Merge branch 'main' of https://github.com/authorizerdev/authorizer into fix/oauth-provider

2022-11-10 22:51:13 +05:30
parent 274909b7c9 e525877467
commit 4775641431
28 changed files with 523 additions and 93 deletions
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@@ -112,16 +112,17 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
 		return "", 0, err
 	}
 	customClaims := jwt.MapClaims{
-		"iss":          hostname,
-		"aud":          clientID,
-		"sub":          user.ID,
-		"exp":          expiresAt,
-		"iat":          time.Now().Unix(),
-		"token_type":   constants.TokenTypeRefreshToken,
-		"roles":        roles,
-		"scope":        scopes,
-		"nonce":        nonce,
-		"login_method": loginMethod,
+		"iss":           hostname,
+		"aud":           clientID,
+		"sub":           user.ID,
+		"exp":           expiresAt,
+		"iat":           time.Now().Unix(),
+		"token_type":    constants.TokenTypeRefreshToken,
+		"roles":         roles,
+		"scope":         scopes,
+		"nonce":         nonce,
+		"login_method":  loginMethod,
+		"allowed_roles": strings.Split(user.Roles, ","),
 	}

 	token, err := SignJWTToken(customClaims)
@@ -151,16 +152,17 @@ func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce
 		return "", 0, err
 	}
 	customClaims := jwt.MapClaims{
-		"iss":          hostName,
-		"aud":          clientID,
-		"nonce":        nonce,
-		"sub":          user.ID,
-		"exp":          expiresAt,
-		"iat":          time.Now().Unix(),
-		"token_type":   constants.TokenTypeAccessToken,
-		"scope":        scopes,
-		"roles":        roles,
-		"login_method": loginMethod,
+		"iss":           hostName,
+		"aud":           clientID,
+		"nonce":         nonce,
+		"sub":           user.ID,
+		"exp":           expiresAt,
+		"iat":           time.Now().Unix(),
+		"token_type":    constants.TokenTypeAccessToken,
+		"scope":         scopes,
+		"roles":         roles,
+		"login_method":  loginMethod,
+		"allowed_roles": strings.Split(user.Roles, ","),
 	}

 	token, err := SignJWTToken(customClaims)
@@ -254,7 +256,6 @@ func ValidateRefreshToken(gc *gin.Context, refreshToken string) (map[string]inte
 	if loginMethod != nil && loginMethod != "" {
 		sessionKey = loginMethod.(string) + ":" + userID
 	}
-
 	token, err := memorystore.Provider.GetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+nonce)
 	if nonce == "" || err != nil {
 		return res, fmt.Errorf(`unauthorized`)