|
|
|
|
@@ -42,6 +42,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
scopeString := strings.TrimSpace(gc.Query("scope"))
|
|
|
|
|
clientID := strings.TrimSpace(gc.Query("client_id"))
|
|
|
|
|
responseMode := strings.TrimSpace(gc.Query("response_mode"))
|
|
|
|
|
nonce := strings.TrimSpace(gc.Query("nonce"))
|
|
|
|
|
|
|
|
|
|
var scope []string
|
|
|
|
|
if scopeString == "" {
|
|
|
|
|
@@ -64,7 +65,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
|
|
|
|
|
if err := validateAuthorizeRequest(responseType, responseMode, clientID, state, codeChallenge); err != nil {
|
|
|
|
|
log.Debug("invalid authorization request: ", err)
|
|
|
|
|
gc.JSON(http.StatusBadRequest, gin.H{"error": err})
|
|
|
|
|
gc.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -77,13 +78,41 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
"redirect_uri": redirectURI,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
code := uuid.New().String()
|
|
|
|
|
if nonce == "" {
|
|
|
|
|
nonce = uuid.New().String()
|
|
|
|
|
}
|
|
|
|
|
memorystore.Provider.SetState(codeChallenge, code)
|
|
|
|
|
|
|
|
|
|
// used for response mode query or fragment
|
|
|
|
|
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
|
|
|
|
|
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + "&code=" + code
|
|
|
|
|
loginURL := "/app?" + loginState
|
|
|
|
|
|
|
|
|
|
if responseMode == constants.ResponseModeFragment {
|
|
|
|
|
loginURL = "/app#" + loginState
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if state == "" {
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
|
|
|
|
"type": "authorization_response",
|
|
|
|
|
"response": map[string]interface{}{
|
|
|
|
|
"error": "state_required",
|
|
|
|
|
"error_description": "state is required",
|
|
|
|
|
},
|
|
|
|
|
}, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if responseType == constants.ResponseTypeCode && codeChallenge == "" {
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
|
|
|
|
"type": "authorization_response",
|
|
|
|
|
"response": map[string]interface{}{
|
|
|
|
|
"error": "code_challenge_required",
|
|
|
|
|
"error_description": "code challenge is required",
|
|
|
|
|
},
|
|
|
|
|
}, http.StatusOK)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
loginError := map[string]interface{}{
|
|
|
|
|
"type": "authorization_response",
|
|
|
|
|
"response": map[string]interface{}{
|
|
|
|
|
@@ -91,7 +120,6 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
"error_description": "Login is required",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sessionToken, err := cookie.GetSession(gc)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Debug("GetSession failed: ", err)
|
|
|
|
|
@@ -126,17 +154,22 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
sessionKey = claims.LoginMethod + ":" + user.ID
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Debug("CreateSessionToken failed: ", err)
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
|
|
|
|
|
log.Debug("SetState failed: ", err)
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// rollover the session for security
|
|
|
|
|
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
|
|
|
|
|
if responseType == constants.ResponseTypeCode {
|
|
|
|
|
nonce := uuid.New().String()
|
|
|
|
|
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Debug("CreateSessionToken failed: ", err)
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
|
|
|
|
|
log.Debug("SetUserSession failed: ", err)
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
|
|
|
@@ -144,12 +177,6 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cookie.SetSession(gc, newSessionToken)
|
|
|
|
|
code := uuid.New().String()
|
|
|
|
|
if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
|
|
|
|
|
log.Debug("SetState failed: ", err)
|
|
|
|
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// in case, response type is code and user is already logged in send the code and state
|
|
|
|
|
// and cookie session will already be rolled over and set
|
|
|
|
|
@@ -219,7 +246,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// used of query mode
|
|
|
|
|
params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
|
|
|
|
|
params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token + "&code=" + code
|
|
|
|
|
|
|
|
|
|
res := map[string]interface{}{
|
|
|
|
|
"access_token": authToken.AccessToken.Token,
|
|
|
|
|
@@ -228,6 +255,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|
|
|
|
"scope": scope,
|
|
|
|
|
"token_type": "Bearer",
|
|
|
|
|
"expires_in": expiresIn,
|
|
|
|
|
"code": code,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if authToken.RefreshToken != nil {
|
|
|
|
|
@@ -270,18 +298,10 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
|
|
|
|
|
return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode", responseMode)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if responseType == constants.ResponseTypeCode && strings.TrimSpace(codeChallenge) == "" {
|
|
|
|
|
return fmt.Errorf("code_challenge is required for %s '%s'", responseType, constants.ResponseTypeCode)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID || err != nil {
|
|
|
|
|
return fmt.Errorf("invalid client_id %s", clientID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if strings.TrimSpace(state) == "" {
|
|
|
|
|
return fmt.Errorf("state is required")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
