package server
import (
"fmt"
"net/url"
"github.com/gorilla/sessions"
"github.com/julienschmidt/httprouter"
"github.com/ory/fosite"
"github.com/ory/fosite/compose"
"github.com/ory/herodot"
"github.com/ory/hydra/client"
"github.com/ory/hydra/config"
"github.com/ory/hydra/jwk"
"github.com/ory/hydra/oauth2"
"github.com/ory/hydra/pkg"
"github.com/pkg/errors"
)
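// injectFositeStore picks the fosite storage backend that matches the
// configured connection type and publishes it on the config context as
// ctx.FositeStore, where newOAuth2Provider later reads it.
//
// Everything the provider issues and must later look up again — authorize
// codes, access and refresh tokens, OpenID Connect sessions — lives in this
// store, so the backend chosen here decides the lifetime of issued
// credentials: the memory store keeps them only in process maps, the SQL
// store is backed by the configured database.
//
// It panics on an unknown connection type. This runs during start-up, where
// failing fast beats serving requests with no token storage at all.
func injectFositeStore(c *config.Config, clients client.Manager) {
	ctx := c.Context()

	var store pkg.FositeStorer
	switch con := ctx.Connection.(type) {
	case *config.MemoryConnection:
		// Volatile backend: every code, token and session is lost on restart.
		store = &oauth2.FositeMemoryStore{
			Manager:        clients,
			AuthorizeCodes: make(map[string]fosite.Requester),
			IDSessions:     make(map[string]fosite.Requester),
			AccessTokens:   make(map[string]fosite.Requester),
			RefreshTokens:  make(map[string]fosite.Requester),
		}
	case *config.SQLConnection:
		store = &oauth2.FositeSQLStore{
			DB:      con.GetDatabase(),
			Manager: clients,
			L:       c.GetLogger(),
		}
	default:
		panic("Unknown connection type.")
	}
	// Go switch cases never fall through, so no break statements are needed.

	ctx.FositeStore = store
}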
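// newOAuth2Provider composes the fosite OAuth2 / OpenID Connect provider on
// top of the store injected by injectFositeStore.
//
// Two pieces of key material are involved:
//   - the system secret (c.GetSystemSecret()) keys the HMAC core strategy,
//     i.e. the opaque access tokens, refresh tokens and authorize codes;
//   - the RS256 private key stored under oauth2.OpenIDConnectKeyName in the
//     key manager signs ID tokens (compose.NewOpenIDConnectStrategy).
//
// If the key manager holds no OpenID Connect key yet, a fresh RS256 pair is
// generated and persisted through km.AddKeySet. That persistence must not
// fail silently: the key manager is where this key is looked up again, so a
// key that only ever lived in this process would sign ID tokens that cannot
// be matched to any stored key after a restart. The original discarded the
// AddKeySet error; it is now fatal like every other start-up failure here.
//
// All failures are fatal via pkg.Must because this runs once at start-up.
func newOAuth2Provider(c *config.Config, km jwk.Manager) fosite.OAuth2Provider {
	ctx := c.Context()
	store := ctx.FositeStore

	createRS256KeysIfNotExist(c, oauth2.OpenIDConnectKeyName, "private", "sig")

	keys, err := km.GetKey(oauth2.OpenIDConnectKeyName, "private")
	if errors.Cause(err) == pkg.ErrNotFound {
		c.GetLogger().Warnln("Could not find OpenID Connect signing keys. Generating a new keypair...")
		keys, err = new(jwk.RS256Generator).Generate("")
		pkg.Must(err, "Could not generate signing key for OpenID Connect")
		// Persisting the generated key is part of the contract, not a
		// best-effort side effect; see the function comment.
		pkg.Must(km.AddKeySet(oauth2.OpenIDConnectKeyName, keys), "Could not persist signing key for OpenID Connect")
		c.GetLogger().Infoln("Keypair generated.")
		c.GetLogger().Warnln("WARNING: Automated key creation causes low entropy. Replace the keys as soon as possible.")
	} else {
		pkg.Must(err, "Could not fetch signing key for OpenID Connect - did you forget to set the SYSTEM_SECRET?")
	}

	rsaKey := jwk.MustRSAPrivate(jwk.First(keys.Keys))

	fc := &compose.Config{
		AccessTokenLifespan:   c.GetAccessTokenLifespan(),
		AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),
		IDTokenLifespan:       c.GetIDTokenLifespan(),
		// bcrypt cost handed to fosite's hasher; presumably applied to
		// client secrets — confirm against the compose.Config docs.
		HashCost: c.BCryptWorkFactor,
	}

	return compose.Compose(
		fc,
		store,
		&compose.CommonStrategy{
			CoreStrategy:               compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret()),
			OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(rsaKey),
		},
		compose.OAuth2AuthorizeExplicitFactory,
		compose.OAuth2AuthorizeImplicitFactory,
		compose.OAuth2ClientCredentialsGrantFactory,
		compose.OAuth2RefreshTokenGrantFactory,
		compose.OpenIDConnectExplicitFactory,
		compose.OpenIDConnectHybridFactory,
		compose.OpenIDConnectImplicitFactory,
		compose.OAuth2TokenRevocationFactory,
		compose.OAuth2TokenIntrospectionFactory,
	)
}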
// newOAuth2Handler builds the HTTP handler for the OAuth2 endpoints, wires
// the consent strategy and cookie store into it and registers its routes on
// router.
//
// When no consent URL is configured, one is derived from this server's own
// bind address (scheme per ForceHTTP, host falling back to localhost) and
// written back into c.ConsentURL. That default is a local-development
// convenience; a deployment that terminates behind a proxy or hosts its
// consent app elsewhere must set the value explicitly, since the handler
// presumably sends users to this URL during the consent flow — verify in
// oauth2.Handler.
//
// The cookie store is keyed with the configured cookie secret, so rotating
// that secret invalidates existing session cookies.
func newOAuth2Handler(c *config.Config, router *httprouter.Router, km jwk.Manager, o fosite.OAuth2Provider) *oauth2.Handler {
	if len(c.ConsentURL) == 0 {
		scheme, host := "https", "localhost"
		if c.ForceHTTP {
			scheme = "http"
		}
		if len(c.BindHost) > 0 {
			host = c.BindHost
		}
		c.ConsentURL = fmt.Sprintf("%s://%s:%d/oauth2/consent", scheme, host, c.BindPort)
	}

	parsed, err := url.Parse(c.ConsentURL)
	pkg.Must(err, "Could not parse consent url %s.", c.ConsentURL)

	consent := &oauth2.DefaultConsentStrategy{
		Issuer:                   c.Issuer,
		KeyManager:               km,
		DefaultChallengeLifespan: c.GetChallengeTokenLifespan(),
		DefaultIDTokenLifespan:   c.GetIDTokenLifespan(),
	}

	h := &oauth2.Handler{
		ForcedHTTP:          c.ForceHTTP,
		OAuth2:              o,
		Consent:             consent,
		ConsentURL:          *parsed,
		H:                   herodot.NewJSONWriter(c.GetLogger()),
		AccessTokenLifespan: c.GetAccessTokenLifespan(),
		CookieStore:         sessions.NewCookieStore(c.GetCookieSecret()),
	}
	h.SetRoutes(router)
	return h
}