begin refresh token

pkg/op/token_request.go

@@ -0,0 +1,121 @@
+package op
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/utils"
+)
+
+type Exchanger interface {
+	Issuer() string
+	Storage() Storage
+	Decoder() utils.Decoder
+	Signer() Signer
+	Crypto() Crypto
+	AuthMethodPostSupported() bool
+	AuthMethodPrivateKeyJWTSupported() bool
+	GrantTypeTokenExchangeSupported() bool
+	GrantTypeJWTAuthorizationSupported() bool
+}
+
+func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		switch r.FormValue("grant_type") {
+		case string(oidc.GrantTypeCode):
+			CodeExchange(w, r, exchanger)
+			return
+		case string(oidc.GrantTypeRefreshToken):
+			RefreshTokenExchange(w, r, exchanger)
+			return
+		case string(oidc.GrantTypeBearer):
+			if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
+				JWTProfile(w, r, ex)
+				return
+			}
+		case string(oidc.GrantTypeTokenExchange):
+			if exchanger.GrantTypeTokenExchangeSupported() {
+				TokenExchange(w, r, exchanger)
+				return
+			}
+		case "":
+			RequestError(w, r, ErrInvalidRequest("grant_type missing"))
+			return
+		}
+		RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
+	}
+}
+
+//authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
+//it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
+type AuthenticatedTokenRequest interface {
+	SetClientID(string)
+	SetClientSecret(string)
+}
+
+//ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either
+//HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface
+func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, request AuthenticatedTokenRequest) error {
+	err := r.ParseForm()
+	if err != nil {
+		return ErrInvalidRequest("error parsing form")
+	}
+	err = decoder.Decode(request, r.Form)
+	if err != nil {
+		return ErrInvalidRequest("error decoding form")
+	}
+	clientID, clientSecret, ok := r.BasicAuth()
+	if ok {
+		clientID, err = url.QueryUnescape(clientID)
+		if err != nil {
+			return ErrInvalidRequest("invalid basic auth header")
+		}
+		clientSecret, err = url.QueryUnescape(clientSecret)
+		if err != nil {
+			return ErrInvalidRequest("invalid basic auth header")
+		}
+		request.SetClientID(clientID)
+		request.SetClientSecret(clientSecret)
+	}
+	return nil
+}
+
+//AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
+func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
+	err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
+	if err != nil {
+		return err //TODO: wrap?
+	}
+	return nil
+}
+
+//AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent
+//code_challenge of the auth request (PKCE)
+func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
+	if tokenReq.CodeVerifier == "" {
+		return ErrInvalidRequest("code_challenge required")
+	}
+	if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
+		return ErrInvalidRequest("code_challenge invalid")
+	}
+	return nil
+}
+
+//AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously
+//registered public key (JWT Profile)
+func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error) {
+	jwtReq, err := VerifyJWTAssertion(ctx, clientAssertion, exchanger.JWTProfileVerifier())
+	if err != nil {
+		return nil, err
+	}
+	client, err := exchanger.Storage().GetClientByClientID(ctx, jwtReq.Issuer)
+	if err != nil {
+		return nil, err
+	}
+	if client.AuthMethod() != oidc.AuthMethodPrivateKeyJWT {
+		return nil, ErrInvalidRequest("invalid_client")
+	}
+	return client, nil
+}