devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

fix(server): add flow comment

Browse Source
This commit is contained in:
Lakhan Samani 2022-11-13 00:40:28 +05:30
parent c09558043e
commit 9320f1cb07
1 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
server/handlers/authorize.go
View File

@ -1,5 +1,36 @@
package handlers package handlers
/**
LOGIC TO REMEMBER THE AUTHORIZE FLOW
jargons
`at_hash` -> access_token_hash
`c_hash` -> code_hash
# ResponseType: Code
with /authorize request
- set state [state, code@@challenge]
- add &code to login redirect url
login resolver has optional param state
-if state found in store, split with @@
- if len > 1 -> response type is code and has code + challenge
- set `nonce@@code` for createAuthToken request so that `c_hash` can be generated
- do not add `nonce` to id_token in code flow, instead set `c_hash` and `at_hash`
# ResponseType: token / id_token
with /authorize request
- set state [state, nonce]
- add &nonce to login redirect url
login resolver has optional param state
- if state found in store, split with @@
- if len < 1 -> response type is token / id_token and has nonce
- send received nonce for createAuthToken
- set `nonce` and `at_hash` in `id_token`
**/
import ( import (
"fmt" "fmt"
"net/http" "net/http"
@ -19,6 +50,15 @@ import (
"github.com/authorizerdev/authorizer/server/utils" "github.com/authorizerdev/authorizer/server/utils"
) )
// Check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
// Check following docs for understanding request / response params for various types of requests: https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow
const (
authorizeWebMessageTemplate = "authorize_web_message.tmpl"
authorizeFormPostTemplate = "authorize_form_post.tmpl"
)
// AuthorizeHandler is the handler for the /authorize route // AuthorizeHandler is the handler for the /authorize route
// required params // required params
// ?redirect_uri = redirect url // ?redirect_uri = redirect url
@ -26,14 +66,6 @@ import (
// state[recommended] = to prevent CSRF attack (for authorizer its compulsory) // state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
// code_challenge = to prevent CSRF attack // code_challenge = to prevent CSRF attack
// code_challenge_method = to prevent CSRF attack [only sh256 is supported] // code_challenge_method = to prevent CSRF attack [only sh256 is supported]
// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
const (
authorizeWebMessageTemplate = "authorize_web_message.tmpl"
authorizeFormPostTemplate = "authorize_form_post.tmpl"
)
func AuthorizeHandler() gin.HandlerFunc { func AuthorizeHandler() gin.HandlerFunc {
return func(gc *gin.Context) { return func(gc *gin.Context) {
redirectURI := strings.TrimSpace(gc.Query("redirect_uri")) redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))