authorizer/server/handlers/token.go

package handlers

import (
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strings"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/google/uuid"
	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/token"
)

type RequestBody struct {
	CodeVerifier string `form:"code_verifier" json:"code_verifier"`
	Code         string `form:"code" json:"code"`
	ClientID     string `form:"client_id" json:"client_id"`
	ClientSecret string `form:"client_secret" json:"client_secret"`
	GrantType    string `form:"grant_type" json:"grant_type"`
	RefreshToken string `form:"refresh_token" json:"refresh_token"`
	RedirectURI  string `form:"redirect_uri" json:"redirect_uri"`
}

// TokenHandler to handle /oauth/token requests
// grant type required
func TokenHandler() gin.HandlerFunc {
	return func(gc *gin.Context) {
		var reqBody RequestBody
		if err := gc.Bind(&reqBody); err != nil {
			log.Debug("Error binding JSON: ", err)
			gc.JSON(http.StatusBadRequest, gin.H{
				"error":             "error_binding_json",
				"error_description": err.Error(),
			})
			return
		}

		codeVerifier := strings.TrimSpace(reqBody.CodeVerifier)
		code := strings.TrimSpace(reqBody.Code)
		clientID := strings.TrimSpace(reqBody.ClientID)
		grantType := strings.TrimSpace(reqBody.GrantType)
		refreshToken := strings.TrimSpace(reqBody.RefreshToken)
		clientSecret := strings.TrimSpace(reqBody.ClientSecret)

		if grantType == "" {
			grantType = "authorization_code"
		}

		isRefreshTokenGrant := grantType == "refresh_token"
		isAuthorizationCodeGrant := grantType == "authorization_code"

		if !isRefreshTokenGrant && !isAuthorizationCodeGrant {
			log.Debug("Invalid grant type: ", grantType)
			gc.JSON(http.StatusBadRequest, gin.H{
				"error":             "invalid_grant_type",
				"error_description": "grant_type is invalid",
			})
		}

		// check if clientID & clientSecret are present as part of
		// authorization header with basic auth
		if clientID == "" && clientSecret == "" {
			clientID, clientSecret, _ = gc.Request.BasicAuth()
		}

		if clientID == "" {
			log.Debug("Client ID is empty")
			gc.JSON(http.StatusBadRequest, gin.H{
				"error":             "client_id_required",
				"error_description": "The client id is required",
			})
			return
		}

		if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); clientID != client || err != nil {
			log.Debug("Client ID is invalid: ", clientID)
			gc.JSON(http.StatusBadRequest, gin.H{
				"error":             "invalid_client_id",
				"error_description": "The client id is invalid",
			})
			return
		}

		var userID string
		var roles, scope []string
		loginMethod := ""
		sessionKey := ""

		if isAuthorizationCodeGrant {
			if code == "" {
				log.Debug("Code is empty")
				gc.JSON(http.StatusBadRequest, gin.H{
					"error":             "invalid_code",
					"error_description": "The code is required",
				})
				return
			}

			if codeVerifier == "" && clientSecret == "" {
				gc.JSON(http.StatusBadRequest, gin.H{
					"error":             "invalid_dat",
					"error_description": "The code verifier or client secret is required",
				})
				return
			}
			// Get state
			sessionData, err := memorystore.Provider.GetState(code)
			if sessionData == "" || err != nil {
				log.Debug("Session data is empty")
				gc.JSON(http.StatusBadRequest, gin.H{
					"error":             "invalid_code",
					"error_description": "The code is invalid",
				})
				return
			}

			// [0] -> code_challenge
			// [1] -> session cookie
			sessionDataSplit := strings.Split(sessionData, "@@")

			go memorystore.Provider.RemoveState(code)

			if codeVerifier != "" {
				hash := sha256.New()
				hash.Write([]byte(codeVerifier))
				encryptedCode := strings.ReplaceAll(base64.RawURLEncoding.EncodeToString(hash.Sum(nil)), "+", "-")
				encryptedCode = strings.ReplaceAll(encryptedCode, "/", "_")
				encryptedCode = strings.ReplaceAll(encryptedCode, "=", "")
				if encryptedCode != sessionDataSplit[0] {
					gc.JSON(http.StatusBadRequest, gin.H{
						"error":             "invalid_code_verifier",
						"error_description": "The code verifier is invalid",
					})
					return
				}

			} else {
				if clientHash, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientSecret); clientSecret != clientHash || err != nil {
					log.Debug("Client Secret is invalid: ", clientID)
					gc.JSON(http.StatusBadRequest, gin.H{
						"error":             "invalid_client_secret",
						"error_description": "The client secret is invalid",
					})
					return
				}
			}

			// validate session
			claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])
			if err != nil {
				log.Debug("Error validating session: ", err)
				gc.JSON(http.StatusUnauthorized, gin.H{
					"error":             "unauthorized",
					"error_description": "Invalid session data",
				})
				return
			}

			userID = claims.Subject
			roles = claims.Roles
			scope = claims.Scope
			loginMethod = claims.LoginMethod

			// rollover the session for security
			sessionKey = userID
			if loginMethod != "" {
				sessionKey = loginMethod + ":" + userID
			}

			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)

		} else {
			// validate refresh token
			if refreshToken == "" {
				log.Debug("Refresh token is empty")
				gc.JSON(http.StatusBadRequest, gin.H{
					"error":             "invalid_refresh_token",
					"error_description": "The refresh token is invalid",
				})
				return
			}

			claims, err := token.ValidateRefreshToken(gc, refreshToken)
			if err != nil {
				log.Debug("Error validating refresh token: ", err)
				gc.JSON(http.StatusUnauthorized, gin.H{
					"error":             "unauthorized",
					"error_description": err.Error(),
				})
				return
			}
			userID = claims["sub"].(string)
			claimLoginMethod := claims["login_method"]
			rolesInterface := claims["roles"].([]interface{})
			scopeInterface := claims["scope"].([]interface{})
			for _, v := range rolesInterface {
				roles = append(roles, v.(string))
			}
			for _, v := range scopeInterface {
				scope = append(scope, v.(string))
			}

			sessionKey = userID
			if claimLoginMethod != nil && claimLoginMethod != "" {
				sessionKey = claimLoginMethod.(string) + ":" + sessionKey
				loginMethod = claimLoginMethod.(string)
			}

			// remove older refresh token and rotate it for security
			go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))
		}

		if sessionKey == "" {
			log.Debug("Error getting sessionKey: ", sessionKey, loginMethod)
			gc.JSON(http.StatusUnauthorized, gin.H{
				"error":             "unauthorized",
				"error_description": "User not found",
			})
			return
		}

		user, err := db.Provider.GetUserByID(gc, userID)
		if err != nil {
			log.Debug("Error getting user: ", err)
			gc.JSON(http.StatusUnauthorized, gin.H{
				"error":             "unauthorized",
				"error_description": "User not found",
			})
			return
		}

		nonce := uuid.New().String() + "@@" + code
		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
		if err != nil {
			log.Debug("Error creating auth token: ", err)
			gc.JSON(http.StatusUnauthorized, gin.H{
				"error":             "unauthorized",
				"error_description": "User not found",
			})
			return
		}

		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
		cookie.SetSession(gc, authToken.FingerPrintHash)

		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
		if expiresIn <= 0 {
			expiresIn = 1
		}

		res := map[string]interface{}{
			"access_token": authToken.AccessToken.Token,
			"id_token":     authToken.IDToken.Token,
			"scope":        scope,
			"roles":        roles,
			"expires_in":   expiresIn,
		}

		if authToken.RefreshToken != nil {
			res["refresh_token"] = authToken.RefreshToken.Token
			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
		}

		gc.JSON(http.StatusOK, res)
	}
}
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`package handlers`

			`import (`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"net/http"`
			`"strings"`
enhancement: add access_token_expiry_time env variable 2022-03-25 12:21:20 +00:00			`"time"`
feat: add token endpoint 2022-03-04 07:26:11 +00:00
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`"github.com/gin-gonic/gin"`
feat: add nonce variable to create auth token 2022-10-23 15:38:08 +00:00			`"github.com/google/uuid"`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log "github.com/sirupsen/logrus"`

fix: oauth login 2022-03-07 03:01:39 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`"github.com/authorizerdev/authorizer/server/cookie"`
			`"github.com/authorizerdev/authorizer/server/db"`
fix: move sessionstore -> memstore 2022-05-27 17:50:38 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
			`)`

fix: openid flow 2022-11-12 18:24:37 +00:00			`type RequestBody struct {`
			CodeVerifier string `form:"code_verifier" json:"code_verifier"`
			Code string `form:"code" json:"code"`
			ClientID string `form:"client_id" json:"client_id"`
			ClientSecret string `form:"client_secret" json:"client_secret"`
			GrantType string `form:"grant_type" json:"grant_type"`
			RefreshToken string `form:"refresh_token" json:"refresh_token"`
			RedirectURI string `form:"redirect_uri" json:"redirect_uri"`
			`}`

feat: add revoke mutation + handler 2022-03-08 13:19:42 +00:00			`// TokenHandler to handle /oauth/token requests`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`// grant type required`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`func TokenHandler() gin.HandlerFunc {`
			`return func(gc *gin.Context) {`
fix: openid flow 2022-11-12 18:24:37 +00:00			`var reqBody RequestBody`
			`if err := gc.Bind(&reqBody); err != nil {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Error binding JSON: ", err)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "error_binding_json",`
			`"error_description": err.Error(),`
			`})`
			`return`
			`}`

fix: openid flow 2022-11-12 18:24:37 +00:00			`codeVerifier := strings.TrimSpace(reqBody.CodeVerifier)`
			`code := strings.TrimSpace(reqBody.Code)`
			`clientID := strings.TrimSpace(reqBody.ClientID)`
			`grantType := strings.TrimSpace(reqBody.GrantType)`
			`refreshToken := strings.TrimSpace(reqBody.RefreshToken)`
			`clientSecret := strings.TrimSpace(reqBody.ClientSecret)`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00
			`if grantType == "" {`
			`grantType = "authorization_code"`
			`}`

			`isRefreshTokenGrant := grantType == "refresh_token"`
			`isAuthorizationCodeGrant := grantType == "authorization_code"`

			`if !isRefreshTokenGrant && !isAuthorizationCodeGrant {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid grant type: ", grantType)`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_grant_type",`
			`"error_description": "grant_type is invalid",`
			`})`
			`}`
fix: oauth login 2022-03-07 03:01:39 +00:00
feat(server): allow using client_id & secret from basic auth header in token endpoint 2022-11-16 17:10:45 +00:00			`// check if clientID & clientSecret are present as part of`
			`// authorization header with basic auth`
fix(server): basic auth check 2022-11-17 00:14:40 +00:00			`if clientID == "" && clientSecret == "" {`
feat(server): allow using client_id & secret from basic auth header in token endpoint 2022-11-16 17:10:45 +00:00			`clientID, clientSecret, _ = gc.Request.BasicAuth()`
			`}`

fix: oauth login 2022-03-07 03:01:39 +00:00			`if clientID == "" {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Client ID is empty")`
fix: oauth login 2022-03-07 03:01:39 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "client_id_required",`
			`"error_description": "The client id is required",`
			`})`
			`return`
			`}`

fix: update store method till handlers 2022-05-29 11:52:46 +00:00			`if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); clientID != client \|\| err != nil {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Client ID is invalid: ", clientID)`
fix: oauth login 2022-03-07 03:01:39 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_client_id",`
			`"error_description": "The client id is invalid",`
			`})`
			`return`
			`}`
feat: add token endpoint 2022-03-04 07:26:11 +00:00
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`var userID string`
			`var roles, scope []string`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`loginMethod := ""`
			`sessionKey := ""`

feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`if isAuthorizationCodeGrant {`
			`if code == "" {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Code is empty")`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_code",`
			`"error_description": "The code is required",`
			`})`
			`return`
			`}`
feat: add token endpoint 2022-03-04 07:26:11 +00:00
fix: openid flow 2022-11-12 18:24:37 +00:00			`if codeVerifier == "" && clientSecret == "" {`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
fix: openid flow 2022-11-12 18:24:37 +00:00			`"error": "invalid_dat",`
			`"error_description": "The code verifier or client secret is required",`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`})`
			`return`
			`}`
fix: openid flow 2022-11-12 18:24:37 +00:00			`// Get state`
			`sessionData, err := memorystore.Provider.GetState(code)`
			`if sessionData == "" \|\| err != nil {`
			`log.Debug("Session data is empty")`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
fix: openid flow 2022-11-12 18:24:37 +00:00			`"error": "invalid_code",`
			`"error_description": "The code is invalid",`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`})`
			`return`
			`}`

fix: openid flow 2022-11-12 18:24:37 +00:00			`// [0] -> code_challenge`
			`// [1] -> session cookie`
			`sessionDataSplit := strings.Split(sessionData, "@@")`

			`go memorystore.Provider.RemoveState(code)`

			`if codeVerifier != "" {`
			`hash := sha256.New()`
			`hash.Write([]byte(codeVerifier))`
			`encryptedCode := strings.ReplaceAll(base64.RawURLEncoding.EncodeToString(hash.Sum(nil)), "+", "-")`
			`encryptedCode = strings.ReplaceAll(encryptedCode, "/", "_")`
			`encryptedCode = strings.ReplaceAll(encryptedCode, "=", "")`
			`if encryptedCode != sessionDataSplit[0] {`
			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_code_verifier",`
			`"error_description": "The code verifier is invalid",`
			`})`
			`return`
			`}`

			`} else {`
			`if clientHash, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientSecret); clientSecret != clientHash \|\| err != nil {`
			`log.Debug("Client Secret is invalid: ", clientID)`
			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_client_secret",`
			`"error_description": "The client secret is invalid",`
			`})`
			`return`
			`}`
			`}`

feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`// validate session`
			`claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])`
			`if err != nil {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Error validating session: ", err)`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusUnauthorized, gin.H{`
			`"error": "unauthorized",`
			`"error_description": "Invalid session data",`
			`})`
			`return`
			`}`
fix: authorize endpoint setting user session 2022-08-29 02:48:20 +00:00
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`userID = claims.Subject`
			`roles = claims.Roles`
			`scope = claims.Scope`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`loginMethod = claims.LoginMethod`
fix: authorize endpoint setting user session 2022-08-29 02:48:20 +00:00
fix: user session access 2022-06-11 18:57:21 +00:00			`// rollover the session for security`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`sessionKey = userID`
			`if loginMethod != "" {`
			`sessionKey = loginMethod + ":" + userID`
			`}`
fix: authorize endpoint setting user session 2022-08-29 02:48:20 +00:00
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)`
fix: openid flow 2022-11-12 18:24:37 +00:00
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`} else {`
			`// validate refresh token`
			`if refreshToken == "" {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Refresh token is empty")`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusBadRequest, gin.H{`
			`"error": "invalid_refresh_token",`
			`"error_description": "The refresh token is invalid",`
			`})`
fixed validation of refresh token 2022-11-03 10:51:59 +00:00			`return`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`}`

			`claims, err := token.ValidateRefreshToken(gc, refreshToken)`
			`if err != nil {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Error validating refresh token: ", err)`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`gc.JSON(http.StatusUnauthorized, gin.H{`
			`"error": "unauthorized",`
			`"error_description": err.Error(),`
			`})`
fixed validation of refresh token 2022-11-03 10:51:59 +00:00			`return`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`}`
			`userID = claims["sub"].(string)`
fix: refresh token login method claim 2022-11-03 20:10:18 +00:00			`claimLoginMethod := claims["login_method"]`
fix: refresh token store info 2022-03-08 15:43:23 +00:00			`rolesInterface := claims["roles"].([]interface{})`
			`scopeInterface := claims["scope"].([]interface{})`
			`for _, v := range rolesInterface {`
			`roles = append(roles, v.(string))`
			`}`
			`for _, v := range scopeInterface {`
			`scope = append(scope, v.(string))`
			`}`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00
			`sessionKey = userID`
fix: refresh token login method claim 2022-11-03 20:10:18 +00:00			`if claimLoginMethod != nil && claimLoginMethod != "" {`
			`sessionKey = claimLoginMethod.(string) + ":" + sessionKey`
			`loginMethod = claimLoginMethod.(string)`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`}`
fix: refresh token login method claim 2022-11-03 20:10:18 +00:00
fix: rotate refresh token 2022-03-08 13:48:33 +00:00			`// remove older refresh token and rotate it for security`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))`
			`}`

			`if sessionKey == "" {`
			`log.Debug("Error getting sessionKey: ", sessionKey, loginMethod)`
			`gc.JSON(http.StatusUnauthorized, gin.H{`
			`"error": "unauthorized",`
			`"error_description": "User not found",`
			`})`
			`return`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`}`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00
feat: implement resolvers 2022-07-10 16:19:33 +00:00			`user, err := db.Provider.GetUserByID(gc, userID)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`if err != nil {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Error getting user: ", err)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`gc.JSON(http.StatusUnauthorized, gin.H{`
			`"error": "unauthorized",`
			`"error_description": "User not found",`
			`})`
			`return`
			`}`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00
fix: openid flow 2022-11-12 18:24:37 +00:00			`nonce := uuid.New().String() + "@@" + code`
fix(server): creepy @@ string split logic for auth_token 2022-11-12 19:52:21 +00:00			`authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`if err != nil {`
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`log.Debug("Error creating auth token: ", err)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`gc.JSON(http.StatusUnauthorized, gin.H{`
			`"error": "unauthorized",`
			`"error_description": "User not found",`
			`})`
			`return`
			`}`
fix: refresh token login method claim 2022-11-03 20:10:18 +00:00
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)`
			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`cookie.SetSession(gc, authToken.FingerPrintHash)`

enhancement: add access_token_expiry_time env variable 2022-03-25 12:21:20 +00:00			`expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()`
			`if expiresIn <= 0 {`
			`expiresIn = 1`
			`}`

feat: add token endpoint 2022-03-04 07:26:11 +00:00			`res := map[string]interface{}{`
			`"access_token": authToken.AccessToken.Token,`
			`"id_token": authToken.IDToken.Token,`
feat: add ability to get access token based on refresh token 2022-03-08 09:26:46 +00:00			`"scope": scope,`
			`"roles": roles,`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`"expires_in": expiresIn,`
			`}`

			`if authToken.RefreshToken != nil {`
			`res["refresh_token"] = authToken.RefreshToken.Token`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`}`

			`gc.JSON(http.StatusOK, res)`
			`}`
			`}`