-
Notifications
You must be signed in to change notification settings - Fork 0
/
authorization.go
159 lines (131 loc) · 3.96 KB
/
authorization.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
package authorization
import (
"encoding/json"
"errors"
"log"
"net/http"
"strings"
jwtmiddleware "github.com/auth0/go-jwt-middleware"
"github.com/dgrijalva/jwt-go"
jwtV4 "github.com/dgrijalva/jwt-go/v4"
)
type Response struct {
Message string `json:"message"`
}
type Jwks struct {
Keys []JSONWebKeys `json:"keys"`
}
type JSONWebKeys struct {
Kty string `json:"kty"`
Kid string `json:"kid"`
Use string `json:"use"`
N string `json:"n"`
E string `json:"e"`
X5c []string `json:"x5c"`
}
//CreateAuthorizationMiddleware creates authorization middleware with the given parameters
func CreateAuthorizationMiddleware(audience string, authorizationServer string) *jwtmiddleware.JWTMiddleware {
return jwtmiddleware.New(jwtmiddleware.Options{
ValidationKeyGetter: func(token *jwt.Token) (interface{}, error) {
// Verify 'aud' claim
aud := audience
checkAud := token.Claims.(jwt.MapClaims).VerifyAudience(aud, false)
if !checkAud {
return token, errors.New("invalid audience")
}
// Verify 'iss' claim
iss := authorizationServer
checkIss := token.Claims.(jwt.MapClaims).VerifyIssuer(iss, false)
if !checkIss {
return token, errors.New("invalid issuer")
}
cert, err := getPemCert(token.Header, authorizationServer)
if err != nil {
panic(err.Error())
}
result, _ := jwt.ParseRSAPublicKeyFromPEM([]byte(cert))
return result, nil
},
SigningMethod: jwt.SigningMethodRS256,
})
}
func getPemCert(tokenHeader map[string]interface{}, authorizationServer string) (string, error) {
cert := ""
resp, err := http.Get(authorizationServer + ".well-known/jwks.json")
if err != nil {
return cert, err
}
defer resp.Body.Close()
var jwks = Jwks{}
err = json.NewDecoder(resp.Body).Decode(&jwks)
if err != nil {
return cert, err
}
for k := range jwks.Keys {
if tokenHeader["kid"] == jwks.Keys[k].Kid {
cert = "-----BEGIN CERTIFICATE-----\n" + jwks.Keys[k].X5c[0] + "\n-----END CERTIFICATE-----"
}
}
if cert == "" {
err := errors.New("unable to find appropriate key")
return cert, err
}
return cert, nil
}
//CreateScopeMiddleware creates a middleware the check the given scope
func CreateScopeMiddleware(scope string, authorizationServer string, audience string) func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
return func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
authHeaderParts := strings.Split(r.Header.Get("Authorization"), " ")
token := authHeaderParts[1]
hasScope := checkScope(scope, token, authorizationServer, audience)
if !hasScope {
message := "Insufficient scope."
response := Response{message}
jsonResponse, err := json.Marshal(response)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusForbidden)
w.Write(jsonResponse)
return
}
// Call the next handler, which can be another middleware in the chain, or the final handler.
next.ServeHTTP(w, r)
}
}
type customClaims struct {
Scope string `json:"scope"`
jwtV4.StandardClaims
}
func checkScope(scope string, tokenString string, authorizationServer string, audience string) bool {
token, err := jwtV4.ParseWithClaims(tokenString, &customClaims{}, func(token *jwtV4.Token) (interface{}, error) {
cert, err := getPemCert(token.Header, authorizationServer)
if err != nil {
return nil, err
}
result, _ := jwt.ParseRSAPublicKeyFromPEM([]byte(cert))
return result, nil
}, jwtV4.WithAudience(audience))
if err != nil {
log.Println(err)
return false
}
claims, ok := token.Claims.(*customClaims)
hasScope := false
if ok && token.Valid {
result := strings.Split(claims.Scope, " ")
for i := range result {
if result[i] == scope {
hasScope = true
}
}
}
return hasScope
}
func DefaultExtractUserID(r *http.Request) string {
user := r.Context().Value("user")
email := user.(*jwt.Token).Claims.(jwt.MapClaims)["sub"].(string)
return email
}