From 49324646d736a645473d45f5ba0bb497420e29f7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 13 Oct 2020 07:12:47 +0200
Subject: [PATCH 1/2] chore(deps): bump github.com/sirupsen/logrus from 1.6.0
 to 1.7.0 (#61)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index f162e70..4112c69 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/gorilla/schema v1.2.0
 	github.com/gorilla/securecookie v1.1.1
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/sirupsen/logrus v1.6.0
+	github.com/sirupsen/logrus v1.7.0
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/net v0.0.0-20200904194848-62affa334b73
 	golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
diff --git a/go.sum b/go.sum
index f7b4f76..b2b0f45 100644
--- a/go.sum
+++ b/go.sum
@@ -143,6 +143,8 @@ github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -251,6 +253,7 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab h1:FvshnhkKW+LO3HWHodML8kuVX8rnJTxKm9dFPuI68UM=
 golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

From 9943f20215c4ce8d2a1c9dd02e64899da1fd7a96 Mon Sep 17 00:00:00 2001
From: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Date: Thu, 15 Oct 2020 09:38:06 +0200
Subject: [PATCH 2/2] feat: bearer access token includes tokenid and subject
 (#62)

---
 example/internal/mock/storage.go | 2 +-
 pkg/op/mock/storage.mock.go      | 8 ++++----
 pkg/op/storage.go                | 2 +-
 pkg/op/token.go                  | 6 +++---
 pkg/op/userinfo.go               | 5 +++--
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/example/internal/mock/storage.go b/example/internal/mock/storage.go
index f20fb9b..686f5ee 100644
--- a/example/internal/mock/storage.go
+++ b/example/internal/mock/storage.go
@@ -210,7 +210,7 @@ func (s *AuthStorage) AuthorizeClientIDSecret(_ context.Context, id string, _ st
 	return nil
 }
 
-func (s *AuthStorage) GetUserinfoFromToken(ctx context.Context, _, _ string) (*oidc.Userinfo, error) {
+func (s *AuthStorage) GetUserinfoFromToken(ctx context.Context, _, _, _ string) (*oidc.Userinfo, error) {
 	return s.GetUserinfoFromScopes(ctx, "", []string{})
 }
 func (s *AuthStorage) GetUserinfoFromScopes(_ context.Context, _ string, _ []string) (*oidc.Userinfo, error) {
diff --git a/pkg/op/mock/storage.mock.go b/pkg/op/mock/storage.mock.go
index a7ca4cb..0efbbd4 100644
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@@ -199,18 +199,18 @@ func (mr *MockStorageMockRecorder) GetUserinfoFromScopes(arg0, arg1, arg2 interf
 }
 
 // GetUserinfoFromToken mocks base method
-func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1, arg2 string) (*oidc.Userinfo, error) {
+func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1, arg2, arg3 string) (*oidc.Userinfo, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1, arg2, arg3)
 	ret0, _ := ret[0].(*oidc.Userinfo)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // GetUserinfoFromToken indicates an expected call of GetUserinfoFromToken
-func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1, arg2 interface{}) *gomock.Call {
+func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1, arg2, arg3)
 }
 
 // Health mocks base method
diff --git a/pkg/op/storage.go b/pkg/op/storage.go
index 669b08e..9f8e6bd 100644
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@@ -29,7 +29,7 @@ type OPStorage interface {
 	GetClientByClientID(context.Context, string) (Client, error)
 	AuthorizeClientIDSecret(context.Context, string, string) error
 	GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
-	GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error)
+	GetUserinfoFromToken(ctx context.Context, tokenID, subject, origin string) (*oidc.Userinfo, error)
 	GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
 }
 
diff --git a/pkg/op/token.go b/pkg/op/token.go
index 87494b9..0dd0663 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@@ -73,12 +73,12 @@ func CreateAccessToken(ctx context.Context, authReq TokenRequest, accessTokenTyp
 		token, err = CreateJWT(creator.Issuer(), authReq, exp, id, creator.Signer())
 		return
 	}
-	token, err = CreateBearerToken(id, creator.Crypto())
+	token, err = CreateBearerToken(id, authReq.GetSubject(), creator.Crypto())
 	return
 }
 
-func CreateBearerToken(id string, crypto Crypto) (string, error) {
-	return crypto.Encrypt(id)
+func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
+	return crypto.Encrypt(tokenID + ":" + subject)
 }
 
 func CreateJWT(issuer string, authReq TokenRequest, exp time.Time, id string, signer Signer) (string, error) {
diff --git a/pkg/op/userinfo.go b/pkg/op/userinfo.go
index 36ecd4a..1798be5 100644
--- a/pkg/op/userinfo.go
+++ b/pkg/op/userinfo.go
@@ -27,12 +27,13 @@ func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoP
 		http.Error(w, "access token missing", http.StatusUnauthorized)
 		return
 	}
-	tokenID, err := userinfoProvider.Crypto().Decrypt(accessToken)
+	tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
 	if err != nil {
 		http.Error(w, "access token missing", http.StatusUnauthorized)
 		return
 	}
-	info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID, r.Header.Get("origin"))
+	splittedToken := strings.Split(tokenIDSubject, ":")
+	info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), splittedToken[0], splittedToken[1], r.Header.Get("origin"))
 	if err != nil {
 		w.WriteHeader(http.StatusForbidden)
 		utils.MarshalJSON(w, err)