Lightweight service providing an OAuth 2 token info HTTP endpoint to validate JWT tokens issued by the Plan B OpenID Connect Provider.
Current features:
- Download public keys (set of JWKs) from OpenID provider
- Verify signed JWT tokens using the right public key (identified by "kid" JOSE header)
- Proxy to upstream tokeninfo for non-JWT tokens and cache the response
- Download revocation lists from Plan B Revocation Service
- Deny JWT tokens matching any revocation list
More information is available in our Plan B Documentation.
Requires Go 1.5 or higher.
$ sudo apt-get install golang # how to install Go on Ubuntu 15.10
$ export GOPATH=$(pwd) # first set GOPATH if not done already
$ go get -t github.com/zalando/planb-tokeninfo
$ go test github.com/zalando/planb-tokeninfo/...
$ go install github.com/zalando/planb-tokeninfo
$ export OPENID_PROVIDER_CONFIGURATION_URL=https://planb-provider.example.org/.well-known/openid-configuration
$ export REVOCATION_PROVIDER_URL=https://planb-revocation.example.org/revocations
$ $GOPATH/bin/planb-tokeninfo # start server on port 9021
Now we can test our token info endpoint with a valid JWT access token:
$ # using the Authorization header is the preferred method
$ curl -H 'Authorization: Bearer MjoxLjUuMS0wdW..' localhost:9021/oauth2/tokeninfo
$ # simple GET query parameter works too (not recommended!)
$ curl localhost:9021/oauth2/tokeninfo?access_token=MjoxLjUuMS0wdW..
Running with Docker:
$ TAG=$(curl https://registry.opensource.zalan.do/teams/stups/artifacts/planb-tokeninfo/tags | jq -r .[].name | tail -n 1)
$ docker run -it -v /etc/ssl/certs:/etc/ssl/certs -p 9021:9021 -e OPENID_PROVIDER_CONFIGURATION_URL=https://planb-provider.example.org/.well-known/openid-configuration registry.opensource.zalan.do/stups/planb-tokeninfo:$TAG
The following environment variables are supported:
OPENID_PROVIDER_CONFIGURATION_URL
- URL of the OpenID Connect configuration discovery document containing the
jwks_uri
which points to a set of JWKs. OPENID_PROVIDER_REFRESH_INTERVAL
- The OpenID Connect configuration refresh interval. See Time based settings
UPSTREAM_TOKENINFO_URL
- URL of upstream OAuth 2 token info for non-JWT Bearer tokens. Optional.
UPSTREAM_CACHE_MAX_SIZE
- Maximum number of entries for upstream token cache. It defaults to 10000.
UPSTREAM_CACHE_TTL
- The TTL for upstream token cache entries. It defaults to 60 seconds. Zero will disable the cache. See also Time based settings
REVOCATION_PROVIDER_URL
- URL of of the Revocation service.
REVOCATION_PROVIDER_REFRESH_INTERVAL
- Refresh interval for polling the Revocation service. See Time based settings
REVOCATION_REFRESH_TOLERANCE
- Amount of time to account for network latencies when polling the revocation service. Default is 60 seconds. See Time based settings
REVOCATION_CACHE_TTL
- The TTL for Revocation cache entries. Default is 30 days. See Time based settings
REVOCATION_HASHING_SALT
- Shared salt with Revocation service. Used for comparing hashed tokens from the Revocation service.
LISTEN_ADDRESS
- The address for the application listener. It defaults to ':9021'
METRICS_LISTEN_ADDRESS
- The address for the metrics listener. Should be different from the application listener. It defaults to ':9020'
HTTP_CLIENT_TIMEOUT
- The timeout for the default HTTP client. See Time based settings
HTTP_CLIENT_TLS_TIMEOUT
- The timeout for the default HTTP client when using TLS. See Time based settings
Some of the above settings accept time based definitions. Those definitions can be specified as a string that can be understood by time.ParseDuration(). For ex., '10s' for 10 seconds, '1h10m' for 1 hour and 10 minutes, '100ms' for 100 milliseconds. A simple numeric value is interpreted as Seconds. For ex., '30' is interpreted as 30 seconds.
Metrics are exposed by default on port 9020 "/metrics". They include:
planb.openidprovider.numkeys
- Number of public keys in memory.
planb.tokeninfo.proxy
- Timer for the proxy handler (includes cached results and upstream calls).
planb.tokeninfo.proxy.cache.hits
- Number of upstream cache hits.
planb.tokeninfo.proxy.cache.misses
- Number of upstream cache misses.
planb.tokeninfo.proxy.cache.expirations
- Number of upstream cache misses because of expiration.
planb.tokeninfo.proxy.upstream
- Timer for calls to the upstream tokeninfo. Cached responses are not measured here.