/*
* Copyright 2017 Kopano and its licensors
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package konnect
import (
"errors"
"github.com/dgrijalva/jwt-go"
)
// Token claim names used by Konnect. The values are the wire (JSON) keys
// that AccessTokenClaims and RefreshTokenClaims carry in their struct tags.
const (
	// IsAccessTokenClaim is the boolean marker that a token is an access token.
	IsAccessTokenClaim = "kc.isAccessToken"
	// AuthorizedScopesClaim carries the list of scopes granted to an access token.
	AuthorizedScopesClaim = "kc.authorizedScopes"
	// IsRefreshTokenClaim is the boolean marker that a token is a refresh token.
	IsRefreshTokenClaim = "kc.isRefreshToken"
	// RefClaim is the opaque reference string carried by refresh tokens.
	RefClaim = "kc.ref"
	// IdentityClaim is the nested map of identity claims in either token kind.
	IdentityClaim = "kc.identity"
)
// Identifier claim names used by Konnect (the kc.i.* namespace).
// NOTE(review): where these keys are carried is not visible in this file;
// presumably inside the kc.identity map — confirm against the issuer.
const (
	// IdentifiedUsernameClaim names the identified user's username.
	IdentifiedUsernameClaim = "kc.i.un"
	// IdentifiedDisplayNameClaim names the identified user's display name.
	IdentifiedDisplayNameClaim = "kc.i.dn"
)
// AccessTokenClaims define the claims found in access tokens issued
// by Konnect. It embeds jwt.StandardClaims for the registered JWT claims
// and adds the Konnect-specific kc.* claims below.
type AccessTokenClaims struct {
	// IsAccessToken must be true; Valid rejects the token otherwise.
	// Wire name is IsAccessTokenClaim.
	IsAccessToken bool `json:"kc.isAccessToken"`
	// AuthorizedScopesList is the list of scopes granted to this token;
	// AuthorizedScopes exposes it as a set. Wire name is AuthorizedScopesClaim.
	AuthorizedScopesList []string `json:"kc.authorizedScopes"`
	jwt.StandardClaims
	// IdentityClaims carries identity data as an untyped map (wire name
	// IdentityClaim); readers must type-assert each value they take from it.
	// Valid only validates this map when it is non-nil.
	IdentityClaims jwt.MapClaims `json:"kc.identity"`
}
// Valid implements the jwt.Claims interface. It returns the first failure
// found, in order: the embedded StandardClaims, the nested IdentityClaims
// (checked only when present), and the kc.isAccessToken marker, which must
// be true for the token to be accepted as an access token.
//
// NOTE(review): nothing in this file checks issuer or audience; whatever
// StandardClaims.Valid does not cover must be verified by the caller.
func (c AccessTokenClaims) Valid() error {
	err := c.StandardClaims.Valid()
	if err == nil && c.IdentityClaims != nil {
		err = c.IdentityClaims.Valid()
	}
	if err != nil {
		return err
	}
	if !c.IsAccessToken {
		return errors.New("kc.isAccessToken claim not valid")
	}
	return nil
}
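// AuthorizedScopes returns a set view of AuthorizedScopesList: every scope
// in the list maps to true, so callers can test membership with a plain
// map lookup. Duplicate entries collapse to one key. The result is a fresh
// map on every call, so mutating it does not alter the claims.
func (c AccessTokenClaims) AuthorizedScopes() map[string]bool {
	// Pre-size to the list length so the map never grows while being filled.
	authorizedScopes := make(map[string]bool, len(c.AuthorizedScopesList))
	for _, scope := range c.AuthorizedScopesList {
		authorizedScopes[scope] = true
	}
	return authorizedScopes
}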
// RefreshTokenClaims define the claims used by refresh tokens. It embeds
// jwt.StandardClaims for the registered JWT claims and adds the
// Konnect-specific kc.* claims below.
type RefreshTokenClaims struct {
	// IsRefreshToken must be true; Valid rejects the token otherwise.
	// Wire name is IsRefreshTokenClaim.
	IsRefreshToken bool `json:"kc.isRefreshToken"`
	// ApprovedScopesList is the list of scopes approved for this grant.
	// Unlike the other wire names, "kc.approvedScopes" has no *Claim
	// constant in this file.
	ApprovedScopesList []string `json:"kc.approvedScopes"`
	// Ref is an opaque reference string (wire name RefClaim); what it is
	// matched against is not visible in this file.
	Ref string `json:"kc.ref"`
	jwt.StandardClaims
	// IdentityClaims carries identity data as an untyped map (wire name
	// IdentityClaim); readers must type-assert each value they take from it.
	// Valid only validates this map when it is non-nil.
	IdentityClaims jwt.MapClaims `json:"kc.identity"`
}
// Valid implements the jwt.Claims interface. It returns the first failure
// found, in order: the embedded StandardClaims, the nested IdentityClaims
// (checked only when present), and the kc.isRefreshToken marker, which must
// be true for the token to be accepted as a refresh token.
//
// NOTE(review): nothing in this file checks issuer or audience; whatever
// StandardClaims.Valid does not cover must be verified by the caller.
func (c RefreshTokenClaims) Valid() error {
	err := c.StandardClaims.Valid()
	if err == nil && c.IdentityClaims != nil {
		err = c.IdentityClaims.Valid()
	}
	if err != nil {
		return err
	}
	if !c.IsRefreshToken {
		return errors.New("kc.isRefreshToken claim not valid")
	}
	return nil
}