cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/pkg/rp/resource_server.go
Livio Amstutz 138da8a208 introspect
2021-02-10 16:42:01 +01:00

184 lines
5.3 KiB
Go
Raw Blame History

package rp
import (
"context"
"errors"
"net/http"
"net/url"
"time"
"golang.org/x/oauth2"
"golang.org/x/oauth2/clientcredentials"
"github.com/caos/oidc/pkg/oidc"
"github.com/caos/oidc/pkg/utils"
)
type ResourceServer interface {
IntrospectionURL() string
HttpClient() *http.Client
AuthFn() interface{}
}
type resourceServer struct {
issuer string
tokenURL string
introspectURL string
httpClient *http.Client
authFn interface{}
}
type jwtAccessTokenSource struct {
clientID string
audience []string
PrivateKey []byte
PrivateKeyID string
}
func (j *jwtAccessTokenSource) Token() (*oauth2.Token, error) {
iat := time.Now()
exp := iat.Add(time.Hour)
assertion, err := GenerateJWTProfileToken(&oidc.JWTProfileAssertion{
PrivateKeyID: j.PrivateKeyID,
PrivateKey: j.PrivateKey,
Issuer: j.clientID,
Subject: j.clientID,
Audience: j.audience,
Expiration: oidc.Time(exp),
IssuedAt: oidc.Time(iat),
})
if err != nil {
return nil, err
}
return &oauth2.Token{AccessToken: assertion, TokenType: "Bearer", Expiry: exp}, nil
}
func (r *resourceServer) IntrospectionURL() string {
return r.introspectURL
}
func (r *resourceServer) HttpClient() *http.Client {
return r.httpClient
}
func (r *resourceServer) AuthFn() interface{} {
return r.authFn
}
func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option RSOption) (ResourceServer, error) {
authorizer := func(tokenURL string) func(context.Context) *http.Client {
return (&clientcredentials.Config{
ClientID: clientID,
ClientSecret: clientSecret,
TokenURL: tokenURL,
}).Client
}
return newResourceServer(issuer, authorizer, option)
}
func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...RSOption) (ResourceServer, error) {
ts := &jwtAccessTokenSource{
clientID: clientID,
PrivateKey: key,
PrivateKeyID: keyID,
audience: []string{issuer},
}
//authorizer := func(tokenURL string) func(context.Context) *http.Client {
// return func(ctx context.Context) *http.Client {
// return oauth2.NewClient(ctx, oauth2.ReuseTokenSource(token, ts))
// }
//}
authorizer := utils.FormAuthorization(func(values url.Values) {
token, err := ts.Token()
if err != nil {
//return nil, err
}
values.Set("client_assertion", token.AccessToken)
})
return newResourceServer(issuer, authorizer, options...)
}
//
//func newResourceServer(issuer string, authorizer func(tokenURL string) func(ctx context.Context) *http.Client, options ...RSOption) (*resourceServer, error) {
// rp := &resourceServer{
// issuer: issuer,
// httpClient: utils.DefaultHTTPClient,
// }
// for _, optFunc := range options {
// optFunc(rp)
// }
// if rp.introspectURL == "" || rp.tokenURL == "" {
// endpoints, err := Discover(rp.issuer, rp.httpClient)
// if err != nil {
// return nil, err
// }
// rp.tokenURL = endpoints.TokenURL
// rp.introspectURL = endpoints.IntrospectURL
// }
// if rp.introspectURL == "" || rp.tokenURL == "" {
// return nil, errors.New("introspectURL and/or tokenURL is empty: please provide with either `WithStaticEndpoints` or a discovery url")
// }
// //rp.httpClient = authorizer(rp.tokenURL)(context.WithValue(context.Background(), oauth2.HTTPClient, rp.HttpClient()))
// return rp, nil
//}
func newResourceServer(issuer string, authorizer interface{}, options ...RSOption) (*resourceServer, error) {
rp := &resourceServer{
issuer: issuer,
httpClient: utils.DefaultHTTPClient,
}
for _, optFunc := range options {
optFunc(rp)
}
if rp.introspectURL == "" || rp.tokenURL == "" {
endpoints, err := Discover(rp.issuer, rp.httpClient)
if err != nil {
return nil, err
}
rp.tokenURL = endpoints.TokenURL
rp.introspectURL = endpoints.IntrospectURL
}
if rp.introspectURL == "" || rp.tokenURL == "" {
return nil, errors.New("introspectURL and/or tokenURL is empty: please provide with either `WithStaticEndpoints` or a discovery url")
}
//rp.httpClient = authorizer(rp.tokenURL)(context.WithValue(context.Background(), oauth2.HTTPClient, rp.HttpClient()))
rp.authFn = authorizer
return rp, nil
}
func NewResourceServerFromKeyFile(path string, options ...RSOption) (ResourceServer, error) {
c, err := ConfigFromKeyFile(path)
if err != nil {
return nil, err
}
c.Issuer = "http://localhost:50002/oauth/v2"
return NewResourceServerJWTProfile(c.Issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
}
type RSOption func(*resourceServer)
//WithClient provides the ability to set an http client to be used for the resource server
func WithClient(client *http.Client) RSOption {
return func(server *resourceServer) {
server.httpClient = client
}
}
//WithStaticEndpoints provides the ability to set static token and introspect URL
func WithStaticEndpoints(tokenURL, introspectURL string) RSOption {
return func(server *resourceServer) {
server.tokenURL = tokenURL
server.introspectURL = introspectURL
}
}
func Introspect(ctx context.Context, rp ResourceServer, token string) (oidc.IntrospectionResponse, error) {
req, err := utils.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, encoder, rp.AuthFn())
if err != nil {
return nil, err
}
resp := oidc.NewIntrospectionResponse()
if err := utils.HttpRequest(rp.HttpClient(), req, resp); err != nil {
return nil, err
}
return resp, nil
}
Reference in a new issue View git blame Copy permalink