

     1  /*
     2   * Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   *
    16   * @author		Aeneas Rekkas <aeneas+oss@aeneas.io>
    17   * @copyright 	2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
    18   * @license 	Apache-2.0
    19   *
    20   */
    21  
    22  package openid
    23  
    24  import (
    25  	"context"
    26  
    27  	"github.com/ory/x/errorsx"
    28  
    29  	"github.com/pkg/errors"
    30  
    31  	"github.com/ory/fosite"
    32  )
    33  
// HandleTokenEndpointRequest deliberately declines to handle the request.
// This handler only contributes an ID token at response time (see
// PopulateTokenEndpointResponse); it never validates the authorization code
// itself. Returning fosite.ErrUnknownRequest tells the composer to continue
// with the next handler.
//
// NOTE(review): the code's validity (signature, expiry, client binding,
// redirect_uri, PKCE) is therefore assumed to be enforced by the OAuth 2.0
// authorization-code handler that runs alongside this one — confirm the
// handler ordering in the composer.
func (c *OpenIDConnectExplicitHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error {
	unknown := fosite.ErrUnknownRequest
	return errorsx.WithStack(unknown)
}
    37  
// PopulateTokenEndpointResponse adds an ID token to the token response of an
// authorization_code grant whose originating authorize request carried the
// openid scope.
//
// The stored OpenID Connect session is looked up by the submitted code and the
// ID token is issued from that stored authorize request, not from the token
// request. The at_hash claim binds the ID token to the access token already
// placed in responder. Requests this handler is not responsible for, and codes
// with no stored OpenID Connect session, yield fosite.ErrUnknownRequest so
// other handlers are not disturbed.
//
// NOTE(review): the code itself is not validated here (signature, expiry,
// client and redirect_uri binding, PKCE); that is presumably done by the
// OAuth 2.0 authorization-code handler during HandleTokenEndpointRequest,
// which the composer runs before any PopulateTokenEndpointResponse — confirm.
//
// NOTE(review): the claims mutated below come from the token request's
// session, while the ID token is issued from the stored authorize request;
// this only works if the code handler copied the stored session into
// requester beforehand — verify against the composer.
func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
	if !c.CanHandleTokenEndpointRequest(requester) {
		return errorsx.WithStack(fosite.ErrUnknownRequest)
	}

	code := requester.GetRequestForm().Get("code")
	authzReq, lookupErr := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, code, requester)
	switch {
	case errors.Is(lookupErr, ErrNoSessionFound):
		// No OIDC session for this code: the authorize request most likely did
		// not ask for openid, so there is simply no ID token to issue.
		return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(lookupErr).WithDebug(lookupErr.Error()))
	case lookupErr != nil:
		return errorsx.WithStack(fosite.ErrServerError.WithWrap(lookupErr).WithDebug(lookupErr.Error()))
	}

	// A stored session whose granted scopes lack openid points at a storage or
	// configuration bug; never mint an ID token for it.
	if !authzReq.GetGrantedScopes().Has("openid") {
		return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("An OpenID Connect session was found but the openid scope is missing, probably due to a broken code configuration."))
	}

	// The client must be registered for the authorization_code grant.
	if !requester.GetClient().GetGrantTypes().Has("authorization_code") {
		return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHint("The OAuth 2.0 Client is not allowed to use the authorization grant \"authorization_code\"."))
	}

	oidcSession, isOIDC := requester.GetSession().(Session)
	if !isOIDC {
		return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because session must be of type fosite/handler/openid.Session."))
	}

	// An ID token without a subject is meaningless; refuse to issue one.
	claims := oidcSession.IDTokenClaims()
	if claims.Subject == "" {
		return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because subject is an empty string."))
	}

	// at_hash lets the relying party verify that this ID token and the access
	// token in the same response belong together (OpenID Connect Core).
	claims.AccessTokenHash = c.GetAccessTokenHash(ctx, requester, responder)

	// The id_token response type is only required for the implicit or hybrid
	// flow (https://openid.net/specs/openid-connect-registration-1_0.html),
	// so the client's registered response_types are deliberately not checked
	// here for the explicit flow.

	return c.IssueExplicitIDToken(ctx, authzReq, responder)
}
    79  
// CanSkipClientAuth reports whether this handler permits the token endpoint
// to process the request without authenticating the client. It never does:
// the explicit flow handled here always goes through client authentication.
func (c *OpenIDConnectExplicitHandler) CanSkipClientAuth(requester fosite.AccessRequester) bool {
	const clientAuthRequired = true
	return !clientAuthRequired
}
    83  
// CanHandleTokenEndpointRequest reports whether this handler is responsible
// for the request: only when the requested grant type is exactly
// "authorization_code" and nothing else.
func (c *OpenIDConnectExplicitHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
	grants := requester.GetGrantTypes()
	return grants.ExactOne("authorization_code")
}
    87  
