cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

improve userinfo token handling

Browse source
This commit is contained in:
Livio Amstutz 2020-10-15 12:39:07 +02:00
parent 8be8306511
commit d89470a33f
2 changed files with 28 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
pkg/oidc/token.go
View file

@ -24,6 +24,7 @@ type Tokens struct {
type AccessTokenClaims interface { type AccessTokenClaims interface {
Claims Claims
GetSubject() string
GetTokenID() string GetTokenID() string
SetPrivateClaims(map[string]interface{}) SetPrivateClaims(map[string]interface{})
} }
@ -128,6 +129,11 @@ func (a *accessTokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgori
a.signatureAlg = algorithm a.signatureAlg = algorithm
} }
//GetSubject implements the AccessTokenClaims interface
func (a *accessTokenClaims) GetSubject() string {
return a.Subject
}
//GetTokenID implements the AccessTokenClaims interface //GetTokenID implements the AccessTokenClaims interface
func (a *accessTokenClaims) GetTokenID() string { func (a *accessTokenClaims) GetTokenID() string {
return a.JWTID return a.JWTID

32
pkg/op/userinfo.go
View file

@ -1,6 +1,7 @@
package op package op
import ( import (
"context"
"errors" "errors"
"net/http" "net/http"
"strings" "strings"
@ -28,17 +29,12 @@ func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoP
http.Error(w, "access token missing", http.StatusUnauthorized) http.Error(w, "access token missing", http.StatusUnauthorized)
return return
} }
tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken) tokenID, subject, ok := getTokenIDAndSubject(r.Context(), userinfoProvider, accessToken)
if err != nil { if !ok {
accessTokenClaims, err := VerifyAccessToken(r.Context(), accessToken, userinfoProvider.AccessTokenVerifier()) http.Error(w, "access token invalid", http.StatusUnauthorized)
if err != nil { return
http.Error(w, "access token invalid", http.StatusUnauthorized)
return
}
tokenID = accessTokenClaims.GetTokenID()
} }
splittedToken := strings.Split(tokenIDSubject, ":") info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID, subject, r.Header.Get("origin"))
info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), splittedToken[0], splittedToken[1], r.Header.Get("origin"))
if err != nil { if err != nil {
w.WriteHeader(http.StatusForbidden) w.WriteHeader(http.StatusForbidden)
utils.MarshalJSON(w, err) utils.MarshalJSON(w, err)
@ -67,3 +63,19 @@ func getAccessToken(r *http.Request, decoder utils.Decoder) (string, error) {
} }
return req.AccessToken, nil return req.AccessToken, nil
} }
func getTokenIDAndSubject(ctx context.Context, userinfoProvider UserinfoProvider, accessToken string) (string, string, bool) {
tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
if err == nil {
splittedToken := strings.Split(tokenIDSubject, ":")
if len(splittedToken) != 2 {
return "", "", false
}
return splittedToken[0], splittedToken[1], true
}
accessTokenClaims, err := VerifyAccessToken(ctx, accessToken, userinfoProvider.AccessTokenVerifier())
if err != nil {
return "", "", false
}
return accessTokenClaims.GetTokenID(), accessTokenClaims.GetSubject(), true
}