build(deps): update module github.com/ory/fosite to v0.43.0 (#4269)
This updates fosite and refactors our usage out of compose.pull/4370/head
parent
7a0067e572
commit
ad68f33aeb
43
go.mod
43
go.mod
|
@ -19,14 +19,16 @@ require (
|
||||||
github.com/golang-jwt/jwt/v4 v4.4.2
|
github.com/golang-jwt/jwt/v4 v4.4.2
|
||||||
github.com/golang/mock v1.6.0
|
github.com/golang/mock v1.6.0
|
||||||
github.com/google/uuid v1.3.0
|
github.com/google/uuid v1.3.0
|
||||||
|
github.com/hashicorp/go-retryablehttp v0.7.1
|
||||||
github.com/jackc/pgx/v5 v5.1.0
|
github.com/jackc/pgx/v5 v5.1.0
|
||||||
github.com/jmoiron/sqlx v1.3.5
|
github.com/jmoiron/sqlx v1.3.5
|
||||||
github.com/knadh/koanf v1.4.4
|
github.com/knadh/koanf v1.4.4
|
||||||
github.com/mattn/go-sqlite3 v1.14.16
|
github.com/mattn/go-sqlite3 v1.14.16
|
||||||
github.com/mitchellh/mapstructure v1.5.0
|
github.com/mitchellh/mapstructure v1.5.0
|
||||||
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
|
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
|
||||||
github.com/ory/fosite v0.42.2
|
github.com/ory/fosite v0.43.0
|
||||||
github.com/ory/herodot v0.9.13
|
github.com/ory/herodot v0.9.13
|
||||||
|
github.com/ory/x v0.0.507
|
||||||
github.com/otiai10/copy v1.9.0
|
github.com/otiai10/copy v1.9.0
|
||||||
github.com/pkg/errors v0.9.1
|
github.com/pkg/errors v0.9.1
|
||||||
github.com/pquerna/otp v1.3.0
|
github.com/pquerna/otp v1.3.0
|
||||||
|
@ -51,37 +53,40 @@ require (
|
||||||
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
|
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
|
||||||
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
||||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
||||||
|
github.com/cristalhq/jwt/v4 v4.0.2 // indirect
|
||||||
|
github.com/dave/jennifer v1.6.0 // indirect
|
||||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||||
github.com/dgraph-io/ristretto v0.1.0 // indirect
|
github.com/dgraph-io/ristretto v0.1.1 // indirect
|
||||||
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
||||||
github.com/dlclark/regexp2 v1.4.0 // indirect
|
github.com/dlclark/regexp2 v1.4.0 // indirect
|
||||||
github.com/dustin/go-humanize v1.0.0 // indirect
|
github.com/dustin/go-humanize v1.0.0 // indirect
|
||||||
|
github.com/ecordell/optgen v0.0.6 // indirect
|
||||||
github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
|
github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
|
||||||
github.com/fxamacker/cbor/v2 v2.4.0 // indirect
|
github.com/fxamacker/cbor/v2 v2.4.0 // indirect
|
||||||
github.com/go-crypt/x v0.1.3 // indirect
|
github.com/go-crypt/x v0.1.3 // indirect
|
||||||
github.com/go-redis/redis/v8 v8.11.5 // indirect
|
github.com/go-redis/redis/v8 v8.11.5 // indirect
|
||||||
github.com/go-webauthn/revoke v0.1.6 // indirect
|
github.com/go-webauthn/revoke v0.1.6 // indirect
|
||||||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
|
github.com/golang/glog v1.0.0 // indirect
|
||||||
github.com/golang/protobuf v1.5.2 // indirect
|
github.com/golang/protobuf v1.5.2 // indirect
|
||||||
github.com/google/go-tpm v0.3.3 // indirect
|
github.com/google/go-tpm v0.3.3 // indirect
|
||||||
github.com/gorilla/websocket v1.4.2 // indirect
|
github.com/gorilla/websocket v1.5.0 // indirect
|
||||||
|
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
||||||
github.com/hashicorp/hcl v1.0.0 // indirect
|
github.com/hashicorp/hcl v1.0.0 // indirect
|
||||||
github.com/inconshreveable/mousetrap v1.0.1 // indirect
|
github.com/inconshreveable/mousetrap v1.0.1 // indirect
|
||||||
github.com/jackc/pgpassfile v1.0.0 // indirect
|
github.com/jackc/pgpassfile v1.0.0 // indirect
|
||||||
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
|
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
|
||||||
github.com/jandelgado/gcov2lcov v1.0.5 // indirect
|
github.com/jandelgado/gcov2lcov v1.0.5 // indirect
|
||||||
github.com/klauspost/compress v1.15.9 // indirect
|
github.com/klauspost/compress v1.15.9 // indirect
|
||||||
github.com/magiconair/properties v1.8.5 // indirect
|
github.com/magiconair/properties v1.8.6 // indirect
|
||||||
github.com/mattn/goveralls v0.0.6 // indirect
|
github.com/mattn/goveralls v0.0.11 // indirect
|
||||||
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
|
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
|
||||||
github.com/mitchellh/copystructure v1.2.0 // indirect
|
github.com/mitchellh/copystructure v1.2.0 // indirect
|
||||||
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
github.com/mitchellh/reflectwalk v1.0.2 // indirect
|
||||||
github.com/ory/go-acc v0.2.6 // indirect
|
github.com/ory/go-acc v0.2.8 // indirect
|
||||||
github.com/ory/go-convenience v0.1.0 // indirect
|
github.com/ory/go-convenience v0.1.0 // indirect
|
||||||
github.com/ory/viper v1.7.5 // indirect
|
github.com/ory/viper v1.7.5 // indirect
|
||||||
github.com/ory/x v0.0.288 // indirect
|
|
||||||
github.com/pborman/uuid v1.2.1 // indirect
|
github.com/pborman/uuid v1.2.1 // indirect
|
||||||
github.com/pelletier/go-toml v1.9.4 // indirect
|
github.com/pelletier/go-toml v1.9.5 // indirect
|
||||||
github.com/philhofer/fwd v1.1.1 // indirect
|
github.com/philhofer/fwd v1.1.1 // indirect
|
||||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||||
github.com/prometheus/client_model v0.3.0 // indirect
|
github.com/prometheus/client_model v0.3.0 // indirect
|
||||||
|
@ -90,10 +95,10 @@ require (
|
||||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||||
github.com/savsgio/dictpool v0.0.0-20220406081701-03de5edb2e6d // indirect
|
github.com/savsgio/dictpool v0.0.0-20220406081701-03de5edb2e6d // indirect
|
||||||
github.com/savsgio/gotils v0.0.0-20220530130905-52f3993e8d6d // indirect
|
github.com/savsgio/gotils v0.0.0-20220530130905-52f3993e8d6d // indirect
|
||||||
github.com/spf13/afero v1.6.0 // indirect
|
github.com/spf13/afero v1.9.2 // indirect
|
||||||
github.com/spf13/cast v1.4.1 // indirect
|
github.com/spf13/cast v1.5.0 // indirect
|
||||||
github.com/spf13/jwalterweatherman v1.1.0 // indirect
|
github.com/spf13/jwalterweatherman v1.1.0 // indirect
|
||||||
github.com/subosito/gotenv v1.2.0 // indirect
|
github.com/subosito/gotenv v1.4.1 // indirect
|
||||||
github.com/test-go/testify v1.1.4 // indirect
|
github.com/test-go/testify v1.1.4 // indirect
|
||||||
github.com/tinylib/msgp v1.1.6 // indirect
|
github.com/tinylib/msgp v1.1.6 // indirect
|
||||||
github.com/valyala/bytebufferpool v1.0.0 // indirect
|
github.com/valyala/bytebufferpool v1.0.0 // indirect
|
||||||
|
@ -102,14 +107,16 @@ require (
|
||||||
github.com/ysmood/gson v0.7.1 // indirect
|
github.com/ysmood/gson v0.7.1 // indirect
|
||||||
github.com/ysmood/leakless v0.8.0 // indirect
|
github.com/ysmood/leakless v0.8.0 // indirect
|
||||||
golang.org/x/crypto v0.1.0 // indirect
|
golang.org/x/crypto v0.1.0 // indirect
|
||||||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
|
golang.org/x/mod v0.6.0 // indirect
|
||||||
golang.org/x/net v0.1.0 // indirect
|
golang.org/x/net v0.1.0 // indirect
|
||||||
|
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
|
||||||
golang.org/x/sys v0.2.0 // indirect
|
golang.org/x/sys v0.2.0 // indirect
|
||||||
golang.org/x/tools v0.1.12 // indirect
|
golang.org/x/tools v0.2.0 // indirect
|
||||||
google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
|
google.golang.org/appengine v1.6.7 // indirect
|
||||||
google.golang.org/grpc v1.42.0 // indirect
|
google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71 // indirect
|
||||||
|
google.golang.org/grpc v1.50.1 // indirect
|
||||||
google.golang.org/protobuf v1.28.1 // indirect
|
google.golang.org/protobuf v1.28.1 // indirect
|
||||||
gopkg.in/ini.v1 v1.66.2 // indirect
|
gopkg.in/ini.v1 v1.67.0 // indirect
|
||||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,7 @@ func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter
|
||||||
|
|
||||||
ctx.Logger.Errorf("Introspection Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Introspection Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteIntrospectionError(rw, err)
|
ctx.Providers.OpenIDConnect.WriteIntrospectionError(ctx, rw, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -34,5 +34,5 @@ func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter
|
||||||
|
|
||||||
ctx.Logger.Tracef("Introspection Request yeilded a %s (active: %t) requested at %s created with request id '%s' on client with id '%s'", responder.GetTokenUse(), responder.IsActive(), requester.GetRequestedAt().String(), requester.GetID(), requester.GetClient().GetID())
|
ctx.Logger.Tracef("Introspection Request yeilded a %s (active: %t) requested at %s created with request id '%s' on client with id '%s'", responder.GetTokenUse(), responder.IsActive(), requester.GetRequestedAt().String(), requester.GetID(), requester.GetClient().GetID())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteIntrospectionResponse(rw, responder)
|
ctx.Providers.OpenIDConnect.WriteIntrospectionResponse(ctx, rw, responder)
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,5 +20,5 @@ func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r
|
||||||
ctx.Logger.Errorf("Revocation Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Revocation Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteRevocationResponse(rw, err)
|
ctx.Providers.OpenIDConnect.WriteRevocationResponse(ctx, rw, err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,7 +31,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
|
|
||||||
ctx.Logger.Errorf("Authorization Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Authorization Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -47,7 +47,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: failed to find client: %+v", requester.GetID(), clientID, err)
|
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: failed to find client: %+v", requester.GetID(), clientID, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -55,7 +55,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
if issuer, err = ctx.IssuerURL(); err != nil {
|
if issuer, err = ctx.IssuerURL(); err != nil {
|
||||||
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred determining issuer: %+v", requester.GetID(), clientID, err)
|
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred determining issuer: %+v", requester.GetID(), clientID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrIssuerCouldNotDerive)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrIssuerCouldNotDerive)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -76,7 +76,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
if authTime, err = userSession.AuthenticatedTime(client.Policy); err != nil {
|
if authTime, err = userSession.AuthenticatedTime(client.Policy); err != nil {
|
||||||
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred checking authentication time: %+v", requester.GetID(), client.GetID(), err)
|
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred checking authentication time: %+v", requester.GetID(), client.GetID(), err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrServerError.WithHint("Could not obtain the authentication time."))
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrServerError.WithHint("Could not obtain the authentication time."))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -94,7 +94,7 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
|
|
||||||
ctx.Logger.Errorf("Authorization Response for Request with id '%s' on client with id '%s' could not be created: %s", requester.GetID(), clientID, rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Authorization Response for Request with id '%s' on client with id '%s' could not be created: %s", requester.GetID(), clientID, rfc.WithExposeDebug(true).GetDescription())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, err)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -102,10 +102,10 @@ func OpenIDConnectAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWr
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionGranted(ctx, consent.ID); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionGranted(ctx, consent.ID); err != nil {
|
||||||
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred saving consent session: %+v", requester.GetID(), client.GetID(), err)
|
ctx.Logger.Errorf("Authorization Request with id '%s' on client with id '%s' could not be processed: error occurred saving consent session: %+v", requester.GetID(), client.GetID(), err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeResponse(rw, requester, responder)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeResponse(ctx, rw, requester, responder)
|
||||||
}
|
}
|
||||||
|
|
|
@ -37,7 +37,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
|
||||||
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
|
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)
|
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrSubjectCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -52,7 +52,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
|
||||||
default:
|
default:
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantDetermineConsentMode, requester.GetID(), client.GetID())
|
ctx.Logger.Errorf(logFmtErrConsentCantDetermineConsentMode, requester.GetID(), client.GetID())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrServerError.WithHint("Could not determine the client consent mode."))
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrServerError.WithHint("Could not determine the client consent mode."))
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -60,7 +60,7 @@ func handleOIDCAuthorizationConsent(ctx *middlewares.AutheliaCtx, issuer *url.UR
|
||||||
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
|
if subject, err = ctx.Providers.OpenIDConnect.GetSubject(ctx, client.GetSectorIdentifier(), userSession.Username); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)
|
ctx.Logger.Errorf(logFmtErrConsentCantGetSubject, requester.GetID(), client.GetID(), client.Consent, userSession.Username, client.GetSectorIdentifier(), err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrSubjectCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrSubjectCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -93,7 +93,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
|
||||||
if len(ctx.QueryArgs().PeekBytes(qryArgConsentID)) != 0 {
|
if len(ctx.QueryArgs().PeekBytes(qryArgConsentID)) != 0 {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", errors.New("consent id value was present when it should be absent"))
|
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", errors.New("consent id value was present when it should be absent"))
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -101,7 +101,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
|
||||||
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", err)
|
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "generating", err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -109,7 +109,7 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, issuer
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "saving", err)
|
ctx.Logger.Errorf(logFmtErrConsentGenerateError, requester.GetID(), client.GetID(), client.Consent, "saving", err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,7 +30,7 @@ func handleOIDCAuthorizationConsentModeExplicit(ctx *middlewares.AutheliaCtx, is
|
||||||
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -49,7 +49,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if consentID.ID() == 0 {
|
if consentID.ID() == 0 {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -57,7 +57,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -65,7 +65,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if subject.ID() != consent.Subject.UUID.ID() {
|
if subject.ID() != consent.Subject.UUID.ID() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -73,7 +73,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if !consent.CanGrant() {
|
if !consent.CanGrant() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "explicit")
|
ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "explicit")
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -82,7 +82,7 @@ func handleOIDCAuthorizationConsentModeExplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if consent.Responded() {
|
if consent.Responded() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrAccessDenied)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrAccessDenied)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,7 +28,7 @@ func handleOIDCAuthorizationConsentModeImplicit(ctx *middlewares.AutheliaCtx, is
|
||||||
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -47,7 +47,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if consentID.ID() == 0 {
|
if consentID.ID() == 0 {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -55,7 +55,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -63,7 +63,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if subject.ID() != consent.Subject.UUID.ID() {
|
if subject.ID() != consent.Subject.UUID.ID() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -71,7 +71,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if !consent.CanGrant() {
|
if !consent.CanGrant() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "implicit")
|
ctx.Logger.Errorf(logFmtErrConsentCantGrant, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, "implicit")
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -81,7 +81,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithID(ctx *middlewares.AutheliaC
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -99,7 +99,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
|
||||||
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)
|
ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -107,7 +107,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -115,7 +115,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
|
||||||
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
|
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -125,7 +125,7 @@ func handleOIDCAuthorizationConsentModeImplicitWithoutID(ctx *middlewares.Authel
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,7 @@ func handleOIDCAuthorizationConsentModePreConfigured(ctx *middlewares.AutheliaCt
|
||||||
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
if consentID, err = uuid.ParseBytes(bytesConsentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentParseChallengeID, requester.GetID(), client.GetID(), client.Consent, bytesConsentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentMalformedChallengeID)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentMalformedChallengeID)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -54,7 +54,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if consentID.ID() == 0 {
|
if consentID.ID() == 0 {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
ctx.Logger.Errorf(logFmtErrConsentZeroID, requester.GetID(), client.GetID(), client.Consent)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -62,7 +62,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consentID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
ctx.Logger.Errorf(logFmtErrConsentLookupLoadingSession, requester.GetID(), client.GetID(), client.Consent, consentID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -70,7 +70,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if subject.ID() != consent.Subject.UUID.ID() {
|
if subject.ID() != consent.Subject.UUID.ID() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
ctx.Logger.Errorf(logFmtErrConsentSessionSubjectNotAuthorized, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, userSession.Username, subject, consent.Subject.UUID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -78,7 +78,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if !consent.CanGrant() {
|
if !consent.CanGrant() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGrantPreConf, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
ctx.Logger.Errorf(logFmtErrConsentCantGrantPreConf, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotPerform)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotPerform)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -86,7 +86,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
|
if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)
|
ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -99,7 +99,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -111,7 +111,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithID(ctx *middlewares.Auth
|
||||||
if consent.Responded() {
|
if consent.Responded() {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
ctx.Logger.Errorf(logFmtErrConsentCantGrantRejected, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, fosite.ErrAccessDenied)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, fosite.ErrAccessDenied)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -135,7 +135,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
|
||||||
if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
|
if config, err = handleOIDCAuthorizationConsentModePreConfiguredGetPreConfig(ctx, client, subject, requester); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)
|
ctx.Logger.Errorf(logFmtErrConsentPreConfLookup, requester.GetID(), client.GetID(), client.Consent, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotLookup)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotLookup)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -147,7 +147,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
|
||||||
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
if consent, err = model.NewOAuth2ConsentSession(subject, requester); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)
|
ctx.Logger.Errorf(logFmtErrConsentGenerate, requester.GetID(), client.GetID(), client.Consent, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotGenerate)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotGenerate)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -155,7 +155,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSession(ctx, *consent); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -163,7 +163,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
|
||||||
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
|
if consent, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentSessionByChallengeID(ctx, consent.ChallengeID); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSession, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
@ -175,7 +175,7 @@ func handleOIDCAuthorizationConsentModePreConfiguredWithoutID(ctx *middlewares.A
|
||||||
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
if err = ctx.Providers.StorageProvider.SaveOAuth2ConsentSessionResponse(ctx, *consent, false); err != nil {
|
||||||
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
ctx.Logger.Errorf(logFmtErrConsentSaveSessionResponse, requester.GetID(), client.GetID(), client.Consent, consent.ChallengeID, err)
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAuthorizeError(rw, requester, oidc.ErrConsentCouldNotSave)
|
ctx.Providers.OpenIDConnect.WriteAuthorizeError(ctx, rw, requester, oidc.ErrConsentCouldNotSave)
|
||||||
|
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter
|
||||||
|
|
||||||
ctx.Logger.Errorf("Access Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Access Request failed with error: %s", rfc.WithExposeDebug(true).GetDescription())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAccessError(rw, requester, err)
|
ctx.Providers.OpenIDConnect.WriteAccessError(ctx, rw, requester, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -51,7 +51,7 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter
|
||||||
|
|
||||||
ctx.Logger.Errorf("Access Response for Request with id '%s' failed to be created with error: %s", requester.GetID(), rfc.WithExposeDebug(true).GetDescription())
|
ctx.Logger.Errorf("Access Response for Request with id '%s' failed to be created with error: %s", requester.GetID(), rfc.WithExposeDebug(true).GetDescription())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAccessError(rw, requester, err)
|
ctx.Providers.OpenIDConnect.WriteAccessError(ctx, rw, requester, err)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -60,5 +60,5 @@ func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter
|
||||||
|
|
||||||
ctx.Logger.Tracef("Access Request with id '%s' on client with id '%s' produced the following claims: %+v", requester.GetID(), client.GetID(), responder.ToMap())
|
ctx.Logger.Tracef("Access Request with id '%s' on client with id '%s' produced the following claims: %+v", requester.GetID(), client.GetID(), responder.ToMap())
|
||||||
|
|
||||||
ctx.Providers.OpenIDConnect.WriteAccessResponse(rw, requester, responder)
|
ctx.Providers.OpenIDConnect.WriteAccessResponse(ctx, rw, requester, responder)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,583 @@
|
||||||
|
package oidc
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"crypto/sha512"
|
||||||
|
"hash"
|
||||||
|
"html/template"
|
||||||
|
"net/url"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-retryablehttp"
|
||||||
|
"github.com/ory/fosite"
|
||||||
|
"github.com/ory/fosite/handler/oauth2"
|
||||||
|
"github.com/ory/fosite/handler/openid"
|
||||||
|
"github.com/ory/fosite/handler/par"
|
||||||
|
"github.com/ory/fosite/handler/pkce"
|
||||||
|
"github.com/ory/fosite/i18n"
|
||||||
|
"github.com/ory/fosite/token/hmac"
|
||||||
|
"github.com/ory/fosite/token/jwt"
|
||||||
|
|
||||||
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||||
|
"github.com/authelia/authelia/v4/internal/utils"
|
||||||
|
)
|
||||||
|
|
||||||
|
func NewConfig(config *schema.OpenIDConnectConfiguration) *Config {
|
||||||
|
c := &Config{
|
||||||
|
GlobalSecret: []byte(utils.HashSHA256FromString(config.HMACSecret)),
|
||||||
|
SendDebugMessagesToClients: config.EnableClientDebugMessages,
|
||||||
|
MinParameterEntropy: config.MinimumParameterEntropy,
|
||||||
|
Lifespans: LifespanConfig{
|
||||||
|
AccessToken: config.AccessTokenLifespan,
|
||||||
|
AuthorizeCode: config.AuthorizeCodeLifespan,
|
||||||
|
IDToken: config.IDTokenLifespan,
|
||||||
|
RefreshToken: config.RefreshTokenLifespan,
|
||||||
|
},
|
||||||
|
ProofKeyCodeExchange: ProofKeyCodeExchangeConfig{
|
||||||
|
Enforce: config.EnforcePKCE == "always",
|
||||||
|
EnforcePublicClients: config.EnforcePKCE != "never",
|
||||||
|
AllowPlainChallengeMethod: config.EnablePKCEPlainChallenge,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
prefix := "authelia_%s_"
|
||||||
|
c.Strategy.Core = &HMACCoreStrategy{
|
||||||
|
Enigma: &hmac.HMACStrategy{Config: c},
|
||||||
|
Config: c,
|
||||||
|
prefix: &prefix,
|
||||||
|
}
|
||||||
|
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
type Config struct {
|
||||||
|
// GlobalSecret is the global secret used to sign and verify signatures.
|
||||||
|
GlobalSecret []byte
|
||||||
|
|
||||||
|
// RotatedGlobalSecrets is a list of global secrets that are used to verify signatures.
|
||||||
|
RotatedGlobalSecrets [][]byte
|
||||||
|
|
||||||
|
Issuers IssuersConfig
|
||||||
|
|
||||||
|
SendDebugMessagesToClients bool
|
||||||
|
DisableRefreshTokenValidation bool
|
||||||
|
OmitRedirectScopeParameter bool
|
||||||
|
|
||||||
|
JWTScopeField jwt.JWTScopeFieldEnum
|
||||||
|
JWTMaxDuration time.Duration
|
||||||
|
|
||||||
|
Hash HashConfig
|
||||||
|
Strategy StrategyConfig
|
||||||
|
PAR PARConfig
|
||||||
|
Handlers HandlersConfig
|
||||||
|
Lifespans LifespanConfig
|
||||||
|
ProofKeyCodeExchange ProofKeyCodeExchangeConfig
|
||||||
|
GrantTypeJWTBearer GrantTypeJWTBearerConfig
|
||||||
|
|
||||||
|
TokenURL string
|
||||||
|
TokenEntropy int
|
||||||
|
MinParameterEntropy int
|
||||||
|
|
||||||
|
SanitationWhiteList []string
|
||||||
|
AllowedPrompts []string
|
||||||
|
RefreshTokenScopes []string
|
||||||
|
|
||||||
|
HTTPClient *retryablehttp.Client
|
||||||
|
FormPostHTMLTemplate *template.Template
|
||||||
|
MessageCatalog i18n.MessageCatalog
|
||||||
|
}
|
||||||
|
|
||||||
|
type HashConfig struct {
|
||||||
|
ClientSecrets fosite.Hasher
|
||||||
|
HMAC func() (h hash.Hash)
|
||||||
|
}
|
||||||
|
|
||||||
|
type StrategyConfig struct {
|
||||||
|
Core oauth2.CoreStrategy
|
||||||
|
OpenID openid.OpenIDConnectTokenStrategy
|
||||||
|
Audience fosite.AudienceMatchingStrategy
|
||||||
|
Scope fosite.ScopeStrategy
|
||||||
|
JWKSFetcher fosite.JWKSFetcherStrategy
|
||||||
|
ClientAuthentication fosite.ClientAuthenticationStrategy
|
||||||
|
}
|
||||||
|
|
||||||
|
type PARConfig struct {
|
||||||
|
Enforced bool
|
||||||
|
URIPrefix string
|
||||||
|
ContextLifespan time.Duration
|
||||||
|
}
|
||||||
|
|
||||||
|
type IssuersConfig struct {
|
||||||
|
IDToken string
|
||||||
|
AccessToken string
|
||||||
|
}
|
||||||
|
|
||||||
|
type HandlersConfig struct {
|
||||||
|
// ResponseMode provides an extension handler for custom response modes.
|
||||||
|
ResponseMode fosite.ResponseModeHandler
|
||||||
|
|
||||||
|
// AuthorizeEndpoint is a list of handlers that are called before the authorization endpoint is served.
|
||||||
|
AuthorizeEndpoint fosite.AuthorizeEndpointHandlers
|
||||||
|
|
||||||
|
// TokenEndpoint is a list of handlers that are called before the token endpoint is served.
|
||||||
|
TokenEndpoint fosite.TokenEndpointHandlers
|
||||||
|
|
||||||
|
// TokenIntrospection is a list of handlers that are called before the token introspection endpoint is served.
|
||||||
|
TokenIntrospection fosite.TokenIntrospectionHandlers
|
||||||
|
|
||||||
|
// Revocation is a list of handlers that are called before the revocation endpoint is served.
|
||||||
|
Revocation fosite.RevocationHandlers
|
||||||
|
|
||||||
|
// PushedAuthorizeEndpoint is a list of handlers that are called before the PAR endpoint is served.
|
||||||
|
PushedAuthorizeEndpoint fosite.PushedAuthorizeEndpointHandlers
|
||||||
|
}
|
||||||
|
|
||||||
|
type GrantTypeJWTBearerConfig struct {
|
||||||
|
OptionalClientAuth bool
|
||||||
|
OptionalJTIClaim bool
|
||||||
|
OptionalIssuedDate bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type ProofKeyCodeExchangeConfig struct {
|
||||||
|
Enforce bool
|
||||||
|
EnforcePublicClients bool
|
||||||
|
AllowPlainChallengeMethod bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type LifespanConfig struct {
|
||||||
|
AccessToken time.Duration
|
||||||
|
AuthorizeCode time.Duration
|
||||||
|
IDToken time.Duration
|
||||||
|
RefreshToken time.Duration
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
PromptNone = none
|
||||||
|
PromptLogin = "login"
|
||||||
|
PromptConsent = "consent"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (c *Config) LoadHandlers(store *Store, strategy jwt.Signer) {
|
||||||
|
validator := openid.NewOpenIDConnectRequestValidator(strategy, c)
|
||||||
|
|
||||||
|
handlers := []any{
|
||||||
|
&oauth2.AuthorizeExplicitGrantHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
RefreshTokenStrategy: c.Strategy.Core,
|
||||||
|
AuthorizeCodeStrategy: c.Strategy.Core,
|
||||||
|
CoreStorage: store,
|
||||||
|
TokenRevocationStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&oauth2.AuthorizeImplicitGrantTypeHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
AccessTokenStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&oauth2.ClientCredentialsGrantHandler{
|
||||||
|
HandleHelper: &oauth2.HandleHelper{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
AccessTokenStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&oauth2.RefreshTokenGrantHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
RefreshTokenStrategy: c.Strategy.Core,
|
||||||
|
TokenRevocationStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&openid.OpenIDConnectExplicitHandler{
|
||||||
|
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
|
||||||
|
IDTokenStrategy: c.Strategy.OpenID,
|
||||||
|
},
|
||||||
|
OpenIDConnectRequestValidator: validator,
|
||||||
|
OpenIDConnectRequestStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&openid.OpenIDConnectImplicitHandler{
|
||||||
|
AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
AccessTokenStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
|
||||||
|
IDTokenStrategy: c.Strategy.OpenID,
|
||||||
|
},
|
||||||
|
OpenIDConnectRequestValidator: validator,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&openid.OpenIDConnectHybridHandler{
|
||||||
|
AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
RefreshTokenStrategy: c.Strategy.Core,
|
||||||
|
AuthorizeCodeStrategy: c.Strategy.Core,
|
||||||
|
CoreStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
Config: c,
|
||||||
|
AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
AccessTokenStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
|
||||||
|
IDTokenStrategy: c.Strategy.OpenID,
|
||||||
|
},
|
||||||
|
OpenIDConnectRequestValidator: validator,
|
||||||
|
OpenIDConnectRequestStorage: store,
|
||||||
|
},
|
||||||
|
&openid.OpenIDConnectRefreshHandler{
|
||||||
|
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
|
||||||
|
IDTokenStrategy: c.Strategy.OpenID,
|
||||||
|
},
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&oauth2.CoreValidator{
|
||||||
|
CoreStrategy: c.Strategy.Core,
|
||||||
|
CoreStorage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&oauth2.TokenRevocationHandler{
|
||||||
|
AccessTokenStrategy: c.Strategy.Core,
|
||||||
|
RefreshTokenStrategy: c.Strategy.Core,
|
||||||
|
TokenRevocationStorage: store,
|
||||||
|
},
|
||||||
|
&pkce.Handler{
|
||||||
|
AuthorizeCodeStrategy: c.Strategy.Core,
|
||||||
|
Storage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
&par.PushedAuthorizeHandler{
|
||||||
|
Storage: store,
|
||||||
|
Config: c,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
x := HandlersConfig{}
|
||||||
|
|
||||||
|
for _, handler := range handlers {
|
||||||
|
if h, ok := handler.(fosite.AuthorizeEndpointHandler); ok {
|
||||||
|
x.AuthorizeEndpoint.Append(h)
|
||||||
|
}
|
||||||
|
|
||||||
|
if h, ok := handler.(fosite.TokenEndpointHandler); ok {
|
||||||
|
x.TokenEndpoint.Append(h)
|
||||||
|
}
|
||||||
|
|
||||||
|
if h, ok := handler.(fosite.TokenIntrospector); ok {
|
||||||
|
x.TokenIntrospection.Append(h)
|
||||||
|
}
|
||||||
|
|
||||||
|
if h, ok := handler.(fosite.RevocationHandler); ok {
|
||||||
|
x.Revocation.Append(h)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
c.Handlers = x
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAllowedPrompts returns the allowed prompts.
|
||||||
|
func (c *Config) GetAllowedPrompts(ctx context.Context) (prompts []string) {
|
||||||
|
if len(c.AllowedPrompts) == 0 {
|
||||||
|
c.AllowedPrompts = []string{PromptNone, PromptLogin, PromptConsent}
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.AllowedPrompts
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEnforcePKCE returns the enforcement of PKCE.
|
||||||
|
func (c *Config) GetEnforcePKCE(ctx context.Context) (enforce bool) {
|
||||||
|
return c.ProofKeyCodeExchange.Enforce
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEnforcePKCEForPublicClients returns the enforcement of PKCE for public clients.
|
||||||
|
func (c *Config) GetEnforcePKCEForPublicClients(ctx context.Context) (enforce bool) {
|
||||||
|
return c.GetEnforcePKCE(ctx) || c.ProofKeyCodeExchange.EnforcePublicClients
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEnablePKCEPlainChallengeMethod returns the enable PKCE plain challenge method.
|
||||||
|
func (c *Config) GetEnablePKCEPlainChallengeMethod(ctx context.Context) (enable bool) {
|
||||||
|
return c.ProofKeyCodeExchange.AllowPlainChallengeMethod
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetGrantTypeJWTBearerCanSkipClientAuth returns the grant type JWT bearer can skip client auth.
|
||||||
|
func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(ctx context.Context) (skip bool) {
|
||||||
|
return c.GrantTypeJWTBearer.OptionalClientAuth
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetGrantTypeJWTBearerIDOptional returns the grant type JWT bearer ID optional.
|
||||||
|
func (c *Config) GetGrantTypeJWTBearerIDOptional(ctx context.Context) (optional bool) {
|
||||||
|
return c.GrantTypeJWTBearer.OptionalJTIClaim
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetGrantTypeJWTBearerIssuedDateOptional returns the grant type JWT bearer issued date optional.
|
||||||
|
func (c *Config) GetGrantTypeJWTBearerIssuedDateOptional(ctx context.Context) (optional bool) {
|
||||||
|
return c.GrantTypeJWTBearer.OptionalIssuedDate
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetJWTMaxDuration returns the JWT max duration.
|
||||||
|
func (c *Config) GetJWTMaxDuration(ctx context.Context) (duration time.Duration) {
|
||||||
|
if c.JWTMaxDuration == 0 {
|
||||||
|
c.JWTMaxDuration = time.Hour * 24
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.JWTMaxDuration
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetRedirectSecureChecker returns the redirect URL security validator.
|
||||||
|
func (c *Config) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) (secure bool) {
|
||||||
|
return fosite.IsRedirectURISecure
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetOmitRedirectScopeParam must be set to true if the scope query param is to be omitted
|
||||||
|
// in the authorization's redirect URI.
|
||||||
|
func (c *Config) GetOmitRedirectScopeParam(ctx context.Context) (omit bool) {
|
||||||
|
return c.OmitRedirectScopeParameter
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetSanitationWhiteList is a whitelist of form values that are required by the token endpoint. These values
|
||||||
|
// are safe for storage in a database (cleartext).
|
||||||
|
func (c *Config) GetSanitationWhiteList(ctx context.Context) (whitelist []string) {
|
||||||
|
return c.SanitationWhiteList
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetJWTScopeField returns the JWT scope field.
|
||||||
|
func (c *Config) GetJWTScopeField(ctx context.Context) (field jwt.JWTScopeFieldEnum) {
|
||||||
|
if c.JWTScopeField == jwt.JWTScopeFieldUnset {
|
||||||
|
c.JWTScopeField = jwt.JWTScopeFieldList
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.JWTScopeField
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetIDTokenIssuer returns the ID token issuer.
|
||||||
|
func (c *Config) GetIDTokenIssuer(ctx context.Context) (issuer string) {
|
||||||
|
return c.Issuers.IDToken
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAccessTokenIssuer returns the access token issuer.
|
||||||
|
func (c *Config) GetAccessTokenIssuer(ctx context.Context) (issuer string) {
|
||||||
|
return c.Issuers.AccessToken
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDisableRefreshTokenValidation returns the disable refresh token validation flag.
|
||||||
|
func (c *Config) GetDisableRefreshTokenValidation(ctx context.Context) (disable bool) {
|
||||||
|
return c.DisableRefreshTokenValidation
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAuthorizeCodeLifespan returns the authorization code lifespan.
|
||||||
|
func (c *Config) GetAuthorizeCodeLifespan(ctx context.Context) (lifespan time.Duration) {
|
||||||
|
if c.Lifespans.AuthorizeCode <= 0 {
|
||||||
|
c.Lifespans.AccessToken = lifespanAuthorizeCodeDefault
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Lifespans.AuthorizeCode
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetRefreshTokenLifespan returns the refresh token lifespan.
|
||||||
|
func (c *Config) GetRefreshTokenLifespan(ctx context.Context) (lifespan time.Duration) {
|
||||||
|
if c.Lifespans.RefreshToken <= 0 {
|
||||||
|
c.Lifespans.AccessToken = lifespanRefreshTokenDefault
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Lifespans.RefreshToken
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetIDTokenLifespan returns the ID token lifespan.
|
||||||
|
func (c *Config) GetIDTokenLifespan(ctx context.Context) (lifespan time.Duration) {
|
||||||
|
if c.Lifespans.IDToken <= 0 {
|
||||||
|
c.Lifespans.AccessToken = lifespanTokenDefault
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Lifespans.IDToken
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAccessTokenLifespan returns the access token lifespan.
|
||||||
|
func (c *Config) GetAccessTokenLifespan(ctx context.Context) (lifespan time.Duration) {
|
||||||
|
if c.Lifespans.AccessToken <= 0 {
|
||||||
|
c.Lifespans.AccessToken = lifespanTokenDefault
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Lifespans.AccessToken
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetTokenEntropy returns the token entropy.
|
||||||
|
func (c *Config) GetTokenEntropy(ctx context.Context) (entropy int) {
|
||||||
|
if c.TokenEntropy == 0 {
|
||||||
|
c.TokenEntropy = 32
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.TokenEntropy
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetGlobalSecret returns the global secret.
|
||||||
|
func (c *Config) GetGlobalSecret(ctx context.Context) (secret []byte) {
|
||||||
|
return c.GlobalSecret
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetRotatedGlobalSecrets returns the rotated global secrets.
|
||||||
|
func (c *Config) GetRotatedGlobalSecrets(ctx context.Context) (secrets [][]byte) {
|
||||||
|
return c.RotatedGlobalSecrets
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHTTPClient returns the HTTP client provider.
|
||||||
|
func (c *Config) GetHTTPClient(ctx context.Context) (client *retryablehttp.Client) {
|
||||||
|
if c.HTTPClient == nil {
|
||||||
|
c.HTTPClient = retryablehttp.NewClient()
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.HTTPClient
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetRefreshTokenScopes returns the refresh token scopes.
|
||||||
|
func (c *Config) GetRefreshTokenScopes(ctx context.Context) (scopes []string) {
|
||||||
|
if c.RefreshTokenScopes == nil {
|
||||||
|
c.RefreshTokenScopes = []string{ScopeOffline, ScopeOfflineAccess}
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.RefreshTokenScopes
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetScopeStrategy returns the scope strategy.
|
||||||
|
func (c *Config) GetScopeStrategy(ctx context.Context) (strategy fosite.ScopeStrategy) {
|
||||||
|
if c.Strategy.Scope == nil {
|
||||||
|
c.Strategy.Scope = fosite.ExactScopeStrategy
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Strategy.Scope
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAudienceStrategy returns the audience strategy.
|
||||||
|
func (c *Config) GetAudienceStrategy(ctx context.Context) (strategy fosite.AudienceMatchingStrategy) {
|
||||||
|
if c.Strategy.Audience == nil {
|
||||||
|
c.Strategy.Audience = fosite.DefaultAudienceMatchingStrategy
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Strategy.Audience
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMinParameterEntropy returns the minimum parameter entropy.
|
||||||
|
func (c *Config) GetMinParameterEntropy(_ context.Context) (entropy int) {
|
||||||
|
if c.MinParameterEntropy == 0 {
|
||||||
|
c.MinParameterEntropy = fosite.MinParameterEntropy
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.MinParameterEntropy
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACHasher returns the hash function.
|
||||||
|
func (c *Config) GetHMACHasher(ctx context.Context) func() (h hash.Hash) {
|
||||||
|
if c.Hash.HMAC == nil {
|
||||||
|
c.Hash.HMAC = sha512.New512_256
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Hash.HMAC
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetSendDebugMessagesToClients returns the send debug messages to clients.
|
||||||
|
func (c *Config) GetSendDebugMessagesToClients(ctx context.Context) (send bool) {
|
||||||
|
return c.SendDebugMessagesToClients
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetJWKSFetcherStrategy returns the JWKS fetcher strategy.
|
||||||
|
func (c *Config) GetJWKSFetcherStrategy(ctx context.Context) (strategy fosite.JWKSFetcherStrategy) {
|
||||||
|
if c.Strategy.JWKSFetcher == nil {
|
||||||
|
c.Strategy.JWKSFetcher = fosite.NewDefaultJWKSFetcherStrategy()
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Strategy.JWKSFetcher
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetClientAuthenticationStrategy returns the client authentication strategy.
|
||||||
|
func (c *Config) GetClientAuthenticationStrategy(ctx context.Context) (strategy fosite.ClientAuthenticationStrategy) {
|
||||||
|
return c.Strategy.ClientAuthentication
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageCatalog returns the message catalog.
|
||||||
|
func (c *Config) GetMessageCatalog(ctx context.Context) (catalog i18n.MessageCatalog) {
|
||||||
|
return c.MessageCatalog
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetFormPostHTMLTemplate returns the form post HTML template.
|
||||||
|
func (c *Config) GetFormPostHTMLTemplate(ctx context.Context) (tmpl *template.Template) {
|
||||||
|
return c.FormPostHTMLTemplate
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetTokenURL returns the token URL.
|
||||||
|
func (c *Config) GetTokenURL(ctx context.Context) (tokenURL string) {
|
||||||
|
return c.TokenURL
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetSecretsHasher returns the client secrets hashing function.
|
||||||
|
func (c *Config) GetSecretsHasher(ctx context.Context) (hasher fosite.Hasher) {
|
||||||
|
if c.Hash.ClientSecrets == nil {
|
||||||
|
c.Hash.ClientSecrets = &AdaptiveHasher{}
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Hash.ClientSecrets
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetUseLegacyErrorFormat returns whether to use the legacy error format.
|
||||||
|
//
|
||||||
|
// Deprecated: Do not use this flag anymore.
|
||||||
|
func (c *Config) GetUseLegacyErrorFormat(ctx context.Context) (use bool) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetAuthorizeEndpointHandlers returns the authorize endpoint handlers.
|
||||||
|
func (c *Config) GetAuthorizeEndpointHandlers(ctx context.Context) (handlers fosite.AuthorizeEndpointHandlers) {
|
||||||
|
return c.Handlers.AuthorizeEndpoint
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetTokenEndpointHandlers returns the token endpoint handlers.
|
||||||
|
func (c *Config) GetTokenEndpointHandlers(ctx context.Context) (handlers fosite.TokenEndpointHandlers) {
|
||||||
|
return c.Handlers.TokenEndpoint
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetTokenIntrospectionHandlers returns the token introspection handlers.
|
||||||
|
func (c *Config) GetTokenIntrospectionHandlers(ctx context.Context) (handlers fosite.TokenIntrospectionHandlers) {
|
||||||
|
return c.Handlers.TokenIntrospection
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetRevocationHandlers returns the revocation handlers.
|
||||||
|
func (c *Config) GetRevocationHandlers(ctx context.Context) (handlers fosite.RevocationHandlers) {
|
||||||
|
return c.Handlers.Revocation
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetPushedAuthorizeEndpointHandlers returns the handlers.
|
||||||
|
func (c *Config) GetPushedAuthorizeEndpointHandlers(ctx context.Context) fosite.PushedAuthorizeEndpointHandlers {
|
||||||
|
return c.Handlers.PushedAuthorizeEndpoint
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetResponseModeHandlerExtension returns the response mode handler extension.
|
||||||
|
func (c *Config) GetResponseModeHandlerExtension(ctx context.Context) (handler fosite.ResponseModeHandler) {
|
||||||
|
return c.Handlers.ResponseMode
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetPushedAuthorizeRequestURIPrefix is the request URI prefix. This is
|
||||||
|
// usually 'urn:ietf:params:oauth:request_uri:'.
|
||||||
|
func (c *Config) GetPushedAuthorizeRequestURIPrefix(ctx context.Context) string {
|
||||||
|
if c.PAR.URIPrefix == "" {
|
||||||
|
c.PAR.URIPrefix = urnPARPrefix
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.PAR.URIPrefix
|
||||||
|
}
|
||||||
|
|
||||||
|
// EnforcePushedAuthorize indicates if PAR is enforced. In this mode, a client
|
||||||
|
// cannot pass authorize parameters at the 'authorize' endpoint. The 'authorize' endpoint
|
||||||
|
// must contain the PAR request_uri.
|
||||||
|
func (c *Config) EnforcePushedAuthorize(ctx context.Context) bool {
|
||||||
|
return c.PAR.Enforced
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetPushedAuthorizeContextLifespan is the lifespan of the short-lived PAR context.
|
||||||
|
func (c *Config) GetPushedAuthorizeContextLifespan(ctx context.Context) (lifespan time.Duration) {
|
||||||
|
if c.PAR.ContextLifespan == 0 {
|
||||||
|
c.PAR.ContextLifespan = lifespanPARContextDefault
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.PAR.ContextLifespan
|
||||||
|
}
|
|
@ -1,8 +1,13 @@
|
||||||
package oidc
|
package oidc
|
||||||
|
|
||||||
|
import (
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
// Scope strings.
|
// Scope strings.
|
||||||
const (
|
const (
|
||||||
ScopeOfflineAccess = "offline_access"
|
ScopeOfflineAccess = "offline_access"
|
||||||
|
ScopeOffline = "offline"
|
||||||
ScopeOpenID = "openid"
|
ScopeOpenID = "openid"
|
||||||
ScopeProfile = "profile"
|
ScopeProfile = "profile"
|
||||||
ScopeEmail = "email"
|
ScopeEmail = "email"
|
||||||
|
@ -35,6 +40,17 @@ const (
|
||||||
ClaimClientIdentifier = "client_id"
|
ClaimClientIdentifier = "client_id"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
lifespanTokenDefault = time.Hour
|
||||||
|
lifespanRefreshTokenDefault = time.Hour * 24 * 30
|
||||||
|
lifespanAuthorizeCodeDefault = time.Minute * 15
|
||||||
|
lifespanPARContextDefault = time.Minute * 5
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
urnPARPrefix = "urn:ietf:params:oauth:request_uri:"
|
||||||
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// ClaimEmailAlts is an unregistered/custom claim.
|
// ClaimEmailAlts is an unregistered/custom claim.
|
||||||
// It represents the emails which are not considered primary.
|
// It represents the emails which are not considered primary.
|
||||||
|
|
|
@ -0,0 +1,129 @@
|
||||||
|
package oidc
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/ory/fosite"
|
||||||
|
"github.com/ory/fosite/token/hmac"
|
||||||
|
"github.com/ory/x/errorsx"
|
||||||
|
)
|
||||||
|
|
||||||
|
// HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.
|
||||||
|
type HMACCoreStrategy struct {
|
||||||
|
Enigma *hmac.HMACStrategy
|
||||||
|
Config interface {
|
||||||
|
fosite.AccessTokenLifespanProvider
|
||||||
|
fosite.RefreshTokenLifespanProvider
|
||||||
|
fosite.AuthorizeCodeLifespanProvider
|
||||||
|
}
|
||||||
|
prefix *string
|
||||||
|
}
|
||||||
|
|
||||||
|
// AccessTokenSignature implements oauth2.AccessTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, token string) string {
|
||||||
|
return h.Enigma.Signature(token)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateAccessToken implements oauth2.AccessTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
|
||||||
|
token, sig, err := h.Enigma.Generate(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return "", "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.setPrefix(token, "at"), sig, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidateAccessToken implements oauth2.AccessTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
|
||||||
|
var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
|
||||||
|
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
|
||||||
|
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
|
||||||
|
}
|
||||||
|
|
||||||
|
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
|
||||||
|
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// RefreshTokenSignature implements oauth2.RefreshTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
|
||||||
|
return h.Enigma.Signature(token)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateRefreshToken implements oauth2.RefreshTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
|
||||||
|
token, sig, err := h.Enigma.Generate(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return "", "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.setPrefix(token, "rt"), sig, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidateRefreshToken implements oauth2.RefreshTokenStrategy.
|
||||||
|
func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
|
||||||
|
var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
|
||||||
|
if exp.IsZero() {
|
||||||
|
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
|
||||||
|
}
|
||||||
|
|
||||||
|
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
|
||||||
|
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.
|
||||||
|
func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
|
||||||
|
return h.Enigma.Signature(token)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
|
||||||
|
func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
|
||||||
|
token, sig, err := h.Enigma.Generate(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return "", "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.setPrefix(token, "ac"), sig, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
|
||||||
|
func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
|
||||||
|
var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
|
||||||
|
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
|
||||||
|
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
|
||||||
|
}
|
||||||
|
|
||||||
|
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
|
||||||
|
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
|
||||||
|
}
|
||||||
|
|
||||||
|
return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *HMACCoreStrategy) getPrefix(part string) string {
|
||||||
|
if h.prefix == nil {
|
||||||
|
prefix := "ory_%s_"
|
||||||
|
h.prefix = &prefix
|
||||||
|
} else if len(*h.prefix) == 0 {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf(*h.prefix, part)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *HMACCoreStrategy) trimPrefix(token, part string) string {
|
||||||
|
return strings.TrimPrefix(token, h.getPrefix(part))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *HMACCoreStrategy) setPrefix(token, part string) string {
|
||||||
|
return h.getPrefix(part) + token
|
||||||
|
}
|
|
@ -34,7 +34,7 @@ func NewKeyManager() (manager *KeyManager) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Strategy returns the fosite jwt.JWTStrategy.
|
// Strategy returns the fosite jwt.JWTStrategy.
|
||||||
func (m *KeyManager) Strategy() (strategy jwt.JWTStrategy) {
|
func (m *KeyManager) Strategy() (strategy jwt.Signer) {
|
||||||
if m.jwk == nil {
|
if m.jwk == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -98,7 +98,7 @@ func (m *KeyManager) AddActiveJWK(chain schema.X509CertificateChain, key *rsa.Pr
|
||||||
|
|
||||||
// JWTStrategy is a decorator struct for the fosite jwt.JWTStrategy.
|
// JWTStrategy is a decorator struct for the fosite jwt.JWTStrategy.
|
||||||
type JWTStrategy struct {
|
type JWTStrategy struct {
|
||||||
jwt.JWTStrategy
|
jwt.Signer
|
||||||
|
|
||||||
id string
|
id string
|
||||||
}
|
}
|
||||||
|
@ -157,8 +157,12 @@ type JWK struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Strategy returns the relevant jwt.JWTStrategy for this JWT.
|
// Strategy returns the relevant jwt.JWTStrategy for this JWT.
|
||||||
func (j *JWK) Strategy() (strategy jwt.JWTStrategy) {
|
func (j *JWK) Strategy() (strategy jwt.Signer) {
|
||||||
return &JWTStrategy{id: j.id, JWTStrategy: &jwt.RS256JWTStrategy{PrivateKey: j.key}}
|
return &JWTStrategy{id: j.id, Signer: &jwt.DefaultSigner{GetPrivateKey: j.GetPrivateKey}}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (j *JWK) GetPrivateKey(ctx context.Context) (key any, err error) {
|
||||||
|
return j.key, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// JSONWebKey returns the relevant *jose.JSONWebKey for this JWT.
|
// JSONWebKey returns the relevant *jose.JSONWebKey for this JWT.
|
||||||
|
|
|
@ -1,18 +1,14 @@
|
||||||
package oidc
|
package oidc
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/sha512"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/ory/fosite/compose"
|
"github.com/ory/fosite"
|
||||||
"github.com/ory/fosite/handler/oauth2"
|
|
||||||
"github.com/ory/fosite/handler/openid"
|
"github.com/ory/fosite/handler/openid"
|
||||||
"github.com/ory/fosite/token/hmac"
|
|
||||||
"github.com/ory/herodot"
|
"github.com/ory/herodot"
|
||||||
|
|
||||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||||
"github.com/authelia/authelia/v4/internal/storage"
|
"github.com/authelia/authelia/v4/internal/storage"
|
||||||
"github.com/authelia/authelia/v4/internal/utils"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.
|
// NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.
|
||||||
|
@ -23,76 +19,22 @@ func NewOpenIDConnectProvider(config *schema.OpenIDConnectConfiguration, store s
|
||||||
|
|
||||||
provider = &OpenIDConnectProvider{
|
provider = &OpenIDConnectProvider{
|
||||||
JSONWriter: herodot.NewJSONWriter(nil),
|
JSONWriter: herodot.NewJSONWriter(nil),
|
||||||
Store: NewOpenIDConnectStore(config, store),
|
Store: NewStore(config, store),
|
||||||
|
Config: NewConfig(config),
|
||||||
}
|
}
|
||||||
|
|
||||||
cconfig := &compose.Config{
|
provider.OAuth2Provider = fosite.NewOAuth2Provider(provider.Store, provider.Config)
|
||||||
AccessTokenLifespan: config.AccessTokenLifespan,
|
|
||||||
AuthorizeCodeLifespan: config.AuthorizeCodeLifespan,
|
|
||||||
IDTokenLifespan: config.IDTokenLifespan,
|
|
||||||
RefreshTokenLifespan: config.RefreshTokenLifespan,
|
|
||||||
SendDebugMessagesToClients: config.EnableClientDebugMessages,
|
|
||||||
MinParameterEntropy: config.MinimumParameterEntropy,
|
|
||||||
EnforcePKCE: config.EnforcePKCE == "always",
|
|
||||||
EnforcePKCEForPublicClients: config.EnforcePKCE != "never",
|
|
||||||
EnablePKCEPlainChallengeMethod: config.EnablePKCEPlainChallenge,
|
|
||||||
}
|
|
||||||
|
|
||||||
if provider.KeyManager, err = NewKeyManagerWithConfiguration(config); err != nil {
|
if provider.KeyManager, err = NewKeyManagerWithConfiguration(config); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
jwtStrategy := provider.KeyManager.Strategy()
|
provider.Config.Strategy.OpenID = &openid.DefaultStrategy{
|
||||||
|
Signer: provider.KeyManager.Strategy(),
|
||||||
strategy := &compose.CommonStrategy{
|
Config: provider.Config,
|
||||||
CoreStrategy: &oauth2.HMACSHAStrategy{
|
|
||||||
Enigma: &hmac.HMACStrategy{
|
|
||||||
GlobalSecret: []byte(utils.HashSHA256FromString(config.HMACSecret)),
|
|
||||||
RotatedGlobalSecrets: nil,
|
|
||||||
TokenEntropy: cconfig.GetTokenEntropy(),
|
|
||||||
Hash: sha512.New512_256,
|
|
||||||
},
|
|
||||||
AccessTokenLifespan: cconfig.GetAccessTokenLifespan(),
|
|
||||||
AuthorizeCodeLifespan: cconfig.GetAuthorizeCodeLifespan(),
|
|
||||||
RefreshTokenLifespan: cconfig.GetRefreshTokenLifespan(),
|
|
||||||
},
|
|
||||||
OpenIDConnectTokenStrategy: &openid.DefaultStrategy{
|
|
||||||
JWTStrategy: jwtStrategy,
|
|
||||||
Expiry: cconfig.GetIDTokenLifespan(),
|
|
||||||
Issuer: cconfig.IDTokenIssuer,
|
|
||||||
MinParameterEntropy: cconfig.GetMinParameterEntropy(),
|
|
||||||
},
|
|
||||||
JWTStrategy: jwtStrategy,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
provider.OAuth2Provider = compose.Compose(
|
provider.Config.LoadHandlers(provider.Store, provider.KeyManager.Strategy())
|
||||||
cconfig,
|
|
||||||
provider.Store,
|
|
||||||
strategy,
|
|
||||||
AdaptiveHasher{},
|
|
||||||
|
|
||||||
/*
|
|
||||||
These are the OAuth2 and OpenIDConnect factories. Order is important (the OAuth2 factories at the top must
|
|
||||||
be before the OpenIDConnect factories) and taken directly from fosite.compose.ComposeAllEnabled. The
|
|
||||||
commented factories are not enabled as we don't yet use them but are still here for reference purposes.
|
|
||||||
*/
|
|
||||||
compose.OAuth2AuthorizeExplicitFactory,
|
|
||||||
compose.OAuth2AuthorizeImplicitFactory,
|
|
||||||
compose.OAuth2ClientCredentialsGrantFactory,
|
|
||||||
compose.OAuth2RefreshTokenGrantFactory,
|
|
||||||
// compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
|
|
||||||
// compose.RFC7523AssertionGrantFactory,.
|
|
||||||
|
|
||||||
compose.OpenIDConnectExplicitFactory,
|
|
||||||
compose.OpenIDConnectImplicitFactory,
|
|
||||||
compose.OpenIDConnectHybridFactory,
|
|
||||||
compose.OpenIDConnectRefreshFactory,
|
|
||||||
|
|
||||||
compose.OAuth2TokenIntrospectionFactory,
|
|
||||||
compose.OAuth2TokenRevocationFactory,
|
|
||||||
|
|
||||||
compose.OAuth2PKCEFactory,
|
|
||||||
)
|
|
||||||
|
|
||||||
provider.discovery = NewOpenIDConnectWellKnownConfiguration(config.EnablePKCEPlainChallenge, provider.Store.clients)
|
provider.discovery = NewOpenIDConnectWellKnownConfiguration(config.EnablePKCEPlainChallenge, provider.Store.clients)
|
||||||
|
|
||||||
|
|
|
@ -18,8 +18,8 @@ import (
|
||||||
"github.com/authelia/authelia/v4/internal/storage"
|
"github.com/authelia/authelia/v4/internal/storage"
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewOpenIDConnectStore returns a Store when provided with a schema.OpenIDConnectConfiguration and storage.Provider.
|
// NewStore returns a Store when provided with a schema.OpenIDConnectConfiguration and storage.Provider.
|
||||||
func NewOpenIDConnectStore(config *schema.OpenIDConnectConfiguration, provider storage.Provider) (store *Store) {
|
func NewStore(config *schema.OpenIDConnectConfiguration, provider storage.Provider) (store *Store) {
|
||||||
logger := logging.Logger()
|
logger := logging.Logger()
|
||||||
|
|
||||||
store = &Store{
|
store = &Store{
|
||||||
|
|
|
@ -12,7 +12,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
|
func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
|
||||||
s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
|
s := NewStore(&schema.OpenIDConnectConfiguration{
|
||||||
IssuerCertificateChain: schema.X509CertificateChain{},
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
||||||
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
@ -44,7 +44,7 @@ func TestOpenIDConnectStore_GetClientPolicy(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestOpenIDConnectStore_GetInternalClient(t *testing.T) {
|
func TestOpenIDConnectStore_GetInternalClient(t *testing.T) {
|
||||||
s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
|
s := NewStore(&schema.OpenIDConnectConfiguration{
|
||||||
IssuerCertificateChain: schema.X509CertificateChain{},
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
||||||
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
@ -77,7 +77,7 @@ func TestOpenIDConnectStore_GetInternalClient_ValidClient(t *testing.T) {
|
||||||
Secret: MustDecodeSecret("$plaintext$mysecret"),
|
Secret: MustDecodeSecret("$plaintext$mysecret"),
|
||||||
}
|
}
|
||||||
|
|
||||||
s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
|
s := NewStore(&schema.OpenIDConnectConfiguration{
|
||||||
IssuerCertificateChain: schema.X509CertificateChain{},
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
||||||
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{c1},
|
Clients: []schema.OpenIDConnectClientConfiguration{c1},
|
||||||
|
@ -105,7 +105,7 @@ func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {
|
||||||
Secret: MustDecodeSecret("$plaintext$mysecret"),
|
Secret: MustDecodeSecret("$plaintext$mysecret"),
|
||||||
}
|
}
|
||||||
|
|
||||||
s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
|
s := NewStore(&schema.OpenIDConnectConfiguration{
|
||||||
IssuerCertificateChain: schema.X509CertificateChain{},
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
||||||
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{c1},
|
Clients: []schema.OpenIDConnectClientConfiguration{c1},
|
||||||
|
@ -117,7 +117,7 @@ func TestOpenIDConnectStore_GetInternalClient_InvalidClient(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestOpenIDConnectStore_IsValidClientID(t *testing.T) {
|
func TestOpenIDConnectStore_IsValidClientID(t *testing.T) {
|
||||||
s := NewOpenIDConnectStore(&schema.OpenIDConnectConfiguration{
|
s := NewStore(&schema.OpenIDConnectConfiguration{
|
||||||
IssuerCertificateChain: schema.X509CertificateChain{},
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
||||||
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
"github.com/ory/fosite/handler/openid"
|
"github.com/ory/fosite/handler/openid"
|
||||||
"github.com/ory/fosite/token/jwt"
|
"github.com/ory/fosite/token/jwt"
|
||||||
"github.com/ory/herodot"
|
"github.com/ory/herodot"
|
||||||
jose "gopkg.in/square/go-jose.v2"
|
"gopkg.in/square/go-jose.v2"
|
||||||
|
|
||||||
"github.com/authelia/authelia/v4/internal/authorization"
|
"github.com/authelia/authelia/v4/internal/authorization"
|
||||||
"github.com/authelia/authelia/v4/internal/model"
|
"github.com/authelia/authelia/v4/internal/model"
|
||||||
|
@ -82,6 +82,7 @@ type OpenIDConnectProvider struct {
|
||||||
fosite.OAuth2Provider
|
fosite.OAuth2Provider
|
||||||
*herodot.JSONWriter
|
*herodot.JSONWriter
|
||||||
*Store
|
*Store
|
||||||
|
*Config
|
||||||
|
|
||||||
KeyManager *KeyManager
|
KeyManager *KeyManager
|
||||||
|
|
||||||
|
@ -607,16 +608,36 @@ type OpenIDConnectBackChannelLogoutDiscoveryOptions struct {
|
||||||
BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
|
BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PushedAuthorizationDiscoveryOptions represents the well known discovery document specific to the
|
||||||
|
// OAuth 2.0 Pushed Authorization Requests (RFC9126) implementation.
|
||||||
|
//
|
||||||
|
// OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126#section-5
|
||||||
|
type PushedAuthorizationDiscoveryOptions struct {
|
||||||
|
/*
|
||||||
|
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
|
||||||
|
exchange for a "request_uri" value usable at the authorization server.
|
||||||
|
*/
|
||||||
|
PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint,omitempty"`
|
||||||
|
|
||||||
|
/*
|
||||||
|
Boolean parameter indicating whether the authorization server accepts authorization request data only via PAR.
|
||||||
|
If omitted, the default value is "false".
|
||||||
|
*/
|
||||||
|
RequirePushedAuthorizationRequests bool `json:"require_pushed_authorization_requests"`
|
||||||
|
}
|
||||||
|
|
||||||
// OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.
|
// OAuth2WellKnownConfiguration represents the well known discovery document specific to OAuth 2.0.
|
||||||
type OAuth2WellKnownConfiguration struct {
|
type OAuth2WellKnownConfiguration struct {
|
||||||
CommonDiscoveryOptions
|
CommonDiscoveryOptions
|
||||||
OAuth2DiscoveryOptions
|
OAuth2DiscoveryOptions
|
||||||
|
PushedAuthorizationDiscoveryOptions
|
||||||
}
|
}
|
||||||
|
|
||||||
// OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.
|
// OpenIDConnectWellKnownConfiguration represents the well known discovery document specific to OpenID Connect.
|
||||||
type OpenIDConnectWellKnownConfiguration struct {
|
type OpenIDConnectWellKnownConfiguration struct {
|
||||||
CommonDiscoveryOptions
|
CommonDiscoveryOptions
|
||||||
OAuth2DiscoveryOptions
|
OAuth2DiscoveryOptions
|
||||||
|
PushedAuthorizationDiscoveryOptions
|
||||||
OpenIDConnectDiscoveryOptions
|
OpenIDConnectDiscoveryOptions
|
||||||
OpenIDConnectFrontChannelLogoutDiscoveryOptions
|
OpenIDConnectFrontChannelLogoutDiscoveryOptions
|
||||||
OpenIDConnectBackChannelLogoutDiscoveryOptions
|
OpenIDConnectBackChannelLogoutDiscoveryOptions
|
||||||
|
|
|
@ -29,17 +29,35 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// OAuth2SessionType represents the potential OAuth 2.0 session types.
|
// OAuth2SessionType represents the potential OAuth 2.0 session types.
|
||||||
type OAuth2SessionType string
|
type OAuth2SessionType int
|
||||||
|
|
||||||
// Representation of specific OAuth 2.0 session types.
|
// Representation of specific OAuth 2.0 session types.
|
||||||
const (
|
const (
|
||||||
OAuth2SessionTypeAuthorizeCode OAuth2SessionType = "authorization code"
|
OAuth2SessionTypeAuthorizeCode OAuth2SessionType = iota
|
||||||
OAuth2SessionTypeAccessToken OAuth2SessionType = "access token"
|
OAuth2SessionTypeAccessToken
|
||||||
OAuth2SessionTypeRefreshToken OAuth2SessionType = "refresh token"
|
OAuth2SessionTypeRefreshToken
|
||||||
OAuth2SessionTypePKCEChallenge OAuth2SessionType = "pkce challenge"
|
OAuth2SessionTypePKCEChallenge
|
||||||
OAuth2SessionTypeOpenIDConnect OAuth2SessionType = "openid connect"
|
OAuth2SessionTypeOpenIDConnect
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// String returns a string representation of this OAuth2SessionType.
|
||||||
|
func (s OAuth2SessionType) String() string {
|
||||||
|
switch s {
|
||||||
|
case OAuth2SessionTypeAuthorizeCode:
|
||||||
|
return "authorization code"
|
||||||
|
case OAuth2SessionTypeAccessToken:
|
||||||
|
return "access token"
|
||||||
|
case OAuth2SessionTypeRefreshToken:
|
||||||
|
return "refresh token"
|
||||||
|
case OAuth2SessionTypePKCEChallenge:
|
||||||
|
return "pkce challenge"
|
||||||
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
|
return "openid connect"
|
||||||
|
default:
|
||||||
|
return "invalid"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
sqlNetworkTypeTCP = "tcp"
|
sqlNetworkTypeTCP = "tcp"
|
||||||
sqlNetworkTypeUnixSocket = "unix"
|
sqlNetworkTypeUnixSocket = "unix"
|
||||||
|
|
|
@ -547,11 +547,11 @@ func (p *SQLProvider) RevokeOAuth2Session(ctx context.Context, sessionType OAuth
|
||||||
case OAuth2SessionTypeOpenIDConnect:
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
query = p.sqlRevokeOAuth2OpenIDConnectSession
|
query = p.sqlRevokeOAuth2OpenIDConnectSession
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("error revoking oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
|
return fmt.Errorf("error revoking oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
|
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
|
||||||
return fmt.Errorf("error revoking oauth2 %s session with signature '%s': %w", sessionType, signature, err)
|
return fmt.Errorf("error revoking oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -573,11 +573,11 @@ func (p *SQLProvider) RevokeOAuth2SessionByRequestID(ctx context.Context, sessio
|
||||||
case OAuth2SessionTypeOpenIDConnect:
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
query = p.sqlRevokeOAuth2OpenIDConnectSessionByRequestID
|
query = p.sqlRevokeOAuth2OpenIDConnectSessionByRequestID
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("error revoking oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
|
return fmt.Errorf("error revoking oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
|
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
|
||||||
return fmt.Errorf("error revoking oauth2 %s session with request id '%s': %w", sessionType, requestID, err)
|
return fmt.Errorf("error revoking oauth2 %s session with request id '%s': %w", sessionType.String(), requestID, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -599,11 +599,11 @@ func (p *SQLProvider) DeactivateOAuth2Session(ctx context.Context, sessionType O
|
||||||
case OAuth2SessionTypeOpenIDConnect:
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
query = p.sqlDeactivateOAuth2OpenIDConnectSession
|
query = p.sqlDeactivateOAuth2OpenIDConnectSession
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("error deactivating oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
|
return fmt.Errorf("error deactivating oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
|
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
|
||||||
return fmt.Errorf("error deactivating oauth2 %s session with signature '%s': %w", sessionType, signature, err)
|
return fmt.Errorf("error deactivating oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -625,7 +625,7 @@ func (p *SQLProvider) DeactivateOAuth2SessionByRequestID(ctx context.Context, se
|
||||||
case OAuth2SessionTypeOpenIDConnect:
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
query = p.sqlDeactivateOAuth2OpenIDConnectSessionByRequestID
|
query = p.sqlDeactivateOAuth2OpenIDConnectSessionByRequestID
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("error deactivating oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
|
return fmt.Errorf("error deactivating oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
|
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
|
||||||
|
@ -651,17 +651,17 @@ func (p *SQLProvider) LoadOAuth2Session(ctx context.Context, sessionType OAuth2S
|
||||||
case OAuth2SessionTypeOpenIDConnect:
|
case OAuth2SessionTypeOpenIDConnect:
|
||||||
query = p.sqlSelectOAuth2OpenIDConnectSession
|
query = p.sqlSelectOAuth2OpenIDConnectSession
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("error selecting oauth2 session: unknown oauth2 session type '%s'", sessionType)
|
return nil, fmt.Errorf("error selecting oauth2 session: unknown oauth2 session type '%s'", sessionType.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
session = &model.OAuth2Session{}
|
session = &model.OAuth2Session{}
|
||||||
|
|
||||||
if err = p.db.GetContext(ctx, session, query, signature); err != nil {
|
if err = p.db.GetContext(ctx, session, query, signature); err != nil {
|
||||||
return nil, fmt.Errorf("error selecting oauth2 %s session with signature '%s': %w", sessionType, signature, err)
|
return nil, fmt.Errorf("error selecting oauth2 %s session with signature '%s': %w", sessionType.String(), signature, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if session.Session, err = p.decrypt(session.Session); err != nil {
|
if session.Session, err = p.decrypt(session.Session); err != nil {
|
||||||
return nil, fmt.Errorf("error decrypting the oauth2 %s session data with signature '%s' for subject '%s' and request id '%s': %w", sessionType, signature, session.Subject, session.RequestID, err)
|
return nil, fmt.Errorf("error decrypting the oauth2 %s session data with signature '%s' for subject '%s' and request id '%s': %w", sessionType.String(), signature, session.Subject, session.RequestID, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
return session, nil
|
return session, nil
|
||||||
|
|
Loading…
Reference in New Issue