fix: restrict additional scopes

This commit is contained in:
Fabiennne 2020-11-02 09:51:45 +01:00
parent 6ba72be7ea
commit f48d6f8361
4 changed files with 24 additions and 1 deletions


@ -284,6 +284,14 @@ func (c *ConfClient) AllowedScopes() []string {
return nil return nil
} }
//
//func (c *ConfClient) AssertAdditionalIdTokenScopes() bool {
// return false
//}
//func (c *ConfClient) AssertAdditionalAccessTokenScopes() bool {
// return false
//}
func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string { func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string { return func(scopes []string) []string {
return scopes return scopes


@ -34,6 +34,8 @@ type Client interface {
AccessTokenType() AccessTokenType AccessTokenType() AccessTokenType
IDTokenLifetime() time.Duration IDTokenLifetime() time.Duration
DevMode() bool DevMode() bool
//AssertAdditionalIdTokenScopes() bool
//AssertAdditionalAccessTokenScopes() bool
RestrictAdditionalIdTokenScopes() func(scopes []string) []string RestrictAdditionalIdTokenScopes() func(scopes []string) []string
RestrictAdditionalAccessTokenScopes() func(scopes []string) []string RestrictAdditionalAccessTokenScopes() func(scopes []string) []string
IsScopeAllowed(scope string) bool IsScopeAllowed(scope string) bool
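Review bot: The two lines added to the Client interface, `//AssertAdditionalIdTokenScopes() bool` and `//AssertAdditionalAccessTokenScopes() bool`, are commented-out declarations rather than code; since the commit replaces them with the Restrict* methods, they should be deleted outright — version control already preserves the old signatures, and commented-out members in an interface tend to be misread as part of the contract. The same pattern appears in the two ConfClient implementations (the commented-out Assert* methods) and in the token creation file (the old CreateIDToken signature and the `//if !additonalScopes {` block). While touching the interface, the two Restrict* methods could carry a doc comment stating the contract the callers rely on, e.g. `// RestrictAdditionalIdTokenScopes returns a filter applied to the requested scopes before ID token claims are resolved; returning the input unchanged imposes no restriction.` — with the caveat that implementations must return a non-nil func, because the call sites invoke the result directly.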


@ -171,6 +171,13 @@ func (c *ConfClient) DevMode() bool {
func (c *ConfClient) AllowedScopes() []string { func (c *ConfClient) AllowedScopes() []string {
return nil return nil
} }
//func (c *ConfClient) AssertAdditionalIdTokenScopes() bool {
// return false
//}
//func (c *ConfClient) AssertAdditionalAccessTokenScopes() bool {
// return false
//}
func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string { func (c *ConfClient) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string { return func(scopes []string) []string {
return scopes return scopes


@ -31,6 +31,7 @@ func CreateTokenResponse(ctx context.Context, authReq AuthRequest, client Client
return nil, err return nil, err
} }
} }
//idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client.AssertAdditionalIdTokenScopes())
idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client.RestrictAdditionalIdTokenScopes()) idToken, err := CreateIDToken(ctx, creator.Issuer(), authReq, client.IDTokenLifetime(), accessToken, code, creator.Storage(), creator.Signer(), client.RestrictAdditionalIdTokenScopes())
if err != nil { if err != nil {
return nil, err return nil, err
@ -87,6 +88,8 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
if client != nil { if client != nil {
restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes()) restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes)) privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))
//if client != nil && client.AssertAdditionalAccessTokenScopes() {
// privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(tokenRequest.GetScopes()))
if err != nil { if err != nil {
return "", err return "", err
} }
@ -95,6 +98,7 @@ func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, ex
return utils.Sign(claims, signer.Signer()) return utils.Sign(claims, signer.Signer())
} }
//func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, additonalScopes bool) (string, error) {
func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, restictAdditionalScopesFunc func([]string) []string) (string, error) { func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, validity time.Duration, accessToken, code string, storage Storage, signer Signer, restictAdditionalScopesFunc func([]string) []string) (string, error) {
exp := time.Now().UTC().Add(validity) exp := time.Now().UTC().Add(validity)
claims := oidc.NewIDTokenClaims(issuer, authReq.GetSubject(), authReq.GetAudience(), exp, authReq.GetAuthTime(), authReq.GetNonce(), authReq.GetACR(), authReq.GetAMR(), authReq.GetClientID()) claims := oidc.NewIDTokenClaims(issuer, authReq.GetSubject(), authReq.GetAudience(), exp, authReq.GetAuthTime(), authReq.GetNonce(), authReq.GetACR(), authReq.GetAMR(), authReq.GetClientID())
@ -109,7 +113,9 @@ func CreateIDToken(ctx context.Context, issuer string, authReq AuthRequest, vali
scopes = removeUserinfoScopes(scopes) scopes = removeUserinfoScopes(scopes)
} }
scopes = restictAdditionalScopesFunc(scopes) scopes = restictAdditionalScopesFunc(scopes)
//if !additonalScopes {
// scopes = removeAdditionalScopes(scopes)
//}
if len(scopes) > 0 { if len(scopes) > 0 {
userInfo, err := storage.GetUserinfoFromScopes(ctx, authReq.GetSubject(), authReq.GetClientID(), scopes) userInfo, err := storage.GetUserinfoFromScopes(ctx, authReq.GetSubject(), authReq.GetClientID(), scopes)
if err != nil { if err != nil {