From e6a4670ba965559f1e3b85b0761113a6e849bbdd Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Wed, 29 Jun 2022 09:54:12 +0530 Subject: [PATCH] fix: add provider to token creation --- server/handlers/authorize.go | 2 +- server/token/auth_token.go | 30 ++++++++++++++++++++---------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go index 3a8b6ab..0157d83 100644 --- a/server/handlers/authorize.go +++ b/server/handlers/authorize.go @@ -219,7 +219,7 @@ func AuthorizeHandler() gin.HandlerFunc { } // if user is logged in - // based on the response type, generate the response + // based on the response type code, generate the response if isResponseTypeCode { // rollover the session for security go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce) diff --git a/server/token/auth_token.go b/server/token/auth_token.go index 0076ff9..c7f01c9 100644 --- a/server/token/auth_token.go +++ b/server/token/auth_token.go @@ -44,15 +44,17 @@ type SessionData struct { Nonce string `json:"nonce"` IssuedAt int64 `json:"iat"` ExpiresAt int64 `json:"exp"` + Provider string `json:"provider"` } // CreateSessionToken creates a new session token -func CreateSessionToken(user models.User, nonce string, roles, scope []string) (*SessionData, string, error) { +func CreateSessionToken(user models.User, nonce string, roles, scope []string, provider string) (*SessionData, string, error) { fingerPrintMap := &SessionData{ Nonce: nonce, Roles: roles, Subject: user.ID, Scope: scope, + Provider: provider, IssuedAt: time.Now().Unix(), ExpiresAt: time.Now().AddDate(1, 0, 0).Unix(), } @@ -66,19 +68,19 @@ func CreateSessionToken(user models.User, nonce string, roles, scope []string) ( } // CreateAuthToken creates a new auth token when userlogs in -func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (*Token, error) { +func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, provider string) (*Token, error) { hostname := parsers.GetHost(gc) nonce := uuid.New().String() - _, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope) + _, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope, provider) if err != nil { return nil, err } - accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce) + accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce, provider) if err != nil { return nil, err } - idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce) + idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce, provider) if err != nil { return nil, err } @@ -91,7 +93,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) ( } if utils.StringSliceContains(scope, "offline_access") { - refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce) + refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, provider) if err != nil { return nil, err } @@ -103,7 +105,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) ( } // CreateRefreshToken util to create JWT token -func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce string) (string, int64, error) { +func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce, provider string) (string, int64, error) { // expires in 1 year expiryBound := time.Hour * 8760 expiresAt := time.Now().Add(expiryBound).Unix() @@ -121,6 +123,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc "roles": roles, "scope": scopes, "nonce": nonce, + "provider": provider, } token, err := SignJWTToken(customClaims) @@ -133,7 +136,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc // CreateAccessToken util to create JWT token, based on // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT -func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce string) (string, int64, error) { +func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce, provider string) (string, int64, error) { expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime) if err != nil { return "", 0, err @@ -159,6 +162,7 @@ func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce "token_type": constants.TokenTypeAccessToken, "scope": scopes, "roles": roles, + "provider": provider, } token, err := SignJWTToken(customClaims) @@ -278,7 +282,12 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD return nil, err } - token, err := memorystore.Provider.GetUserSession(res.Subject, constants.TokenTypeSessionToken+"_"+res.Nonce) + sessionStoreKey := res.Subject + if res.Provider != "" { + sessionStoreKey = res.Provider + ":" + res.Subject + } + + token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce) if token == "" || err != nil { log.Debug("invalid browser session:", err) return nil, fmt.Errorf(`unauthorized`) @@ -297,7 +306,7 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD // CreateIDToken util to create JWT token, based on // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT -func CreateIDToken(user models.User, roles []string, hostname, nonce string) (string, int64, error) { +func CreateIDToken(user models.User, roles []string, hostname, nonce, provider string) (string, int64, error) { expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime) if err != nil { return "", 0, err @@ -332,6 +341,7 @@ func CreateIDToken(user models.User, roles []string, hostname, nonce string) (st "iat": time.Now().Unix(), "token_type": constants.TokenTypeIdentityToken, "allowed_roles": strings.Split(user.Roles, ","), + "provider": provider, claimKey: roles, }