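/*
 * Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * @author     Aeneas Rekkas <aeneas+oss@aeneas.io>
 * @copyright  2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
 * @license    Apache-2.0
 *
 */

package compose

import (
	"html/template"
	"net/url"
	"time"

	"github.com/ory/fosite"
	"github.com/ory/fosite/i18n"
)

// Config holds the tunables that the compose helpers read when wiring up a
// fosite provider. A zero-valued field means "use the default documented on
// it"; the Get* methods below are where those defaults are applied, so
// consumers should go through them rather than reading fields directly.
//
// Several fields loosen a security check (debug messages to clients, optional
// JWT claims, skipping client authentication, the plain PKCE method). Their
// comments say so; leave them at the zero value unless there is a documented
// reason not to.
type Config struct {
	// AccessTokenLifespan sets how long an access token is going to be valid. Defaults to one hour.
	AccessTokenLifespan time.Duration

	// RefreshTokenLifespan sets how long a refresh token is going to be valid. Defaults to 30 days. Set to -1 for
	// refresh tokens that never expire. A refresh token that never expires can only be retired by revocation, so
	// make sure a revocation path exists before relying on -1.
	RefreshTokenLifespan time.Duration

	// AuthorizeCodeLifespan sets how long an authorize code is going to be valid. Defaults to fifteen minutes.
	AuthorizeCodeLifespan time.Duration

	// IDTokenLifespan sets the default id token lifetime. Defaults to one hour.
	IDTokenLifespan time.Duration

	// IDTokenIssuer sets the default issuer of the ID Token.
	IDTokenIssuer string

	// HashCost sets the bcrypt work factor used for password hashing. Defaults to 12
	// (fosite.DefaultBCryptWorkFactor). Only a value of 0 is replaced by the default; see GetHashCost.
	HashCost int

	// DisableRefreshTokenValidation sets the introspection endpoint to disable refresh token validation.
	DisableRefreshTokenValidation bool

	// SendDebugMessagesToClients if set to true, includes error debug messages in response payloads. Be aware that sensitive
	// data may be exposed, depending on your implementation of Fosite. Such sensitive data might include database error
	// codes or other information. Proceed with caution!
	SendDebugMessagesToClients bool

	// ScopeStrategy sets the scope strategy that should be supported, for example fosite.WildcardScopeStrategy.
	// Defaults to fosite.WildcardScopeStrategy; see GetScopeStrategy.
	ScopeStrategy fosite.ScopeStrategy

	// AudienceMatchingStrategy sets the audience matching strategy that should be supported. Defaults to
	// fosite.DefaultAudienceMatchingStrategy; see GetAudienceStrategy.
	AudienceMatchingStrategy fosite.AudienceMatchingStrategy

	// EnforcePKCE, if set to true, requires clients to perform authorize code flows with PKCE. Defaults to false.
	EnforcePKCE bool

	// EnforcePKCEForPublicClients requires only public clients to use PKCE with the authorize code flow. Defaults to false.
	EnforcePKCEForPublicClients bool

	// EnablePKCEPlainChallengeMethod sets whether or not to allow the plain challenge method (S256 should be used
	// whenever possible; plain sends the verifier in the clear as the challenge and is really discouraged).
	// Defaults to false.
	EnablePKCEPlainChallengeMethod bool

	// AllowedPromptValues sets which OpenID Connect prompt values the server supports. Defaults to []string{"login", "none", "consent", "select_account"}.
	AllowedPromptValues []string

	// TokenURL is the URL of the Authorization Server's Token Endpoint. If the authorization server is intended
	// to be compatible with the private_key_jwt client authentication method (see http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth),
	// this value MUST be set — presumably because the client assertion's audience is matched against it; that
	// check lives outside this file.
	TokenURL string

	// JWKSFetcher is responsible for fetching JSON Web Keys from remote URLs. This is required when the private_key_jwt
	// client authentication method is used. Defaults to fosite.DefaultJWKSFetcherStrategy (see GetJWKSFetcherStrategy).
	// Because the fetcher performs outbound requests on the server's behalf, a custom strategy is the place to add
	// destination restrictions, timeouts or caching policy if the default does not fit your environment.
	JWKSFetcher fosite.JWKSFetcherStrategy

	// TokenEntropy indicates the entropy of the random string, used as the "message" part of the HMAC token.
	// Defaults to 32. Only 0 is replaced by the default (see GetTokenEntropy); a smaller positive value is passed
	// through unchanged and weakens every HMAC-based token unless the token strategy enforces its own floor.
	TokenEntropy int

	// RedirectSecureChecker is a function that returns true if the provided URL can be securely used as a redirect URL.
	// Defaults to fosite.IsRedirectURISecure (see GetRedirectSecureChecker). A more permissive checker widens which
	// redirect targets are accepted, so replace the default deliberately.
	RedirectSecureChecker func(*url.URL) bool

	// RefreshTokenScopes defines which OAuth scopes will be given refresh tokens during the authorization code grant
	// exchange. This defaults to "offline" and "offline_access". When set to an empty array, all exchanges will be
	// given refresh tokens. Note the nil/empty distinction: nil means "use the default", a non-nil empty slice means
	// "always issue" (see GetRefreshTokenScopes).
	RefreshTokenScopes []string

	// MinParameterEntropy controls the minimum size of state and nonce parameters. Defaults to fosite.MinParameterEntropy.
	// Only 0 is replaced by the default; see GetMinParameterEntropy.
	MinParameterEntropy int

	// UseLegacyErrorFormat controls whether the legacy error format (with `error_debug`, `error_hint`, ...)
	// should be used or not.
	UseLegacyErrorFormat bool

	// GrantTypeJWTBearerCanSkipClientAuth, if set to true, lets the jwt-bearer grant proceed without client
	// authentication; the signed assertion is then the only thing tying the request to a party. Defaults to false.
	GrantTypeJWTBearerCanSkipClientAuth bool

	// GrantTypeJWTBearerIDOptional indicates whether the jti (JWT ID) claim may be absent from the assertion JWT.
	// The jti is what a server uses to recognise a replayed assertion, so only make it optional if replay is
	// mitigated elsewhere. Defaults to false (claim required).
	GrantTypeJWTBearerIDOptional bool

	// GrantTypeJWTBearerIssuedDateOptional indicates whether the "iat" (issued at) claim may be absent from the
	// assertion JWT. GrantTypeJWTBearerMaxDuration is measured from the issued date, so without iat that bound
	// presumably cannot be applied — check the handler before enabling this. Defaults to false (claim required).
	GrantTypeJWTBearerIssuedDateOptional bool

	// GrantTypeJWTBearerMaxDuration sets the maximum time after JWT issued date, during which the JWT is considered valid.
	// Defaults to 24 hours (see GetJWTMaxDuration).
	GrantTypeJWTBearerMaxDuration time.Duration

	// ClientAuthenticationStrategy indicates the strategy used to authenticate client requests. nil means fosite's
	// own default is used; see GetClientAuthenticationStrategy.
	ClientAuthenticationStrategy fosite.ClientAuthenticationStrategy

	// ResponseModeHandlerExtension provides a handler for custom response modes.
	ResponseModeHandlerExtension fosite.ResponseModeHandler

	// MessageCatalog is the message bundle used for i18n.
	MessageCatalog i18n.MessageCatalog

	// FormPostHTMLTemplate sets the HTML template for rendering the authorization response when the request has
	// response_mode=form_post. It is an html/template, so values interpolated into it are contextually escaped by
	// the template engine; do not substitute a text/template here.
	FormPostHTMLTemplate *template.Template
}

// GetScopeStrategy returns the scope strategy to be used. Defaults to fosite.WildcardScopeStrategy
// when none is configured.
//
// The default is returned without being written back into c: a write-on-read would be an
// unsynchronized write to a Config that is typically shared, and the other lifespan/entropy
// getters in this file are pure in the same way.
func (c *Config) GetScopeStrategy() fosite.ScopeStrategy {
	if c.ScopeStrategy != nil {
		return c.ScopeStrategy
	}
	return fosite.WildcardScopeStrategy
}

// GetAudienceStrategy returns the audience matching strategy to be used. Defaults to
// fosite.DefaultAudienceMatchingStrategy when none is configured. Like GetScopeStrategy it
// does not store the default back into c.
func (c *Config) GetAudienceStrategy() fosite.AudienceMatchingStrategy {
	if c.AudienceMatchingStrategy != nil {
		return c.AudienceMatchingStrategy
	}
	return fosite.DefaultAudienceMatchingStrategy
}

// GetAuthorizeCodeLifespan returns how long an authorize code should be valid. Defaults to fifteen minutes
// when AuthorizeCodeLifespan is 0; any other value, including a negative one, is returned unchanged.
func (c *Config) GetAuthorizeCodeLifespan() time.Duration {
	if c.AuthorizeCodeLifespan != 0 {
		return c.AuthorizeCodeLifespan
	}
	return 15 * time.Minute
}

// GetIDTokenLifespan returns how long an id token should be valid. Defaults to one hour when
// IDTokenLifespan is 0; any other value is returned unchanged.
func (c *Config) GetIDTokenLifespan() time.Duration {
	if c.IDTokenLifespan != 0 {
		return c.IDTokenLifespan
	}
	return time.Hour
}

// GetAccessTokenLifespan returns how long an access token should be valid. Defaults to one hour.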
func (c *Config) GetAccessTokenLifespan() time.Duration {
	if lifespan := c.AccessTokenLifespan; lifespan != 0 {
		return lifespan
	}
	return time.Hour
}

// GetRefreshTokenLifespan returns how long a refresh token is going to be valid. Defaults to 30 days when
// RefreshTokenLifespan is 0. A value of -1 — the documented way to ask for refresh tokens that never
// expire — is returned unchanged, as is any other non-zero value.
func (c *Config) GetRefreshTokenLifespan() time.Duration {
	const thirtyDays = 30 * 24 * time.Hour
	if lifespan := c.RefreshTokenLifespan; lifespan != 0 {
		return lifespan
	}
	return thirtyDays
}

// GetHashCost returns the bcrypt cost factor. Defaults to fosite.DefaultBCryptWorkFactor (12) when
// HashCost is 0. No range check is applied here; anything else that was configured is returned as-is.
func (c *Config) GetHashCost() int {
	if cost := c.HashCost; cost != 0 {
		return cost
	}
	return fosite.DefaultBCryptWorkFactor
}

// GetJWKSFetcherStrategy returns the JWKSFetcherStrategy, creating fosite's default on first use.
//
// Unlike the other getters in this file, this one stores the freshly created default back into c so
// that later calls hand out the same fetcher instance (and whatever state it keeps — not visible here).
// That write is not synchronized, so obtain the strategy once during setup rather than concurrently
// from request handlers.
func (c *Config) GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy {
	if c.JWKSFetcher != nil {
		return c.JWKSFetcher
	}
	c.JWKSFetcher = fosite.NewDefaultJWKSFetcherStrategy()
	return c.JWKSFetcher
}

// GetTokenEntropy returns the entropy of the "message" part of a HMAC token. Defaults to 32 when
// TokenEntropy is 0. Any other configured value — including one smaller than 32 — is returned without
// adjustment, so this getter is not where a minimum is enforced.
func (c *Config) GetTokenEntropy() int {
	if entropy := c.TokenEntropy; entropy != 0 {
		return entropy
	}
	return 32
}

// GetRedirectSecureChecker returns the function used to decide whether a redirect URI is secure.
// Defaults to fosite.IsRedirectURISecure when no checker is configured.
func (c *Config) GetRedirectSecureChecker() func(*url.URL) bool {
	if checker := c.RedirectSecureChecker; checker != nil {
		return checker
	}
	return fosite.IsRedirectURISecure
}

// GetRefreshTokenScopes returns which scopes will provide refresh tokens. A nil RefreshTokenScopes
// yields the default ("offline", "offline_access"); a non-nil slice — including an empty one, which
// the field documents as "always issue" — is returned as-is, without copying.
func (c *Config) GetRefreshTokenScopes() []string {
	if scopes := c.RefreshTokenScopes; scopes != nil {
		return scopes
	}
	return []string{"offline", "offline_access"}
}

// GetMinParameterEntropy returns MinParameterEntropy if set. Defaults to fosite.MinParameterEntropy.
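func (c *Config) GetMinParameterEntropy() int {
	// 0 means "unset"; any other value, even one below fosite's minimum, is handed back unchanged.
	if c.MinParameterEntropy == 0 {
		return fosite.MinParameterEntropy
	}
	return c.MinParameterEntropy
}

// GetJWTMaxDuration returns the longest a jwt-bearer assertion may be considered valid after it was
// issued. Per the field documentation the value is compared against the JWT's `exp`: an `exp` further
// out than this bound is supposed to invalidate the JWT. That comparison is performed by the consumer
// of this value, not here.
//
// Defaults to 24 hours when GrantTypeJWTBearerMaxDuration is 0. Any other value, including a
// negative one, is returned unchanged.
func (c *Config) GetJWTMaxDuration() time.Duration {
	if c.GrantTypeJWTBearerMaxDuration == 0 {
		return 24 * time.Hour
	}
	return c.GrantTypeJWTBearerMaxDuration
}

// GetClientAuthenticationStrategy returns the configured client authentication strategy, which may be nil.
// No default is substituted here: on a nil strategy `fosite.Fosite` falls back to its own
// `fosite.Fosite.DefaultClientAuthenticationStrategy` (that fallback lives outside this file).
func (c *Config) GetClientAuthenticationStrategy() fosite.ClientAuthenticationStrategy {
	return c.ClientAuthenticationStrategy
}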