refactor: revert oauth handler changes
nsklikas committed Nov 6, 2024
1 parent c4099c1 commit ef4a35e
Showing 20 changed files with 693 additions and 856 deletions.
3 changes: 1 addition & 2 deletions compose/compose.go
Expand Up @@ -75,8 +75,7 @@ func ComposeAllEnabled(config *fosite.Config, storage interface{}, key interface
OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter, config),
Signer: &jwt.DefaultSigner{GetPrivateKey: keyGetter},
},
OAuth2AuthorizeExplicitAuthFactory,
Oauth2AuthorizeExplicitTokenFactory,
OAuth2AuthorizeExplicitFactory,
OAuth2AuthorizeImplicitFactory,
OAuth2ClientCredentialsGrantFactory,
OAuth2RefreshTokenGrantFactory,
37 changes: 9 additions & 28 deletions compose/compose_oauth2.go
Expand Up @@ -9,35 +9,16 @@ import (
"github.com/ory/fosite/token/jwt"
)

// OAuth2AuthorizeExplicitAuthFactory creates an OAuth2 authorize code grant ("authorize explicit flow") handler and registers
// OAuth2AuthorizeExplicitFactory creates an OAuth2 authorize code grant ("authorize explicit flow") handler and registers
// an access token, refresh token and authorize code validator.
func OAuth2AuthorizeExplicitAuthFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
return &oauth2.AuthorizeExplicitGrantAuthHandler{
AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
AuthorizeCodeStorage: storage.(oauth2.AuthorizeCodeStorage),
Config: config,
}
}

// Oauth2AuthorizeExplicitTokenFactory creates an OAuth2 authorize code grant ("authorize explicit flow") token handler and registers
// an access token, refresh token and authorize code validator.
func Oauth2AuthorizeExplicitTokenFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
return &oauth2.AuthorizeExplicitTokenEndpointHandler{
GenericCodeTokenEndpointHandler: oauth2.GenericCodeTokenEndpointHandler{
AccessRequestValidator: &oauth2.AuthorizeExplicitGrantAccessRequestValidator{},
CodeHandler: &oauth2.AuthorizeCodeHandler{
AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
},
SessionHandler: &oauth2.AuthorizeExplicitGrantSessionHandler{
AuthorizeCodeStorage: storage.(oauth2.AuthorizeCodeStorage),
},

AccessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
RefreshTokenStrategy: strategy.(oauth2.RefreshTokenStrategy),
CoreStorage: storage.(oauth2.CoreStorage),
TokenRevocationStorage: storage.(oauth2.TokenRevocationStorage),
Config: config,
},
func OAuth2AuthorizeExplicitFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
return &oauth2.AuthorizeExplicitGrantHandler{
AccessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
RefreshTokenStrategy: strategy.(oauth2.RefreshTokenStrategy),
AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
CoreStorage: storage.(oauth2.CoreStorage),
TokenRevocationStorage: storage.(oauth2.TokenRevocationStorage),
Config: config,
}
}

6 changes: 4 additions & 2 deletions compose/compose_openid.go
Expand Up @@ -60,9 +60,11 @@ func OpenIDConnectImplicitFactory(config fosite.Configurator, storage interface{
// **Important note:** You must add this handler *after* you have added an OAuth2 authorize code handler!
func OpenIDConnectHybridFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
return &openid.OpenIDConnectHybridHandler{
AuthorizeExplicitGrantAuthHandler: &oauth2.AuthorizeExplicitGrantAuthHandler{
AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{
AccessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
RefreshTokenStrategy: strategy.(oauth2.RefreshTokenStrategy),
AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
AuthorizeCodeStorage: storage.(oauth2.AuthorizeCodeStorage),
CoreStorage: storage.(oauth2.CoreStorage),
Config: config,
},
Config: config,
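Review bot: The embedded `AuthorizeExplicitGrantHandler` built here is given no `TokenRevocationStorage`, so that field of the handler (declared on the struct in flow_authorize_code_auth.go) stays a nil interface inside `OpenIDConnectHybridHandler`. That is safe only if the hybrid handler uses the authorize-endpoint side of the embedded handler (`IssueAuthorizeCode`) and never its token-endpoint path, which this hunk does not show; a token-endpoint call would dereference nil. I would state that intent on the struct literal: `// Only the authorize-endpoint side of this handler is used by the hybrid flow; token-endpoint-only fields are intentionally left unset.` The `OpenIDConnectHybridHandler` literal continues past the end of the hunk.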
24 changes: 8 additions & 16 deletions compose/compose_rfc8628.go
Expand Up @@ -25,21 +25,13 @@ func RFC8628DeviceFactory(config fosite.Configurator, storage interface{}, strat
// an access token, refresh token and authorize code validator.
func RFC8628DeviceAuthorizationTokenFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
return &rfc8628.DeviceCodeTokenEndpointHandler{
GenericCodeTokenEndpointHandler: oauth2.GenericCodeTokenEndpointHandler{
AccessRequestValidator: &rfc8628.DeviceAccessRequestValidator{},
CodeHandler: &rfc8628.DeviceCodeHandler{
DeviceRateLimitStrategy: strategy.(rfc8628.DeviceRateLimitStrategy),
DeviceCodeStrategy: strategy.(rfc8628.DeviceCodeStrategy),
},
SessionHandler: &rfc8628.DeviceSessionHandler{
DeviceCodeStorage: storage.(rfc8628.DeviceCodeStorage),
},

AccessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
RefreshTokenStrategy: strategy.(oauth2.RefreshTokenStrategy),
CoreStorage: storage.(oauth2.CoreStorage),
TokenRevocationStorage: storage.(oauth2.TokenRevocationStorage),
Config: config,
},
DeviceRateLimitStrategy: strategy.(rfc8628.DeviceRateLimitStrategy),
DeviceCodeStrategy: strategy.(rfc8628.DeviceCodeStrategy),
UserCodeStrategy: strategy.(rfc8628.UserCodeStrategy),
AccessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
RefreshTokenStrategy: strategy.(oauth2.RefreshTokenStrategy),
CoreStorage: storage.(rfc8628.RFC8628CoreStorage),
TokenRevocationStorage: storage.(oauth2.TokenRevocationStorage),
Config: config,
}
}
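Review bot: The doc comment on `RFC8628DeviceAuthorizationTokenFactory` says the handler registers "an access token, refresh token and authorize code validator", but the handler it constructs is `DeviceCodeTokenEndpointHandler`, wired with `DeviceCodeStrategy` and `UserCodeStrategy` rather than an authorize-code strategy, so the wording looks carried over from the authorize-code factory. The first line of that comment sits above the hunk, so I can only see its second line; I would change the visible line to `// an access token, refresh token and device code validator.` and check the line above it for the same mix-up.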
10 changes: 5 additions & 5 deletions fosite_test.go
Expand Up @@ -16,23 +16,23 @@ import (
)

func TestAuthorizeEndpointHandlers(t *testing.T) {
h := &oauth2.AuthorizeExplicitGrantAuthHandler{}
h := &oauth2.AuthorizeExplicitGrantHandler{}
hs := AuthorizeEndpointHandlers{}
hs.Append(h)
hs.Append(h)
hs.Append(&oauth2.AuthorizeExplicitGrantAuthHandler{})
hs.Append(&oauth2.AuthorizeExplicitGrantHandler{})
assert.Len(t, hs, 1)
assert.Equal(t, hs[0], h)
}

func TestTokenEndpointHandlers(t *testing.T) {
h := &oauth2.GenericCodeTokenEndpointHandler{}
h := &oauth2.AuthorizeExplicitGrantHandler{}
hs := TokenEndpointHandlers{}
hs.Append(h)
hs.Append(h)
// do some crazy type things and make sure dupe detection works
var f interface{} = &oauth2.GenericCodeTokenEndpointHandler{}
hs.Append(&oauth2.GenericCodeTokenEndpointHandler{})
var f interface{} = &oauth2.AuthorizeExplicitGrantHandler{}
hs.Append(&oauth2.AuthorizeExplicitGrantHandler{})
hs.Append(f.(TokenEndpointHandler))
require.Len(t, hs, 1)
assert.Equal(t, hs[0], h)
37 changes: 24 additions & 13 deletions handler/oauth2/flow_authorize_code_auth.go
Expand Up @@ -14,39 +14,50 @@ import (
"github.com/ory/fosite"
)

var _ fosite.AuthorizeEndpointHandler = (*AuthorizeExplicitGrantAuthHandler)(nil)
var _ fosite.AuthorizeEndpointHandler = (*AuthorizeExplicitGrantHandler)(nil)
var _ fosite.TokenEndpointHandler = (*AuthorizeExplicitGrantHandler)(nil)

// AuthorizeExplicitGrantAuthHandler is a response handler for the Authorize Code grant using the explicit grant type
// AuthorizeExplicitGrantHandler is a response handler for the Authorize Code grant using the explicit grant type
// as defined in https://tools.ietf.org/html/rfc6749#section-4.1
type AuthorizeExplicitGrantAuthHandler struct {
AuthorizeCodeStrategy AuthorizeCodeStrategy
AuthorizeCodeStorage AuthorizeCodeStorage

Config interface {
type AuthorizeExplicitGrantHandler struct {
AccessTokenStrategy AccessTokenStrategy
RefreshTokenStrategy RefreshTokenStrategy
AuthorizeCodeStrategy AuthorizeCodeStrategy
CoreStorage CoreStorage
TokenRevocationStorage TokenRevocationStorage
Config interface {
fosite.AuthorizeCodeLifespanProvider
fosite.AccessTokenLifespanProvider
fosite.RefreshTokenLifespanProvider
fosite.ScopeStrategyProvider
fosite.AudienceStrategyProvider
fosite.RedirectSecureCheckerProvider
fosite.RefreshTokenScopesProvider
fosite.OmitRedirectScopeParamProvider
fosite.SanitationAllowedProvider
}
}

func (c *AuthorizeExplicitGrantAuthHandler) secureChecker(ctx context.Context) func(context.Context, *url.URL) bool {
func (c *AuthorizeExplicitGrantHandler) secureChecker(ctx context.Context) func(context.Context, *url.URL) bool {
if c.Config.GetRedirectSecureChecker(ctx) == nil {
return fosite.IsRedirectURISecure
}
return c.Config.GetRedirectSecureChecker(ctx)
}

func (c *AuthorizeExplicitGrantAuthHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
// This allows to define multiple response types, for example OpenID Connect `id_token`
func (c *AuthorizeExplicitGrantHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
// This let's us define multiple response types, for example open id connect's id_token
if !ar.GetResponseTypes().ExactOne("code") {
return nil
}

ar.SetDefaultResponseMode(fosite.ResponseModeQuery)

// Disabled because this is already handled at the authorize_request_handler
// if !ar.GetClient().GetResponseTypes().Has("code") {
// return errorsx.WithStack(fosite.ErrInvalidGrant)
// }

if !c.secureChecker(ctx)(ctx, ar.GetRedirectURI()) {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix 'localhost', for example: http://myapp.localhost/."))
}
Expand All @@ -65,14 +76,14 @@ func (c *AuthorizeExplicitGrantAuthHandler) HandleAuthorizeEndpointRequest(ctx c
return c.IssueAuthorizeCode(ctx, ar, resp)
}

func (c *AuthorizeExplicitGrantAuthHandler) IssueAuthorizeCode(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
func (c *AuthorizeExplicitGrantHandler) IssueAuthorizeCode(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
code, signature, err := c.AuthorizeCodeStrategy.GenerateAuthorizeCode(ctx, ar)
if err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}

ar.GetSession().SetExpiresAt(fosite.AuthorizeCode, time.Now().UTC().Add(c.Config.GetAuthorizeCodeLifespan(ctx)))
if err = c.AuthorizeCodeStorage.CreateAuthorizeCodeSession(ctx, signature, ar.Sanitize(c.GetSanitationWhiteList(ctx))); err != nil {
if err := c.CoreStorage.CreateAuthorizeCodeSession(ctx, signature, ar.Sanitize(c.GetSanitationWhiteList(ctx))); err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}

Expand All @@ -86,7 +97,7 @@ func (c *AuthorizeExplicitGrantAuthHandler) IssueAuthorizeCode(ctx context.Conte
return nil
}

func (c *AuthorizeExplicitGrantAuthHandler) GetSanitationWhiteList(ctx context.Context) []string {
func (c *AuthorizeExplicitGrantHandler) GetSanitationWhiteList(ctx context.Context) []string {
if allowedList := c.Config.GetSanitationWhiteList(ctx); len(allowedList) > 0 {
return allowedList
}
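Review bot: The commented-out client response_type check near the end of the first hunk (`// if !ar.GetClient().GetResponseTypes().Has("code") { return errorsx.WithStack(fosite.ErrInvalidGrant) }`) is dead code brought back by the revert; its note says the check is done by the authorize request handler, a dependency this file cannot enforce, so a reader has to trust the comment rather than the code. I would delete the four commented lines and keep the invariant as one plain sentence: `// The client's permitted response types are enforced by the authorize request handler before this handler runs, so the check is not repeated here.` Separately, `secureChecker` calls `c.Config.GetRedirectSecureChecker(ctx)` twice, once for the nil test and once for the return; fetching it once into a local (`checker := c.Config.GetRedirectSecureChecker(ctx)`) and branching on that avoids relying on the provider returning the same value on both calls. The body of `HandleAuthorizeEndpointRequest` continues outside the first hunk.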
10 changes: 5 additions & 5 deletions handler/oauth2/flow_authorize_code_auth_test.go
Expand Up @@ -28,16 +28,16 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
} {
t.Run("strategy="+k, func(t *testing.T) {
store := storage.NewMemoryStore()
handler := AuthorizeExplicitGrantAuthHandler{
handler := AuthorizeExplicitGrantHandler{
CoreStorage: store,
AuthorizeCodeStrategy: strategy,
AuthorizeCodeStorage: store,
Config: &fosite.Config{
AudienceMatchingStrategy: fosite.DefaultAudienceMatchingStrategy,
ScopeStrategy: fosite.HierarchicScopeStrategy,
},
}
for _, c := range []struct {
handler AuthorizeExplicitGrantAuthHandler
handler AuthorizeExplicitGrantHandler
areq *fosite.AuthorizeRequest
description string
expectErr error
Expand Down Expand Up @@ -122,9 +122,9 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
},
},
{
handler: AuthorizeExplicitGrantAuthHandler{
handler: AuthorizeExplicitGrantHandler{
CoreStorage: store,
AuthorizeCodeStrategy: strategy,
AuthorizeCodeStorage: store,
Config: &fosite.Config{
ScopeStrategy: fosite.HierarchicScopeStrategy,
AudienceMatchingStrategy: fosite.DefaultAudienceMatchingStrategy,
