cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

introspect and client assertion

Browse source
This commit is contained in:
Livio Amstutz 2021-02-01 17:17:40 +01:00
parent 50ab51bb46
commit 960be5af1f
19 changed files with 413 additions and 156 deletions
Download patch file Download diff file Expand all files Collapse all files

118
pkg/rp/resource_server.go Normal file
View file

@ -0,0 +1,118 @@
package rp
import (
"context"
"errors"
"net/http"
"golang.org/x/oauth2"
"golang.org/x/oauth2/clientcredentials"
"golang.org/x/oauth2/jwt"
"github.com/caos/oidc/pkg/oidc"
"github.com/caos/oidc/pkg/utils"
)
type ResourceServer interface {
IntrospectionURL() string
HttpClient() *http.Client
}
type resourceServer struct {
issuer string
tokenURL string
introspectURL string
httpClient *http.Client
}
func (r *resourceServer) IntrospectionURL() string {
return r.introspectURL
}
func (r *resourceServer) HttpClient() *http.Client {
return r.httpClient
}
func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option RSOption) (ResourceServer, error) {
authorizer := func(tokenURL string) func(ctx context.Context) *http.Client {
return (&clientcredentials.Config{
ClientID: clientID,
ClientSecret: clientSecret,
TokenURL: tokenURL,
}).Client
}
return newResourceServer(issuer, authorizer, option)
}
func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...RSOption) (ResourceServer, error) {
authorizer := func(tokenURL string) func(ctx context.Context) *http.Client {
return (&jwt.Config{
Email: clientID,
Subject: clientID,
PrivateKey: key,
PrivateKeyID: keyID,
Audience: issuer,
TokenURL: tokenURL,
}).Client
}
return newResourceServer(issuer, authorizer, options...)
}
func newResourceServer(issuer string, authorizer func(tokenURL string) func(ctx context.Context) *http.Client, options ...RSOption) (*resourceServer, error) {
rp := &resourceServer{
issuer: issuer,
httpClient: utils.DefaultHTTPClient,
}
for _, optFunc := range options {
optFunc(rp)
}
if rp.introspectURL == "" || rp.tokenURL == "" {
endpoints, err := Discover(rp.issuer, rp.httpClient)
if err != nil {
return nil, err
}
rp.tokenURL = endpoints.TokenURL
rp.introspectURL = endpoints.IntrospectURL
}
if rp.introspectURL == "" || rp.tokenURL == "" {
return nil, errors.New("introspectURL and/or tokenURL is empty: please provide with either `WithStaticEndpoints` or a discovery url")
}
rp.httpClient = authorizer(rp.tokenURL)(context.WithValue(context.Background(), oauth2.HTTPClient, rp.HttpClient()))
return rp, nil
}
func NewResourceServerFromKeyFile(path string, options ...RSOption) (ResourceServer, error) {
c, err := ConfigFromKeyFile(path)
if err != nil {
return nil, err
}
return NewResourceServerJWTProfile(c.Issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
}
type RSOption func(*resourceServer)
//WithClient provides the ability to set an http client to be used for the resource server
func WithClient(client *http.Client) RSOption {
return func(server *resourceServer) {
server.httpClient = client
}
}
//WithStaticEndpoints provides the ability to set static token and introspect URL
func WithStaticEndpoints(tokenURL, introspectURL string) RSOption {
return func(server *resourceServer) {
server.tokenURL = tokenURL
server.introspectURL = introspectURL
}
}
func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.IntrospectionResponse, error) {
req, err := utils.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, encoder, nil)
if err != nil {
return nil, err
}
resp := oidc.NewIntrospectionResponse()
if err := utils.HttpRequest(rp.HttpClient(), req, resp); err != nil {
return nil, err
}
return resp, nil
}