forked from ory/fosite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
oauth2.go
385 lines (303 loc) · 15.7 KB
/
oauth2.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
/*
* Copyright © 2015-2018 Aeneas Rekkas <[email protected]>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* @author Aeneas Rekkas <[email protected]>
* @copyright 2015-2018 Aeneas Rekkas <[email protected]>
* @license Apache-2.0
*
*/
package fosite
import (
"context"
"net/http"
"net/url"
"time"
"golang.org/x/text/language"
)
type TokenUse = TokenType
type TokenType string
type GrantType string
const (
AccessToken TokenType = "access_token"
RefreshToken TokenType = "refresh_token"
AuthorizeCode TokenType = "authorize_code"
IDToken TokenType = "id_token"
// PushedAuthorizeRequestContext represents the PAR context object
PushedAuthorizeRequestContext TokenType = "par_context"
GrantTypeImplicit GrantType = "implicit"
GrantTypeRefreshToken GrantType = "refresh_token"
GrantTypeAuthorizationCode GrantType = "authorization_code"
GrantTypePassword GrantType = "password"
GrantTypeClientCredentials GrantType = "client_credentials"
GrantTypeJWTBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" //nolint:gosec // this is not a hardcoded credential
BearerAccessToken string = "bearer"
)
// OAuth2Provider is an interface that enables you to write OAuth2 handlers with only a few lines of code.
// Check Fosite for an implementation of this interface.
type OAuth2Provider interface {
// NewAuthorizeRequest returns an AuthorizeRequest.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1
// Extension response types MAY contain a space-delimited (%x20) list of
// values, where the order of values does not matter (e.g., response
// type "a b" is the same as "b a"). The meaning of such composite
// response types is defined by their respective specifications.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2
// The redirection endpoint URI MUST be an absolute URI as defined by
// [RFC3986] Section 4.3. The endpoint URI MAY include an
// "application/x-www-form-urlencoded" formatted (per Appendix B) query
// component ([RFC3986] Section 3.4), which MUST be retained when adding
// additional query parameters. The endpoint URI MUST NOT include a
// fragment component.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
NewAuthorizeRequest(ctx context.Context, req *http.Request) (AuthorizeRequester, error)
// NewAuthorizeResponse iterates through all response type handlers and returns their result or
// ErrUnsupportedResponseType if none of the handler's were able to handle it.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1.1
// Extension response types MAY contain a space-delimited (%x20) list of
// values, where the order of values does not matter (e.g., response
// type "a b" is the same as "b a"). The meaning of such composite
// response types is defined by their respective specifications.
// If an authorization request is missing the "response_type" parameter,
// or if the response type is not understood, the authorization server
// MUST return an error response as described in Section 4.1.2.1.
NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
// WriteAuthorizeError returns the error codes to the redirection endpoint or shows the error to the user, if no valid
// redirect uri was given. Implements rfc6749#section-4.1.2.1
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.1.2
// The redirection endpoint URI MUST be an absolute URI as defined by
// [RFC3986] Section 4.3. The endpoint URI MAY include an
// "application/x-www-form-urlencoded" formatted (per Appendix B) query
// component ([RFC3986] Section 3.4), which MUST be retained when adding
// additional query parameters. The endpoint URI MUST NOT include a
// fragment component.
// * https://tools.ietf.org/html/rfc6749#section-4.1.2.1 (everything)
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)
// WriteAuthorizeResponse persists the AuthorizeSession in the store and redirects the user agent to the provided
// redirect url or returns an error if storage failed.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#rfc6749#section-4.1.2.1
// After completing its interaction with the resource owner, the
// authorization server directs the resource owner's user-agent back to
// the client. The authorization server redirects the user-agent to the
// client's redirection endpoint previously established with the
// authorization server during the client registration process or when
// making the authorization request.
// * https://tools.ietf.org/html/rfc6749#section-3.1.2.2 (everything MUST be implemented)
WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
// NewAccessRequest creates a new access request object and validates
// various parameters.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-3.2 (everything)
// * https://tools.ietf.org/html/rfc6749#section-3.2.1 (everything)
//
// Furthermore the registered handlers should implement their specs accordingly.
NewAccessRequest(ctx context.Context, req *http.Request, session Session) (AccessRequester, error)
// NewAccessResponse creates a new access response and validates that access_token and token_type are set.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc6749#section-5.1
NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
// WriteAccessError writes an access request error response.
//
// The following specs must be considered in any implementation of this method:
// * https://tools.ietf.org/html/rfc6749#section-5.2 (everything)
WriteAccessError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error)
// WriteAccessResponse writes the access response.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc6749#section-5.1
WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
// NewRevocationRequest handles incoming token revocation requests and validates various parameters.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc7009#section-2.1
NewRevocationRequest(ctx context.Context, r *http.Request) error
// WriteRevocationResponse writes the revoke response.
//
// The following specs must be considered in any implementation of this method:
// https://tools.ietf.org/html/rfc7009#section-2.2
WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error)
// IntrospectToken returns token metadata, if the token is valid. Tokens generated by the authorization endpoint,
// such as the authorization code, can not be introspected.
IntrospectToken(ctx context.Context, token string, tokenUse TokenUse, session Session, scope ...string) (TokenUse, AccessRequester, error)
// NewIntrospectionRequest initiates token introspection as defined in
// https://tools.ietf.org/search/rfc7662#section-2.1
NewIntrospectionRequest(ctx context.Context, r *http.Request, session Session) (IntrospectionResponder, error)
// WriteIntrospectionError responds with an error if token introspection failed as defined in
// https://tools.ietf.org/search/rfc7662#section-2.3
WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error)
// WriteIntrospectionResponse responds with token metadata discovered by token introspection as defined in
// https://tools.ietf.org/search/rfc7662#section-2.2
WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)
// NewPushedAuthorizeRequest validates the request and produces an AuthorizeRequester object that can be stored
NewPushedAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error)
// NewPushedAuthorizeResponse executes the handlers and builds the response
NewPushedAuthorizeResponse(ctx context.Context, ar AuthorizeRequester, session Session) (PushedAuthorizeResponder, error)
// WritePushedAuthorizeResponse writes the PAR response
WritePushedAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, ar AuthorizeRequester, resp PushedAuthorizeResponder)
// WritePushedAuthorizeError writes the PAR error
WritePushedAuthorizeError(ctx context.Context, rw http.ResponseWriter, ar AuthorizeRequester, err error)
}
// IntrospectionResponder is the response object that will be returned when token introspection was successful,
// for example when the client is allowed to perform token introspection. Refer to
// https://tools.ietf.org/search/rfc7662#section-2.2 for more details.
type IntrospectionResponder interface {
// IsActive returns true if the introspected token is active and false otherwise.
IsActive() bool
// AccessRequester returns nil when IsActive() is false and the original access request object otherwise.
GetAccessRequester() AccessRequester
// GetTokenUse optionally returns the type of the token that was introspected. This could be "access_token", "refresh_token",
// or if the type can not be determined an empty string.
GetTokenUse() TokenUse
//GetAccessTokenType optionally returns the type of the access token that was introspected. This could be "bearer", "mac",
// or empty string if the type of the token is refresh token.
GetAccessTokenType() string
}
// Requester is an abstract interface for handling requests in Fosite.
type Requester interface {
// SetID sets the unique identifier.
SetID(id string)
// GetID returns a unique identifier.
GetID() string
// GetRequestedAt returns the time the request was created.
GetRequestedAt() (requestedAt time.Time)
// GetClient returns the request's client.
GetClient() (client Client)
// GetRequestedScopes returns the request's scopes.
GetRequestedScopes() (scopes Arguments)
// GetRequestedAudience returns the requested audiences for this request.
GetRequestedAudience() (audience Arguments)
// SetRequestedScopes sets the request's scopes.
SetRequestedScopes(scopes Arguments)
// SetRequestedAudience sets the requested audience.
SetRequestedAudience(audience Arguments)
// AppendRequestedScope appends a scope to the request.
AppendRequestedScope(scope string)
// GetGrantScopes returns all granted scopes.
GetGrantedScopes() (grantedScopes Arguments)
// GetGrantedAudience returns all granted audiences.
GetGrantedAudience() (grantedAudience Arguments)
// GrantScope marks a request's scope as granted.
GrantScope(scope string)
// GrantAudience marks a request's audience as granted.
GrantAudience(audience string)
// GetSession returns a pointer to the request's session or nil if none is set.
GetSession() (session Session)
// SetSession sets the request's session pointer.
SetSession(session Session)
// GetRequestForm returns the request's form input.
GetRequestForm() url.Values
// Merge merges the argument into the method receiver.
Merge(requester Requester)
// Sanitize returns a sanitized clone of the request which can be used for storage.
Sanitize(allowedParameters []string) Requester
}
// AccessRequester is a token endpoint's request context.
type AccessRequester interface {
// GetGrantType returns the requests grant type.
GetGrantTypes() (grantTypes Arguments)
Requester
}
// AuthorizeRequester is an authorize endpoint's request context.
type AuthorizeRequester interface {
// GetResponseTypes returns the requested response types
GetResponseTypes() (responseTypes Arguments)
// SetResponseTypeHandled marks a response_type (e.g. token or code) as handled indicating that the response type
// is supported.
SetResponseTypeHandled(responseType string)
// DidHandleAllResponseTypes returns if all requested response types have been handled correctly
DidHandleAllResponseTypes() (didHandle bool)
// GetRedirectURI returns the requested redirect URI
GetRedirectURI() (redirectURL *url.URL)
// IsRedirectURIValid returns false if the redirect is not rfc-conform (i.e. missing client, not on white list,
// or malformed)
IsRedirectURIValid() (isValid bool)
// GetState returns the request's state.
GetState() (state string)
// GetResponseMode returns response_mode of the authorization request
GetResponseMode() ResponseModeType
// SetDefaultResponseMode sets default response mode for a response type in a flow
SetDefaultResponseMode(responseMode ResponseModeType)
// GetDefaultResponseMode gets default response mode for a response type in a flow
GetDefaultResponseMode() ResponseModeType
Requester
}
// AccessResponder is a token endpoint's response.
type AccessResponder interface {
// SetExtra sets a key value pair for the access response.
SetExtra(key string, value interface{})
// GetExtra returns a key's value.
GetExtra(key string) interface{}
SetExpiresIn(time.Duration)
SetScopes(scopes Arguments)
// SetAccessToken sets the responses mandatory access token.
SetAccessToken(token string)
// SetTokenType set's the responses mandatory token type
SetTokenType(tokenType string)
// SetAccessToken returns the responses access token.
GetAccessToken() (token string)
// GetTokenType returns the responses token type.
GetTokenType() (token string)
// ToMap converts the response to a map.
ToMap() map[string]interface{}
}
// AuthorizeResponder is an authorization endpoint's response.
type AuthorizeResponder interface {
// GetCode returns the response's authorize code if set.
GetCode() string
// GetHeader returns the response's header
GetHeader() (header http.Header)
// AddHeader adds an header key value pair to the response
AddHeader(key, value string)
// GetParameters returns the response's parameters
GetParameters() (query url.Values)
// AddParameter adds key value pair to the response
AddParameter(key, value string)
}
// PushedAuthorizeResponder is the response object for PAR
type PushedAuthorizeResponder interface {
// GetRequestURI returns the request_uri
GetRequestURI() string
// SetRequestURI sets the request_uri
SetRequestURI(requestURI string)
// GetExpiresIn gets the expires_in
GetExpiresIn() int
// SetExpiresIn sets the expires_in
SetExpiresIn(seconds int)
// GetHeader returns the response's header
GetHeader() (header http.Header)
// AddHeader adds an header key value pair to the response
AddHeader(key, value string)
// SetExtra sets a key value pair for the response.
SetExtra(key string, value interface{})
// GetExtra returns a key's value.
GetExtra(key string) interface{}
// ToMap converts the response to a map.
ToMap() map[string]interface{}
}
// G11NContext is the globalization context
type G11NContext interface {
// GetLang returns the current language in the context
GetLang() language.Tag
}