fix: parse max_age and prompt correctly (and change scope type) (#105)

* fix: parse max_age and prompt correctly (and change scope type) * remove unnecessary omitempty
2021-06-16 08:34:01 +02:00 · 2021-06-16 08:34:01 +02:00 · 400f5c4de4
commit 400f5c4de4
parent 0591a0d1ef
16 changed files with 98 additions and 85 deletions
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@ -106,7 +106,11 @@ func ParseAuthorizeRequest(r *http.Request, decoder utils.Decoder) (*oidc.AuthRe
 }

 //ValidateAuthRequest validates the authorize parameters and returns the userID of the id_token_hint if passed
-func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier IDTokenHintVerifier) (string, error) {
+func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage Storage, verifier IDTokenHintVerifier) (sub string, err error) {
+	authReq.MaxAge, err = ValidateAuthReqPrompt(authReq.Prompt, authReq.MaxAge)
+	if err != nil {
+		return "", err
+	}
 	client, err := storage.GetClientByClientID(ctx, authReq.ClientID)
 	if err != nil {
 		return "", ErrServerError(err.Error())
@ -124,6 +128,19 @@ func ValidateAuthRequest(ctx context.Context, authReq *oidc.AuthRequest, storage
 	return ValidateAuthReqIDTokenHint(ctx, authReq.IDTokenHint, verifier)
 }

+//ValidateAuthReqPrompt validates the passed prompt values and sets max_age to 0 if prompt login is present
+func ValidateAuthReqPrompt(prompts []string, maxAge *uint) (_ *uint, err error) {
+	for _, prompt := range prompts {
+		if prompt == oidc.PromptNone && len(prompts) > 1 {
+			return nil, ErrInvalidRequest("The prompt parameter `none` must only be used as a single value")
+		}
+		if prompt == oidc.PromptLogin {
+			maxAge = oidc.NewMaxAge(0)
+		}
+	}
+	return maxAge, nil
+}
+
 //ValidateAuthReqScopes validates the passed scopes
 func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error) {
 	if len(scopes) == 0 {
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@ -123,7 +123,7 @@ func TestParseAuthorizeRequest(t *testing.T) {
 				}(),
 			},
 			res{
-				&oidc.AuthRequest{Scopes: oidc.Scopes{"openid"}},
+				&oidc.AuthRequest{Scopes: oidc.SpaceDelimitedArray{"openid"}},
 				false,
 			},
 		},
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -316,10 +316,10 @@ func (mr *MockStorageMockRecorder) TokenRequestByRefreshToken(arg0, arg1 interfa
 }

 // ValidateJWTProfileScopes mocks base method.
-func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string, arg2 oidc.Scopes) (oidc.Scopes, error) {
+func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string, arg2 []string) ([]string, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ValidateJWTProfileScopes", arg0, arg1, arg2)
-	ret0, _ := ret[0].(oidc.Scopes)
+	ret0, _ := ret[0].([]string)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
--- a/pkg/op/mock/storage.mock.impl.go
+++ b/pkg/op/mock/storage.mock.impl.go
@ -140,10 +140,10 @@ func (c *ConfClient) GetID() string {
 }

 func (c *ConfClient) AccessTokenLifetime() time.Duration {
-	return time.Duration(5 * time.Minute)
+	return 5 * time.Minute
 }
 func (c *ConfClient) IDTokenLifetime() time.Duration {
-	return time.Duration(5 * time.Minute)
+	return 5 * time.Minute
 }
 func (c *ConfClient) AccessTokenType() op.AccessTokenType {
 	return c.accessTokenType
--- a/pkg/op/session.go
+++ b/pkg/op/session.go
@ -83,13 +83,3 @@ func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest,
 	}
 	return nil, ErrInvalidRequest("post_logout_redirect_uri invalid")
 }
-
-func NeedsExistingSession(authRequest *oidc.AuthRequest) bool {
-	if authRequest == nil {
-		return true
-	}
-	if authRequest.Prompt == oidc.PromptNone {
-		return true
-	}
-	return false
-}
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -34,7 +34,7 @@ type OPStorage interface {
 	SetIntrospectionFromToken(ctx context.Context, userinfo oidc.IntrospectionResponse, tokenID, subject, clientID string) error
 	GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (map[string]interface{}, error)
 	GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
-	ValidateJWTProfileScopes(ctx context.Context, userID string, scope oidc.Scopes) (oidc.Scopes, error)
+	ValidateJWTProfileScopes(ctx context.Context, userID string, scopes []string) ([]string, error)
 }

 type Storage interface {
--- a/pkg/op/token_refresh.go
+++ b/pkg/op/token_refresh.go
@ -17,7 +17,7 @@ type RefreshTokenRequest interface {
 	GetClientID() string
 	GetScopes() []string
 	GetSubject() string
-	SetCurrentScopes(scopes oidc.Scopes)
+	SetCurrentScopes(scopes []string)
 }

 //RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including
@ -72,7 +72,7 @@ func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshToke
 //ValidateRefreshTokenScopes validates that the requested scope is a subset of the original auth request scope
 //it will set the requested scopes as current scopes onto RefreshTokenRequest
 //if empty the original scopes will be used
-func ValidateRefreshTokenScopes(requestedScopes oidc.Scopes, authRequest RefreshTokenRequest) error {
+func ValidateRefreshTokenScopes(requestedScopes []string, authRequest RefreshTokenRequest) error {
 	if len(requestedScopes) == 0 {
 		return nil
 	}