diff --git a/example/internal/mock/storage.go b/example/internal/mock/storage.go
index aee9802..52a3b07 100644
--- a/example/internal/mock/storage.go
+++ b/example/internal/mock/storage.go
@@ -284,6 +284,14 @@ func (c *ConfClient) AllowedScopes() []string {
 return nil
 }
+//
+//func (c *ConfClient) AssertAdditionalIdTokenScopes() bool {
+// return false
+//}
+//func (c *ConfClient) AssertAdditionalAccessTokenScopes() bool {
+// return false
+//}
+
 func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
 return func(scopes []string) []string {
 return scopes
diff --git a/pkg/op/client.go b/pkg/op/client.go
index ceca8b0..2ef2ca5 100644
--- a/pkg/op/client.go
+++ b/pkg/op/client.go
@@ -34,6 +34,8 @@ type Client interface {
 AccessTokenType() AccessTokenType
 IDTokenLifetime() time.Duration
 DevMode() bool
+ //AssertAdditionalIdTokenScopes() bool
+ //AssertAdditionalAccessTokenScopes() bool
 RestrictAdditionalIdTokenScopes() func(scopes []string) []string
 RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
 IsScopeAllowed(scope string) bool
diff --git a/pkg/op/mock/storage.mock.impl.go b/pkg/op/mock/storage.mock.impl.go
index 92d5ad7..bbd510f 100644
--- a/pkg/op/mock/storage.mock.impl.go
+++ b/pkg/op/mock/storage.mock.impl.go
@@ -171,6 +171,13 @@ func (c *ConfClient) DevMode() bool {
 func (c *ConfClient) AllowedScopes() []string {
 return nil
 }
+
+//func (c *ConfClient) AssertAdditionalIdTokenScopes() bool {
+// return false
+//}
+//func (c *ConfClient) AssertAdditionalAccessTokenScopes() bool {
+// return false
+//}
 func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
 return func(scopes []string) []string {
 return scopes
diff --git a/pkg/op/token.go b/pkg/op/token.go
index aff5bcb..c273483 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
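Review bot: The eight added lines in example/internal/mock/storage.go are commented-out code (`//func (c *ConfClient) AssertAdditionalIdTokenScopes() bool { ... }` and its AccessToken twin) plus a lone `//` and a trailing blank line; they document nothing, and since the `RestrictAdditional*Scopes` methods directly below are the replacement, git history already preserves the old form, so the block should be deleted rather than kept. The same commented-out pair is added in pkg/op/mock/storage.mock.impl.go, the matching interface methods in pkg/op/client.go are likewise added as `//Assert...` comments, and every hunk of pkg/op/token.go carries the old call sites and signature as comments. If the point is to record that the boolean-assert API was superseded, a doc comment on the interface methods does that without dead code, e.g. `// RestrictAdditionalIdTokenScopes returns a filter applied to the requested scopes before ID token userinfo claims are loaded.` and `// RestrictAdditionalAccessTokenScopes returns a filter applied to the requested scopes before access token private claims are loaded.` in place of the two commented lines in client.go.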
@@ -31,6 +31,7 @@ func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client
 return nil, err
 }
 }
+ //idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client.AssertAdditionalIdTokenScopes())
 idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client.RestrictAdditionalIdTokenScopes())
 if err != nil {
 return nil, err
@@ -87,6 +88,8 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 if client != nil {
 restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
 privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))
+ //if client != nil && client.AssertAdditionalAccessTokenScopes() {
+ // privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(tokenRequest.GetScopes()))
 if err != nil {
 return "", err
 }
@@ -95,6 +98,7 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
 return utils.Sign(claims, signer.Signer())
 }
+//func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, additonalScopes bool) (string, error) {
 func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, restictAdditionalScopesFunc func([]string) []string) (string, error) {
 exp := time.Now().UTC().Add(validity)
 claims := oidc.NewIDTokenClaims(issuer, authReq.GetSubject(), authReq.GetAudience(), exp, authReq.GetAuthTime(), authReq.GetNonce(), authReq.GetACR(), authReq.GetAMR(), authReq.GetClientID())
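Review bot: In the second hunk of pkg/op/token.go, the two commented-out lines added after the `privateClaims` call pass `tokenRequest.GetScopes()` straight into `storage.GetPrivateClaimsFromScopes`, bypassing the `RestrictAdditionalAccessTokenScopes` filter that the live line above applies via `restrictedScopes`; leaving that as a ready-to-uncomment block is a trap, because restoring it would put the client's unfiltered requested scopes into the access token's private claims. The block also calls `client.AssertAdditionalAccessTokenScopes()`, which this same commit leaves commented out on the `Client` interface, so it could not compile as written, and a `privateClaims, err :=` inside a new `if` body would presumably shadow the outer variables rather than assign them — worth confirming before anyone revives it. Delete the two lines; `CreateJWT` starts and continues outside this hunk.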
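Review bot: In the third hunk of pkg/op/token.go, `CreateIDToken` is exported but has no doc comment, and the line added directly above it is its old signature commented out rather than documentation. Replace that line with something like `// CreateIDToken builds and signs the ID token for authReq; restictAdditionalScopesFunc is applied to the requested scopes before userinfo claims are loaded from storage.`. The parameter name `restictAdditionalScopesFunc` on the unchanged signature line is missing an `r` (restrict); it is context here, but touching the line above is the natural moment to rename it. The function body continues past the end of this hunk.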
@@ -109,7 +113,9 @@ func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, vali
 scopes = removeUserinfoScopes(scopes)
 }
 scopes = restictAdditionalScopesFunc(scopes)
-
+//if !additonalScopes {
+ // scopes = removeAdditionalScopes(scopes)
+ //}
 if len(scopes) > 0 {
 userInfo, err := storage.GetUserinfoFromScopes(ctx, authReq.GetSubject(), authReq.GetClientID(), scopes)
 if err != nil {
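Review bot: The three added lines are the old boolean-gated `removeAdditionalScopes` call kept as a comment, and they replace the blank line that separated `scopes = restictAdditionalScopesFunc(scopes)` from the `if len(scopes) > 0 {` block; neither `additonalScopes` nor `removeAdditionalScopes` appears on the new side of this diff, so the block gives a reader nothing to act on. Drop the three lines and restore the blank line. On the adjacent unchanged line, `restictAdditionalScopesFunc` is invoked without a nil check, so a `Client` whose `RestrictAdditionalIdTokenScopes` returns nil would panic during token issuance; that is the fail-closed outcome, and if a guard is ever added it should return an error rather than fall through with the unfiltered `scopes` into `storage.GetUserinfoFromScopes`. `CreateIDToken` starts outside this hunk.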