devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

fix: add provider to token creation

Browse Source
This commit is contained in:
Lakhan Samani 2022-06-29 09:54:12 +05:30
parent 64d64b4099
commit e6a4670ba9
2 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/handlers/authorize.go
View File

@ -219,7 +219,7 @@ func AuthorizeHandler() gin.HandlerFunc {
} }
// if user is logged in // if user is logged in
// based on the response type, generate the response // based on the response type code, generate the response
if isResponseTypeCode { if isResponseTypeCode {
// rollover the session for security // rollover the session for security
go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce) go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)

30
server/token/auth_token.go
View File

@ -44,15 +44,17 @@ type SessionData struct {
Nonce string `json:"nonce"` Nonce string `json:"nonce"`
IssuedAt int64 `json:"iat"` IssuedAt int64 `json:"iat"`
ExpiresAt int64 `json:"exp"` ExpiresAt int64 `json:"exp"`
Provider string `json:"provider"`
} }
// CreateSessionToken creates a new session token // CreateSessionToken creates a new session token
func CreateSessionToken(user models.User, nonce string, roles, scope []string) (*SessionData, string, error) { func CreateSessionToken(user models.User, nonce string, roles, scope []string, provider string) (*SessionData, string, error) {
fingerPrintMap := &SessionData{ fingerPrintMap := &SessionData{
Nonce: nonce, Nonce: nonce,
Roles: roles, Roles: roles,
Subject: user.ID, Subject: user.ID,
Scope: scope, Scope: scope,
Provider: provider,
IssuedAt: time.Now().Unix(), IssuedAt: time.Now().Unix(),
ExpiresAt: time.Now().AddDate(1, 0, 0).Unix(), ExpiresAt: time.Now().AddDate(1, 0, 0).Unix(),
} }
@ -66,19 +68,19 @@ func CreateSessionToken(user models.User, nonce string, roles, scope []string) (
} }
// CreateAuthToken creates a new auth token when userlogs in // CreateAuthToken creates a new auth token when userlogs in
func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (*Token, error) { func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, provider string) (*Token, error) {
hostname := parsers.GetHost(gc) hostname := parsers.GetHost(gc)
nonce := uuid.New().String() nonce := uuid.New().String()
_, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope) _, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope, provider)
if err != nil { if err != nil {
return nil, err return nil, err
} }
accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce) accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce, provider)
if err != nil { if err != nil {
return nil, err return nil, err
} }
idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce) idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce, provider)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -91,7 +93,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
} }
if utils.StringSliceContains(scope, "offline_access") { if utils.StringSliceContains(scope, "offline_access") {
refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce) refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, provider)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -103,7 +105,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
} }
// CreateRefreshToken util to create JWT token // CreateRefreshToken util to create JWT token
func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce string) (string, int64, error) { func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce, provider string) (string, int64, error) {
// expires in 1 year // expires in 1 year
expiryBound := time.Hour * 8760 expiryBound := time.Hour * 8760
expiresAt := time.Now().Add(expiryBound).Unix() expiresAt := time.Now().Add(expiryBound).Unix()
@ -121,6 +123,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
"roles": roles, "roles": roles,
"scope": scopes, "scope": scopes,
"nonce": nonce, "nonce": nonce,
"provider": provider,
} }
token, err := SignJWTToken(customClaims) token, err := SignJWTToken(customClaims)
@ -133,7 +136,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
// CreateAccessToken util to create JWT token, based on // CreateAccessToken util to create JWT token, based on
// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce string) (string, int64, error) { func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce, provider string) (string, int64, error) {
expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime) expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime)
if err != nil { if err != nil {
return "", 0, err return "", 0, err
@ -159,6 +162,7 @@ func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce
"token_type": constants.TokenTypeAccessToken, "token_type": constants.TokenTypeAccessToken,
"scope": scopes, "scope": scopes,
"roles": roles, "roles": roles,
"provider": provider,
} }
token, err := SignJWTToken(customClaims) token, err := SignJWTToken(customClaims)
@ -278,7 +282,12 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
return nil, err return nil, err
} }
token, err := memorystore.Provider.GetUserSession(res.Subject, constants.TokenTypeSessionToken+"_"+res.Nonce) sessionStoreKey := res.Subject
if res.Provider != "" {
sessionStoreKey = res.Provider + ":" + res.Subject
}
token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce)
if token == "" || err != nil { if token == "" || err != nil {
log.Debug("invalid browser session:", err) log.Debug("invalid browser session:", err)
return nil, fmt.Errorf(`unauthorized`) return nil, fmt.Errorf(`unauthorized`)
@ -297,7 +306,7 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
// CreateIDToken util to create JWT token, based on // CreateIDToken util to create JWT token, based on
// user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
func CreateIDToken(user models.User, roles []string, hostname, nonce string) (string, int64, error) { func CreateIDToken(user models.User, roles []string, hostname, nonce, provider string) (string, int64, error) {
expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime) expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime)
if err != nil { if err != nil {
return "", 0, err return "", 0, err
@ -332,6 +341,7 @@ func CreateIDToken(user models.User, roles []string, hostname, nonce string) (st
"iat": time.Now().Unix(), "iat": time.Now().Unix(),
"token_type": constants.TokenTypeIdentityToken, "token_type": constants.TokenTypeIdentityToken,
"allowed_roles": strings.Split(user.Roles, ","), "allowed_roles": strings.Split(user.Roles, ","),
"provider": provider,
claimKey: roles, claimKey: roles,
} }