improve userinfo token handling
This commit is contained in:
Livio Amstutz
parent
8be8306511
commit
d89470a33f
2 changed files with 28 additions and 10 deletions
|
|
@ -24,6 +24,7 @@ type Tokens struct {
|
|||
|
||||
type AccessTokenClaims interface {
|
||||
Claims
|
||||
GetSubject() string
|
||||
GetTokenID() string
|
||||
SetPrivateClaims(map[string]interface{})
|
||||
}
|
||||
|
|
@ -128,6 +129,11 @@ func (a *accessTokenClaims) SetSignatureAlgorithm(algorithm jose.SignatureAlgori
|
|||
a.signatureAlg = algorithm
|
||||
}
|
||||
|
||||
//GetSubject implements the AccessTokenClaims interface
|
||||
func (a *accessTokenClaims) GetSubject() string {
|
||||
return a.Subject
|
||||
}
|
||||
|
||||
//GetTokenID implements the AccessTokenClaims interface
|
||||
func (a *accessTokenClaims) GetTokenID() string {
|
||||
return a.JWTID
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
package op
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
|
@ -28,17 +29,12 @@ func Userinfo(w http.ResponseWriter, r *http.Request, userinfoProvider UserinfoP
|
|||
http.Error(w, "access token missing", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
|
||||
if err != nil {
|
||||
accessTokenClaims, err := VerifyAccessToken(r.Context(), accessToken, userinfoProvider.AccessTokenVerifier())
|
||||
if err != nil {
|
||||
tokenID, subject, ok := getTokenIDAndSubject(r.Context(), userinfoProvider, accessToken)
|
||||
if !ok {
|
||||
http.Error(w, "access token invalid", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
tokenID = accessTokenClaims.GetTokenID()
|
||||
}
|
||||
splittedToken := strings.Split(tokenIDSubject, ":")
|
||||
info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), splittedToken[0], splittedToken[1], r.Header.Get("origin"))
|
||||
info, err := userinfoProvider.Storage().GetUserinfoFromToken(r.Context(), tokenID, subject, r.Header.Get("origin"))
|
||||
if err != nil {
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
utils.MarshalJSON(w, err)
|
||||
|
|
@ -67,3 +63,19 @@ func getAccessToken(r *http.Request, decoder utils.Decoder) (string, error) {
|
|||
}
|
||||
return req.AccessToken, nil
|
||||
}
|
||||
|
||||
func getTokenIDAndSubject(ctx context.Context, userinfoProvider UserinfoProvider, accessToken string) (string, string, bool) {
|
||||
tokenIDSubject, err := userinfoProvider.Crypto().Decrypt(accessToken)
|
||||
if err == nil {
|
||||
splittedToken := strings.Split(tokenIDSubject, ":")
|
||||
if len(splittedToken) != 2 {
|
||||
return "", "", false
|
||||
}
|
||||
return splittedToken[0], splittedToken[1], true
|
||||
}
|
||||
accessTokenClaims, err := VerifyAccessToken(ctx, accessToken, userinfoProvider.AccessTokenVerifier())
|
||||
if err != nil {
|
||||
return "", "", false
|
||||
}
|
||||
return accessTokenClaims.GetTokenID(), accessTokenClaims.GetSubject(), true
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue