dea8bc96ea
* oidc: add regression tests for token claim json this helps to verify that the same JSON is produced, after these types are refactored. * refactor: use struct types for claim related types BREAKING CHANGE: The following types are changed from interface to struct type: - AccessTokenClaims - IDTokenClaims - IntrospectionResponse - UserInfo and related types. The following methods of OPStorage now take a pointer to a struct type, instead of an interface: - SetUserinfoFromScopes - SetUserinfoFromToken - SetIntrospectionFromToken The following functions are now generic, so that type-safe extension of Claims is now possible: - op.VerifyIDTokenHint - op.VerifyAccessToken - rp.VerifyTokens - rp.VerifyIDToken - Changed UserInfoAddress to pointer in UserInfo and IntrospectionResponse. This was needed to make omitempty work correctly. - Copy or merge maps in IntrospectionResponse and SetUserInfo * op: add example for VerifyAccessToken * fix: rp: wrong assignment in WithIssuedAtMaxAge WithIssuedAtMaxAge assigned its value to v.maxAge, which was wrong. This change fixes that by assiging the duration to v.maxAgeIAT. * rp: add VerifyTokens example * oidc: add standard references to: - IDTokenClaims - IntrospectionResponse - UserInfo * only count coverage for `./pkg/...`
129 lines
3.6 KiB
Go
129 lines
3.6 KiB
Go
package rs
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/zitadel/oidc/v2/pkg/client"
|
|
httphelper "github.com/zitadel/oidc/v2/pkg/http"
|
|
"github.com/zitadel/oidc/v2/pkg/oidc"
|
|
)
|
|
|
|
type ResourceServer interface {
|
|
IntrospectionURL() string
|
|
TokenEndpoint() string
|
|
HttpClient() *http.Client
|
|
AuthFn() (interface{}, error)
|
|
}
|
|
|
|
type resourceServer struct {
|
|
issuer string
|
|
tokenURL string
|
|
introspectURL string
|
|
httpClient *http.Client
|
|
authFn func() (interface{}, error)
|
|
}
|
|
|
|
func (r *resourceServer) IntrospectionURL() string {
|
|
return r.introspectURL
|
|
}
|
|
|
|
func (r *resourceServer) TokenEndpoint() string {
|
|
return r.tokenURL
|
|
}
|
|
|
|
func (r *resourceServer) HttpClient() *http.Client {
|
|
return r.httpClient
|
|
}
|
|
|
|
func (r *resourceServer) AuthFn() (interface{}, error) {
|
|
return r.authFn()
|
|
}
|
|
|
|
func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
|
|
authorizer := func() (interface{}, error) {
|
|
return httphelper.AuthorizeBasic(clientID, clientSecret), nil
|
|
}
|
|
return newResourceServer(issuer, authorizer, option...)
|
|
}
|
|
|
|
func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
|
|
signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
authorizer := func() (interface{}, error) {
|
|
assertion, err := client.SignedJWTProfileAssertion(clientID, []string{issuer}, time.Hour, signer)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return client.ClientAssertionFormAuthorization(assertion), nil
|
|
}
|
|
return newResourceServer(issuer, authorizer, options...)
|
|
}
|
|
|
|
func newResourceServer(issuer string, authorizer func() (interface{}, error), options ...Option) (*resourceServer, error) {
|
|
rs := &resourceServer{
|
|
issuer: issuer,
|
|
httpClient: httphelper.DefaultHTTPClient,
|
|
}
|
|
for _, optFunc := range options {
|
|
optFunc(rs)
|
|
}
|
|
if rs.introspectURL == "" || rs.tokenURL == "" {
|
|
config, err := client.Discover(rs.issuer, rs.httpClient)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
rs.tokenURL = config.TokenEndpoint
|
|
rs.introspectURL = config.IntrospectionEndpoint
|
|
}
|
|
if rs.introspectURL == "" || rs.tokenURL == "" {
|
|
return nil, errors.New("introspectURL and/or tokenURL is empty: please provide with either `WithStaticEndpoints` or a discovery url")
|
|
}
|
|
rs.authFn = authorizer
|
|
return rs, nil
|
|
}
|
|
|
|
func NewResourceServerFromKeyFile(issuer, path string, options ...Option) (ResourceServer, error) {
|
|
c, err := client.ConfigFromKeyFile(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return NewResourceServerJWTProfile(issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
|
|
}
|
|
|
|
type Option func(*resourceServer)
|
|
|
|
// WithClient provides the ability to set an http client to be used for the resource server
|
|
func WithClient(client *http.Client) Option {
|
|
return func(server *resourceServer) {
|
|
server.httpClient = client
|
|
}
|
|
}
|
|
|
|
// WithStaticEndpoints provides the ability to set static token and introspect URL
|
|
func WithStaticEndpoints(tokenURL, introspectURL string) Option {
|
|
return func(server *resourceServer) {
|
|
server.tokenURL = tokenURL
|
|
server.introspectURL = introspectURL
|
|
}
|
|
}
|
|
|
|
func Introspect(ctx context.Context, rp ResourceServer, token string) (*oidc.IntrospectionResponse, error) {
|
|
authFn, err := rp.AuthFn()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req, err := httphelper.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
resp := new(oidc.IntrospectionResponse)
|
|
if err := httphelper.HttpRequest(rp.HttpClient(), req, resp); err != nil {
|
|
return nil, err
|
|
}
|
|
return resp, nil
|
|
}
|