package authzserver
import (
"net/http"
"reflect"
"strings"
"github.com/ory/fosite"
"github.com/flyteorg/flytestdlib/logger"
"github.com/flyteorg/flyteadmin/auth/interfaces"
)
// supportedGrantTypes lists the OAuth2 grant types the token endpoint
// accepts; any access request whose grant types contain none of these is
// rejected with fosite.ErrUnsupportedGrantType.
var supportedGrantTypes = []string{
	"client_credentials",
	"refresh_token",
	"authorization_code",
}
// getTokenEndpointHandler adapts tokenEndpoint to an http.HandlerFunc by
// binding the authentication context; every request served by the returned
// handler is delegated to tokenEndpoint with authCtx.
func getTokenEndpointHandler(authCtx interfaces.AuthenticationContext) http.HandlerFunc {
	serve := func(w http.ResponseWriter, r *http.Request) {
		tokenEndpoint(authCtx, w, r)
	}
	return http.HandlerFunc(serve)
}
// tokenEndpoint serves the OAuth2 token endpoint. It builds a fosite access
// request from req, rejects grant types outside supportedGrantTypes, grants
// the requested scopes and the issuer audience, then writes either the access
// response or an OAuth2 error to rw. Every failure path writes an error
// response and returns; nothing is returned to the caller.
func tokenEndpoint(authCtx interfaces.AuthenticationContext, rw http.ResponseWriter, req *http.Request) {
	// Request-scoped context, handed to every provider call below.
	ctx := req.Context()
	provider := authCtx.OAuth2Provider()

	// Blank session handed to the token handlers; they fill it in while
	// processing the request.
	session := provider.NewJWTSessionToken("", "", "", "", nil)

	// Builds the access request and runs each registered TokenEndpointHandler
	// against it to validate the request (client, grant type, requested scopes).
	accessRequest, err := provider.NewAccessRequest(ctx, req, session)
	if err != nil {
		logger.Infof(ctx, "Error occurred in NewAccessRequest: %+v", err)
		provider.WriteAccessError(rw, accessRequest, err)
		return
	}

	// GrantedScope is only reachable on the concrete fosite type.
	fositeReq, ok := accessRequest.(*fosite.AccessRequest)
	if !ok {
		logger.Errorf(ctx, "Invalid type. Expected *fosite.AccessRequest. Found: %v", reflect.TypeOf(accessRequest))
		provider.WriteAccessError(rw, accessRequest, fosite.ErrInvalidRequest)
		return
	}

	if !fositeReq.GetGrantTypes().HasOneOf(supportedGrantTypes...) {
		logger.Infof(ctx, "Unsupported grant types [%+v]", fositeReq.GetGrantTypes())
		provider.WriteAccessError(rw, fositeReq, fosite.ErrUnsupportedGrantType)
		return
	}

	// Grant every requested scope with the request prefix stripped. For
	// client_credentials, NewAccessRequest already limited the request to scopes
	// the client is allowed under the configured matching strategy; for
	// authorization_code, the user consented to these scopes earlier.
	// NOTE(review): this discards whatever GrantedScope the fosite handlers set,
	// on the refresh_token path too — confirm the handler validated the requested
	// scopes against the original grant before relying on this reset.
	fositeReq.GrantedScope = fosite.Arguments{}
	for _, scope := range fositeReq.GetRequestedScopes() {
		fositeReq.GrantScope(strings.TrimPrefix(scope, requestedScopePrefix))
	}
	// The audience is the issuer derived from this request and the auth options.
	fositeReq.GrantAudience(GetIssuer(ctx, req, authCtx.Options()))

	// Runs the TokenEndpointHandlers again to mint the tokens for the request.
	response, err := provider.NewAccessResponse(ctx, fositeReq)
	if err != nil {
		logger.Infof(ctx, "Error occurred in NewAccessResponse: %+v", err)
		provider.WriteAccessError(rw, fositeReq, err)
		return
	}

	// Success: the client receives its access token(s) in this response.
	provider.WriteAccessResponse(rw, fositeReq, response)
}