From 3651275257e9465baca5b90ddbac71c71e0d18da Mon Sep 17 00:00:00 2001
From: mattslocum
Date: Wed, 4 Jan 2023 16:12:05 -0700
Subject: [PATCH] Add oauth2.token_prefix configurability
---
 client/handler.go | 3 ++-
 driver/config/provider.go | 5 +++++
 driver/config/provider_fosite.go | 4 ++++
 driver/config/provider_test.go | 11 +++++++++++
 go.mod | 1 +
 go.sum | 4 ++--
 spec/config.json | 6 ++++++
 7 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/client/handler.go b/client/handler.go
index 5f020f23b4e..8a6b83ebd32 100644
--- a/client/handler.go
+++ b/client/handler.go
@@ -805,7 +805,8 @@ func (h *Handler) ValidDynamicAuth(r *http.Request, ps httprouter.Params) (fosit
 WithReason("The requested OAuth 2.0 client does not exist or you provided incorrect credentials.").WithDebug("The OAuth2 Client does not have a registration access token."))
 }
- token := strings.TrimPrefix(fosite.AccessTokenFromRequest(r), "ory_at_")
+ prefix := h.r.Config().GetTokenPrefix(r.Context()) + "_at_"
+ token := strings.TrimPrefix(fosite.AccessTokenFromRequest(r), prefix)
 if err := h.r.OAuth2HMACStrategy().Enigma.Validate(r.Context(), token); err != nil {
 return nil, herodot.ErrUnauthorized.
 WithTrace(err).
diff --git a/driver/config/provider.go b/driver/config/provider.go
index 5e7252d6e66..84d4cae33f4 100644
--- a/driver/config/provider.go
+++ b/driver/config/provider.go
@@ -92,6 +92,7 @@ const (
 KeyOAuth2GrantJWTIDOptional = "oauth2.grant.jwt.jti_optional"
 KeyOAuth2GrantJWTIssuedDateOptional = "oauth2.grant.jwt.iat_optional"
 KeyOAuth2GrantJWTMaxDuration = "oauth2.grant.jwt.max_ttl"
+ KeyOAuth2TokenPrefix = "oauth2.token_prefix"
 KeyRefreshTokenHookURL = "oauth2.refresh_token_hook" // #nosec G101
 KeyDevelopmentMode = "dev"
 )
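Review bot: `"_at_"` is a bare literal on the new `prefix :=` line while the `_at_`/`_rt_`/`_ac_` markers are only spelled out in spec/config.json, so the handler and whatever the fosite strategy emits can drift apart without a compile error; a shared constant next to `KeyOAuth2TokenPrefix`, e.g. `const AccessTokenMarker = "_at_"`, used here as `prefix := h.r.Config().GetTokenPrefix(r.Context()) + config.AccessTokenMarker`, keeps them in one place. The prefix is now runtime configuration, so changing `oauth2.token_prefix` on a running deployment presumably turns `strings.TrimPrefix` into a no-op for registration access tokens issued under the old prefix and they would then fail `Validate`; that operational consequence deserves a sentence in the option's documentation. `ValidDynamicAuth` starts and ends outside the hunk.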
@@ -515,6 +516,10 @@ func (p *DefaultProvider) GetJWTMaxDuration(ctx context.Context) time.Duration {
 return p.getProvider(ctx).DurationF(KeyOAuth2GrantJWTMaxDuration, time.Hour*24*30)
 }
+func (p *DefaultProvider) GetTokenPrefix(ctx context.Context) string {
+ return p.getProvider(ctx).StringF(KeyOAuth2TokenPrefix, "ory")
+}
+
 func (p *DefaultProvider) CookieDomain(ctx context.Context) string {
 return p.getProvider(ctx).String(KeyCookieDomain)
 }
diff --git a/driver/config/provider_fosite.go b/driver/config/provider_fosite.go
index 07c43042edd..5da5ec875dc 100644
--- a/driver/config/provider_fosite.go
+++ b/driver/config/provider_fosite.go
@@ -89,6 +89,10 @@ func (p *DefaultProvider) GetScopeStrategy(ctx context.Context) fosite.ScopeStra
 return fosite.ExactScopeStrategy
 }
+func (p *DefaultProvider) GetTokenPrefixProvider(ctx context.Context) string {
+ return p.getProvider(ctx).StringF(KeyOAuth2TokenPrefix, "ory")
+}
+
 func (p *DefaultProvider) GetUseLegacyErrorFormat(context.Context) bool {
 return false
 }
diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
index fbe8cb2fc62..c9ef1aaf5a1 100644
--- a/driver/config/provider_test.go
+++ b/driver/config/provider_test.go
@@ -406,6 +406,17 @@ func TestCookieSecure(t *testing.T) {
 assert.True(t, c.CookieSecure(ctx))
 }
+func TestTokenPrefix(t *testing.T) {
+ ctx := context.Background()
+ l := logrusx.New("", "")
+ l.Logrus().SetOutput(io.Discard)
+ c := MustNew(context.Background(), l, configx.SkipValidation())
+
+ assert.EqualValues(t, "ory", c.GetTokenPrefix(ctx)) // default when not set
+ c.MustSet(ctx, KeyOAuth2TokenPrefix, "sabre")
+ assert.EqualValues(t, "sabre", c.GetTokenPrefix(ctx))
+}
+
 func TestTokenRefreshHookURL(t *testing.T) {
 ctx := context.Background()
 l := logrusx.New("", "")
diff --git a/go.mod b/go.mod
index 17fb0f25096..9cbcb7041bd 100644
--- a/go.mod
+++ b/go.mod
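Review bot: `GetTokenPrefix` in provider.go and `GetTokenPrefixProvider` in provider_fosite.go have identical bodies and each hard-codes the default `"ory"`, which appears a third time as the schema default in spec/config.json; if any one of them drifts, hydra strips one prefix while the fosite side mints another, and every such token is rejected. Declare `const defaultTokenPrefix = "ory"` beside `KeyOAuth2TokenPrefix` and have the fosite-facing method delegate, `return p.GetTokenPrefix(ctx)`, so there is one source of truth. Both exported methods also lack a doc comment; something like `// GetTokenPrefix returns the configured oauth2.token_prefix (default "ory") that is prepended to issued tokens ahead of the "_at_", "_rt_" or "_ac_" marker described in spec/config.json.` would do, with `GetTokenPrefixProvider` documented as the accessor the fosite configuration interface reads (the interface itself is not visible in this diff, so confirm the name it expects).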
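Review bot: `TestTokenPrefix` asserts only on `GetTokenPrefix`; `GetTokenPrefixProvider`, presumably the accessor the fosite side consumes, has no assertion, so the two could return different values without a test failing. Add `assert.EqualValues(t, "sabre", c.GetTokenPrefixProvider(ctx))` after the `MustSet` line and a matching default check before it. The `MustNew(context.Background(), ...)` call can also reuse the `ctx` declared two lines above, as the neighbouring tests in this file do.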
@@ -9,6 +9,7 @@ replace (
 github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
 github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.14.13
 github.com/oleiade/reflections => github.com/oleiade/reflections v1.0.1
+ github.com/ory/fosite => github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d
 )
 replace github.com/ory/hydra-client-go/v2 => ./internal/httpclient
diff --git a/go.sum b/go.sum
index db4ff29fbfc..7532e1818ff 100644
--- a/go.sum
+++ b/go.sum
@@ -766,6 +766,8 @@ github.com/mattn/go-sqlite3 v1.14.13 h1:1tj15ngiFfcZzii7yd82foL+ks+ouQcj8j/TPq3f
 github.com/mattn/go-sqlite3 v1.14.13/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/goveralls v0.0.11 h1:eJXea6R6IFlL1QMKNMzDvvHv/hwGrnvyig4N+0+XiMM=
 github.com/mattn/goveralls v0.0.11/go.mod h1:gU8SyhNswsJKchEV93xRQxX6X3Ei4PJdQk/6ZHvrvRk=
+github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d h1:0yn96ItzZRMyrYXNLjqFZFoJvv57ZJSI2Nd6e2OkOl0=
+github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
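Review bot: The new `replace` redirects `github.com/ory/fosite`, the library that mints and validates every token hydra issues, to a personal fork at a pseudo-version, so the token-generation half of this feature lives outside the diff and anyone building from this go.mod picks up the fork's code silently. A replace of this kind should carry a comment stating what it tracks and when it goes away, e.g. `// TODO: drop once <upstream fosite change> is merged and released`, and the fork should be diffed against the v0.44.0 it displaces before merge. The pseudo-version at least pins a single commit, so the build stays reproducible until the replace is removed.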
@@ -856,8 +858,6 @@ github.com/ory/analytics-go/v4 v4.0.3 h1:2zNBQLlm3UiD8U7DdUGLLUBm62ZA5GtbEJ3S5U+
 github.com/ory/analytics-go/v4 v4.0.3/go.mod h1:A3Chm/3TmM8jw4nqRss+gFhAYHRI5j/HFYH3C1FRahU=
 github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1kY=
 github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
-github.com/ory/fosite v0.44.0 h1:Z3UjyO11/wlIoa3BotOqcTkfm7kUNA8F7dd8mOMfx0o=
-github.com/ory/fosite v0.44.0/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw=
 github.com/ory/go-acc v0.2.8 h1:rOHHAPQjf0u7eHFGWpiXK+gIu/e0GRSJNr9pDukdNC4=
 github.com/ory/go-acc v0.2.8/go.mod h1:iCRZUdGb/7nqvSn8xWZkhfVrtXRZ9Wru2E5rabCjFPI=
diff --git a/spec/config.json b/spec/config.json
index d0a02bbc6cd..554cf20b6e4 100644
--- a/spec/config.json
+++ b/spec/config.json
@@ -970,6 +970,12 @@
 }
 }
 },
+ "token_prefix": {
+ "type": "string",
+ "description": "Sets the prefix for access, refresh, and code tokens. This allows detection of tokens in source code and databases. An additional '_at_', '_rt_', '_ac_' is added after the token_prefix, respectively.",
+ "examples": ["sabre"],
+ "default": "ory"
+ },
 "refresh_token_hook": {
 "type": "string",
 "description": "Sets the refresh token hook endpoint. If set it will be called during token refresh to receive updated token claims.",
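Review bot: The `token_prefix` schema accepts any string, including the empty string and characters outside the Bearer credential alphabet (RFC 6750 limits a bearer token to the b64token characters), so a careless value would yield tokens that clients cannot place in an `Authorization` header or that no longer match what the handler strips. Constrain it in the schema, e.g. `"minLength": 1,` and `"pattern": "^[A-Za-z0-9]+$"` (a constructed example; use whichever alphabet the fosite strategy actually emits), so misconfiguration is caught at load time rather than at the first token exchange. The description also promises an `_ac_` marker for authorization codes, which only the replaced fosite fork can honour, so that sentence should be checked against the fork before it is published as contract.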