-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
flow_pushed_authorize.go
92 lines (74 loc) · 3.25 KB
/
flow_pushed_authorize.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
// Copyright © 2022 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package par
import (
"context"
"encoding/base64"
"fmt"
"net/url"
"time"
"github.com/ory/fosite"
"github.com/ory/fosite/token/hmac"
"github.com/ory/x/errorsx"
)
const (
defaultPARKeyLength = 32
)
var b64 = base64.URLEncoding.WithPadding(base64.NoPadding)
// PushedAuthorizeHandler handles the PAR request
type PushedAuthorizeHandler struct {
Storage interface{}
Config fosite.Configurator
}
// HandlePushedAuthorizeEndpointRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request
// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
// the pushed authorize request, he must return nil and NOT modify session nor responder neither requester.
func (c *PushedAuthorizeHandler) HandlePushedAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.PushedAuthorizeResponder) error {
configProvider, ok := c.Config.(fosite.PushedAuthorizeRequestConfigProvider)
if !ok {
return errorsx.WithStack(fosite.ErrServerError.WithHint(fosite.ErrorPARNotSupported).WithDebug(fosite.DebugPARConfigMissing))
}
storage, ok := c.Storage.(fosite.PARStorage)
if !ok {
return errorsx.WithStack(fosite.ErrServerError.WithHint(fosite.ErrorPARNotSupported).WithDebug(fosite.DebugPARStorageInvalid))
}
if !ar.GetResponseTypes().HasOneOf("token", "code", "id_token") {
return nil
}
if !c.secureChecker(ctx, ar.GetRedirectURI()) {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix 'localhost', for example: http://myapp.localhost/."))
}
client := ar.GetClient()
for _, scope := range ar.GetRequestedScopes() {
if !c.Config.GetScopeStrategy(ctx)(client.GetScopes(), scope) {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
}
}
if err := c.Config.GetAudienceStrategy(ctx)(client.GetAudience(), ar.GetRequestedAudience()); err != nil {
return err
}
expiresIn := configProvider.GetPushedAuthorizeContextLifespan(ctx)
if ar.GetSession() != nil {
ar.GetSession().SetExpiresAt(fosite.PushedAuthorizeRequestContext, time.Now().UTC().Add(expiresIn))
}
// generate an ID
stateKey, err := hmac.RandomBytes(defaultPARKeyLength)
if err != nil {
return errorsx.WithStack(fosite.ErrInsufficientEntropy.WithHint("Unable to generate the random part of the request_uri.").WithWrap(err).WithDebug(err.Error()))
}
requestURI := fmt.Sprintf("%s%s", configProvider.GetPushedAuthorizeRequestURIPrefix(ctx), b64.EncodeToString(stateKey))
// store
if err = storage.CreatePARSession(ctx, requestURI, ar); err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithHint("Unable to store the PAR session").WithWrap(err).WithDebug(err.Error()))
}
resp.SetRequestURI(requestURI)
resp.SetExpiresIn(int(expiresIn.Seconds()))
return nil
}
func (c *PushedAuthorizeHandler) secureChecker(ctx context.Context, u *url.URL) bool {
isRedirectURISecure := c.Config.GetRedirectSecureChecker(ctx)
if isRedirectURISecure == nil {
isRedirectURISecure = fosite.IsRedirectURISecure
}
return isRedirectURISecure(ctx, u)
}