|
|
|
@ -115,7 +115,7 @@ type AccessTokenResponse struct { |
|
|
|
|
IDToken string `json:"id_token,omitempty"` |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { |
|
|
|
|
func newAccessTokenResponse(grant *models.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { |
|
|
|
|
if setting.OAuth2.InvalidateRefreshTokens { |
|
|
|
|
if err := grant.IncreaseCounter(); err != nil { |
|
|
|
|
return nil, &AccessTokenError{ |
|
|
|
@ -133,7 +133,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign |
|
|
|
|
ExpiresAt: expirationDate.AsTime().Unix(), |
|
|
|
|
}, |
|
|
|
|
} |
|
|
|
|
signedAccessToken, err := accessToken.SignToken() |
|
|
|
|
signedAccessToken, err := accessToken.SignToken(serverKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return nil, &AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
|
|
|
@ -151,7 +151,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign |
|
|
|
|
ExpiresAt: refreshExpirationDate, |
|
|
|
|
}, |
|
|
|
|
} |
|
|
|
|
signedRefreshToken, err := refreshToken.SignToken() |
|
|
|
|
signedRefreshToken, err := refreshToken.SignToken(serverKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return nil, &AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
|
|
|
@ -207,7 +207,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign |
|
|
|
|
idToken.EmailVerified = user.IsActive |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
signedIDToken, err = idToken.SignToken(signingKey) |
|
|
|
|
signedIDToken, err = idToken.SignToken(clientKey) |
|
|
|
|
if err != nil { |
|
|
|
|
return nil, &AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
|
|
|
@ -265,7 +265,7 @@ func IntrospectOAuth(ctx *context.Context) { |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
form := web.GetForm(ctx).(*forms.IntrospectTokenForm) |
|
|
|
|
token, err := oauth2.ParseToken(form.Token) |
|
|
|
|
token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey) |
|
|
|
|
if err == nil { |
|
|
|
|
if token.Valid() == nil { |
|
|
|
|
grant, err := models.GetOAuth2GrantByID(token.GrantID) |
|
|
|
@ -544,9 +544,11 @@ func AccessTokenOAuth(ctx *context.Context) { |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
signingKey := oauth2.DefaultSigningKey |
|
|
|
|
if signingKey.IsSymmetric() { |
|
|
|
|
clientKey, err := oauth2.CreateJWTSigningKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret)) |
|
|
|
|
serverKey := oauth2.DefaultSigningKey |
|
|
|
|
clientKey := serverKey |
|
|
|
|
if serverKey.IsSymmetric() { |
|
|
|
|
var err error |
|
|
|
|
clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret)) |
|
|
|
|
if err != nil { |
|
|
|
|
handleAccessTokenError(ctx, AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
|
|
|
@ -554,14 +556,13 @@ func AccessTokenOAuth(ctx *context.Context) { |
|
|
|
|
}) |
|
|
|
|
return |
|
|
|
|
} |
|
|
|
|
signingKey = clientKey |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
switch form.GrantType { |
|
|
|
|
case "refresh_token": |
|
|
|
|
handleRefreshToken(ctx, form, signingKey) |
|
|
|
|
handleRefreshToken(ctx, form, serverKey, clientKey) |
|
|
|
|
case "authorization_code": |
|
|
|
|
handleAuthorizationCode(ctx, form, signingKey) |
|
|
|
|
handleAuthorizationCode(ctx, form, serverKey, clientKey) |
|
|
|
|
default: |
|
|
|
|
handleAccessTokenError(ctx, AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeUnsupportedGrantType, |
|
|
|
@ -570,8 +571,8 @@ func AccessTokenOAuth(ctx *context.Context) { |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) { |
|
|
|
|
token, err := oauth2.ParseToken(form.RefreshToken) |
|
|
|
|
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { |
|
|
|
|
token, err := oauth2.ParseToken(form.RefreshToken, serverKey) |
|
|
|
|
if err != nil { |
|
|
|
|
handleAccessTokenError(ctx, AccessTokenError{ |
|
|
|
|
ErrorCode: AccessTokenErrorCodeUnauthorizedClient, |
|
|
|
@ -598,7 +599,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signin |
|
|
|
|
log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID) |
|
|
|
|
return |
|
|
|
|
} |
|
|
|
|
accessToken, tokenErr := newAccessTokenResponse(grant, signingKey) |
|
|
|
|
accessToken, tokenErr := newAccessTokenResponse(grant, serverKey, clientKey) |
|
|
|
|
if tokenErr != nil { |
|
|
|
|
handleAccessTokenError(ctx, *tokenErr) |
|
|
|
|
return |
|
|
|
@ -606,7 +607,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signin |
|
|
|
|
ctx.JSON(http.StatusOK, accessToken) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) { |
|
|
|
|
func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { |
|
|
|
|
app, err := models.GetOAuth2ApplicationByClientID(form.ClientID) |
|
|
|
|
if err != nil { |
|
|
|
|
handleAccessTokenError(ctx, AccessTokenError{ |
|
|
|
@ -660,7 +661,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s |
|
|
|
|
ErrorDescription: "cannot proceed your request", |
|
|
|
|
}) |
|
|
|
|
} |
|
|
|
|
resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, signingKey) |
|
|
|
|
resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, serverKey, clientKey) |
|
|
|
|
if tokenErr != nil { |
|
|
|
|
handleAccessTokenError(ctx, *tokenErr) |
|
|
|
|
return |
|
|
|
|