diff --git a/example/internal/mock/storage.go b/example/internal/mock/storage.go index d00d7a5..3d7bb63 100644 --- a/example/internal/mock/storage.go +++ b/example/internal/mock/storage.go @@ -95,6 +95,8 @@ func (a *AuthRequest) GetScopes() []string { } } +func (a *AuthRequest) SetCurrentScopes(scopes oidc.Scopes) {} + func (a *AuthRequest) GetState() string { return "" } @@ -151,9 +153,19 @@ func (s *AuthStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequ } return a, nil } -func (s *AuthStorage) CreateToken(_ context.Context, authReq op.TokenRequest) (string, time.Time, error) { +func (s *AuthStorage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error) { return "id", time.Now().UTC().Add(5 * time.Minute), nil } +func (s *AuthStorage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error) { + return "id", "refreshToken", time.Now().UTC().Add(5 * time.Minute), nil +} +func (s *AuthStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error) { + if refreshToken != c { + return nil, errors.New("invalid token") + } + return a, nil +} + func (s *AuthStorage) TerminateSession(_ context.Context, userID, clientID string) error { return nil } diff --git a/go.sum b/go.sum index 371d837..bb48d24 100644 --- a/go.sum +++ b/go.sum 
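Review bot: `TokenRequestByRefreshToken` only accepts a refresh token equal to the package-level `c`, while `CreateAccessAndRefreshTokens` hands out the literal `"refreshToken"` and discards `currentRefreshToken`, so unless `c` happens to equal `"refreshToken"` (it is defined outside this hunk) the token the example issues can never be redeemed, and a rotated-out token is never invalidated. Because this mock is the template people copy for a real `op.Storage`, the contract belongs next to the stubs: `// CreateAccessAndRefreshTokens must return a fresh refresh token and invalidate currentRefreshToken (rotation); TokenRequestByRefreshToken must resolve only tokens this storage issued and has not revoked.` Returning the value the lookup actually checks (`return "id", c, time.Now().UTC().Add(5 * time.Minute), nil`) would at least make the example self-consistent. The comparison `refreshToken != c` is also not constant-time; acceptable in a mock, but a real implementation should do an opaque lookup or use `subtle.ConstantTimeCompare` rather than comparing a secret with `!=`.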
@@ -12,50 +12,70 @@ cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bP cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0 h1:PQcPefKFdaIzjQFbiyOgAqyx8q5djaE7x9Sqe712DPA= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0 h1:/May9ojXjRkPBNVrq+oWLqmWCkr4OU5uRY29bu0mRyQ= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1 h1:ukjixP1wl0LpnZ6LWtZJ0mX5tBmjp1f8Sqer8Z2OMUU= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod 
h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9 h1:VpgP7xuJadIUuKccphEpTJnWhS2jkQyMt6Y7pJCD7fY= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802 h1:1BDTz0u9nC3//pOCMdNH+CiXJVYJh5UQNCOBG7jbELc= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo= github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0= +github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod 
h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f h1:WBZRG4aNOuI15bLRrCgN8fCq8E5Xuty6jGbmSNEvSsU= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELBIYWeBVh6wn+E= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1 h1:QbL/5oDUmRBzO9/Z7Seo6zf912W/a6Sr4Eu0G/3Jho0= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4 h1:WtGNWLvXpe6ZudgnXrq0barxBImvnnJoMEhXAzcbM0I= github.com/go-gl/glfw/v3.3/glfw 
v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= @@ -81,6 +101,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -95,7 +116,9 @@ github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6C github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM= github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0 h1:pMen7vLs8nvgEYhywH3KDWJIJTeEr2ULsVWHWYHQyBs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
@@ -103,11 +126,14 @@ github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99 h1:Ak8CrdlwwXwAZxzS66vgPt4U8yUZX7JwLvVR58FN5jM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= 
@@ -118,14 +144,21 @@ github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlI github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 
h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= @@ -133,12 +166,15 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 h1:gQz4mCbXsO+nc9n1hCxHcGA3Zx3Eo+UHZoInFGUIXNM= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/go-internal v1.3.0 h1:RR9dF3JtopPvtkroDZuVD7qquD0bnHlKSqaQhgwt8yk= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -146,11 +182,13 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32 h1:5tjfNdR2ki3yYQ842+eX2sQHeiwpKJ0RnHO4IYOc4V8= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4 h1:LYy1Hy3MJdrCdMwwzxA/dRok4ejH+RwNGbuoD9fCjto= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -167,8 +205,10 @@ golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b h1:+qEpEAPhDZ1o0x3tHzZTQDArnOixOzGD9HUJfcg0mb4= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -179,14 +219,17 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG1In4gJY5YRhtpDNeDeHWs= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -230,6 +273,7 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -269,6 +313,7 @@ golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -309,6 +354,7 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d h1:W07d4xkoAUSNOkOzdzXCdFGxT7o2rW4q8M34tB2i//k= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -330,6 +376,7 @@ google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/ google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0 h1:yfrXXP61wVuLb0vBcG6qaOoIoqYEzOQS8jum51jkv2w= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -366,6 +413,7 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 h1:PDIOdWxZ8eRizhKa1AAvY53xsvLB1cWorMjslvY3VA8= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= @@ -378,6 +426,7 @@ google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -394,6 +443,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/errgo.v2 v2.1.0 h1:0vLT13EuvQ0hNvakwLuFZ/jYrLp5F3kcWHXdRggjCE8= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= @@ -408,7 +458,11 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/pkg/client/rp/relaying_party.go b/pkg/client/rp/relaying_party.go index 528f554..5a48951 100644 --- a/pkg/client/rp/relaying_party.go +++ b/pkg/client/rp/relaying_party.go 
@@ -165,7 +165,6 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco return nil, err } } - endpoints, err := Discover(rp.issuer, rp.httpClient) if err != nil { return nil, err diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go index 0c5b70b..1136f8e 100644 --- a/pkg/oidc/token_request.go +++ b/pkg/oidc/token_request.go @@ -10,6 +10,9 @@ const ( //GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow GrantTypeCode GrantType = "authorization_code" + //GrantTypeCode defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow + GrantTypeRefreshToken GrantType = "refresh_token" + //GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" 
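Review bot: The doc comment on the new constant is a copy of the one above it: it reads `//GrantTypeCode defines the grant_type `refresh_token` ...` while documenting `GrantTypeRefreshToken`, so godoc will attach the wrong name to the symbol. It should read `//GrantTypeRefreshToken defines the grant_type `refresh_token` used for the Token Request in the Refresh Token Flow`. The const block continues outside the hunk.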
@@ -44,6 +47,39 @@ func (a *AccessTokenRequest) GrantType() GrantType { return GrantTypeCode } +//SetClientID implements op.AuthenticatedTokenRequest +func (a *AccessTokenRequest) SetClientID(clientID string) { + a.ClientID = clientID +} + +//SetClientSecret implements op.AuthenticatedTokenRequest +func (a *AccessTokenRequest) SetClientSecret(clientSecret string) { + a.ClientSecret = clientSecret +} + +type RefreshTokenRequest struct { + RefreshToken string `schema:"refresh_token"` + Scopes Scopes `schema:"scope"` + ClientID string `schema:"client_id"` + ClientSecret string `schema:"client_secret"` + ClientAssertion string `schema:"client_assertion"` + ClientAssertionType string `schema:"client_assertion_type"` +} + +func (a *RefreshTokenRequest) GrantType() GrantType { + return GrantTypeRefreshToken +} + +//SetClientID implements op.AuthenticatedTokenRequest +func (a *RefreshTokenRequest) SetClientID(clientID string) { + a.ClientID = clientID +} + +//SetClientSecret implements op.AuthenticatedTokenRequest +func (a *RefreshTokenRequest) SetClientSecret(clientSecret string) { + a.ClientSecret = clientSecret +} + type JWTTokenRequest struct { Issuer string `json:"iss"` Subject string `json:"sub"` diff --git a/pkg/op/authrequest.go b/pkg/op/auth_request.go similarity index 98% rename from pkg/op/authrequest.go rename to pkg/op/auth_request.go index 8e6d8eb..9e0cd45 100644 --- a/pkg/op/authrequest.go +++ b/pkg/op/auth_request.go @@ -91,7 +91,7 @@ func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) { RedirectToLogin(req.GetID(), client, w, r) } -//ParseAuthorizeRequest parsed the http request into a AuthRequest +//ParseAuthorizeRequest parsed the http request into a oidc.AuthRequest func ParseAuthorizeRequest(r *http.Request, decoder utils.Decoder) (*oidc.AuthRequest, error) { err := r.ParseForm() if err != nil { 
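Review bot: `RefreshTokenRequest` is a new exported type that carries two credentials (`RefreshToken`, `ClientSecret`) plus a caller-supplied `Scopes`, yet it has no doc comment stating what the consumer must check. RFC 6749 §6 only allows a refresh request to narrow the originally granted scope, and nothing in this type enforces that, so the comment should make the obligation explicit for whoever processes it in `op`: `//RefreshTokenRequest is the token request for grant_type refresh_token. Scopes may only narrow the scope originally granted (RFC 6749 §6) and must be validated by the server; RefreshToken and ClientSecret are credentials and must not be logged.` The same "must not be logged" caveat applies to the `ClientSecret` setter added on `AccessTokenRequest` above. The `JWTTokenRequest` struct at the end of the hunk continues outside it.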
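Review bot: The reworded doc comment keeps the tense error of the original: `//ParseAuthorizeRequest parsed the http request into a oidc.AuthRequest` should read `//ParseAuthorizeRequest parses the http request into an oidc.AuthRequest`. The body of ParseAuthorizeRequest continues outside the hunk.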
@@ -299,7 +299,7 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques //AuthResponseToken creates the successful token(s) authentication response func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthRequest, authorizer Authorizer, client Client) { createAccessToken := authReq.GetResponseType() != oidc.ResponseTypeIDTokenOnly - resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "") + resp, err := CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "", "") if err != nil { AuthRequestError(w, r, authReq, err, authorizer.Encoder()) return @@ -325,6 +325,7 @@ func CreateAuthRequestCode(ctx context.Context, authReq AuthRequest, storage Sto return code, nil } +//BuildAuthRequestCode builds the string representation of the auth code func BuildAuthRequestCode(authReq AuthRequest, crypto Crypto) (string, error) { return crypto.Encrypt(authReq.GetID()) } diff --git a/pkg/op/authrequest_test.go b/pkg/op/auth_request_test.go similarity index 100% rename from pkg/op/authrequest_test.go rename to pkg/op/auth_request_test.go diff --git a/pkg/op/mock/authorizer.mock.go b/pkg/op/mock/authorizer.mock.go index 5da2437..69f6927 100644 --- a/pkg/op/mock/authorizer.mock.go +++ b/pkg/op/mock/authorizer.mock.go 
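Review bot: The call `CreateTokenResponse(r.Context(), authReq, client, authorizer, createAccessToken, "", "")` now passes two adjacent empty strings whose meaning cannot be recovered at the call site; the signature is outside the hunk, but the added one is presumably the refresh token introduced by this change. This is the path that returns tokens directly from the authorization endpoint (`createAccessToken` is derived from the response_type), and a refresh token must never be issued there (RFC 6749 §4.2.2), so that intent deserves a comment rather than a bare `""`: `// tokens returned from the authorization endpoint carry no code and no refresh token (RFC 6749 §4.2.2)` above the call. If `CreateTokenResponse` keeps growing positional string parameters, a small options struct would make such call sites self-describing. AuthResponseToken continues outside the hunk.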
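Review bot: The new comment on `BuildAuthRequestCode` says it builds "the string representation" of the code, but the body shows the code is `crypto.Encrypt(authReq.GetID())`, i.e. the authorization code is the request ID under the configured `Crypto`, so its unguessability and tamper-resistance are exactly those of `Crypto.Encrypt`. That is the property an integrator needs when plugging in a `Crypto` implementation, and the comment should state it: `//BuildAuthRequestCode derives the authorization code by encrypting the auth request ID with crypto. The code is a bearer credential, so Crypto.Encrypt must be unpredictable and tamper-evident (authenticated encryption); otherwise codes become guessable or forgeable.` The `Crypto` interface is not in this hunk, so whether it already guarantees this cannot be checked here.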
@@ -5,36 +5,37 @@ package mock import ( + reflect "reflect" + op "github.com/caos/oidc/pkg/op" utils "github.com/caos/oidc/pkg/utils" gomock "github.com/golang/mock/gomock" - reflect "reflect" ) -// MockAuthorizer is a mock of Authorizer interface +// MockAuthorizer is a mock of Authorizer interface. type MockAuthorizer struct { ctrl *gomock.Controller recorder *MockAuthorizerMockRecorder } -// MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer +// MockAuthorizerMockRecorder is the mock recorder for MockAuthorizer. type MockAuthorizerMockRecorder struct { mock *MockAuthorizer } -// NewMockAuthorizer creates a new mock instance +// NewMockAuthorizer creates a new mock instance. func NewMockAuthorizer(ctrl *gomock.Controller) *MockAuthorizer { mock := &MockAuthorizer{ctrl: ctrl} mock.recorder = &MockAuthorizerMockRecorder{mock} return mock } -// EXPECT returns an object that allows the caller to indicate expected use +// EXPECT returns an object that allows the caller to indicate expected use. func (m *MockAuthorizer) EXPECT() *MockAuthorizerMockRecorder { return m.recorder } -// Crypto mocks base method +// Crypto mocks base method. func (m *MockAuthorizer) Crypto() op.Crypto { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "Crypto") @@ -42,13 +43,13 @@ func (m *MockAuthorizer) Crypto() op.Crypto { return ret0 } -// Crypto indicates an expected call of Crypto +// Crypto indicates an expected call of Crypto. func (mr *MockAuthorizerMockRecorder) Crypto() *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Crypto", reflect.TypeOf((*MockAuthorizer)(nil).Crypto)) } -// Decoder mocks base method +// Decoder mocks base method. func (m *MockAuthorizer) Decoder() utils.Decoder { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "Decoder") 
@@ -56,13 +57,13 @@ func (m *MockAuthorizer) Decoder() utils.Decoder {
 return ret0
 }
 
-// Decoder indicates an expected call of Decoder
+// Decoder indicates an expected call of Decoder.
 func (mr *MockAuthorizerMockRecorder) Decoder() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decoder", reflect.TypeOf((*MockAuthorizer)(nil).Decoder))
 }
 
-// Encoder mocks base method
+// Encoder mocks base method.
 func (m *MockAuthorizer) Encoder() utils.Encoder {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Encoder")
@@ -70,13 +71,13 @@ func (m *MockAuthorizer) Encoder() utils.Encoder {
 return ret0
 }
 
-// Encoder indicates an expected call of Encoder
+// Encoder indicates an expected call of Encoder.
 func (mr *MockAuthorizerMockRecorder) Encoder() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Encoder", reflect.TypeOf((*MockAuthorizer)(nil).Encoder))
 }
 
-// IDTokenHintVerifier mocks base method
+// IDTokenHintVerifier mocks base method.
 func (m *MockAuthorizer) IDTokenHintVerifier() op.IDTokenHintVerifier {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "IDTokenHintVerifier")
@@ -84,13 +85,13 @@ func (m *MockAuthorizer) IDTokenHintVerifier() op.IDTokenHintVerifier {
 return ret0
 }
 
-// IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier
+// IDTokenHintVerifier indicates an expected call of IDTokenHintVerifier.
 func (mr *MockAuthorizerMockRecorder) IDTokenHintVerifier() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenHintVerifier", reflect.TypeOf((*MockAuthorizer)(nil).IDTokenHintVerifier))
 }
 
-// Issuer mocks base method
+// Issuer mocks base method.
 func (m *MockAuthorizer) Issuer() string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Issuer")
@@ -98,13 +99,13 @@ func (m *MockAuthorizer) Issuer() string {
 return ret0
 }
 
-// Issuer indicates an expected call of Issuer
+// Issuer indicates an expected call of Issuer.
 func (mr *MockAuthorizerMockRecorder) Issuer() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockAuthorizer)(nil).Issuer))
 }
 
-// Signer mocks base method
+// Signer mocks base method.
 func (m *MockAuthorizer) Signer() op.Signer {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Signer")
@@ -112,13 +113,13 @@ func (m *MockAuthorizer) Signer() op.Signer {
 return ret0
 }
 
-// Signer indicates an expected call of Signer
+// Signer indicates an expected call of Signer.
 func (mr *MockAuthorizerMockRecorder) Signer() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockAuthorizer)(nil).Signer))
 }
 
-// Storage mocks base method
+// Storage mocks base method.
 func (m *MockAuthorizer) Storage() op.Storage {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Storage")
@@ -126,7 +127,7 @@ func (m *MockAuthorizer) Storage() op.Storage {
 return ret0
 }
 
-// Storage indicates an expected call of Storage
+// Storage indicates an expected call of Storage.
 func (mr *MockAuthorizerMockRecorder) Storage() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Storage", reflect.TypeOf((*MockAuthorizer)(nil).Storage))
diff --git a/pkg/op/mock/client.mock.go b/pkg/op/mock/client.mock.go
index 9d5fe41..e03ae0c 100644
--- a/pkg/op/mock/client.mock.go
+++ b/pkg/op/mock/client.mock.go
@@ -5,37 +5,38 @@
 package mock
 
 import (
+ reflect "reflect"
+ time "time"
+
 oidc "github.com/caos/oidc/pkg/oidc"
 op "github.com/caos/oidc/pkg/op"
 gomock "github.com/golang/mock/gomock"
- reflect "reflect"
- time "time"
 )
 
-// MockClient is a mock of Client interface
+// MockClient is a mock of Client interface.
 type MockClient struct {
 ctrl *gomock.Controller
 recorder *MockClientMockRecorder
 }
 
-// MockClientMockRecorder is the mock recorder for MockClient
+// MockClientMockRecorder is the mock recorder for MockClient.
 type MockClientMockRecorder struct {
 mock *MockClient
 }
 
-// NewMockClient creates a new mock instance
+// NewMockClient creates a new mock instance.
 func NewMockClient(ctrl *gomock.Controller) *MockClient {
 mock := &MockClient{ctrl: ctrl}
 mock.recorder = &MockClientMockRecorder{mock}
 return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockClient) EXPECT() *MockClientMockRecorder {
 return m.recorder
 }
 
-// AccessTokenType mocks base method
+// AccessTokenType mocks base method.
 func (m *MockClient) AccessTokenType() op.AccessTokenType {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AccessTokenType")
@@ -43,13 +44,13 @@ func (m *MockClient) AccessTokenType() op.AccessTokenType {
 return ret0
 }
 
-// AccessTokenType indicates an expected call of AccessTokenType
+// AccessTokenType indicates an expected call of AccessTokenType.
 func (mr *MockClientMockRecorder) AccessTokenType() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AccessTokenType", reflect.TypeOf((*MockClient)(nil).AccessTokenType))
 }
 
-// ApplicationType mocks base method
+// ApplicationType mocks base method.
 func (m *MockClient) ApplicationType() op.ApplicationType {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "ApplicationType")
@@ -57,13 +58,13 @@ func (m *MockClient) ApplicationType() op.ApplicationType {
 return ret0
 }
 
-// ApplicationType indicates an expected call of ApplicationType
+// ApplicationType indicates an expected call of ApplicationType.
 func (mr *MockClientMockRecorder) ApplicationType() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ApplicationType", reflect.TypeOf((*MockClient)(nil).ApplicationType))
 }
 
-// AuthMethod mocks base method
+// AuthMethod mocks base method.
 func (m *MockClient) AuthMethod() oidc.AuthMethod {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthMethod")
@@ -71,13 +72,13 @@ func (m *MockClient) AuthMethod() oidc.AuthMethod {
 return ret0
 }
 
-// AuthMethod indicates an expected call of AuthMethod
+// AuthMethod indicates an expected call of AuthMethod.
 func (mr *MockClientMockRecorder) AuthMethod() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethod", reflect.TypeOf((*MockClient)(nil).AuthMethod))
 }
 
-// ClockSkew mocks base method
+// ClockSkew mocks base method.
 func (m *MockClient) ClockSkew() time.Duration {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "ClockSkew")
@@ -85,13 +86,13 @@ func (m *MockClient) ClockSkew() time.Duration {
 return ret0
 }
 
-// ClockSkew indicates an expected call of ClockSkew
+// ClockSkew indicates an expected call of ClockSkew.
 func (mr *MockClientMockRecorder) ClockSkew() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClockSkew", reflect.TypeOf((*MockClient)(nil).ClockSkew))
 }
 
-// DevMode mocks base method
+// DevMode mocks base method.
 func (m *MockClient) DevMode() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "DevMode")
@@ -99,13 +100,13 @@ func (m *MockClient) DevMode() bool {
 return ret0
 }
 
-// DevMode indicates an expected call of DevMode
+// DevMode indicates an expected call of DevMode.
 func (mr *MockClientMockRecorder) DevMode() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DevMode", reflect.TypeOf((*MockClient)(nil).DevMode))
 }
 
-// GetID mocks base method
+// GetID mocks base method.
 func (m *MockClient) GetID() string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "GetID")
@@ -113,13 +114,13 @@ func (m *MockClient) GetID() string {
 return ret0
 }
 
-// GetID indicates an expected call of GetID
+// GetID indicates an expected call of GetID.
 func (mr *MockClientMockRecorder) GetID() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetID", reflect.TypeOf((*MockClient)(nil).GetID))
 }
 
-// IDTokenLifetime mocks base method
+// IDTokenLifetime mocks base method.
 func (m *MockClient) IDTokenLifetime() time.Duration {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "IDTokenLifetime")
@@ -127,13 +128,13 @@ func (m *MockClient) IDTokenLifetime() time.Duration {
 return ret0
 }
 
-// IDTokenLifetime indicates an expected call of IDTokenLifetime
+// IDTokenLifetime indicates an expected call of IDTokenLifetime.
 func (mr *MockClientMockRecorder) IDTokenLifetime() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenLifetime", reflect.TypeOf((*MockClient)(nil).IDTokenLifetime))
 }
 
-// IDTokenUserinfoClaimsAssertion mocks base method
+// IDTokenUserinfoClaimsAssertion mocks base method.
 func (m *MockClient) IDTokenUserinfoClaimsAssertion() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "IDTokenUserinfoClaimsAssertion")
@@ -141,13 +142,13 @@ func (m *MockClient) IDTokenUserinfoClaimsAssertion() bool {
 return ret0
 }
 
-// IDTokenUserinfoClaimsAssertion indicates an expected call of IDTokenUserinfoClaimsAssertion
+// IDTokenUserinfoClaimsAssertion indicates an expected call of IDTokenUserinfoClaimsAssertion.
 func (mr *MockClientMockRecorder) IDTokenUserinfoClaimsAssertion() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IDTokenUserinfoClaimsAssertion", reflect.TypeOf((*MockClient)(nil).IDTokenUserinfoClaimsAssertion))
 }
 
-// IsScopeAllowed mocks base method
+// IsScopeAllowed mocks base method.
 func (m *MockClient) IsScopeAllowed(arg0 string) bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "IsScopeAllowed", arg0)
@@ -155,13 +156,13 @@ func (m *MockClient) IsScopeAllowed(arg0 string) bool {
 return ret0
 }
 
-// IsScopeAllowed indicates an expected call of IsScopeAllowed
+// IsScopeAllowed indicates an expected call of IsScopeAllowed.
 func (mr *MockClientMockRecorder) IsScopeAllowed(arg0 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsScopeAllowed", reflect.TypeOf((*MockClient)(nil).IsScopeAllowed), arg0)
 }
 
-// LoginURL mocks base method
+// LoginURL mocks base method.
 func (m *MockClient) LoginURL(arg0 string) string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "LoginURL", arg0)
@@ -169,13 +170,13 @@ func (m *MockClient) LoginURL(arg0 string) string {
 return ret0
 }
 
-// LoginURL indicates an expected call of LoginURL
+// LoginURL indicates an expected call of LoginURL.
 func (mr *MockClientMockRecorder) LoginURL(arg0 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoginURL", reflect.TypeOf((*MockClient)(nil).LoginURL), arg0)
 }
 
-// PostLogoutRedirectURIs mocks base method
+// PostLogoutRedirectURIs mocks base method.
 func (m *MockClient) PostLogoutRedirectURIs() []string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "PostLogoutRedirectURIs")
@@ -183,13 +184,13 @@ func (m *MockClient) PostLogoutRedirectURIs() []string {
 return ret0
 }
 
-// PostLogoutRedirectURIs indicates an expected call of PostLogoutRedirectURIs
+// PostLogoutRedirectURIs indicates an expected call of PostLogoutRedirectURIs.
 func (mr *MockClientMockRecorder) PostLogoutRedirectURIs() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PostLogoutRedirectURIs", reflect.TypeOf((*MockClient)(nil).PostLogoutRedirectURIs))
 }
 
-// RedirectURIs mocks base method
+// RedirectURIs mocks base method.
 func (m *MockClient) RedirectURIs() []string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "RedirectURIs")
@@ -197,13 +198,13 @@ func (m *MockClient) RedirectURIs() []string {
 return ret0
 }
 
-// RedirectURIs indicates an expected call of RedirectURIs
+// RedirectURIs indicates an expected call of RedirectURIs.
 func (mr *MockClientMockRecorder) RedirectURIs() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RedirectURIs", reflect.TypeOf((*MockClient)(nil).RedirectURIs))
 }
 
-// ResponseTypes mocks base method
+// ResponseTypes mocks base method.
 func (m *MockClient) ResponseTypes() []oidc.ResponseType {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "ResponseTypes")
@@ -211,13 +212,13 @@ func (m *MockClient) ResponseTypes() []oidc.ResponseType {
 return ret0
 }
 
-// ResponseTypes indicates an expected call of ResponseTypes
+// ResponseTypes indicates an expected call of ResponseTypes.
 func (mr *MockClientMockRecorder) ResponseTypes() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResponseTypes", reflect.TypeOf((*MockClient)(nil).ResponseTypes))
 }
 
-// RestrictAdditionalAccessTokenScopes mocks base method
+// RestrictAdditionalAccessTokenScopes mocks base method.
 func (m *MockClient) RestrictAdditionalAccessTokenScopes() func([]string) []string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "RestrictAdditionalAccessTokenScopes")
@@ -225,13 +226,13 @@ func (m *MockClient) RestrictAdditionalAccessTokenScopes() func([]string) []stri
 return ret0
 }
 
-// RestrictAdditionalAccessTokenScopes indicates an expected call of RestrictAdditionalAccessTokenScopes
+// RestrictAdditionalAccessTokenScopes indicates an expected call of RestrictAdditionalAccessTokenScopes.
 func (mr *MockClientMockRecorder) RestrictAdditionalAccessTokenScopes() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RestrictAdditionalAccessTokenScopes", reflect.TypeOf((*MockClient)(nil).RestrictAdditionalAccessTokenScopes))
 }
 
-// RestrictAdditionalIdTokenScopes mocks base method
+// RestrictAdditionalIdTokenScopes mocks base method.
 func (m *MockClient) RestrictAdditionalIdTokenScopes() func([]string) []string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "RestrictAdditionalIdTokenScopes")
@@ -239,7 +240,7 @@ func (m *MockClient) RestrictAdditionalIdTokenScopes() func([]string) []string {
 return ret0
 }
 
-// RestrictAdditionalIdTokenScopes indicates an expected call of RestrictAdditionalIdTokenScopes
+// RestrictAdditionalIdTokenScopes indicates an expected call of RestrictAdditionalIdTokenScopes.
 func (mr *MockClientMockRecorder) RestrictAdditionalIdTokenScopes() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RestrictAdditionalIdTokenScopes", reflect.TypeOf((*MockClient)(nil).RestrictAdditionalIdTokenScopes))
diff --git a/pkg/op/mock/configuration.mock.go b/pkg/op/mock/configuration.mock.go
index 4f83f35..f9f297e 100644
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@@ -5,35 +5,36 @@
 package mock
 
 import (
+ reflect "reflect"
+
 op "github.com/caos/oidc/pkg/op"
 gomock "github.com/golang/mock/gomock"
- reflect "reflect"
 )
 
-// MockConfiguration is a mock of Configuration interface
+// MockConfiguration is a mock of Configuration interface.
 type MockConfiguration struct {
 ctrl *gomock.Controller
 recorder *MockConfigurationMockRecorder
 }
 
-// MockConfigurationMockRecorder is the mock recorder for MockConfiguration
+// MockConfigurationMockRecorder is the mock recorder for MockConfiguration.
 type MockConfigurationMockRecorder struct {
 mock *MockConfiguration
 }
 
-// NewMockConfiguration creates a new mock instance
+// NewMockConfiguration creates a new mock instance.
 func NewMockConfiguration(ctrl *gomock.Controller) *MockConfiguration {
 mock := &MockConfiguration{ctrl: ctrl}
 mock.recorder = &MockConfigurationMockRecorder{mock}
 return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockConfiguration) EXPECT() *MockConfigurationMockRecorder {
 return m.recorder
 }
 
-// AuthMethodPostSupported mocks base method
+// AuthMethodPostSupported mocks base method.
 func (m *MockConfiguration) AuthMethodPostSupported() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthMethodPostSupported")
@@ -41,13 +42,13 @@ func (m *MockConfiguration) AuthMethodPostSupported() bool {
 return ret0
 }
 
-// AuthMethodPostSupported indicates an expected call of AuthMethodPostSupported
+// AuthMethodPostSupported indicates an expected call of AuthMethodPostSupported.
 func (mr *MockConfigurationMockRecorder) AuthMethodPostSupported() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPostSupported", reflect.TypeOf((*MockConfiguration)(nil).AuthMethodPostSupported))
 }
 
-// AuthMethodPrivateKeyJWTSupported mocks base method
+// AuthMethodPrivateKeyJWTSupported mocks base method.
 func (m *MockConfiguration) AuthMethodPrivateKeyJWTSupported() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthMethodPrivateKeyJWTSupported")
@@ -55,13 +56,13 @@ func (m *MockConfiguration) AuthMethodPrivateKeyJWTSupported() bool {
 return ret0
 }
 
-// AuthMethodPrivateKeyJWTSupported indicates an expected call of AuthMethodPrivateKeyJWTSupported
+// AuthMethodPrivateKeyJWTSupported indicates an expected call of AuthMethodPrivateKeyJWTSupported.
 func (mr *MockConfigurationMockRecorder) AuthMethodPrivateKeyJWTSupported() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthMethodPrivateKeyJWTSupported", reflect.TypeOf((*MockConfiguration)(nil).AuthMethodPrivateKeyJWTSupported))
 }
 
-// AuthorizationEndpoint mocks base method
+// AuthorizationEndpoint mocks base method.
 func (m *MockConfiguration) AuthorizationEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthorizationEndpoint")
@@ -69,13 +70,13 @@ func (m *MockConfiguration) AuthorizationEndpoint() op.Endpoint {
 return ret0
 }
 
-// AuthorizationEndpoint indicates an expected call of AuthorizationEndpoint
+// AuthorizationEndpoint indicates an expected call of AuthorizationEndpoint.
 func (mr *MockConfigurationMockRecorder) AuthorizationEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthorizationEndpoint", reflect.TypeOf((*MockConfiguration)(nil).AuthorizationEndpoint))
 }
 
-// CodeMethodS256Supported mocks base method
+// CodeMethodS256Supported mocks base method.
 func (m *MockConfiguration) CodeMethodS256Supported() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "CodeMethodS256Supported")
@@ -83,13 +84,13 @@ func (m *MockConfiguration) CodeMethodS256Supported() bool {
 return ret0
 }
 
-// CodeMethodS256Supported indicates an expected call of CodeMethodS256Supported
+// CodeMethodS256Supported indicates an expected call of CodeMethodS256Supported.
 func (mr *MockConfigurationMockRecorder) CodeMethodS256Supported() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CodeMethodS256Supported", reflect.TypeOf((*MockConfiguration)(nil).CodeMethodS256Supported))
 }
 
-// EndSessionEndpoint mocks base method
+// EndSessionEndpoint mocks base method.
 func (m *MockConfiguration) EndSessionEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "EndSessionEndpoint")
@@ -97,13 +98,13 @@ func (m *MockConfiguration) EndSessionEndpoint() op.Endpoint {
 return ret0
 }
 
-// EndSessionEndpoint indicates an expected call of EndSessionEndpoint
+// EndSessionEndpoint indicates an expected call of EndSessionEndpoint.
 func (mr *MockConfigurationMockRecorder) EndSessionEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EndSessionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).EndSessionEndpoint))
 }
 
-// GrantTypeJWTAuthorizationSupported mocks base method
+// GrantTypeJWTAuthorizationSupported mocks base method.
 func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "GrantTypeJWTAuthorizationSupported")
@@ -111,13 +112,13 @@ func (m *MockConfiguration) GrantTypeJWTAuthorizationSupported() bool {
 return ret0
 }
 
-// GrantTypeJWTAuthorizationSupported indicates an expected call of GrantTypeJWTAuthorizationSupported
+// GrantTypeJWTAuthorizationSupported indicates an expected call of GrantTypeJWTAuthorizationSupported.
 func (mr *MockConfigurationMockRecorder) GrantTypeJWTAuthorizationSupported() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeJWTAuthorizationSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeJWTAuthorizationSupported))
 }
 
-// GrantTypeTokenExchangeSupported mocks base method
+// GrantTypeTokenExchangeSupported mocks base method.
 func (m *MockConfiguration) GrantTypeTokenExchangeSupported() bool {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "GrantTypeTokenExchangeSupported")
@@ -125,13 +126,13 @@ func (m *MockConfiguration) GrantTypeTokenExchangeSupported() bool {
 return ret0
 }
 
-// GrantTypeTokenExchangeSupported indicates an expected call of GrantTypeTokenExchangeSupported
+// GrantTypeTokenExchangeSupported indicates an expected call of GrantTypeTokenExchangeSupported.
 func (mr *MockConfigurationMockRecorder) GrantTypeTokenExchangeSupported() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GrantTypeTokenExchangeSupported", reflect.TypeOf((*MockConfiguration)(nil).GrantTypeTokenExchangeSupported))
 }
 
-// IntrospectionEndpoint mocks base method
+// IntrospectionEndpoint mocks base method.
 func (m *MockConfiguration) IntrospectionEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "IntrospectionEndpoint")
@@ -139,13 +140,13 @@ func (m *MockConfiguration) IntrospectionEndpoint() op.Endpoint {
 return ret0
 }
 
-// IntrospectionEndpoint indicates an expected call of IntrospectionEndpoint
+// IntrospectionEndpoint indicates an expected call of IntrospectionEndpoint.
 func (mr *MockConfigurationMockRecorder) IntrospectionEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntrospectionEndpoint", reflect.TypeOf((*MockConfiguration)(nil).IntrospectionEndpoint))
 }
 
-// Issuer mocks base method
+// Issuer mocks base method.
 func (m *MockConfiguration) Issuer() string {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Issuer")
@@ -153,13 +154,13 @@ func (m *MockConfiguration) Issuer() string {
 return ret0
 }
 
-// Issuer indicates an expected call of Issuer
+// Issuer indicates an expected call of Issuer.
 func (mr *MockConfigurationMockRecorder) Issuer() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issuer", reflect.TypeOf((*MockConfiguration)(nil).Issuer))
 }
 
-// KeysEndpoint mocks base method
+// KeysEndpoint mocks base method.
 func (m *MockConfiguration) KeysEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "KeysEndpoint")
@@ -167,13 +168,13 @@ func (m *MockConfiguration) KeysEndpoint() op.Endpoint {
 return ret0
 }
 
-// KeysEndpoint indicates an expected call of KeysEndpoint
+// KeysEndpoint indicates an expected call of KeysEndpoint.
 func (mr *MockConfigurationMockRecorder) KeysEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeysEndpoint", reflect.TypeOf((*MockConfiguration)(nil).KeysEndpoint))
 }
 
-// TokenEndpoint mocks base method
+// TokenEndpoint mocks base method.
 func (m *MockConfiguration) TokenEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "TokenEndpoint")
@@ -181,13 +182,13 @@ func (m *MockConfiguration) TokenEndpoint() op.Endpoint {
 return ret0
 }
 
-// TokenEndpoint indicates an expected call of TokenEndpoint
+// TokenEndpoint indicates an expected call of TokenEndpoint.
 func (mr *MockConfigurationMockRecorder) TokenEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TokenEndpoint", reflect.TypeOf((*MockConfiguration)(nil).TokenEndpoint))
 }
 
-// UserinfoEndpoint mocks base method
+// UserinfoEndpoint mocks base method.
 func (m *MockConfiguration) UserinfoEndpoint() op.Endpoint {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "UserinfoEndpoint")
@@ -195,7 +196,7 @@ func (m *MockConfiguration) UserinfoEndpoint() op.Endpoint {
 return ret0
 }
 
-// UserinfoEndpoint indicates an expected call of UserinfoEndpoint
+// UserinfoEndpoint indicates an expected call of UserinfoEndpoint.
 func (mr *MockConfigurationMockRecorder) UserinfoEndpoint() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UserinfoEndpoint", reflect.TypeOf((*MockConfiguration)(nil).UserinfoEndpoint))
diff --git a/pkg/op/mock/signer.mock.go b/pkg/op/mock/signer.mock.go
index b52f9d4..0564aa1 100644
--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@@ -6,35 +6,36 @@ package mock
 
 import (
 context "context"
+ reflect "reflect"
+
 gomock "github.com/golang/mock/gomock"
 jose "gopkg.in/square/go-jose.v2"
- reflect "reflect"
 )
 
-// MockSigner is a mock of Signer interface
+// MockSigner is a mock of Signer interface.
 type MockSigner struct {
 ctrl *gomock.Controller
 recorder *MockSignerMockRecorder
 }
 
-// MockSignerMockRecorder is the mock recorder for MockSigner
+// MockSignerMockRecorder is the mock recorder for MockSigner.
 type MockSignerMockRecorder struct {
 mock *MockSigner
 }
 
-// NewMockSigner creates a new mock instance
+// NewMockSigner creates a new mock instance.
 func NewMockSigner(ctrl *gomock.Controller) *MockSigner {
 mock := &MockSigner{ctrl: ctrl}
 mock.recorder = &MockSignerMockRecorder{mock}
 return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockSigner) EXPECT() *MockSignerMockRecorder {
 return m.recorder
 }
 
-// Health mocks base method
+// Health mocks base method.
 func (m *MockSigner) Health(arg0 context.Context) error {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Health", arg0)
@@ -42,13 +43,13 @@ func (m *MockSigner) Health(arg0 context.Context) error {
 return ret0
 }
 
-// Health indicates an expected call of Health
+// Health indicates an expected call of Health.
 func (mr *MockSignerMockRecorder) Health(arg0 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockSigner)(nil).Health), arg0)
 }
 
-// SignatureAlgorithm mocks base method
+// SignatureAlgorithm mocks base method.
 func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "SignatureAlgorithm")
@@ -56,13 +57,13 @@ func (m *MockSigner) SignatureAlgorithm() jose.SignatureAlgorithm {
 return ret0
 }
 
-// SignatureAlgorithm indicates an expected call of SignatureAlgorithm
+// SignatureAlgorithm indicates an expected call of SignatureAlgorithm.
 func (mr *MockSignerMockRecorder) SignatureAlgorithm() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SignatureAlgorithm", reflect.TypeOf((*MockSigner)(nil).SignatureAlgorithm))
 }
 
-// Signer mocks base method
+// Signer mocks base method.
 func (m *MockSigner) Signer() jose.Signer {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "Signer")
@@ -70,7 +71,7 @@ func (m *MockSigner) Signer() jose.Signer {
 return ret0
 }
 
-// Signer indicates an expected call of Signer
+// Signer indicates an expected call of Signer.
 func (mr *MockSignerMockRecorder) Signer() *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Signer", reflect.TypeOf((*MockSigner)(nil).Signer))
diff --git a/pkg/op/mock/storage.mock.go b/pkg/op/mock/storage.mock.go
index 280e8e6..be261bb 100644
--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@@ -6,38 +6,39 @@ package mock
 
 import (
 context "context"
+ reflect "reflect"
+ time "time"
+
 oidc "github.com/caos/oidc/pkg/oidc"
 op "github.com/caos/oidc/pkg/op"
 gomock "github.com/golang/mock/gomock"
 jose "gopkg.in/square/go-jose.v2"
- reflect "reflect"
- time "time"
 )
 
-// MockStorage is a mock of Storage interface
+// MockStorage is a mock of Storage interface.
 type MockStorage struct {
 ctrl *gomock.Controller
 recorder *MockStorageMockRecorder
 }
 
-// MockStorageMockRecorder is the mock recorder for MockStorage
+// MockStorageMockRecorder is the mock recorder for MockStorage.
 type MockStorageMockRecorder struct {
 mock *MockStorage
 }
 
-// NewMockStorage creates a new mock instance
+// NewMockStorage creates a new mock instance.
 func NewMockStorage(ctrl *gomock.Controller) *MockStorage {
 mock := &MockStorage{ctrl: ctrl}
 mock.recorder = &MockStorageMockRecorder{mock}
 return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockStorage) EXPECT() *MockStorageMockRecorder {
 return m.recorder
 }
 
-// AuthRequestByCode mocks base method
+// AuthRequestByCode mocks base method.
 func (m *MockStorage) AuthRequestByCode(arg0 context.Context, arg1 string) (op.AuthRequest, error) {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthRequestByCode", arg0, arg1)
@@ -46,13 +47,13 @@ func (m *MockStorage) AuthRequestByCode(arg0 context.Context, arg1 string) (op.A
 return ret0, ret1
 }
 
-// AuthRequestByCode indicates an expected call of AuthRequestByCode
+// AuthRequestByCode indicates an expected call of AuthRequestByCode.
 func (mr *MockStorageMockRecorder) AuthRequestByCode(arg0, arg1 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthRequestByCode", reflect.TypeOf((*MockStorage)(nil).AuthRequestByCode), arg0, arg1)
 }
 
-// AuthRequestByID mocks base method
+// AuthRequestByID mocks base method.
 func (m *MockStorage) AuthRequestByID(arg0 context.Context, arg1 string) (op.AuthRequest, error) {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthRequestByID", arg0, arg1)
@@ -61,13 +62,13 @@ func (m *MockStorage) AuthRequestByID(arg0 context.Context, arg1 string) (op.Aut
 return ret0, ret1
 }
 
-// AuthRequestByID indicates an expected call of AuthRequestByID
+// AuthRequestByID indicates an expected call of AuthRequestByID.
 func (mr *MockStorageMockRecorder) AuthRequestByID(arg0, arg1 interface{}) *gomock.Call {
 mr.mock.ctrl.T.Helper()
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthRequestByID", reflect.TypeOf((*MockStorage)(nil).AuthRequestByID), arg0, arg1)
 }
 
-// AuthorizeClientIDSecret mocks base method
+// AuthorizeClientIDSecret mocks base method.
 func (m *MockStorage) AuthorizeClientIDSecret(arg0 context.Context, arg1, arg2 string) error {
 m.ctrl.T.Helper()
 ret := m.ctrl.Call(m, "AuthorizeClientIDSecret", arg0, arg1, arg2)
@@ -75,13 +76,46 @@ func (m *MockStorage) AuthorizeClientIDSecret(arg0 context.Context, arg1, arg2 s return ret0 } -// AuthorizeClientIDSecret indicates an expected call of AuthorizeClientIDSecret +// AuthorizeClientIDSecret indicates an expected call of AuthorizeClientIDSecret. func (mr *MockStorageMockRecorder) AuthorizeClientIDSecret(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthorizeClientIDSecret", reflect.TypeOf((*MockStorage)(nil).AuthorizeClientIDSecret), arg0, arg1, arg2) } -// CreateAuthRequest mocks base method +// CreateAccessAndRefreshTokens mocks base method. +func (m *MockStorage) CreateAccessAndRefreshTokens(arg0 context.Context, arg1 op.TokenRequest, arg2 string) (string, string, time.Time, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateAccessAndRefreshTokens", arg0, arg1, arg2) + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(string) + ret2, _ := ret[2].(time.Time) + ret3, _ := ret[3].(error) + return ret0, ret1, ret2, ret3 +} + +// CreateAccessAndRefreshTokens indicates an expected call of CreateAccessAndRefreshTokens. +func (mr *MockStorageMockRecorder) CreateAccessAndRefreshTokens(arg0, arg1, arg2 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAccessAndRefreshTokens", reflect.TypeOf((*MockStorage)(nil).CreateAccessAndRefreshTokens), arg0, arg1, arg2) +} + +// CreateAccessToken mocks base method. +func (m *MockStorage) CreateAccessToken(arg0 context.Context, arg1 op.TokenRequest) (string, time.Time, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateAccessToken", arg0, arg1) + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(time.Time) + ret2, _ := ret[2].(error) + return ret0, ret1, ret2 +} + +// CreateAccessToken indicates an expected call of CreateAccessToken. 
+func (mr *MockStorageMockRecorder) CreateAccessToken(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAccessToken", reflect.TypeOf((*MockStorage)(nil).CreateAccessToken), arg0, arg1) +} + +// CreateAuthRequest mocks base method. func (m *MockStorage) CreateAuthRequest(arg0 context.Context, arg1 *oidc.AuthRequest, arg2 string) (op.AuthRequest, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "CreateAuthRequest", arg0, arg1, arg2) @@ -90,29 +124,13 @@ func (m *MockStorage) CreateAuthRequest(arg0 context.Context, arg1 *oidc.AuthReq return ret0, ret1 } -// CreateAuthRequest indicates an expected call of CreateAuthRequest +// CreateAuthRequest indicates an expected call of CreateAuthRequest. func (mr *MockStorageMockRecorder) CreateAuthRequest(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAuthRequest", reflect.TypeOf((*MockStorage)(nil).CreateAuthRequest), arg0, arg1, arg2) } -// CreateToken mocks base method -func (m *MockStorage) CreateToken(arg0 context.Context, arg1 op.TokenRequest) (string, time.Time, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "CreateToken", arg0, arg1) - ret0, _ := ret[0].(string) - ret1, _ := ret[1].(time.Time) - ret2, _ := ret[2].(error) - return ret0, ret1, ret2 -} - -// CreateToken indicates an expected call of CreateToken -func (mr *MockStorageMockRecorder) CreateToken(arg0, arg1 interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateToken", reflect.TypeOf((*MockStorage)(nil).CreateToken), arg0, arg1) -} - -// DeleteAuthRequest mocks base method +// DeleteAuthRequest mocks base method. func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "DeleteAuthRequest", arg0, arg1) 
@@ -120,13 +138,13 @@ func (m *MockStorage) DeleteAuthRequest(arg0 context.Context, arg1 string) error return ret0 } -// DeleteAuthRequest indicates an expected call of DeleteAuthRequest +// DeleteAuthRequest indicates an expected call of DeleteAuthRequest. func (mr *MockStorageMockRecorder) DeleteAuthRequest(arg0, arg1 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAuthRequest", reflect.TypeOf((*MockStorage)(nil).DeleteAuthRequest), arg0, arg1) } -// GetClientByClientID mocks base method +// GetClientByClientID mocks base method. func (m *MockStorage) GetClientByClientID(arg0 context.Context, arg1 string) (op.Client, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "GetClientByClientID", arg0, arg1) @@ -135,13 +153,13 @@ func (m *MockStorage) GetClientByClientID(arg0 context.Context, arg1 string) (op return ret0, ret1 } -// GetClientByClientID indicates an expected call of GetClientByClientID +// GetClientByClientID indicates an expected call of GetClientByClientID. func (mr *MockStorageMockRecorder) GetClientByClientID(arg0, arg1 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClientByClientID", reflect.TypeOf((*MockStorage)(nil).GetClientByClientID), arg0, arg1) } -// GetKeyByIDAndUserID mocks base method +// GetKeyByIDAndUserID mocks base method. func (m *MockStorage) GetKeyByIDAndUserID(arg0 context.Context, arg1, arg2 string) (*jose.JSONWebKey, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "GetKeyByIDAndUserID", arg0, arg1, arg2) 
@@ -150,13 +168,13 @@ func (m *MockStorage) GetKeyByIDAndUserID(arg0 context.Context, arg1, arg2 strin return ret0, ret1 } -// GetKeyByIDAndUserID indicates an expected call of GetKeyByIDAndUserID +// GetKeyByIDAndUserID indicates an expected call of GetKeyByIDAndUserID. func (mr *MockStorageMockRecorder) GetKeyByIDAndUserID(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeyByIDAndUserID", reflect.TypeOf((*MockStorage)(nil).GetKeyByIDAndUserID), arg0, arg1, arg2) } -// GetKeySet mocks base method +// GetKeySet mocks base method. func (m *MockStorage) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "GetKeySet", arg0) @@ -165,13 +183,13 @@ func (m *MockStorage) GetKeySet(arg0 context.Context) (*jose.JSONWebKeySet, erro return ret0, ret1 } -// GetKeySet indicates an expected call of GetKeySet +// GetKeySet indicates an expected call of GetKeySet. func (mr *MockStorageMockRecorder) GetKeySet(arg0 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetKeySet", reflect.TypeOf((*MockStorage)(nil).GetKeySet), arg0) } -// GetPrivateClaimsFromScopes mocks base method +// GetPrivateClaimsFromScopes mocks base method. func (m *MockStorage) GetPrivateClaimsFromScopes(arg0 context.Context, arg1, arg2 string, arg3 []string) (map[string]interface{}, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "GetPrivateClaimsFromScopes", arg0, arg1, arg2, arg3) 
@@ -180,25 +198,25 @@ func (m *MockStorage) GetPrivateClaimsFromScopes(arg0 context.Context, arg1, arg return ret0, ret1 } -// GetPrivateClaimsFromScopes indicates an expected call of GetPrivateClaimsFromScopes +// GetPrivateClaimsFromScopes indicates an expected call of GetPrivateClaimsFromScopes. func (mr *MockStorageMockRecorder) GetPrivateClaimsFromScopes(arg0, arg1, arg2, arg3 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPrivateClaimsFromScopes", reflect.TypeOf((*MockStorage)(nil).GetPrivateClaimsFromScopes), arg0, arg1, arg2, arg3) } -// GetSigningKey mocks base method +// GetSigningKey mocks base method. func (m *MockStorage) GetSigningKey(arg0 context.Context, arg1 chan<- jose.SigningKey) { m.ctrl.T.Helper() m.ctrl.Call(m, "GetSigningKey", arg0, arg1) } -// GetSigningKey indicates an expected call of GetSigningKey +// GetSigningKey indicates an expected call of GetSigningKey. func (mr *MockStorageMockRecorder) GetSigningKey(arg0, arg1 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetSigningKey", reflect.TypeOf((*MockStorage)(nil).GetSigningKey), arg0, arg1) } -// Health mocks base method +// Health mocks base method. func (m *MockStorage) Health(arg0 context.Context) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "Health", arg0) 
@@ -206,13 +224,13 @@ func (m *MockStorage) Health(arg0 context.Context) error { return ret0 } -// Health indicates an expected call of Health +// Health indicates an expected call of Health. func (mr *MockStorageMockRecorder) Health(arg0 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Health", reflect.TypeOf((*MockStorage)(nil).Health), arg0) } -// SaveAuthCode mocks base method +// SaveAuthCode mocks base method. func (m *MockStorage) SaveAuthCode(arg0 context.Context, arg1, arg2 string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SaveAuthCode", arg0, arg1, arg2) @@ -220,13 +238,13 @@ func (m *MockStorage) SaveAuthCode(arg0 context.Context, arg1, arg2 string) erro return ret0 } -// SaveAuthCode indicates an expected call of SaveAuthCode +// SaveAuthCode indicates an expected call of SaveAuthCode. func (mr *MockStorageMockRecorder) SaveAuthCode(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SaveAuthCode", reflect.TypeOf((*MockStorage)(nil).SaveAuthCode), arg0, arg1, arg2) } -// SetIntrospectionFromToken mocks base method +// SetIntrospectionFromToken mocks base method. func (m *MockStorage) SetIntrospectionFromToken(arg0 context.Context, arg1 oidc.IntrospectionResponse, arg2, arg3, arg4 string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SetIntrospectionFromToken", arg0, arg1, arg2, arg3, arg4) 
@@ -234,13 +252,13 @@ func (m *MockStorage) SetIntrospectionFromToken(arg0 context.Context, arg1 oidc. return ret0 } -// SetIntrospectionFromToken indicates an expected call of SetIntrospectionFromToken +// SetIntrospectionFromToken indicates an expected call of SetIntrospectionFromToken. func (mr *MockStorageMockRecorder) SetIntrospectionFromToken(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetIntrospectionFromToken", reflect.TypeOf((*MockStorage)(nil).SetIntrospectionFromToken), arg0, arg1, arg2, arg3, arg4) } -// SetUserinfoFromScopes mocks base method +// SetUserinfoFromScopes mocks base method. func (m *MockStorage) SetUserinfoFromScopes(arg0 context.Context, arg1 oidc.UserInfoSetter, arg2, arg3 string, arg4 []string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SetUserinfoFromScopes", arg0, arg1, arg2, arg3, arg4) @@ -248,13 +266,13 @@ func (m *MockStorage) SetUserinfoFromScopes(arg0 context.Context, arg1 oidc.User return ret0 } -// SetUserinfoFromScopes indicates an expected call of SetUserinfoFromScopes +// SetUserinfoFromScopes indicates an expected call of SetUserinfoFromScopes. func (mr *MockStorageMockRecorder) SetUserinfoFromScopes(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUserinfoFromScopes", reflect.TypeOf((*MockStorage)(nil).SetUserinfoFromScopes), arg0, arg1, arg2, arg3, arg4) } -// SetUserinfoFromToken mocks base method +// SetUserinfoFromToken mocks base method. func (m *MockStorage) SetUserinfoFromToken(arg0 context.Context, arg1 oidc.UserInfoSetter, arg2, arg3, arg4 string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SetUserinfoFromToken", arg0, arg1, arg2, arg3, arg4) 
@@ -262,13 +280,13 @@ func (m *MockStorage) SetUserinfoFromToken(arg0 context.Context, arg1 oidc.UserI return ret0 } -// SetUserinfoFromToken indicates an expected call of SetUserinfoFromToken +// SetUserinfoFromToken indicates an expected call of SetUserinfoFromToken. func (mr *MockStorageMockRecorder) SetUserinfoFromToken(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUserinfoFromToken", reflect.TypeOf((*MockStorage)(nil).SetUserinfoFromToken), arg0, arg1, arg2, arg3, arg4) } -// TerminateSession mocks base method +// TerminateSession mocks base method. func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) error { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "TerminateSession", arg0, arg1, arg2) 
@@ -276,13 +294,28 @@ func (m *MockStorage) TerminateSession(arg0 context.Context, arg1, arg2 string) return ret0 } -// TerminateSession indicates an expected call of TerminateSession +// TerminateSession indicates an expected call of TerminateSession. func (mr *MockStorageMockRecorder) TerminateSession(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TerminateSession", reflect.TypeOf((*MockStorage)(nil).TerminateSession), arg0, arg1, arg2) } -// ValidateJWTProfileScopes mocks base method +// TokenRequestByRefreshToken mocks base method. +func (m *MockStorage) TokenRequestByRefreshToken(arg0 context.Context, arg1 string) (op.RefreshTokenRequest, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "TokenRequestByRefreshToken", arg0, arg1) + ret0, _ := ret[0].(op.RefreshTokenRequest) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// TokenRequestByRefreshToken indicates an expected call of TokenRequestByRefreshToken. +func (mr *MockStorageMockRecorder) TokenRequestByRefreshToken(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TokenRequestByRefreshToken", reflect.TypeOf((*MockStorage)(nil).TokenRequestByRefreshToken), arg0, arg1) +} + +// ValidateJWTProfileScopes mocks base method. func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string, arg2 oidc.Scopes) (oidc.Scopes, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "ValidateJWTProfileScopes", arg0, arg1, arg2) 
@@ -291,7 +324,7 @@ func (m *MockStorage) ValidateJWTProfileScopes(arg0 context.Context, arg1 string return ret0, ret1 } -// ValidateJWTProfileScopes indicates an expected call of ValidateJWTProfileScopes +// ValidateJWTProfileScopes indicates an expected call of ValidateJWTProfileScopes. func (mr *MockStorageMockRecorder) ValidateJWTProfileScopes(arg0, arg1, arg2 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateJWTProfileScopes", reflect.TypeOf((*MockStorage)(nil).ValidateJWTProfileScopes), arg0, arg1, arg2) diff --git a/pkg/op/storage.go b/pkg/op/storage.go index 277f244..0e0794e 100644 --- a/pkg/op/storage.go +++ b/pkg/op/storage.go @@ -16,7 +16,9 @@ type AuthStorage interface { SaveAuthCode(context.Context, string, string) error DeleteAuthRequest(context.Context, string) error - CreateToken(context.Context, TokenRequest) (string, time.Time, error) + CreateAccessToken(context.Context, TokenRequest) (string, time.Time, error) + CreateAccessAndRefreshTokens(ctx context.Context, request TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error) + TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (RefreshTokenRequest, error) TerminateSession(context.Context, string, string) error diff --git a/pkg/op/token.go b/pkg/op/token.go index 334bec9..28bc011 100644 --- a/pkg/op/token.go +++ b/pkg/op/token.go 
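Review bot: The three methods added to `AuthStorage` carry no doc comments, and the one contract an implementer most needs is not stated anywhere in the commit: what `CreateAccessAndRefreshTokens` is expected to do with `currentRefreshToken`. Whether the presented token must be invalidated once a new one is returned (rotation) is left to each storage implementation to guess, and the parameter is also reached with an empty value on a code exchange with offline_access, since `CodeExchange` in token_code.go passes `""` through `CreateTokenResponse`. Suggest a comment above it such as `// CreateAccessAndRefreshTokens returns a new access token id and a new refresh token for request; currentRefreshToken is the token presented by the client, or empty when none was presented (code exchange). Implementations decide whether the presented token is invalidated and should document it.`, and for `TokenRequestByRefreshToken` a one-liner stating that an unknown or no longer valid refresh token must be reported as an error rather than a zero request. The interface declaration starts and continues outside the hunk.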
@@ -21,53 +21,61 @@ type TokenRequest interface {
 GetScopes() []string
 }
-func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client, creator TokenCreator, createAccessToken bool, code string) (*oidc.AccessTokenResponse, error) {
- var accessToken string
+func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Client, creator TokenCreator, createAccessToken bool, code, refreshToken string) (*oidc.AccessTokenResponse, error) {
+ var accessToken, newRefreshToken string
 var validity time.Duration
 if createAccessToken {
 var err error
- accessToken, validity, err = CreateAccessToken(ctx, authReq, client.AccessTokenType(), creator, client)
+ accessToken, newRefreshToken, validity, err = CreateAccessToken(ctx, request, client.AccessTokenType(), creator, client, refreshToken)
 if err != nil {
 return nil, err
 }
 }
- idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client)
+ idToken, err := CreateIDToken(ctx, creator.Issuer(), request, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client)
 if err != nil {
 return nil, err
 }
- err = creator.Storage().DeleteAuthRequest(ctx, authReq.GetID())
- if err != nil {
- return nil, err
+ if authRequest, ok := request.(AuthRequest); ok {
+ err = creator.Storage().DeleteAuthRequest(ctx, authRequest.GetID())
+ if err != nil {
+ return nil, err
+ }
 }
 exp := uint64(validity.Seconds())
 return &oidc.AccessTokenResponse{
- AccessToken: accessToken,
- IDToken: idToken,
- TokenType: oidc.BearerToken,
- ExpiresIn: exp,
+ AccessToken: accessToken,
+ IDToken: idToken,
+ RefreshToken: newRefreshToken,
+ TokenType: oidc.BearerToken,
+ ExpiresIn: exp,
 }, nil
 }
-func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error) {
- accessToken, validity, err := CreateAccessToken(ctx, tokenRequest, AccessTokenTypeBearer, creator, nil)
- if err != nil {
- return nil, err
+func createTokens(ctx context.Context, tokenRequest TokenRequest, storage Storage, refreshToken string) (id, newRefreshToken string, exp time.Time, err error) {
+ if needsRefreshToken(tokenRequest) {
+ return storage.CreateAccessAndRefreshTokens(ctx, tokenRequest, refreshToken)
 }
-
- exp := uint64(validity.Seconds())
- return &oidc.AccessTokenResponse{
- AccessToken: accessToken,
- TokenType: oidc.BearerToken,
- ExpiresIn: exp,
- }, nil
+ id, exp, err = storage.CreateAccessToken(ctx, tokenRequest)
+ return
 }
-func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client) (token string, validity time.Duration, err error) {
- id, exp, err := creator.Storage().CreateToken(ctx, tokenRequest)
+func needsRefreshToken(tokenRequest TokenRequest) bool {
+ switch req := tokenRequest.(type) {
+ case AuthRequest:
+ return utils.Contains(req.GetScopes(), oidc.ScopeOfflineAccess) && req.GetResponseType() == oidc.ResponseTypeCode
+ case RefreshTokenRequest:
+ return true
+ default:
+ return false
+ }
+}
+
+func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTokenType AccessTokenType, creator TokenCreator, client Client, refreshToken string) (accessToken, newRefreshToken string, validity time.Duration, err error) {
+ id, newRefreshToken, exp, err := createTokens(ctx, tokenRequest, creator.Storage(), refreshToken)
 if err != nil {
- return "", 0, err
+ return "", "", 0, err
 }
 var clockSkew time.Duration
 if client != nil {
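Review bot: `createTokens` ends its non-refresh path with a naked `return` after `id, exp, err = storage.CreateAccessToken(ctx, tokenRequest)`, so the reader has to work out that `newRefreshToken` is deliberately left at its zero value; `return id, "", exp, err` says so directly and removes the only naked return in the file. `needsRefreshToken` is where the issuing policy lives but it has no comment; suggest `// needsRefreshToken reports whether a refresh token is issued: for an AuthRequest only when offline_access was requested with the code response type, and always when an existing refresh token is being exchanged.` `CreateAccessToken`'s body continues past the end of the hunk.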
@@ -75,10 +83,10 @@ func CreateAccessToken(ctx context.Context, tokenRequest TokenRequest, accessTok
 }
 validity = exp.Add(clockSkew).Sub(time.Now().UTC())
 if accessTokenType == AccessTokenTypeJWT {
- token, err = CreateJWT(ctx, creator.Issuer(), tokenRequest, exp, id, creator.Signer(), client, creator.Storage())
+ accessToken, err = CreateJWT(ctx, creator.Issuer(), tokenRequest, exp, id, creator.Signer(), client, creator.Storage())
 return
 }
- token, err = CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
+ accessToken, err = CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
 return
 }
@@ -99,10 +107,24 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 return utils.Sign(claims, signer.Signer())
 }
-func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, client Client) (string, error) {
+type IDTokenRequest interface {
+ GetAMR() []string
+ GetAudience() []string
+ GetAuthTime() time.Time
+ GetClientID() string
+ GetScopes() []string
+ GetSubject() string
+}
+
+func CreateIDToken(ctx context.Context, issuer string, request IDTokenRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, client Client) (string, error) {
 exp := time.Now().UTC().Add(client.ClockSkew()).Add(validity)
- claims := oidc.NewIDTokenClaims(issuer, authReq.GetSubject(), authReq.GetAudience(), exp, authReq.GetAuthTime(), authReq.GetNonce(), authReq.GetACR(), authReq.GetAMR(), authReq.GetClientID(), client.ClockSkew())
- scopes := client.RestrictAdditionalIdTokenScopes()(authReq.GetScopes())
+ var acr, nonce string
+ if authRequest, ok := request.(AuthRequest); ok {
+ acr = authRequest.GetACR()
+ nonce = authRequest.GetNonce()
+ }
+ claims := oidc.NewIDTokenClaims(issuer, request.GetSubject(), request.GetAudience(), exp, request.GetAuthTime(), nonce, acr, request.GetAMR(), request.GetClientID(), client.ClockSkew())
+ scopes := client.RestrictAdditionalIdTokenScopes()(request.GetScopes())
 if accessToken != "" {
 atHash, err := oidc.ClaimHash(accessToken, signer.SignatureAlgorithm())
 if err != nil {
@@ -115,7 +137,7 @@ func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, vali
 }
 if len(scopes) > 0 {
 userInfo := oidc.NewUserInfo()
- err := storage.SetUserinfoFromScopes(ctx, userInfo, authReq.GetSubject(), authReq.GetClientID(), scopes)
+ err := storage.SetUserinfoFromScopes(ctx, userInfo, request.GetSubject(), request.GetClientID(), scopes)
 if err != nil {
 return "", err
 }
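Review bot: `IDTokenRequest` is a new exported interface with no doc comment, and the `var acr, nonce string` block in `CreateIDToken` does not say why those two claims are fetched through a type assertion instead of being methods of the interface. Suggest `// IDTokenRequest is the request data needed to build an ID token; both AuthRequest and RefreshTokenRequest satisfy it.` above the type and `// ACR and nonce exist only on an AuthRequest; they are left empty when a refresh token is exchanged.` above the assertion, so a reader does not take the empty claims for an oversight. `CreateIDToken`'s body continues outside the hunk.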
diff --git a/pkg/op/token_code.go b/pkg/op/token_code.go
new file mode 100644
index 0000000..9aae67b
--- /dev/null
+++ b/pkg/op/token_code.go
@@ -0,0 +1,107 @@
+package op
+
+import (
+ "context"
+ "errors"
+ "net/http"
+
+ "github.com/caos/oidc/pkg/oidc"
+ "github.com/caos/oidc/pkg/utils"
+)
+
+//CodeExchange handles the OAuth 2.0 authorization_code grant, including
+//parsing, validating, authorizing the client and finally exchanging the code for tokens
+func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
+ tokenReq, err := ParseAccessTokenRequest(r, exchanger.Decoder())
+ if err != nil {
+ RequestError(w, r, err)
+ }
+ if tokenReq.Code == "" {
+ RequestError(w, r, ErrInvalidRequest("code missing"))
+ return
+ }
+ authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code, "")
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ utils.MarshalJSON(w, resp)
+}
+
+//ParseAccessTokenRequest parsed the http request into a oidc.AccessTokenRequest
+func ParseAccessTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.AccessTokenRequest, error) {
+ request := new(oidc.AccessTokenRequest)
+ err := ParseAuthenticatedTokenRequest(r, decoder, request)
+ if err != nil {
+ return nil, err
+ }
+ return request, nil
+}
+
+//ValidateAccessTokenRequest validates the token request parameters including authorization check of the client
+//and returns the previous created auth request corresponding to the auth code
+func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
+ authReq, client, err := AuthorizeCodeClient(ctx, tokenReq, exchanger)
+ if err != nil {
+ return nil, nil, err
+ }
+ if client.GetID() != authReq.GetClientID() {
+ return nil, nil, ErrInvalidRequest("invalid auth code")
+ }
+ if tokenReq.RedirectURI != authReq.GetRedirectURI() {
+ return nil, nil, ErrInvalidRequest("redirect_uri does not correspond")
+ }
+ return authReq, client, nil
+}
+
+//AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered.
+//It than returns the auth request corresponding to the auth code
+func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error) {
+ if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
+ jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
+ if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
+ return nil, nil, errors.New("auth_method private_key_jwt not supported")
+ }
+ client, err = AuthorizePrivateJWTKey(ctx, tokenReq.ClientAssertion, jwtExchanger)
+ if err != nil {
+ return nil, nil, err
+ }
+ request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
+ return request, client, err
+ }
+ client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
+ if err != nil {
+ return nil, nil, err
+ }
+ if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
+ return nil, nil, errors.New("invalid_grant")
+ }
+ if client.AuthMethod() == oidc.AuthMethodNone {
+ request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
+ if err != nil {
+ return nil, nil, err
+ }
+ err = AuthorizeCodeChallenge(tokenReq, request.GetCodeChallenge())
+ return request, client, err
+ }
+ if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
+ return nil, nil, errors.New("auth_method post not supported")
+ }
+ err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())
+ request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
+ return request, client, err
+}
+
+//AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error
+func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error) {
+ authReq, err := storage.AuthRequestByCode(ctx, code)
+ if err != nil {
+ return nil, ErrInvalidRequest("invalid code")
+ }
+ return authReq, nil
+}
diff --git a/pkg/op/token_exchange.go b/pkg/op/token_exchange.go
new file mode 100644
index 0000000..8d93e0c
--- /dev/null
+++ b/pkg/op/token_exchange.go
@@ -0,0 +1,30 @@
+package op
+
+import (
+ "errors"
+ "net/http"
+
+ "github.com/caos/oidc/pkg/oidc"
+)
+
+//TokenExchange will handle the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange")
+func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
+ tokenRequest, err := ParseTokenExchangeRequest(w, r)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ err = ValidateTokenExchangeRequest(tokenRequest, exchanger.Storage())
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+}
+
+func ParseTokenExchangeRequest(w http.ResponseWriter, r *http.Request) (oidc.TokenRequest, error) {
+ return nil, errors.New("Unimplemented") //TODO: impl
+}
+
+func ValidateTokenExchangeRequest(tokenReq oidc.TokenRequest, storage Storage) error {
+ return errors.New("Unimplemented") //TODO: impl
+}
diff --git a/pkg/op/token_jwt_profile.go b/pkg/op/token_jwt_profile.go
new file mode 100644
index 0000000..ac3e2a1
--- /dev/null
+++ b/pkg/op/token_jwt_profile.go
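Review bot: In `AuthorizeCodeClient` the result of `err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())` is never examined: the next statement `request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)` overwrites it, so as far as this hunk shows a confidential client whose secret check fails still completes the exchange whenever the code itself is valid. Inserting `if err != nil { return nil, nil, err }` between the two calls closes that, and the `AuthMethodNone` branch a few lines above already shows the intended shape. Separately, `CodeExchange` does not `return` after `RequestError(w, r, err)` when `ParseAccessTokenRequest` fails, so `tokenReq.Code` is read through a nil pointer and a second response is attempted on the same writer; `JWTProfile` in token_jwt_profile.go and `RefreshTokenExchange` in token_refresh.go carry the identical missing `return` after their parse step.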
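Review bot: `TokenExchange` writes nothing on its success path: once `ParseTokenExchangeRequest` and `ValidateTokenExchangeRequest` stop returning their `Unimplemented` error, a request that passes validation falls off the end of the handler with no body and no status, which a client will read as an empty 200. Until the grant is implemented the handler should end with an explicit error response or at least a `//TODO: create and write the token response` marker so the stub is not mistaken for a working endpoint. The two `errors.New("Unimplemented")` strings should also be lowercase per Go convention.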
@@ -0,0 +1,79 @@
+package op
+
+import (
+ "context"
+ "net/http"
+ "time"
+
+ "github.com/caos/oidc/pkg/oidc"
+ "github.com/caos/oidc/pkg/utils"
+)
+
+type JWTAuthorizationGrantExchanger interface {
+ Exchanger
+ JWTProfileVerifier() JWTProfileVerifier
+}
+
+//JWTProfile handles the OAuth 2.0 JWT Profile Authorization Grant https://tools.ietf.org/html/rfc7523#section-2.1
+func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger) {
+ profileRequest, err := ParseJWTProfileGrantRequest(r, exchanger.Decoder())
+ if err != nil {
+ RequestError(w, r, err)
+ }
+
+ tokenRequest, err := VerifyJWTAssertion(r.Context(), profileRequest.Assertion, exchanger.JWTProfileVerifier())
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+
+ tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ utils.MarshalJSON(w, resp)
+}
+
+func ParseJWTProfileGrantRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
+ err := r.ParseForm()
+ if err != nil {
+ return nil, ErrInvalidRequest("error parsing form")
+ }
+ tokenReq := new(oidc.JWTProfileGrantRequest)
+ err = decoder.Decode(tokenReq, r.Form)
+ if err != nil {
+ return nil, ErrInvalidRequest("error decoding form")
+ }
+ return tokenReq, nil
+}
+
+//CreateJWTTokenResponse creates
+func CreateJWTTokenResponse(ctx context.Context, tokenRequest TokenRequest, creator TokenCreator) (*oidc.AccessTokenResponse, error) {
+ id, exp, err := creator.Storage().CreateAccessToken(ctx, tokenRequest)
+ if err != nil {
+ return nil, err
+ }
+ accessToken, err := CreateBearerToken(id, tokenRequest.GetSubject(), creator.Crypto())
+ if err != nil {
+ return nil, err
+ }
+
+ return &oidc.AccessTokenResponse{
+ AccessToken: accessToken,
+ TokenType: oidc.BearerToken,
+ ExpiresIn: uint64(exp.Sub(time.Now().UTC()).Seconds()),
+ }, nil
+}
+
+//ParseJWTProfileRequest has been renamed to ParseJWTProfileGrantRequest
+//
+//deprecated: use ParseJWTProfileGrantRequest
+func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
+ return ParseJWTProfileGrantRequest(r, decoder)
+}
diff --git a/pkg/op/token_refresh.go b/pkg/op/token_refresh.go
new file mode 100644
index 0000000..3cb1b24
--- /dev/null
+++ b/pkg/op/token_refresh.go
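Review bot: The doc comment `//CreateJWTTokenResponse creates` stops mid-sentence; suggest `//CreateJWTTokenResponse creates the bearer access token response for a JWT profile grant: only access_token, token_type and expires_in are set, with the expiration taken from the storage's CreateAccessToken result`. The deprecation notice on `ParseJWTProfileRequest` is written as `//deprecated: use ParseJWTProfileGrantRequest`, which godoc and staticcheck do not recognise; the marker has to be `// Deprecated: use ParseJWTProfileGrantRequest instead.` with a capital D, in its own paragraph of the comment.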
@@ -0,0 +1,132 @@
+package op
+
+import (
+ "context"
+ "errors"
+ "net/http"
+ "time"
+
+ "github.com/caos/oidc/pkg/oidc"
+ "github.com/caos/oidc/pkg/utils"
+)
+
+type RefreshTokenRequest interface {
+ GetAMR() []string
+ GetAudience() []string
+ GetAuthTime() time.Time
+ GetClientID() string
+ GetScopes() []string
+ GetSubject() string
+ SetCurrentScopes(scopes oidc.Scopes)
+}
+
+//RefreshTokenExchange handles the OAuth 2.0 refresh_token grant, including
+//parsing, validating, authorizing the client and finally exchanging the refresh_token for new tokens
+func RefreshTokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
+ tokenReq, err := ParseRefreshTokenRequest(r, exchanger.Decoder())
+ if err != nil {
+ RequestError(w, r, err)
+ }
+ validatedRequest, client, err := ValidateRefreshTokenRequest(r.Context(), tokenReq, exchanger)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ resp, err := CreateTokenResponse(r.Context(), validatedRequest, client, exchanger, true, "", tokenReq.RefreshToken)
+ if err != nil {
+ RequestError(w, r, err)
+ return
+ }
+ utils.MarshalJSON(w, resp)
+}
+
+//ParseRefreshTokenRequest parsed the http request into a oidc.RefreshTokenRequest
+func ParseRefreshTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.RefreshTokenRequest, error) {
+ request := new(oidc.RefreshTokenRequest)
+ err := ParseAuthenticatedTokenRequest(r, decoder, request)
+ if err != nil {
+ return nil, err
+ }
+ return request, nil
+}
+
+//ValidateRefreshTokenRequest validates the refresh_token request parameters including authorization check of the client
+//and returns the data representing the original auth request corresponding to the refresh_token
+func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) {
+ if tokenReq.RefreshToken == "" {
+ return nil, nil, ErrInvalidRequest("code missing")
+ }
+ request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger)
+ if err != nil {
+ return nil, nil, err
+ }
+ if client.GetID() != request.GetClientID() {
+ return nil, nil, ErrInvalidRequest("invalid auth code")
+ }
+ if err = ValidateRefreshTokenScopes(tokenReq.Scopes, request); err != nil {
+ return nil, nil, err
+ }
+ return request, client, nil
+}
+
+//ValidateRefreshTokenScopes validates that requested scope is a subset of the original auth request scope
+//it will set the requested scopes as current scopes onto RefreshTokenRequest
+//if empty the original scopes will be used
+func ValidateRefreshTokenScopes(requestedScopes oidc.Scopes, authRequest RefreshTokenRequest) error {
+ if len(requestedScopes) == 0 {
+ return nil
+ }
+ for _, scope := range requestedScopes {
+ if !utils.Contains(authRequest.GetScopes(), scope) {
+ return errors.New("invalid_scope")
+ }
+ }
+ authRequest.SetCurrentScopes(requestedScopes)
+ return nil
+}
+
+//AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered.
+//It than returns the data representing the original auth request corresponding to the refresh_token
+func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (request RefreshTokenRequest, client Client, err error) {
+ if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
+ jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
+ if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
+ return nil, nil, errors.New("auth_method private_key_jwt not supported")
+ }
+ client, err = AuthorizePrivateJWTKey(ctx, tokenReq.ClientAssertion, jwtExchanger)
+ if err != nil {
+ return nil, nil, err
+ }
+ request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
+ return request, client, err
+ }
+ client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
+ if err != nil {
+ return nil, nil, err
+ }
+ if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
+ return nil, nil, errors.New("invalid_grant")
+ }
+ if client.AuthMethod() == oidc.AuthMethodNone {
+ request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
+ return request, client, err
+ }
+ if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
+ return nil, nil, errors.New("auth_method post not supported")
+ }
+ if err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage()); err != nil {
+ return nil, nil, err
+ }
+ request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
+ return request, client, err
+}
+
+//RefreshTokenRequestByRefreshToken returns the RefreshTokenRequest (data representing the original auth request)
+//corresponding to the refresh_token from Storage or an error
+func RefreshTokenRequestByRefreshToken(ctx context.Context, storage Storage, refreshToken string) (RefreshTokenRequest, error) {
+ request, err := storage.TokenRequestByRefreshToken(ctx, refreshToken)
+ if err != nil {
+ return nil, ErrInvalidRequest("invalid refreshToken")
+ }
+ return request, nil
+}
diff --git a/pkg/op/token_request.go b/pkg/op/token_request.go
new file mode 100644
index 0000000..f8148d7
--- /dev/null
+++ b/pkg/op/token_request.go
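Review bot: `RefreshTokenExchange` calls `RequestError(w, r, err)` when `ParseRefreshTokenRequest` fails but does not return, so `tokenReq` is nil when `ValidateRefreshTokenRequest` reads `tokenReq.RefreshToken` and a malformed form body becomes a nil-pointer panic instead of an `invalid_request` response; add `return` right after that `RequestError` call. In `AuthorizeRefreshClient`, the private_key_jwt branch resolves the client solely from the assertion's issuer and never checks it against a `client_id` the form may also carry, although RFC 7521 §4.2 requires the two to match; before the refresh-token lookup add `if tokenReq.ClientID != "" && tokenReq.ClientID != client.GetID() { return nil, nil, ErrInvalidRequest("invalid_client") }`. The error strings in `ValidateRefreshTokenRequest` were copied from the code flow (`"code missing"`, `"invalid auth code"`) and should read `"refresh_token missing"` and `"invalid refresh_token"`, and `ValidateRefreshTokenScopes` returns a bare `errors.New("invalid_scope")` where the rest of this file uses `ErrInvalidRequest`, which presumably skips whatever OAuth error mapping `RequestError` applies to the typed error. The doc comment on `AuthorizeRefreshClient` still names `AuthorizeCodeClient` and says "It than"; `//AuthorizeRefreshClient checks the authorization of the client and that the used method was the one previously registered.` fixes both.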
@@ -0,0 +1,121 @@
+package op
+
+import (
+ "context"
+ "net/http"
+ "net/url"
+
+ "github.com/caos/oidc/pkg/oidc"
+ "github.com/caos/oidc/pkg/utils"
+)
+
+type Exchanger interface {
+ Issuer() string
+ Storage() Storage
+ Decoder() utils.Decoder
+ Signer() Signer
+ Crypto() Crypto
+ AuthMethodPostSupported() bool
+ AuthMethodPrivateKeyJWTSupported() bool
+ GrantTypeTokenExchangeSupported() bool
+ GrantTypeJWTAuthorizationSupported() bool
+}
+
+func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
+ return func(w http.ResponseWriter, r *http.Request) {
+ switch r.FormValue("grant_type") {
+ case string(oidc.GrantTypeCode):
+ CodeExchange(w, r, exchanger)
+ return
+ case string(oidc.GrantTypeRefreshToken):
+ RefreshTokenExchange(w, r, exchanger)
+ return
+ case string(oidc.GrantTypeBearer):
+ if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
+ JWTProfile(w, r, ex)
+ return
+ }
+ case string(oidc.GrantTypeTokenExchange):
+ if exchanger.GrantTypeTokenExchangeSupported() {
+ TokenExchange(w, r, exchanger)
+ return
+ }
+ case "":
+ RequestError(w, r, ErrInvalidRequest("grant_type missing"))
+ return
+ }
+ RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
+ }
+}
+
+//authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
+//it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
+type AuthenticatedTokenRequest interface {
+ SetClientID(string)
+ SetClientSecret(string)
+}
+
+//ParseAuthenticatedTokenRequest parses the client_id and client_secret from the HTTP request from either
+//HTTP Basic Auth header or form body and sets them into the provided authenticatedTokenRequest interface
+func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, request AuthenticatedTokenRequest) error {
+ err := r.ParseForm()
+ if err != nil {
+ return ErrInvalidRequest("error parsing form")
+ }
+ err = decoder.Decode(request, r.Form)
+ if err != nil {
+ return ErrInvalidRequest("error decoding form")
+ }
+ clientID, clientSecret, ok := r.BasicAuth()
+ if ok {
+ clientID, err = url.QueryUnescape(clientID)
+ if err != nil {
+ return ErrInvalidRequest("invalid basic auth header")
+ }
+ clientSecret, err = url.QueryUnescape(clientSecret)
+ if err != nil {
+ return ErrInvalidRequest("invalid basic auth header")
+ }
+ request.SetClientID(clientID)
+ request.SetClientSecret(clientSecret)
+ }
+ return nil
+}
+
+//AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
+func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
+ err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
+ if err != nil {
+ return err //TODO: wrap?
+ }
+ return nil
+}
+
+//AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent
+//code_challenge of the auth request (PKCE)
+func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
+ if tokenReq.CodeVerifier == "" {
+ return ErrInvalidRequest("code_challenge required")
+ }
+ if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
+ return ErrInvalidRequest("code_challenge invalid")
+ }
+ return nil
+}
+
+//AuthorizePrivateJWTKey authorizes a client by validating the client_assertion's signature with a previously
+//registered public key (JWT Profile)
+func AuthorizePrivateJWTKey(ctx context.Context, clientAssertion string, exchanger JWTAuthorizationGrantExchanger) (Client, error) {
+ jwtReq, err := VerifyJWTAssertion(ctx, clientAssertion, exchanger.JWTProfileVerifier())
+ if err != nil {
+ return nil, err
+ }
+ client, err := exchanger.Storage().GetClientByClientID(ctx, jwtReq.Issuer)
+ if err != nil {
+ return nil, err
+ }
+ if client.AuthMethod() != oidc.AuthMethodPrivateKeyJWT {
+ return nil, ErrInvalidRequest("invalid_client")
+ }
+ return client, nil
+}
diff --git a/pkg/op/tokenrequest.go b/pkg/op/tokenrequest.go
deleted file mode 100644
index b51d2c8..0000000
--- a/pkg/op/tokenrequest.go
+++ /dev/null
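Review bot: `ParseAuthenticatedTokenRequest` lets an `Authorization: Basic` header silently overwrite a `client_id`/`client_secret` that the decoder already took from the form body, whereas RFC 6749 §2.3.1 forbids a client from using more than one authentication method in a request and expects the server to reject such a request; after `clientID, clientSecret, ok := r.BasicAuth()` add `if ok && r.Form.Get("client_secret") != "" { return ErrInvalidRequest("multiple client authentication methods") }` so the setters never run on a mixed request. `AuthorizeClientIDSecret` still returns the storage error unwrapped (the `//TODO: wrap?` survives the move), so whatever the storage layer reports about a wrong secret goes verbatim to `RequestError` instead of a uniform `invalid_client`; return `ErrInvalidRequest("invalid_client")` there unless the Storage contract already guarantees an OAuth error type. `tokenHandler` dispatches on `r.FormValue("grant_type")`, which also reads the query string and is reached for any HTTP method, so unless routing outside this file already restricts the token endpoint to POST (RFC 6749 §3.2) a `r.Method != http.MethodPost` guard belongs at the top of the returned handler. `AuthorizeCodeChallenge` reports `"code_challenge required"` when the parameter that is missing is `code_verifier`; `"code_verifier required"` is the message a client can act on.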
@@ -1,242 +0,0 @@
-package op
-
-import (
- "context"
- "errors"
- "net/http"
- "net/url"
-
- "github.com/caos/oidc/pkg/oidc"
- "github.com/caos/oidc/pkg/utils"
-)
-
-type Exchanger interface {
- Issuer() string
- Storage() Storage
- Decoder() utils.Decoder
- Signer() Signer
- Crypto() Crypto
- AuthMethodPostSupported() bool
- AuthMethodPrivateKeyJWTSupported() bool
- GrantTypeTokenExchangeSupported() bool
- GrantTypeJWTAuthorizationSupported() bool
-}
-
-type JWTAuthorizationGrantExchanger interface {
- Exchanger
- JWTProfileVerifier() JWTProfileVerifier
-}
-
-func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Request) {
- return func(w http.ResponseWriter, r *http.Request) {
- switch r.FormValue("grant_type") {
- case string(oidc.GrantTypeCode):
- CodeExchange(w, r, exchanger)
- return
- case string(oidc.GrantTypeBearer):
- if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
- JWTProfile(w, r, ex)
- return
- }
- case string(oidc.GrantTypeTokenExchange):
- if exchanger.GrantTypeTokenExchangeSupported() {
- TokenExchange(w, r, exchanger)
- return
- }
- case "":
- RequestError(w, r, ErrInvalidRequest("grant_type missing"))
- return
- }
- RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
- }
-}
-
-func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
- tokenReq, err := ParseAccessTokenRequest(r, exchanger.Decoder())
- if err != nil {
- RequestError(w, r, err)
- }
- if tokenReq.Code == "" {
- RequestError(w, r, ErrInvalidRequest("code missing"))
- return
- }
- authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
- if err != nil {
- RequestError(w, r, err)
- return
- }
- resp, err := CreateTokenResponse(r.Context(), authReq, client, exchanger, true, tokenReq.Code)
- if err != nil {
- RequestError(w, r, err)
- return
- }
- utils.MarshalJSON(w, resp)
-}
-
-func ParseAccessTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.AccessTokenRequest, error) {
- err := r.ParseForm()
- if err != nil {
- return nil, ErrInvalidRequest("error parsing form")
- }
- tokenReq := new(oidc.AccessTokenRequest)
- err = decoder.Decode(tokenReq, r.Form)
- if err != nil {
- return nil, ErrInvalidRequest("error decoding form")
- }
- clientID, clientSecret, ok := r.BasicAuth()
- if ok {
- tokenReq.ClientID, err = url.QueryUnescape(clientID)
- if err != nil {
- return nil, ErrInvalidRequest("invalid basic auth header")
- }
- tokenReq.ClientSecret, err = url.QueryUnescape(clientSecret)
- if err != nil {
- return nil, ErrInvalidRequest("invalid basic auth header")
- }
- }
- return tokenReq, nil
-}
-
-func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
- authReq, client, err := AuthorizeClient(ctx, tokenReq, exchanger)
- if err != nil {
- return nil, nil, err
- }
- if client.GetID() != authReq.GetClientID() {
- return nil, nil, ErrInvalidRequest("invalid auth code")
- }
- if tokenReq.RedirectURI != authReq.GetRedirectURI() {
- return nil, nil, ErrInvalidRequest("redirect_uri does no correspond")
- }
- return authReq, client, nil
-}
-
-func AuthorizeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, Client, error) {
- if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
- jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
- if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
- return nil, nil, errors.New("auth_method private_key_jwt not supported")
- }
- return AuthorizePrivateJWTKey(ctx, tokenReq, jwtExchanger)
- }
- client, err := exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
- if err != nil {
- return nil, nil, err
- }
- if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
- return nil, nil, errors.New("invalid_grant")
- }
- if client.AuthMethod() == oidc.AuthMethodNone {
- authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger)
- return authReq, client, err
- }
- if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
- return nil, nil, errors.New("auth_method post not supported")
- }
- authReq, err := AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, tokenReq.Code, exchanger.Storage())
- return authReq, client, err
-}
-
-func AuthorizePrivateJWTKey(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger JWTAuthorizationGrantExchanger) (AuthRequest, Client, error) {
- jwtReq, err := VerifyJWTAssertion(ctx, tokenReq.ClientAssertion, exchanger.JWTProfileVerifier())
- if err != nil {
- return nil, nil, err
- }
- authReq, err := exchanger.Storage().AuthRequestByCode(ctx, tokenReq.Code)
- if err != nil {
- return nil, nil, ErrInvalidRequest("invalid code")
- }
- client, err := exchanger.Storage().GetClientByClientID(ctx, jwtReq.Issuer)
- if err != nil {
- return nil, nil, err
- }
- if client.AuthMethod() != oidc.AuthMethodPrivateKeyJWT {
- return nil, nil, ErrInvalidRequest("invalid_client")
- }
- return authReq, client, nil
-}
-
-func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret, code string, storage Storage) (AuthRequest, error) {
- err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
- if err != nil {
- return nil, err
- }
- authReq, err := storage.AuthRequestByCode(ctx, code)
- if err != nil {
- return nil, ErrInvalidRequest("invalid code")
- }
- return authReq, nil
-}
-
-func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, error) {
- if tokenReq.CodeVerifier == "" {
- return nil, ErrInvalidRequest("code_challenge required")
- }
- authReq, err := exchanger.Storage().AuthRequestByCode(ctx, tokenReq.Code)
- if err != nil {
- return nil, ErrInvalidRequest("invalid code")
- }
- if !oidc.VerifyCodeChallenge(authReq.GetCodeChallenge(), tokenReq.CodeVerifier) {
- return nil, ErrInvalidRequest("code_challenge invalid")
- }
- return authReq, nil
-}
-
-func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger) {
- profileRequest, err := ParseJWTProfileRequest(r, exchanger.Decoder())
- if err != nil {
- RequestError(w, r, err)
- }
-
- tokenRequest, err := VerifyJWTAssertion(r.Context(), profileRequest.Assertion, exchanger.JWTProfileVerifier())
- if err != nil {
- RequestError(w, r, err)
- return
- }
-
- tokenRequest.Scopes, err = exchanger.Storage().ValidateJWTProfileScopes(r.Context(), tokenRequest.Issuer, profileRequest.Scope)
- if err != nil {
- RequestError(w, r, err)
- return
- }
- resp, err := CreateJWTTokenResponse(r.Context(), tokenRequest, exchanger)
- if err != nil {
- RequestError(w, r, err)
- return
- }
- utils.MarshalJSON(w, resp)
-}
-
-func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
- err := r.ParseForm()
- if err != nil {
- return nil, ErrInvalidRequest("error parsing form")
- }
- tokenReq := new(oidc.JWTProfileGrantRequest)
- err = decoder.Decode(tokenReq, r.Form)
- if err != nil {
- return nil, ErrInvalidRequest("error decoding form")
- }
- return tokenReq, nil
-}
-
-func TokenExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
- tokenRequest, err := ParseTokenExchangeRequest(w, r)
- if err != nil {
- RequestError(w, r, err)
- return
- }
- err = ValidateTokenExchangeRequest(tokenRequest, exchanger.Storage())
- if err != nil {
- RequestError(w, r, err)
- return
- }
-}
-
-func ParseTokenExchangeRequest(w http.ResponseWriter, r *http.Request) (oidc.TokenRequest, error) {
- return nil, errors.New("Unimplemented") //TODO: impl
-}
-
-func ValidateTokenExchangeRequest(tokenReq oidc.TokenRequest, storage Storage) error {
- return errors.New("Unimplemented") //TODO: impl
-}
diff --git a/pkg/op/verifier_jwt_profile.go b/pkg/op/verifier_jwt_profile.go
index 338e39a..f7939b5 100644
--- a/pkg/op/verifier_jwt_profile.go
+++ b/pkg/op/verifier_jwt_profile.go
@@ -23,6 +23,7 @@ type jwtProfileVerifier struct {
 offset time.Duration
 }
 
+//NewJWTProfileVerifier creates a oidc.Verifier for JWT Profile assertions (authorization grant and client authentication)
 func NewJWTProfileVerifier(storage Storage, issuer string, maxAgeIAT, offset time.Duration) JWTProfileVerifier {
 return &jwtProfileVerifier{
 storage: storage,
@@ -48,6 +49,9 @@ func (v *jwtProfileVerifier) Offset() time.Duration {
 return v.offset
 }
 
+//VerifyJWTAssertion verifies the assertion string from JWT Profile (authorization grant and client authentication)
+//
+//checks audience, exp, iat, signature and that issuer and sub are the same
 func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerifier) (*oidc.JWTTokenRequest, error) {
 request := new(oidc.JWTTokenRequest)
 payload, err := oidc.ParseToken(assertion, request)
@@ -85,6 +89,7 @@ type jwtProfileKeySet struct {
 userID string
 }
 
+//VerifySignature implements oidc.KeySet by getting the public key from Storage implementation
 func (k *jwtProfileKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
 keyID := ""
 for _, sig := range jws.Signatures {