Example validating requests with acess tokens

[cristiangraz]

All of the examples show how to create authorization codes and access tokens, but there is no example to show how to actually verify the access token on an incoming http request. I looked through the library and think the functionality may be missing since it's more than just calling the storage's GetAccessTokenSession, but wanted to discuss first to see if I had missed it.

[aeneasr]

Hey good point, this is currently missing. Once #20 #18 are merged I'll look for a good place to document this

[cristiangraz]

In case anyone comes across this in the meantime, I was able to get this working with the code below, but wasn't able to get the signature validation against the bearer token working ahead of the storage lookup... the client (secret) isn't available off of just an access token.

accessChallenge := &enigma.Challenge{}
accessChallenge.FromString(bearerToken)

var session oauth.Session
ar, err := store.GetAccessTokenSession(accessChallenge.Signature, &core.TokenSession{Extra: &session})
if err != nil {
    api.GetError(OAuthInvalidAccessTokenError).Send(c)
    return
}

// Token is valid

[aeneasr]

Hey @cristiangraz yes indeed, not having the client secret around is actually a problem with validating the token cryptographically using HMACSHA. Maybe #18 will suit you better?

I'd like to keep the client secret for validating the tokens because it enables us to invalidate tokens when the secrent changes.

[aeneasr]

Closed as per #18