...

Source file src/github.com/ory/fosite/handler/openid/flow_refresh_token.go

Documentation: github.com/ory/fosite/handler/openid 

     1  /*
     2   * Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   *
    16   * @author		Aeneas Rekkas <aeneas+oss@aeneas.io>
    17   * @copyright 	2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
    18   * @license 	Apache-2.0
    19   *
    20   */
    21  
    22  package openid
    23  
    24  import (
    25  	"context"
    26  	"time"
    27  
    28  	"github.com/pborman/uuid"
    29  
    30  	"github.com/ory/x/errorsx"
    31  
    32  	"github.com/pkg/errors"
    33  
    34  	"github.com/ory/fosite"
    35  )
    36  
    37  type OpenIDConnectRefreshHandler struct {
    38  	*IDTokenHandleHelper
    39  }
    40  
    41  func (c *OpenIDConnectRefreshHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error {
    42  	if !c.CanHandleTokenEndpointRequest(request) {
    43  		return errorsx.WithStack(fosite.ErrUnknownRequest)
    44  	}
    45  
    46  	if !request.GetGrantedScopes().Has("openid") {
    47  		return errorsx.WithStack(fosite.ErrUnknownRequest)
    48  	}
    49  
    50  	if !request.GetClient().GetGrantTypes().Has("refresh_token") {
    51  		return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHint("The OAuth 2.0 Client is not allowed to use the authorization grant \"refresh_token\"."))
    52  	}
    53  
    54  	// Refresh tokens can only be issued by an authorize_code which in turn disables the need to check if the id_token
    55  	// response type is enabled by the client.
    56  	//
    57  	// if !request.GetClient().GetResponseTypes().Has("id_token") {
    58  	// 	return errorsx.WithStack(fosite.ErrUnknownRequest.WithDebug("The client is not allowed to use response type id_token"))
    59  	// }
    60  
    61  	sess, ok := request.GetSession().(Session)
    62  	if !ok {
    63  		return errors.New("Failed to generate id token because session must be of type fosite/handler/openid.Session")
    64  	}
    65  
    66  	// We need to reset the expires at value as this would be the previous expiry.
    67  	sess.IDTokenClaims().ExpiresAt = time.Time{}
    68  
    69  	// These will be recomputed in PopulateTokenEndpointResponse
    70  	sess.IDTokenClaims().JTI = ""
    71  	sess.IDTokenClaims().AccessTokenHash = ""
    72  
    73  	// We are not issuing a code so there is no need for this field.
    74  	sess.IDTokenClaims().CodeHash = ""
    75  
    76  	return nil
    77  }
    78  
    79  func (c *OpenIDConnectRefreshHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
    80  	if !c.CanHandleTokenEndpointRequest(requester) {
    81  		return errorsx.WithStack(fosite.ErrUnknownRequest)
    82  	}
    83  
    84  	if !requester.GetGrantedScopes().Has("openid") {
    85  		return errorsx.WithStack(fosite.ErrUnknownRequest)
    86  	}
    87  
    88  	if !requester.GetClient().GetGrantTypes().Has("refresh_token") {
    89  		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client is not allowed to use the authorization grant \"refresh_token\"."))
    90  	}
    91  
    92  	// Disabled because this is already handled at the authorize_request_handler
    93  	// if !requester.GetClient().GetResponseTypes().Has("id_token") {
    94  	// 	 return errorsx.WithStack(fosite.ErrUnknownRequest.WithDebug("The client is not allowed to use response type id_token"))
    95  	// }
    96  
    97  	sess, ok := requester.GetSession().(Session)
    98  	if !ok {
    99  		return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because session must be of type fosite/handler/openid.Session."))
   100  	}
   101  
   102  	claims := sess.IDTokenClaims()
   103  	if claims.Subject == "" {
   104  		return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because subject is an empty string."))
   105  	}
   106  
   107  	claims.AccessTokenHash = c.GetAccessTokenHash(ctx, requester, responder)
   108  	claims.JTI = uuid.New()
   109  	claims.CodeHash = ""
   110  	claims.IssuedAt = time.Now().Truncate(time.Second)
   111  
   112  	return c.IssueExplicitIDToken(ctx, requester, responder)
   113  }
   114  
   115  func (c *OpenIDConnectRefreshHandler) CanSkipClientAuth(requester fosite.AccessRequester) bool {
   116  	return false
   117  }
   118  
   119  func (c *OpenIDConnectRefreshHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
   120  	// grant_type REQUIRED.
   121  	// Value MUST be set to "refresh_token"
   122  	return requester.GetGrantTypes().ExactOne("refresh_token")
   123  }
   124  

View as plain text