feat: Token Revocation, Request Object and OP Certification (#130)

FEATURES (and FIXES): - support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009) - handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) - handle response mode - added some information to the discovery endpoint: - revocation_endpoint (added with token revocation) - revocation_endpoint_auth_methods_supported (added with token revocation) - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation) - token_endpoint_auth_signing_alg_values_supported (was missing) - introspection_endpoint_auth_signing_alg_values_supported (was missing) - request_object_signing_alg_values_supported (added with request object) - request_parameter_supported (added with request object) - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171) - improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`) - improved MarshalJSON and added MarshalJSONWithStatus - removed deprecated PEM decryption from `BytesToPrivateKey` [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19) - NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52) BREAKING CHANGE: - move functions from `utils` package into separate packages - added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32) - added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391) - remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
2021-11-02 13:21:35 +01:00 · 2021-11-02 13:21:35 +01:00 · eb10752e48
commit eb10752e48
parent 763d3334e7
63 changed files with 1738 additions and 624 deletions
--- a/pkg/oidc/error.go
+++ b/pkg/oidc/error.go
@ -0,0 +1,139 @@
+package oidc
+
+import (
+	"errors"
+	"fmt"
+)
+
+type errorType string
+
+const (
+	InvalidRequest       errorType = "invalid_request"
+	InvalidScope         errorType = "invalid_scope"
+	InvalidClient        errorType = "invalid_client"
+	InvalidGrant         errorType = "invalid_grant"
+	UnauthorizedClient   errorType = "unauthorized_client"
+	UnsupportedGrantType errorType = "unsupported_grant_type"
+	ServerError          errorType = "server_error"
+	InteractionRequired  errorType = "interaction_required"
+	LoginRequired        errorType = "login_required"
+	RequestNotSupported  errorType = "request_not_supported"
+)
+
+var (
+	ErrInvalidRequest = func() *Error {
+		return &Error{
+			ErrorType: InvalidRequest,
+		}
+	}
+	ErrInvalidRequestRedirectURI = func() *Error {
+		return &Error{
+			ErrorType:        InvalidRequest,
+			redirectDisabled: true,
+		}
+	}
+	ErrInvalidScope = func() *Error {
+		return &Error{
+			ErrorType: InvalidScope,
+		}
+	}
+	ErrInvalidClient = func() *Error {
+		return &Error{
+			ErrorType: InvalidClient,
+		}
+	}
+	ErrInvalidGrant = func() *Error {
+		return &Error{
+			ErrorType: InvalidGrant,
+		}
+	}
+	ErrUnauthorizedClient = func() *Error {
+		return &Error{
+			ErrorType: UnauthorizedClient,
+		}
+	}
+	ErrUnsupportedGrantType = func() *Error {
+		return &Error{
+			ErrorType: UnsupportedGrantType,
+		}
+	}
+	ErrServerError = func() *Error {
+		return &Error{
+			ErrorType: ServerError,
+		}
+	}
+	ErrInteractionRequired = func() *Error {
+		return &Error{
+			ErrorType: InteractionRequired,
+		}
+	}
+	ErrLoginRequired = func() *Error {
+		return &Error{
+			ErrorType: LoginRequired,
+		}
+	}
+	ErrRequestNotSupported = func() *Error {
+		return &Error{
+			ErrorType: RequestNotSupported,
+		}
+	}
+)
+
+type Error struct {
+	Parent           error     `json:"-" schema:"-"`
+	ErrorType        errorType `json:"error" schema:"error"`
+	Description      string    `json:"error_description,omitempty" schema:"error_description,omitempty"`
+	State            string    `json:"state,omitempty" schema:"state,omitempty"`
+	redirectDisabled bool      `schema:"-"`
+}
+
+func (e *Error) Error() string {
+	message := "ErrorType=" + string(e.ErrorType)
+	if e.Description != "" {
+		message += " Description=" + e.Description
+	}
+	if e.Parent != nil {
+		message += " Parent=" + e.Parent.Error()
+	}
+	return message
+}
+
+func (e *Error) Unwrap() error {
+	return e.Parent
+}
+
+func (e *Error) Is(target error) bool {
+	t, ok := target.(*Error)
+	if !ok {
+		return false
+	}
+	return e.ErrorType == t.ErrorType &&
+		(e.Description == t.Description || t.Description == "") &&
+		(e.State == t.State || t.State == "")
+}
+
+func (e *Error) WithParent(err error) *Error {
+	e.Parent = err
+	return e
+}
+
+func (e *Error) WithDescription(desc string, args ...interface{}) *Error {
+	e.Description = fmt.Sprintf(desc, args...)
+	return e
+}
+
+func (e *Error) IsRedirectDisabled() bool {
+	return e.redirectDisabled
+}
+
+// DefaultToServerError checks if the error is an Error
+// if not the provided error will be wrapped into a ServerError
+func DefaultToServerError(err error, description string) *Error {
+	oauth := new(Error)
+	if ok := errors.As(err, &oauth); !ok {
+		oauth.ErrorType = ServerError
+		oauth.Description = description
+		oauth.Parent = err
+	}
+	return oauth
+}