/
authorization.clj
124 lines (102 loc) · 4.04 KB
/
authorization.clj
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
(ns cerber.oauth2.authorization
(:require [cerber
[config :refer [app-config]]
[form :as form]
[error :as error]]
[cerber.oauth2
[context :as ctx]
[response :as response]]
[cerber.stores.user :as user]
[failjure.core :as f]
[mount.core :refer [defstate]]))
(defmulti authorization-request-handler (comp :response_type :params))
(defmulti token-request-handler (comp :grant_type :params))
;; authorization request handler for Authorization Code grant type
(defmethod authorization-request-handler "code"
[req]
(let [result (f/attempt-> req
(ctx/client-valid?)
(ctx/redirect-allowed?)
(ctx/state-allowed?)
(ctx/scopes-allowed?)
(ctx/user-authenticated?)
(ctx/request-approved?))]
(if (f/failed? result)
result
(response/redirect-with-code result))))
;; authorization request handler for Implict grant type
(defmethod authorization-request-handler "token"
[req]
(let [result (f/attempt-> req
(ctx/client-valid?)
(ctx/redirect-allowed?)
(ctx/grant-allowed? "token")
(ctx/state-allowed?)
(ctx/scopes-allowed?)
(ctx/user-authenticated?))]
(if (f/failed? result)
result
(response/redirect-with-token result))))
;; default response handler for unknown grant types
(defmethod authorization-request-handler :default
[req]
error/unsupported-response-type)
;; token request handler for Authorization Code grant type
(defmethod token-request-handler "authorization_code"
[req]
(let [result (f/attempt-> req
(ctx/client-authenticated?)
(ctx/grant-allowed? "authorization_code")
(ctx/authcode-valid?)
(ctx/redirect-valid?)
(ctx/user-valid?))]
(if (f/failed? result)
result
(response/access-token-response result))))
;; token request handler for Resource Owner Password Credentials grant
(defmethod token-request-handler "password"
[req]
(let [result (f/attempt-> req
(ctx/client-authenticated?)
(ctx/grant-allowed? "password")
(ctx/scopes-allowed?)
(ctx/user-password-valid? (form/default-authenticator)))]
(if (f/failed? result)
result
(response/access-token-response result))))
;; token request handler for Client Credentials grant
(defmethod token-request-handler "client_credentials"
[req]
(let [result (f/attempt-> req
(ctx/client-authenticated?)
(ctx/grant-allowed? "client_credentials")
(ctx/scopes-allowed?))]
(if (f/failed? result)
result
(response/access-token-response result))))
;; refresh-token request handler
(defmethod token-request-handler "refresh_token"
[req]
(let [result (f/attempt-> req
(ctx/client-authenticated?)
(ctx/refresh-token-valid?)
(ctx/scopes-allowed?))]
(if (f/failed? result)
result
(response/refresh-token-response result))))
;; default response handler for unknown token requests
(defmethod token-request-handler :default
[req]
error/unsupported-grant-type)
(defn authorize! [req]
(let [response (authorization-request-handler req)]
(condp = (:error response)
"unapproved" (response/approval-form-response req (:client response))
"unauthorized" (response/authorization-form-response req)
response)))
(defn approve! [req]
(authorize! (ctx/approve-authorization req)))
(defn refuse! [req]
error/access-denied)
(defn issue-token! [req]
(token-request-handler req))