package charon
import (
"encoding/json"
"io"
"net/http"
"github.com/ory/fosite"
"gitlab.com/tozd/waf"
)
// TODO: Add support for tokeninfo endpoint to introspect ID tokens.
// See: https://github.com/ory/fosite/issues/410
// See: https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint
// TODO: Add support for specifying expected audience to be available in introspected access tokens.
// See: https://github.com/ory/fosite/issues/410#issuecomment-948393832
// OIDCIntrospectPost handles requests to the token introspection endpoint.
// It also validates the token on behalf of the caller: token lookup and the
// active/inactive decision are delegated to the provider's
// NewIntrospectionRequest, and authentication of the introspecting caller is
// expected to happen inside that call as well (nothing here checks it
// separately). Any error from it is reported through WriteIntrospectionError.
//
// Refresh tokens are answered with a hand-built JSON body instead of
// WriteIntrospectionResponse, because the latter does not output the refresh
// token's own expiration time (see fosite issue 801).
func (s *Service) OIDCIntrospectPost(w http.ResponseWriter, req *http.Request, _ waf.Params) {
	// Deferred calls run LIFO: the remaining body is drained to io.Discard
	// first, then the body is closed.
	defer req.Body.Close()
	defer io.Copy(io.Discard, req.Body) //nolint:errcheck

	ctx := req.Context()
	provider := s.oidc()

	// An empty session is the prototype the provider fills in when it
	// reconstructs the session stored with the token.
	proto := new(OIDCSession)
	resp, err := provider.NewIntrospectionRequest(ctx, req, proto)
	if err != nil {
		wrapped := withFositeError(err)
		s.WithError(ctx, wrapped)
		provider.WriteIntrospectionError(ctx, w, wrapped)
		return
	}

	// WriteIntrospectionResponse uses RequestedAt as IssuedAt, so align it with
	// the IssuedAt claim of the reconstructed session.
	// See: https://github.com/ory/fosite/issues/774
	// Both assertions are forced: a different concrete type panics here.
	accessReq := resp.GetAccessRequester().(*fosite.AccessRequest) //nolint:errcheck,forcetypeassert
	accessReq.RequestedAt = accessReq.GetSession().(*OIDCSession).JWTClaims.IssuedAt //nolint:forcetypeassert

	// Everything except refresh tokens goes through the standard writer.
	if resp.GetTokenUse() != "refresh_token" {
		provider.WriteIntrospectionResponse(ctx, w, resp)
		return
	}

	// Refresh tokens: report the active flag plus the refresh token's own
	// expiration time. See: https://github.com/ory/fosite/issues/801
	// no-store / no-cache keep the token metadata out of any HTTP cache.
	headers := w.Header()
	headers.Set("Content-Type", "application/json;charset=UTF-8")
	headers.Set("Cache-Control", "no-store")
	headers.Set("Pragma", "no-cache")

	enc := json.NewEncoder(w)
	if !resp.IsActive() {
		inactive := struct {
			Active bool `json:"active"`
		}{Active: false}
		_ = enc.Encode(&inactive) //nolint:errchkjson
		return
	}

	payload := map[string]interface{}{"active": true}
	// "exp" is only emitted when the stored session carries a refresh token
	// expiration; a zero time means none was recorded.
	if expiresAt := accessReq.GetSession().GetExpiresAt(fosite.RefreshToken); !expiresAt.IsZero() {
		payload["exp"] = expiresAt.Unix()
	}
	_ = enc.Encode(payload) //nolint:errchkjson
}