and requested
-		if len(d.Scopes) > 0 {
-			scopes = model.SliceIntersect(d.Scopes, user.Scopes)
-		}
-		if model.SliceContains(d.Scopes, "offline") && app.Offline {
-			scopes = append(scopes, "offline")
-		}
+		scopes := model.AllowedScopes(d.Scopes, app.Scopes, app.Offline)
 
 		tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 		if err != nil {
@@ -312,6 +305,8 @@ func (ar *Router) FinalizeTFA() http.HandlerFunc {
 			}
 		}
 
+		journal(user.ID, app.ID, "2fa_login", scopes)
+
 		ar.server.Storages().User.UpdateLoginMetadata(user.ID)
 		ar.ServeJSON(w, locale, http.StatusOK, result)
 	}

web/api/audit.go

@@ -0,0 +1,8 @@
+package api
+
+import "log"
+
+func journal(userID, appID, action string, scopes []string) {
+	log.Printf("audit record | %s | userID=%s appID=%s scopes=%v\n",
+		action, userID, appID, scopes)
+}

web/api/federated_login.go

@@ -203,7 +203,7 @@ func (ar *Router) FederatedLoginComplete() http.HandlerFunc {
 			return
 		}
 
-		authResult, err := ar.loginFlow(app, user, fsess.Scopes, nil)
+		authResult, resultScopes, err := ar.loginFlow(app, user, fsess.Scopes, nil)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorFederatedLoginError, err)
 			return
@@ -212,6 +212,8 @@ func (ar *Router) FederatedLoginComplete() http.HandlerFunc {
 		authResult.CallbackUrl = fsess.CallbackUrl
 		authResult.Scopes = fsess.Scopes
 
+		journal(user.ID, app.ID, "federated_login", resultScopes)
+
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}
 }

web/api/federated_oidc_login.go

@@ -237,7 +237,7 @@ func (ar *Router) OIDCLoginComplete(useSession bool) http.HandlerFunc {
 		// map OIDC scopes to Identifo scopes
 		requestedScopes = mapScopes(app.OIDCSettings.ScopeMapping, requestedScopes)
 
-		authResult, err := ar.loginFlow(app, user, requestedScopes, nil)
+		authResult, resultScopes, err := ar.loginFlow(app, user, requestedScopes, nil)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorFederatedLoginError, err)
 			return
@@ -247,9 +247,11 @@ func (ar *Router) OIDCLoginComplete(useSession bool) http.HandlerFunc {
 			authResult.CallbackUrl = fsess.CallbackUrl
 		}
 
-		authResult.Scopes = requestedScopes
+		authResult.Scopes = resultScopes
 		authResult.ProviderData = *providerData
 
+		journal(user.ID, app.ID, "oidc_login", resultScopes)
+
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}
 }

web/api/federated_oidc_login_test.go

@@ -19,9 +19,10 @@ import (
 )
 
 var testApp = model.AppData{
-	ID:     "test_app",
-	Active: true,
-	Type:   model.Web,
+	ID:      "test_app",
+	Active:  true,
+	Offline: true,
+	Type:    model.Web,
 	OIDCSettings: model.OIDCSettings{
 		ProviderName:    "test",
 		ClientID:        "test",
@@ -62,6 +63,8 @@ func init() {
 		panic(err)
 	}
 
+	testServer.Storages().App.CreateApp(testApp)
+
 	rs := api.RouterSettings{
 		LoginWith: model.LoginWith{
 			FederatedOIDC: true,
@@ -228,12 +231,20 @@ func Test_Router_OIDCLogin_Complete_ByEmail(t *testing.T) {
 }
 
 func claimsFromResponse(t *testing.T, response []byte) jwt.MapClaims {
+	return claimsFromJSONResponse(t, "access_token", response)
+}
+
+func refreshClaimsFromResponse(t *testing.T, response []byte) jwt.MapClaims {
+	return claimsFromJSONResponse(t, "refresh_token", response)
+}
+
+func claimsFromJSONResponse(t *testing.T, token_field string, response []byte) jwt.MapClaims {
 	var token map[string]any
 
 	err := json.Unmarshal(response, &token)
 	require.NoError(t, err)
 
-	at := token["access_token"].(string)
+	at := token[token_field].(string)
 	require.NotEmpty(t, at)
 
 	c := jwt.MapClaims{}

web/api/impersonate_as.go

@@ -27,20 +27,20 @@ func (ar *Router) ImpersonateAs() http.HandlerFunc {
 			return
 		}
 
-		userID := tokenFromContext(r.Context()).UserID()
+		userID := tokenFromContext(ctx).UserID()
 		adminUser, err := ar.server.Storages().User.UserByID(userID)
 		if err != nil {
 			ar.Error(w, locale, http.StatusUnauthorized, l.ErrorStorageFindUserIDError, userID, err)
 			return
 		}
 
-		log.Println("admin for impersonation", adminUser.ID, adminUser.Scopes)
-
 		d := impersonateData{}
 		if ar.MustParseJSON(w, r, &d) != nil {
 			return
 		}
 
+		log.Println("admin for impersonation", adminUser.ID, adminUser.Scopes, "as", d.UserID)
+
 		user, err := ar.server.Storages().User.UserByID(d.UserID)
 		if err != nil {
 			ar.Error(w, locale, http.StatusUnauthorized, l.ErrorStorageFindUserIDError, d.UserID, err)
@@ -63,7 +63,7 @@ func (ar *Router) ImpersonateAs() http.HandlerFunc {
 			"impersonated_by": adminUser.ID,
 		}
 
-		authResult, err := ar.loginFlow(app, user, nil, ap)
+		authResult, resultScopes, err := ar.loginFlow(app, user, nil, ap)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorAPILoginError, err)
 			return
@@ -72,6 +72,8 @@ func (ar *Router) ImpersonateAs() http.HandlerFunc {
 		// do not allow refresh for impersonated user
 		authResult.RefreshToken = ""
 
+		journal(userID, app.ID, "impersonated", resultScopes)
+
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}
 }

web/api/login.go

@@ -182,12 +182,14 @@ func (ar *Router) LoginWithPassword() http.HandlerFunc {
 			return
 		}
 
-		authResult, err := ar.loginFlow(app, user, ld.Scopes, nil)
+		authResult, resultScopes, err := ar.loginFlow(app, user, ld.Scopes, nil)
 		if err != nil {
 			ar.Error(w, locale, http.StatusInternalServerError, l.ErrorAPILoginError, err)
 			return
 		}
 
+		journal(authResult.User.ID, app.ID, "pass_login", resultScopes)
+
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}
 }
@@ -304,7 +306,13 @@ func (ar *Router) getTokenPayloadService(app model.AppData) (model.TokenPayloadP
 
 // loginUser creates and returns access token for a user.
 // createRefreshToken boolean param tells if we should issue refresh token as well.
-func (ar *Router) loginUser(user model.User, scopes []string, app model.AppData, createRefreshToken, require2FA bool, tokenPayload map[string]interface{}) (string, string, error) {
+func (ar *Router) loginUser(
+	user model.User,
+	scopes []string,
+	app model.AppData,
+	createRefreshToken, require2FA bool,
+	tokenPayload map[string]interface{},
+) (string, string, error) {
 	token, err := ar.server.Services().Token.NewAccessToken(user, scopes, app, require2FA, tokenPayload)
 	if err != nil {
 		return "", "", err
@@ -335,33 +343,26 @@ func (ar *Router) loginFlow(
 	user model.User,
 	requestedScopes []string,
 	additionalPayload map[string]any,
-) (AuthResponse, error) {
+) (AuthResponse, []string, error) {
 	// check if the user has the scope, that allows to login to the app
 	// user has to have at least one scope app expecting
 	if len(app.Scopes) > 0 && len(model.SliceIntersect(app.Scopes, user.Scopes)) == 0 {
-		return AuthResponse{}, errors.New("user does not have required scope for the app")
+		return AuthResponse{}, nil, errors.New("user does not have required scope for the app")
 	}
 
 	// Do login flow.
-	scopes := []string{}
-	// if we requested any scope, let's provide all the scopes user has and requested
-	if len(requestedScopes) > 0 {
-		scopes = model.SliceIntersect(requestedScopes, user.Scopes)
-	}
-	if model.SliceContains(requestedScopes, "offline") && app.Offline {
-		scopes = append(scopes, "offline")
-	}
+	scopes := model.AllowedScopes(requestedScopes, user.Scopes, app.Offline)
 
 	// Check if we should require user to authenticate with 2FA.
 	require2FA, enabled2FA, err := ar.check2FA(app.TFAStatus, ar.tfaType, user)
 	if !require2FA && enabled2FA && err != nil {
-		return AuthResponse{}, err
+		return AuthResponse{}, nil, err
 	}
 
 	offline := contains(scopes, model.OfflineScope)
 	tokenPayload, err := ar.getTokenPayloadForApp(app, user.ID)
 	if err != nil {
-		return AuthResponse{}, err
+		return AuthResponse{}, nil, err
 	}
 
 	if tokenPayload == nil {
@@ -374,7 +375,7 @@ func (ar *Router) loginFlow(
 
 	accessToken, refreshToken, err := ar.loginUser(user, scopes, app, offline, require2FA, tokenPayload)
 	if err != nil {
-		return AuthResponse{}, err
+		return AuthResponse{}, nil, err
 	}
 
 	result := AuthResponse{
@@ -386,15 +387,15 @@ func (ar *Router) loginFlow(
 
 	if require2FA && enabled2FA {
 		if err := ar.sendOTPCode(app, user); err != nil {
-			return AuthResponse{}, err
+			return AuthResponse{}, nil, err
 		}
 	} else {
 		ar.server.Storages().User.UpdateLoginMetadata(user.ID)
 	}
 
 	user = user.Sanitized()
 	result.User = user
-	return result, nil
+	return result, scopes, nil
 }
 
 type impersonateData struct {

web/api/logout.go

@@ -18,9 +18,12 @@ func (ar *Router) Logout() http.HandlerFunc {
 	result := map[string]string{"result": "ok"}
 
 	return func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		locale := r.Header.Get("Accept-Language")
 
-		accessTokenBytes, ok := r.Context().Value(model.TokenRawContextKey).([]byte)
+		accessToken := tokenFromContext(ctx)
+
+		accessTokenBytes, ok := ctx.Value(model.TokenRawContextKey).([]byte)
 		if !ok {
 			ar.logger.Println("Cannot fetch access token bytes from context")
 			ar.ServeJSON(w, locale, http.StatusNoContent, nil)
@@ -56,23 +59,20 @@ func (ar *Router) Logout() http.HandlerFunc {
 			}
 		}
 
+		journal(accessToken.Subject(), accessToken.Audience(), "logout", nil)
+
 		ar.ServeJSON(w, locale, http.StatusOK, result)
 	}
 }
 
 func (ar *Router) getTokenSubject(tokenString string) (string, error) {
-	claims := jwt.MapClaims{}
-
-	if _, err := jwt.ParseWithClaims(tokenString, claims, nil); err == nil {
-		return "", fmt.Errorf("Cannot parse token: %s", err)
-	}
+	claims := jwt.RegisteredClaims{}
 
-	sub, ok := claims["sub"].(string)
-	if !ok {
-		return "", fmt.Errorf("Cannot obtain token subject")
+	if _, err := jwt.ParseWithClaims(tokenString, &claims, nil); err == nil {
+		return "", fmt.Errorf("cannot parse token: %s", err)
 	}
 
-	return sub, nil
+	return claims.Subject, nil
 }
 
 func (ar *Router) revokeRefreshToken(refreshTokenString, accessTokenString string) error {