token introspection

2021-02-03 10:42:01 +01:00 · 2021-02-03 10:42:01 +01:00 · 345fc7e837
commit 345fc7e837
parent 4b426c899a
4 changed files with 28 additions and 35 deletions
--- a/pkg/op/tokenrequest.go
+++ b/pkg/op/tokenrequest.go
@ -191,9 +191,11 @@ func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizati
 		return
 	}

-	//TODO: filter scopes
-	tokenRequest.Scopes = ValidateJWTProfileScopes(tokenRequest., profileRequest.Scope)
-
+	tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
+	if err != nil {
+		RequestError(w, r, err)
+		return
+	}
 	resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
 	if err != nil {
 		RequestError(w, r, err)
@ -215,24 +217,6 @@ func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTPr
 	return tokenReq, nil
 }

-func ValidateJWTProfileScopes(client Client, scopes []string) []string {
-	for i := len(scopes) - 1; i >= 0; i-- {
-		scope := scopes[i]
-		if !(scope == oidc.ScopeOpenID ||
-			scope == oidc.ScopeProfile ||
-			scope == oidc.ScopeEmail ||
-			scope == oidc.ScopePhone ||
-			scope == oidc.ScopeAddress ||
-			scope == oidc.ScopeOfflineAccess) && //TODO: allowed
-			!client.IsScopeAllowed(scope) {
-			scopes[i] = scopes[len(scopes)-1]
-			scopes[len(scopes)-1] = ""
-			scopes = scopes[:len(scopes)-1]
-		}
-	}
-	return scopes
-}
-
 func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
 	tokenRequest, err := ParseTokenExchangeRequest(w, r)
 	if err != nil {