introspect and client assertion
This commit is contained in:
parent
50ab51bb46
commit
960be5af1f
19 changed files with 413 additions and 156 deletions
|
@ -53,6 +53,9 @@ type RelayingParty interface {
|
|||
//IsOAuth2Only specifies whether relaying party handles only oauth2 or oidc calls
|
||||
IsOAuth2Only() bool
|
||||
|
||||
ClientKey() []byte
|
||||
ClientKeyID() string
|
||||
|
||||
//IDTokenVerifier returns the verifier interface used for oidc id_token verification
|
||||
IDTokenVerifier() IDTokenVerifier
|
||||
|
||||
|
@ -74,11 +77,13 @@ type relayingParty struct {
|
|||
oauthConfig *oauth2.Config
|
||||
oauth2Only bool
|
||||
pkce bool
|
||||
clientKey []byte
|
||||
clientKeyID string
|
||||
|
||||
httpClient *http.Client
|
||||
cookieHandler *utils.CookieHandler
|
||||
errorHandler func(http.ResponseWriter, *http.Request, string, string, string)
|
||||
|
||||
errorHandler func(http.ResponseWriter, *http.Request, string, string, string)
|
||||
idTokenVerifier IDTokenVerifier
|
||||
verifierOpts []VerifierOption
|
||||
}
|
||||
|
@ -103,6 +108,14 @@ func (rp *relayingParty) IsOAuth2Only() bool {
|
|||
return rp.oauth2Only
|
||||
}
|
||||
|
||||
func (rp *relayingParty) ClientKey() []byte {
|
||||
return rp.clientKey
|
||||
}
|
||||
|
||||
func (rp *relayingParty) ClientKeyID() string {
|
||||
return rp.clientKeyID
|
||||
}
|
||||
|
||||
func (rp *relayingParty) IDTokenVerifier() IDTokenVerifier {
|
||||
if rp.idTokenVerifier == nil {
|
||||
rp.idTokenVerifier = NewIDTokenVerifier(rp.issuer, rp.oauthConfig.ClientID, NewRemoteKeySet(rp.httpClient, rp.endpoints.JKWsURL), rp.verifierOpts...)
|
||||
|
@ -314,6 +327,14 @@ func CodeExchangeHandler(callback func(http.ResponseWriter, *http.Request, *oidc
|
|||
}
|
||||
codeOpts = append(codeOpts, WithCodeVerifier(codeVerifier))
|
||||
}
|
||||
//if len(rp.ClientKey()) > 0 {
|
||||
// assertion, err := oidc.NewJWTProfileAssertionStringFromFileData(rp.ClientKey(), []string{rp.OAuthConfig().Endpoint.TokenURL})
|
||||
// if err != nil {
|
||||
// http.Error(w, "failed to build assertion: "+err.Error(), http.StatusUnauthorized)
|
||||
// return
|
||||
// }
|
||||
// codeOpts = append(codeOpts, WithClientAssertionJWT(assertion))
|
||||
//}
|
||||
tokens, err := CodeExchange(r.Context(), params.Get("code"), rp, codeOpts...)
|
||||
if err != nil {
|
||||
http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
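Review bot: The client-assertion path in CodeExchangeHandler is left commented out (`//if len(rp.ClientKey()) > 0 { … }`), so a relying party configured with a private key is still authenticated at the token endpoint by whatever the oauth2.Config does on its own — the new ClientKey/ClientKeyID accessors and WithClientAssertionJWT are unreachable from this handler, with no error telling the operator the key is ignored. Either remove the dead block or enable it, and when enabling it keep building the assertion per exchange as the commented code does (RFC 7523 expects a unique `jti` and a short `exp`) rather than caching one string. Also check that the token request is not then carrying `client_id`/`client_secret` alongside `client_assertion`: RFC 6749 §2.3 forbids more than one client authentication method per request and servers commonly reject it, so presumably ClientSecret has to be left empty or the AuthStyle chosen explicitly — the config setup is not visible from this hunk. CodeExchangeHandler's body begins before this hunk and continues after it.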
|
||||
|
@ -439,3 +460,13 @@ func WithCodeVerifier(codeVerifier string) CodeExchangeOpt {
|
|||
return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("code_verifier", codeVerifier)}
|
||||
}
|
||||
}
|
||||
|
||||
//WithClientAssertionJWT sets the `client_assertion` param in the token request
|
||||
func WithClientAssertionJWT(clientAssertion string) CodeExchangeOpt {
|
||||
return func() []oauth2.AuthCodeOption {
|
||||
return []oauth2.AuthCodeOption{
|
||||
oauth2.SetAuthURLParam("client_assertion", clientAssertion),
|
||||
oauth2.SetAuthURLParam("client_assertion_type", oidc.ClientAssertionTypeJWTAssertion),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|