cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #13 from caos/token

Browse source 
Token
This commit is contained in:
livio-a 2020-02-27 18:45:21 +01:00 committed by GitHub
commit 3019f79f62
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 44 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

6
example/internal/mock/storage.go
View file

@ -140,6 +140,9 @@ func (s *AuthStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequ
} }
return a, nil return a, nil
} }
func (s *AuthStorage) CreateToken(_ context.Context, authReq op.AuthRequest) (string, time.Time, error) {
return authReq.GetID(), time.Now().UTC().Add(5 * time.Minute), nil
}
func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey, _ chan<- error, _ <-chan time.Time) { func (s *AuthStorage) GetSigningKey(_ context.Context, keyCh chan<- jose.SigningKey, _ chan<- error, _ <-chan time.Time) {
keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key} keyCh <- jose.SigningKey{Algorithm: jose.RS256, Key: s.key}
} }
@ -243,9 +246,6 @@ func (c *ConfClient) GetAuthMethod() op.AuthMethod {
return c.authMethod return c.authMethod
} }
func (c *ConfClient) AccessTokenLifetime() time.Duration {
return time.Duration(5 * time.Minute)
}
func (c *ConfClient) IDTokenLifetime() time.Duration { func (c *ConfClient) IDTokenLifetime() time.Duration {
return time.Duration(5 * time.Minute) return time.Duration(5 * time.Minute)
} }

2
pkg/op/authrequest.go
View file

@ -179,7 +179,7 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client) { func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client) {
createAccessToken := authReq.GetResponseType() != oidc.ResponseTypeIDTokenOnly createAccessToken := authReq.GetResponseType() != oidc.ResponseTypeIDTokenOnly
resp, err := CreateTokenResponse(authReq, client, authorizer, createAccessToken, "") resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "")
if err != nil { if err != nil {
AuthRequestError(w, r, authReq, err, authorizer.Encoder()) AuthRequestError(w, r, authReq, err, authorizer.Encoder())
return return

1
pkg/op/client.go
View file

@ -18,7 +18,6 @@ type Client interface {
GetAuthMethod() AuthMethod GetAuthMethod() AuthMethod
LoginURL(string) string LoginURL(string) string
AccessTokenType() AccessTokenType AccessTokenType() AccessTokenType
AccessTokenLifetime() time.Duration
IDTokenLifetime() time.Duration IDTokenLifetime() time.Duration
} }

14
pkg/op/mock/client.mock.go
View file

@ -34,20 +34,6 @@ func (m *MockClient) EXPECT() *MockClientMockRecorder {
return m.recorder return m.recorder
} }
// AccessTokenLifetime mocks base method
func (m *MockClient) AccessTokenLifetime() time.Duration {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AccessTokenLifetime")
ret0, _ := ret[0].(time.Duration)
return ret0
}
// AccessTokenLifetime indicates an expected call of AccessTokenLifetime
func (mr *MockClientMockRecorder) AccessTokenLifetime() *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessTokenLifetime", reflect.TypeOf((*MockClient)(nil).AccessTokenLifetime))
}
// AccessTokenType mocks base method // AccessTokenType mocks base method
func (m *MockClient) AccessTokenType() op.AccessTokenType { func (m *MockClient) AccessTokenType() op.AccessTokenType {
m.ctrl.T.Helper() m.ctrl.T.Helper()

16
pkg/op/mock/storage.mock.go
View file

@ -81,6 +81,22 @@ func (mr *MockStorageMockRecorder) CreateAuthRequest(arg0, arg1 interface{}) *go
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAuthRequest", reflect.TypeOf((*MockStorage)(nil).CreateAuthRequest), arg0, arg1) return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAuthRequest", reflect.TypeOf((*MockStorage)(nil).CreateAuthRequest), arg0, arg1)
} }
// CreateToken mocks base method
func (m *MockStorage) CreateToken(arg0 context.Context, arg1 op.AuthRequest) (string, time.Time, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "CreateToken", arg0, arg1)
ret0, _ := ret[0].(string)
ret1, _ := ret[1].(time.Time)
ret2, _ := ret[2].(error)
return ret0, ret1, ret2
}
// CreateToken indicates an expected call of CreateToken
func (mr *MockStorageMockRecorder) CreateToken(arg0, arg1 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateToken", reflect.TypeOf((*MockStorage)(nil).CreateToken), arg0, arg1)
}
// DeleteAuthRequest mocks base method // DeleteAuthRequest mocks base method
func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error { func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error {
m.ctrl.T.Helper() m.ctrl.T.Helper()

2
pkg/op/storage.go
View file

@ -14,6 +14,8 @@ type AuthStorage interface {
AuthRequestByID(context.Context, string) (AuthRequest, error) AuthRequestByID(context.Context, string) (AuthRequest, error)
DeleteAuthRequest(context.Context, string) error DeleteAuthRequest(context.Context, string) error
CreateToken(context.Context, AuthRequest) (string, time.Time, error)
GetSigningKey(context.Context, chan<- jose.SigningKey, chan<- error, <-chan time.Time) GetSigningKey(context.Context, chan<- jose.SigningKey, chan<- error, <-chan time.Time)
GetKeySet(context.Context) (*jose.JSONWebKeySet, error) GetKeySet(context.Context) (*jose.JSONWebKeySet, error)
SaveNewKeyPair(context.Context) error SaveNewKeyPair(context.Context) error

30
pkg/op/token.go
View file

@ -1,6 +1,7 @@
package op package op
import ( import (
"context"
"time" "time"
"github.com/caos/oidc/pkg/oidc" "github.com/caos/oidc/pkg/oidc"
@ -13,11 +14,12 @@ type TokenCreator interface {
Crypto() Crypto Crypto() Crypto
} }
func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) { func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) {
var accessToken string var accessToken string
var validity time.Duration
if createAccessToken { if createAccessToken {
var err error var err error
accessToken, err = CreateAccessToken(authReq, client, creator) accessToken, validity, err = CreateAccessToken(ctx, authReq, client, creator)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -26,7 +28,8 @@ func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreato
if err != nil { if err != nil {
return nil, err return nil, err
} }
exp := uint64(client.AccessTokenLifetime().Seconds())
exp := uint64(validity.Seconds())
return &oidc.AccessTokenResponse{ return &oidc.AccessTokenResponse{
AccessToken: accessToken, AccessToken: accessToken,
IDToken: idToken, IDToken: idToken,
@ -35,21 +38,27 @@ func CreateTokenResponse(authReq AuthRequest, client Client, creator TokenCreato
}, nil }, nil
} }
func CreateAccessToken(authReq AuthRequest, client Client, creator TokenCreator) (string, error) { func CreateAccessToken(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator) (token string, validity time.Duration, err error) {
id, exp, err := creator.Storage().CreateToken(ctx, authReq)
if err != nil {
return "", 0, err
}
validity = exp.Sub(time.Now().UTC())
if client.AccessTokenType() == AccessTokenTypeJWT { if client.AccessTokenType() == AccessTokenTypeJWT {
return CreateJWT(creator.Issuer(), authReq, client, creator.Signer()) token, err = CreateJWT(creator.Issuer(), authReq, exp, id, creator.Signer())
return
} }
return CreateBearerToken(authReq, creator.Crypto()) token, err = CreateBearerToken(id, creator.Crypto())
return
} }
func CreateBearerToken(authReq AuthRequest, crypto Crypto) (string, error) { func CreateBearerToken(id string, crypto Crypto) (string, error) {
return crypto.Encrypt(authReq.GetID()) return crypto.Encrypt(id)
} }
func CreateJWT(issuer string, authReq AuthRequest, client Client, signer Signer) (string, error) { func CreateJWT(issuer string, authReq AuthRequest, exp time.Time, id string, signer Signer) (string, error) {
now := time.Now().UTC() now := time.Now().UTC()
nbf := now nbf := now
exp := now.Add(client.AccessTokenLifetime())
claims := &oidc.AccessTokenClaims{ claims := &oidc.AccessTokenClaims{
Issuer: issuer, Issuer: issuer,
Subject: authReq.GetSubject(), Subject: authReq.GetSubject(),
@ -57,6 +66,7 @@ func CreateJWT(issuer string, authReq AuthRequest, client Client, signer Signer)
Expiration: exp, Expiration: exp,
IssuedAt: now, IssuedAt: now,
NotBefore: nbf, NotBefore: nbf,
JWTID: id,
} }
return signer.SignAccessToken(claims) return signer.SignAccessToken(claims)
} }

2
pkg/op/tokenrequest.go
View file

@ -39,7 +39,7 @@ func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
ExchangeRequestError(w, r, err) ExchangeRequestError(w, r, err)
return return
} }
resp, err := CreateTokenResponse(authReq, client, exchanger, true, tokenReq.Code) resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code)
if err != nil { if err != nil {
ExchangeRequestError(w, r, err) ExchangeRequestError(w, r, err)
return return