DockerCLI/cli/internal/oauth/jwt.go

package oauth

import (
	"github.com/go-jose/go-jose/v3/jwt"
)

// Claims represents standard claims along with some custom ones.
type Claims struct {
	jwt.Claims

	// Domain is the domain claims for the token.
	Domain DomainClaims `json:"https://hub.docker.com"`

	// Scope is the scopes for the claims as a string that is space delimited.
	Scope string `json:"scope,omitempty"`
}

// DomainClaims represents a custom claim data set that doesn't change the spec
// payload. This is primarily introduced by Auth0 and is defined by a fully
// specified URL as it's key. e.g. "https://hub.docker.com"
type DomainClaims struct {
	// UUID is the user, machine client, or organization's UUID in our database.
	UUID string `json:"uuid"`

	// Email is the user's email address.
	Email string `json:"email"`

	// Username is the user's username.
	Username string `json:"username"`

	// Source is the source of the JWT. This should look like
	// `docker_{type}|{id}`.
	Source string `json:"source"`

	// SessionID is the unique ID of the token.
	SessionID string `json:"session_id"`

	// ClientID is the client_id that generated the token. This is filled if
	// M2M.
	ClientID string `json:"client_id,omitempty"`

	// ClientName is the name of the client that generated the token. This is
	// filled if M2M.
	ClientName string `json:"client_name,omitempty"`
}

// Source represents a source of a JWT.
type Source struct {
	// Type is the type of source. This could be "pat" etc.
	Type string `json:"type"`

	// ID is the identifier to the source type. If "pat" then this will be the
	// ID of the PAT.
	ID string `json:"id"`
}

// GetClaims returns claims from an access token without verification.
func GetClaims(accessToken string) (claims Claims, err error) {
	token, err := parseSigned(accessToken)
	if err != nil {
		return
	}

	err = token.UnsafeClaimsWithoutVerification(&claims)

	return
}

// parseSigned parses a JWT and returns the signature object or error. This does
// not verify the validity of the JWT.
func parseSigned(token string) (*jwt.JSONWebToken, error) {
	return jwt.ParseSigned(token)
}
auth: add support for oauth device-code login This commit adds support for the oauth [device-code](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow) login flow when authenticating against the official registry. This is achieved by adding `cli/internal/oauth`, which contains code to manage interacting with the Docker OAuth tenant (`login.docker.com`), including launching the device-code flow, refreshing access using the refresh-token, and logging out. The `OAuthManager` introduced here is also made available through the `command.Cli` interface method `OAuthManager()`. In order to maintain compatibility with any clients manually accessing the credentials through `~/.docker/config.json` or via credential helpers, the added `OAuthManager` uses the retrieved access token to automatically generate a PAT with Hub, and store that in the credentials. Signed-off-by: Laura Brehm <laurabrehm@hey.com> 2024-07-08 08:50:12 -04:00			`package oauth`

			`import (`
			`"github.com/go-jose/go-jose/v3/jwt"`
			`)`

			`// Claims represents standard claims along with some custom ones.`
			`type Claims struct {`
			`jwt.Claims`

			`// Domain is the domain claims for the token.`
			Domain DomainClaims `json:"https://hub.docker.com"`

			`// Scope is the scopes for the claims as a string that is space delimited.`
			Scope string `json:"scope,omitempty"`
			`}`

			`// DomainClaims represents a custom claim data set that doesn't change the spec`
			`// payload. This is primarily introduced by Auth0 and is defined by a fully`
			`// specified URL as it's key. e.g. "https://hub.docker.com"`
			`type DomainClaims struct {`
			`// UUID is the user, machine client, or organization's UUID in our database.`
			UUID string `json:"uuid"`

			`// Email is the user's email address.`
			Email string `json:"email"`

			`// Username is the user's username.`
			Username string `json:"username"`

			`// Source is the source of the JWT. This should look like`
			// `docker_{type}\|{id}`.
			Source string `json:"source"`

			`// SessionID is the unique ID of the token.`
			SessionID string `json:"session_id"`

			`// ClientID is the client_id that generated the token. This is filled if`
			`// M2M.`
			ClientID string `json:"client_id,omitempty"`

			`// ClientName is the name of the client that generated the token. This is`
			`// filled if M2M.`
			ClientName string `json:"client_name,omitempty"`
			`}`

			`// Source represents a source of a JWT.`
			`type Source struct {`
			`// Type is the type of source. This could be "pat" etc.`
			Type string `json:"type"`

			`// ID is the identifier to the source type. If "pat" then this will be the`
			`// ID of the PAT.`
			ID string `json:"id"`
			`}`

			`// GetClaims returns claims from an access token without verification.`
			`func GetClaims(accessToken string) (claims Claims, err error) {`
			`token, err := parseSigned(accessToken)`
			`if err != nil {`
			`return`
			`}`

			`err = token.UnsafeClaimsWithoutVerification(&claims)`

			`return`
			`}`

			`// parseSigned parses a JWT and returns the signature object or error. This does`
			`// not verify the validity of the JWT.`
			`func parseSigned(token string) (*jwt.JSONWebToken, error) {`
			`return jwt.ParseSigned(token)`
			`}`