devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

feat: add support for response mode

Browse Source
This commit is contained in:
Lakhan Samani 2022-03-07 18:49:18 +05:30
parent 7b09a8817c
commit 128a2a8f75
4 changed files with 163 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/crypto/common.go
View File

@ -94,6 +94,7 @@ func EncryptEnvData(data envstore.Store) (string, error) {
if err != nil { if err != nil {
return "", err return "", err
} }
encryptedConfig, err := EncryptAESEnv(configData) encryptedConfig, err := EncryptAESEnv(configData)
if err != nil { if err != nil {
return "", err return "", err

2
server/env/persist_env.go vendored
View File

@ -112,7 +112,7 @@ func PersistEnv() error {
for key, value := range storeData.StringEnv { for key, value := range storeData.StringEnv {
// don't override unexposed envs // don't override unexposed envs
if key != constants.EnvKeyEncryptionKey && key != constants.EnvKeyClientID && key != constants.EnvKeyClientSecret && key != constants.EnvKeyJWK { if key != constants.EnvKeyEncryptionKey {
// check only for derivative keys // check only for derivative keys
// No need to check for ENCRYPTION_KEY which special key we use for encrypting config data // No need to check for ENCRYPTION_KEY which special key we use for encrypting config data
// as we have removed it from json // as we have removed it from json

269
server/handlers/authorize.go
View File

@ -6,10 +6,12 @@ import (
"github.com/authorizerdev/authorizer/server/constants" "github.com/authorizerdev/authorizer/server/constants"
"github.com/authorizerdev/authorizer/server/cookie" "github.com/authorizerdev/authorizer/server/cookie"
"github.com/authorizerdev/authorizer/server/crypto"
"github.com/authorizerdev/authorizer/server/db" "github.com/authorizerdev/authorizer/server/db"
"github.com/authorizerdev/authorizer/server/envstore" "github.com/authorizerdev/authorizer/server/envstore"
"github.com/authorizerdev/authorizer/server/sessionstore" "github.com/authorizerdev/authorizer/server/sessionstore"
"github.com/authorizerdev/authorizer/server/token" "github.com/authorizerdev/authorizer/server/token"
"github.com/authorizerdev/authorizer/server/utils"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/google/uuid" "github.com/google/uuid"
) )
@ -17,6 +19,7 @@ import (
// AuthorizeHandler is the handler for the /authorize route // AuthorizeHandler is the handler for the /authorize route
// required params // required params
// ?redirect_uri = redirect url // ?redirect_uri = redirect url
// ?response_mode = to decide if result should be html or re-direct
// state[recommended] = to prevent CSRF attack (for authorizer its compulsory) // state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
// code_challenge = to prevent CSRF attack // code_challenge = to prevent CSRF attack
// code_challenge_method = to prevent CSRF attack [only sh256 is supported] // code_challenge_method = to prevent CSRF attack [only sh256 is supported]
@ -31,56 +34,74 @@ func AuthorizeHandler() gin.HandlerFunc {
scopeString := strings.TrimSpace(gc.Query("scope")) scopeString := strings.TrimSpace(gc.Query("scope"))
clientID := strings.TrimSpace(gc.Query("client_id")) clientID := strings.TrimSpace(gc.Query("client_id"))
template := "authorize.tmpl" template := "authorize.tmpl"
responseMode := strings.TrimSpace(gc.Query("response_mode"))
if responseMode == "" {
responseMode = "query"
}
if responseMode != "query" && responseMode != "web_message" {
gc.JSON(400, gin.H{"error": "invalid response mode"})
}
if redirectURI == "" {
redirectURI = "/app"
}
isQuery := responseMode == "query"
hostname := utils.GetHost(gc)
loginRedirectState := crypto.EncryptB64(`{"authorizerURL":"` + hostname + `","redirectURL":"` + redirectURI + `"}`)
loginURL := "/app?state=" + loginRedirectState
if clientID == "" { if clientID == "" {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "client_id is required", "authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "client_id is required",
},
}, },
}, })
}) }
return return
} }
if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) { if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "invalid_client_id", "authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "invalid_client_id",
},
}, },
}, })
}) }
return
}
if redirectURI == "" {
gc.HTML(http.StatusOK, template, gin.H{
"target_origin": redirectURI,
"authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "redirect_uri is required",
},
},
})
return return
} }
if state == "" { if state == "" {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "state is required", "authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "state is required",
},
}, },
}, })
}) }
return return
} }
@ -99,76 +120,96 @@ func AuthorizeHandler() gin.HandlerFunc {
isResponseTypeToken := responseType == "token" isResponseTypeToken := responseType == "token"
if !isResponseTypeCode && !isResponseTypeToken { if !isResponseTypeCode && !isResponseTypeToken {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "response_type is invalid", "authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "response_type is invalid",
},
}, },
}, })
}) }
return return
} }
if isResponseTypeCode { if isResponseTypeCode {
if codeChallenge == "" { if codeChallenge == "" {
gc.HTML(http.StatusBadRequest, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusBadRequest, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "code_challenge is required", "authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "code_challenge is required",
},
}, },
}, })
}) }
return return
} }
} }
sessionToken, err := cookie.GetSession(gc) sessionToken, err := cookie.GetSession(gc)
if err != nil { if err != nil {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "login_required", "authorization_response": map[string]interface{}{
"error_description": "Login is required", "type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
}, },
}, })
}) }
return return
} }
// get session from cookie // get session from cookie
claims, err := token.ValidateBrowserSession(gc, sessionToken) claims, err := token.ValidateBrowserSession(gc, sessionToken)
if err != nil { if err != nil {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "login_required", "authorization_response": map[string]interface{}{
"error_description": "Login is required", "type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
}, },
}, })
}) }
return return
} }
userID := claims.Subject userID := claims.Subject
user, err := db.Provider.GetUserByID(userID) user, err := db.Provider.GetUserByID(userID)
if err != nil { if err != nil {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "signup_required", "authorization_response": map[string]interface{}{
"error_description": "Sign up required", "type": "authorization_response",
"response": map[string]string{
"error": "signup_required",
"error_description": "Sign up required",
},
}, },
}, })
}) }
return return
} }
@ -180,16 +221,20 @@ func AuthorizeHandler() gin.HandlerFunc {
nonce := uuid.New().String() nonce := uuid.New().String()
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope) newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope)
if err != nil { if err != nil {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "login_required", "authorization_response": map[string]interface{}{
"error_description": "Login is required", "type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
}, },
}, })
}) }
return return
} }
@ -214,16 +259,20 @@ func AuthorizeHandler() gin.HandlerFunc {
// rollover the session for security // rollover the session for security
authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope) authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope)
if err != nil { if err != nil {
gc.HTML(http.StatusOK, template, gin.H{ if isQuery {
"target_origin": redirectURI, gc.Redirect(http.StatusFound, loginURL)
"authorization_response": map[string]interface{}{ } else {
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "login_required", "authorization_response": map[string]interface{}{
"error_description": "Login is required", "type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
}, },
}, })
}) }
return return
} }
sessionstore.RemoveState(sessionToken) sessionstore.RemoveState(sessionToken)
@ -256,16 +305,20 @@ func AuthorizeHandler() gin.HandlerFunc {
return return
} }
// by default return with error if isQuery {
gc.HTML(http.StatusOK, template, gin.H{ gc.Redirect(http.StatusFound, loginURL)
"target_origin": redirectURI, } else {
"authorization_response": map[string]interface{}{ // by default return with error
"type": "authorization_response", gc.HTML(http.StatusOK, template, gin.H{
"response": map[string]string{ "target_origin": redirectURI,
"error": "login_required", "authorization_response": map[string]interface{}{
"error_description": "Login is required", "type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
}, },
}, })
}) }
} }
} }

1
templates/authorize.tmpl
View File

@ -8,7 +8,6 @@
(function (window, document) { (function (window, document) {
var targetOrigin = {{.target_origin}}; var targetOrigin = {{.target_origin}};
var authorizationResponse = {{.authorization_response}}; var authorizationResponse = {{.authorization_response}};
console.log({targetOrigin})
window.parent.postMessage(authorizationResponse, targetOrigin); window.parent.postMessage(authorizationResponse, targetOrigin);
})(this, this.document); })(this, this.document);
</script> </script>