oauth2: resolve issues with token introspection on user tokens (#309)

ory · Nov 17, 2016 · 00bdd28 · 00bdd28
1 parent 9129ac8
commit 00bdd28
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 26 deletions.
diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -144,6 +144,7 @@ func newOAuth2Handler(c *config.Config, router *httprouter.Router, km jwk.Manage
 		},
 		ConsentURL: *consentURL,
 		H:          &herodot.JSON{},
+		AccessTokenLifespan:c.GetAccessTokenLifespan(),
 	}
 
 	handler.SetRoutes(router)

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -22,6 +22,9 @@ services:
 #     Uncomment the following line to use mysql instead.
 #      - DATABASE_URL=mysql://root:secret@tcp(mysqld:3306)/mysql?parseTime=true
       - FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password
+      - ACCESS_TOKEN_LIFESPAN=${ACCESS_TOKEN_LIFESPAN}
+      - ID_TOKEN_LIFESPAN=${ID_TOKEN_LIFESPAN}
+      - AUTHORIZE_CODE_LIFESPAN=${AUTHORIZE_CODE_LIFESPAN}
     restart: unless-stopped
 
   consent:
@@ -39,6 +42,8 @@ services:
 
   postgresd:
     image: postgres:9.6
+    ports:
+      - "5432:5432"
     environment:
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=secret
@@ -50,4 +55,4 @@ services:
 
 volumes:
   hydravolume:
-    driver: local
+    driver: local
diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -18,7 +18,7 @@ import:
 - package: github.com/dgrijalva/jwt-go
   version: ~3.0.0
 - package: github.com/ory-am/fosite
-  version: ~0.5.0
+  version: ~0.6.1
   subpackages:
   - compose
   - fosite-example/pkg

diff --git a/oauth2/fosite_store_sql.go b/oauth2/fosite_store_sql.go
@@ -87,10 +87,12 @@ func sqlSchemaFromRequest(signature string, r fosite.Requester) (*sqlData, error
 }
 
 func (s *sqlData) ToRequest(session fosite.Session, cm client.Manager) (*fosite.Request, error) {
-	if session != nil {
-		if err := json.Unmarshal(s.Session, session); err != nil {
-			return nil, errors.Wrap(err, "")
-		}
+	if session == nil {
+		return nil, errors.New("Session undefined")
+	}
+
+	if err := json.Unmarshal(s.Session, session); err != nil {
+		return nil, errors.Wrap(err, "")
 	}
 
 	c, err := cm.GetClient(s.Client)
@@ -103,15 +105,17 @@ func (s *sqlData) ToRequest(session fosite.Session, cm client.Manager) (*fosite.
 		return nil, errors.Wrap(err, "")
 	}
 
-	return &fosite.Request{
+	r := &fosite.Request{
 		ID:            s.Request,
 		RequestedAt:   s.RequestedAt,
 		Client:        c,
 		Scopes:        fosite.Arguments(strings.Split(s.Scopes, "|")),
 		GrantedScopes: fosite.Arguments(strings.Split(s.GrantedScopes, "|")),
 		Form:          val,
 		Session:       session,
-	}, nil
+	}
+
+	return r, nil
 }
 
 func (s *FositeSQLStore) createSession(signature string, requester fosite.Requester, table string) error {

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -11,6 +11,7 @@ import (
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pkg/errors"
 	"strings"
+	"time"
 )
 
 const (
@@ -33,6 +34,8 @@ type Handler struct {
 
 	ForcedHTTP bool
 	ConsentURL url.URL
+
+	AccessTokenLifespan time.Duration
 }
 
 func (h *Handler) SetRoutes(r *httprouter.Router) {
@@ -57,6 +60,7 @@ func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ ht
 
 func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var session = NewSession("")
+
 	var ctx = fosite.NewContext()
 	resp, err := h.OAuth2.NewIntrospectionRequest(ctx, r, session)
 	if err != nil {
@@ -70,11 +74,15 @@ func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ ht
 		return
 	}
 
+	exp := resp.GetAccessRequester().GetSession().GetExpiresAt(fosite.AccessToken)
+	if exp.IsZero() {
+		exp = resp.GetAccessRequester().GetRequestedAt().Add(h.AccessTokenLifespan)
+	}
 	_ = json.NewEncoder(w).Encode(&Introspection{
 		Active:    true,
 		ClientID:  resp.GetAccessRequester().GetClient().GetID(),
 		Scope:     strings.Join(resp.GetAccessRequester().GetGrantedScopes(), " "),
-		ExpiresAt: resp.GetAccessRequester().GetSession().GetExpiresAt(fosite.AccessToken).Unix(),
+		ExpiresAt: exp.Unix(),
 		IssuedAt:  resp.GetAccessRequester().GetRequestedAt().Unix(),
 		Subject:   resp.GetAccessRequester().GetSession().GetSubject(),
 		Username:  resp.GetAccessRequester().GetSession().GetUsername(),

diff --git a/oauth2/session.go b/oauth2/session.go
@@ -3,6 +3,9 @@ package oauth2
 import (
 	"github.com/ory-am/fosite/handler/openid"
 	"github.com/ory-am/fosite/token/jwt"
+	"github.com/ory-am/fosite"
+	"bytes"
+	"encoding/gob"
 )
 
 type Session struct {
@@ -19,3 +22,17 @@ func NewSession(subject string) *Session {
 		},
 	}
 }
+
+func (s *Session) Clone() fosite.Session {
+	if s == nil {
+		return nil
+	}
+
+	var clone Session
+	var mod bytes.Buffer
+	enc := gob.NewEncoder(&mod)
+	dec := gob.NewDecoder(&mod)
+	_ = enc.Encode(s)
+	_ = dec.Decode(&clone)
+	return &clone
+}
diff --git a/warden/warden_local.go b/warden/warden_local.go
@@ -81,13 +81,18 @@ func (w *LocalWarden) sessionAllowed(ctx context.Context, a *firewall.TokenAcces
 
 func (w *LocalWarden) newContext(oauthRequest fosite.AccessRequester) *firewall.Context {
 	session := oauthRequest.GetSession().(*oauth2.Session)
+
+	exp := oauthRequest.GetSession().GetExpiresAt(fosite.AccessToken)
+	if exp.IsZero() {
+		exp = oauthRequest.GetRequestedAt().Add(w.AccessTokenLifespan)
+	}
 	c := &firewall.Context{
 		Subject:       session.Subject,
 		GrantedScopes: oauthRequest.GetGrantedScopes(),
 		Issuer:        w.Issuer,
 		Audience:      oauthRequest.GetClient().GetID(),
 		IssuedAt:      oauthRequest.GetRequestedAt(),
-		ExpiresAt:     session.GetExpiresAt(fosite.AccessToken),
+		ExpiresAt:     exp,
 		Extra:         session.Extra,
 	}