feat: bearer access token includes tokenid and subject
This commit is contained in:
Fabiennne
parent
49324646d7
commit
bd3bdf32c5
5 changed files with 12 additions and 11 deletions
|
|
@ -210,7 +210,7 @@ func (s *AuthStorage) AuthorizeClientIDSecret(_ context.Context, id string, _ st
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *AuthStorage) GetUserinfoFromToken(ctx context.Context, _, _ string) (*oidc.Userinfo, error) {
|
func (s *AuthStorage) GetUserinfoFromToken(ctx context.Context, _, _, _ string) (*oidc.Userinfo, error) {
|
||||||
return s.GetUserinfoFromScopes(ctx, "", []string{})
|
return s.GetUserinfoFromScopes(ctx, "", []string{})
|
||||||
}
|
}
|
||||||
func (s *AuthStorage) GetUserinfoFromScopes(_ context.Context, _ string, _ []string) (*oidc.Userinfo, error) {
|
func (s *AuthStorage) GetUserinfoFromScopes(_ context.Context, _ string, _ []string) (*oidc.Userinfo, error) {
|
||||||
|
|
|
||||||
|
|
@ -199,18 +199,18 @@ func (mr *MockStorageMockRecorder) GetUserinfoFromScopes(arg0, arg1, arg2 interf
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetUserinfoFromToken mocks base method
|
// GetUserinfoFromToken mocks base method
|
||||||
func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1, arg2 string) (*oidc.Userinfo, error) {
|
func (m *MockStorage) GetUserinfoFromToken(arg0 context.Context, arg1, arg2, arg3 string) (*oidc.Userinfo, error) {
|
||||||
m.ctrl.T.Helper()
|
m.ctrl.T.Helper()
|
||||||
ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1, arg2)
|
ret := m.ctrl.Call(m, "GetUserinfoFromToken", arg0, arg1, arg2, arg3)
|
||||||
ret0, _ := ret[0].(*oidc.Userinfo)
|
ret0, _ := ret[0].(*oidc.Userinfo)
|
||||||
ret1, _ := ret[1].(error)
|
ret1, _ := ret[1].(error)
|
||||||
return ret0, ret1
|
return ret0, ret1
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetUserinfoFromToken indicates an expected call of GetUserinfoFromToken
|
// GetUserinfoFromToken indicates an expected call of GetUserinfoFromToken
|
||||||
func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1, arg2 interface{}) *gomock.Call {
|
func (mr *MockStorageMockRecorder) GetUserinfoFromToken(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
|
||||||
mr.mock.ctrl.T.Helper()
|
mr.mock.ctrl.T.Helper()
|
||||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1, arg2)
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).GetUserinfoFromToken), arg0, arg1, arg2, arg3)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Health mocks base method
|
// Health mocks base method
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ type OPStorage interface {
|
||||||
GetClientByClientID(context.Context, string) (Client, error)
|
GetClientByClientID(context.Context, string) (Client, error)
|
||||||
AuthorizeClientIDSecret(context.Context, string, string) error
|
AuthorizeClientIDSecret(context.Context, string, string) error
|
||||||
GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
|
GetUserinfoFromScopes(context.Context, string, []string) (*oidc.Userinfo, error)
|
||||||
GetUserinfoFromToken(context.Context, string, string) (*oidc.Userinfo, error)
|
GetUserinfoFromToken(ctx context.Context, tokenID, subject, origin string) (*oidc.Userinfo, error)
|
||||||
GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
|
GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -73,12 +73,12 @@ func CreateAccessToken(ctx context.Context, authReq TokenRequest, accessTokenTyp
|
||||||
token, err = CreateJWT(creator.Issuer(), authReq, exp, id, creator.Signer())
|
token, err = CreateJWT(creator.Issuer(), authReq, exp, id, creator.Signer())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
token, err = CreateBearerToken(id, creator.Crypto())
|
token, err = CreateBearerToken(id, authReq.GetSubject(), creator.Crypto())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateBearerToken(id string, crypto Crypto) (string, error) {
|
func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
|
||||||
return crypto.Encrypt(id)
|
return crypto.Encrypt(tokenID + ":" + subject)
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateJWT(issuer string, authReq TokenRequest, exp time.Time, id string, signer Signer) (string, error) {
|
func CreateJWT(issuer string, authReq TokenRequest, exp time.Time, id string, signer Signer) (string, error) {
|
||||||
|
|
|
||||||
|
|
@ -27,12 +27,13 @@ func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoP
|
||||||
http.Error(w, "access token missing", http.StatusUnauthorized)
|
http.Error(w, "access token missing", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
tokenID, err := userinfoProvider.Crypto().Decrypt(accessToken)
|
tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
http.Error(w, "access token missing", http.StatusUnauthorized)
|
http.Error(w, "access token missing", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID, r.Header.Get("origin"))
|
splittedToken := strings.Split(tokenIDSubject, ":")
|
||||||
|
info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), splittedToken[0], splittedToken[1], r.Header.Get("origin"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
w.WriteHeader(http.StatusForbidden)
|
w.WriteHeader(http.StatusForbidden)
|
||||||
utils.MarshalJSON(w, err)
|
utils.MarshalJSON(w, err)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue