diff --git a/example/internal/mock/storage.go b/example/internal/mock/storage.go index 7465ae0..39e297e 100644 --- a/example/internal/mock/storage.go +++ b/example/internal/mock/storage.go @@ -140,6 +140,9 @@ func (s *AuthStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequ } return a, nil } +func (s *AuthStorage) CreateToken(_ context.Context, authReq op.AuthRequest) (string, time.Time, error) { + return authReq.GetID(), time.Now().UTC().Add(5 * time.Minute), nil +} func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey, _ chan<- error, _ <-chan time.Time) { keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key} } @@ -243,9 +246,6 @@ func (c *ConfClient) GetAuthMethod() op.AuthMethod { return c.authMethod } -func (c *ConfClient) AccessTokenLifetime() time.Duration { - return time.Duration(5 * time.Minute) -} func (c *ConfClient) IDTokenLifetime() time.Duration { return time.Duration(5 * time.Minute) } diff --git a/pkg/op/authrequest.go b/pkg/op/authrequest.go index 9f9505d..0e13df2 100644 --- a/pkg/op/authrequest.go +++ b/pkg/op/authrequest.go @@ -179,7 +179,7 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client) { createAccessToken := authReq.GetResponseType() != oidc.ResponseTypeIDTokenOnly - resp, err := CreateTokenResponse(authReq, client, authorizer, createAccessToken, "") + resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "") if err != nil { AuthRequestError(w, r, authReq, err, authorizer.Encoder()) return diff --git a/pkg/op/client.go b/pkg/op/client.go index 33c30a4..5422933 100644 --- a/pkg/op/client.go +++ b/pkg/op/client.go @@ -18,7 +18,6 @@ type Client interface { GetAuthMethod() AuthMethod LoginURL(string) string AccessTokenType() AccessTokenType - AccessTokenLifetime() time.Duration IDTokenLifetime() time.Duration } diff --git a/pkg/op/mock/client.mock.go b/pkg/op/mock/client.mock.go index 9ae2201..b0b9244 100644 --- a/pkg/op/mock/client.mock.go +++ b/pkg/op/mock/client.mock.go @@ -34,20 +34,6 @@ func (m *MockClient) EXPECT() *MockClientMockRecorder { return m.recorder } -// AccessTokenLifetime mocks base method -func (m *MockClient) AccessTokenLifetime() time.Duration { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "AccessTokenLifetime") - ret0, _ := ret[0].(time.Duration) - return ret0 -} - -// AccessTokenLifetime indicates an expected call of AccessTokenLifetime -func (mr *MockClientMockRecorder) AccessTokenLifetime() *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessTokenLifetime", reflect.TypeOf((*MockClient)(nil).AccessTokenLifetime)) -} - // AccessTokenType mocks base method func (m *MockClient) AccessTokenType() op.AccessTokenType { m.ctrl.T.Helper() diff --git a/pkg/op/mock/storage.mock.go b/pkg/op/mock/storage.mock.go index 11a8ab5..14f106e 100644 --- a/pkg/op/mock/storage.mock.go +++ b/pkg/op/mock/storage.mock.go @@ -81,6 +81,22 @@ func (mr *MockStorageMockRecorder) CreateAuthRequest(arg0, arg1 interface{}) *go return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAuthRequest", reflect.TypeOf((*MockStorage)(nil).CreateAuthRequest), arg0, arg1) } +// CreateToken mocks base method +func (m *MockStorage) CreateToken(arg0 context.Context, arg1 op.AuthRequest) (string, time.Time, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateToken", arg0, arg1) + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(time.Time) + ret2, _ := ret[2].(error) + return ret0, ret1, ret2 +} + +// CreateToken indicates an expected call of CreateToken +func (mr *MockStorageMockRecorder) CreateToken(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateToken", reflect.TypeOf((*MockStorage)(nil).CreateToken), arg0, arg1) +} + // DeleteAuthRequest mocks base method func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error { m.ctrl.T.Helper() diff --git a/pkg/op/storage.go b/pkg/op/storage.go index fd9a582..5d6725d 100644 --- a/pkg/op/storage.go +++ b/pkg/op/storage.go @@ -14,6 +14,8 @@ type AuthStorage interface { AuthRequestByID(context.Context, string) (AuthRequest, error) DeleteAuthRequest(context.Context, string) error + CreateToken(context.Context, AuthRequest) (string, time.Time, error) + GetSigningKey(context.Context, chan<- jose.SigningKey, chan<- error, <-chan time.Time) GetKeySet(context.Context) (*jose.JSONWebKeySet, error) SaveNewKeyPair(context.Context) error diff --git a/pkg/op/token.go b/pkg/op/token.go index 7c1dedc..ff74d69 100644 --- a/pkg/op/token.go +++ b/pkg/op/token.go @@ -1,6 +1,7 @@ package op import ( + "context" "time" "github.com/caos/oidc/pkg/oidc" @@ -13,11 +14,12 @@ type TokenCreator interface { Crypto() Crypto } -func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) { +func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) { var accessToken string + var validity time.Duration if createAccessToken { var err error - accessToken, err = CreateAccessToken(authReq, client, creator) + accessToken, validity, err = CreateAccessToken(ctx, authReq, client, creator) if err != nil { return nil, err } @@ -26,7 +28,8 @@ func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreato if err != nil { return nil, err } - exp := uint64(client.AccessTokenLifetime().Seconds()) + + exp := uint64(validity.Seconds()) return &oidc.AccessTokenResponse{ AccessToken: accessToken, IDToken: idToken, @@ -35,21 +38,27 @@ func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreato }, nil } -func CreateAccessToken(authReq AuthRequest, client Client, creator TokenCreator) (string, error) { - if client.AccessTokenType() == AccessTokenTypeJWT { - return CreateJWT(creator.Issuer(), authReq, client, creator.Signer()) +func CreateAccessToken(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator) (token string, validity time.Duration, err error) { + id, exp, err := creator.Storage().CreateToken(ctx, authReq) + if err != nil { + return "", 0, err } - return CreateBearerToken(authReq, creator.Crypto()) + validity = exp.Sub(time.Now().UTC()) + if client.AccessTokenType() == AccessTokenTypeJWT { + token, err = CreateJWT(creator.Issuer(), authReq, exp, id, creator.Signer()) + return + } + token, err = CreateBearerToken(id, creator.Crypto()) + return } -func CreateBearerToken(authReq AuthRequest, crypto Crypto) (string, error) { - return crypto.Encrypt(authReq.GetID()) +func CreateBearerToken(id string, crypto Crypto) (string, error) { + return crypto.Encrypt(id) } -func CreateJWT(issuer string, authReq AuthRequest, client Client, signer Signer) (string, error) { +func CreateJWT(issuer string, authReq AuthRequest, exp time.Time, id string, signer Signer) (string, error) { now := time.Now().UTC() nbf := now - exp := now.Add(client.AccessTokenLifetime()) claims := &oidc.AccessTokenClaims{ Issuer: issuer, Subject: authReq.GetSubject(), @@ -57,6 +66,7 @@ func CreateJWT(issuer string, authReq AuthRequest, client Client, signer Signer) Expiration: exp, IssuedAt: now, NotBefore: nbf, + JWTID: id, } return signer.SignAccessToken(claims) } diff --git a/pkg/op/tokenrequest.go b/pkg/op/tokenrequest.go index c8a7fe8..cdd5396 100644 --- a/pkg/op/tokenrequest.go +++ b/pkg/op/tokenrequest.go @@ -39,7 +39,7 @@ func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) { ExchangeRequestError(w, r, err) return } - resp, err := CreateTokenResponse(authReq, client, exchanger, true, tokenReq.Code) + resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code) if err != nil { ExchangeRequestError(w, r, err) return