authelia/internal/handlers/handler_oidc_token.go

package handlers

import (
	"net/http"

	"github.com/ory/fosite"

	"github.com/authelia/authelia/internal/middlewares"
)

func oidcToken(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
	oidcSession := newOpenIDSession("")

	accessRequest, accessReqErr := ctx.Providers.OpenIDConnect.Fosite.NewAccessRequest(ctx, req, oidcSession)
	if accessReqErr != nil {
		ctx.Logger.Errorf("Error occurred in NewAccessRequest: %+v", accessRequest)
		ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, accessReqErr)

		return
	}

	// If this is a client_credentials grant, grant all scopes the client is allowed to perform.
	if accessRequest.GetGrantTypes().ExactOne("client_credentials") {
		for _, scope := range accessRequest.GetRequestedScopes() {
			if fosite.HierarchicScopeStrategy(accessRequest.GetClient().GetScopes(), scope) {
				accessRequest.GrantScope(scope)
			}
		}
	}

	response, err := ctx.Providers.OpenIDConnect.Fosite.NewAccessResponse(ctx, accessRequest)
	if err != nil {
		ctx.Logger.Errorf("Error occurred in NewAccessResponse: %+v", err)
		ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, err)

		return
	}

	ctx.Providers.OpenIDConnect.Fosite.WriteAccessResponse(rw, accessRequest, response)
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
			`"net/http"`

			`"github.com/ory/fosite"`

			`"github.com/authelia/authelia/internal/middlewares"`
			`)`

			`func oidcToken(ctx middlewares.AutheliaCtx, rw http.ResponseWriter, req http.Request) {`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`oidcSession := newOpenIDSession("")`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`accessRequest, accessReqErr := ctx.Providers.OpenIDConnect.Fosite.NewAccessRequest(ctx, req, oidcSession)`
			`if accessReqErr != nil {`
			`ctx.Logger.Errorf("Error occurred in NewAccessRequest: %+v", accessRequest)`
			`ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, accessReqErr)`

			`return`
			`}`

			`// If this is a client_credentials grant, grant all scopes the client is allowed to perform.`
			`if accessRequest.GetGrantTypes().ExactOne("client_credentials") {`
			`for _, scope := range accessRequest.GetRequestedScopes() {`
			`if fosite.HierarchicScopeStrategy(accessRequest.GetClient().GetScopes(), scope) {`
			`accessRequest.GrantScope(scope)`
			`}`
			`}`
			`}`

			`response, err := ctx.Providers.OpenIDConnect.Fosite.NewAccessResponse(ctx, accessRequest)`
			`if err != nil {`
			`ctx.Logger.Errorf("Error occurred in NewAccessResponse: %+v", err)`
			`ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, err)`

			`return`
			`}`

			`ctx.Providers.OpenIDConnect.Fosite.WriteAccessResponse(rw, accessRequest, response)`
			`}`