func (c *AccessTokenGenJWT) GenerateAccessToken(data *osin.AccessData, generaterefresh bool) (accesstoken string, refreshtoken string, err error) {
// generate JWT access token
token := jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["cid"] = data.Client.GetId()
token.Claims["exp"] = data.ExpireAt().Unix()
accesstoken, err = token.SignedString(c.PrivateKey)
if err != nil {
return "", "", err
}
if generaterefresh {
// generate JWT access token
token = jwt.New(jwt.GetSigningMethod("RS256"))
token.Claims["cid"] = data.Client.GetId()
token.Claims["at"] = accesstoken
token.Claims["exp"] = data.ExpireAt().Unix()
refreshtoken, err = token.SignedString(c.PrivateKey)
if err != nil {
return "", "", err
}
}
return
}
// LoadRefresh will load access data from Redis
func (r RedisOsinStorageInterface) LoadRefresh(token string) (*osin.AccessData, error) {
key := REFRESH_PREFIX + token
log.Debug("Loading REFRESH key: ", key)
accessJSON, storeErr := r.store.GetKey(key)
if storeErr != nil {
log.Error("Failure retreiving access token by key")
log.Error(storeErr)
return nil, storeErr
}
// new interface means having to make this nested... ick.
thisAccessData := osin.AccessData{}
thisAccessData.Client = new(osin.DefaultClient)
thisAccessData.AuthorizeData = &osin.AuthorizeData{}
thisAccessData.AuthorizeData.Client = new(osin.DefaultClient)
if marshalErr := json.Unmarshal([]byte(accessJSON), &thisAccessData); marshalErr != nil {
log.Error("Couldn't unmarshal OAuth auth data object (LoadRefresh)")
log.Error(marshalErr)
return nil, marshalErr
}
return &thisAccessData, nil
}
func (c *AccessTokenGenJWT) GenerateAccessToken(data *osin.AccessData, generaterefresh bool) (accesstoken string, refreshtoken string, err error) {
// generate JWT access token
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
"cid": data.Client.GetId(),
"exp": data.ExpireAt().Unix(),
})
accesstoken, err = token.SignedString(c.PrivateKey)
if err != nil {
return "", "", err
}
if !generaterefresh {
return
}
// generate JWT refresh token
token = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
"cid": data.Client.GetId(),
})
refreshtoken, err = token.SignedString(c.PrivateKey)
if err != nil {
return "", "", err
}
return
}
func (s *Storage) LoadAccess(code string) (*osin.AccessData, error) {
var userData string
var cid, prevAccessToken, authorizeCode string
var result osin.AccessData
row := s.db.QueryRow("SELECT client, authorize, previous, access_token, refresh_token, expires_in, scope, redirect_uri, created_at, extra FROM access WHERE access_token=$1 LIMIT 1", code)
err := row.Scan(&cid, &authorizeCode, &prevAccessToken, &result.AccessToken, &result.RefreshToken, &result.ExpiresIn, &result.Scope, &result.RedirectUri, &result.CreatedAt, &userData)
result.UserData = userData
client, err := s.GetClient(cid)
if err != nil {
return nil, err
}
result.Client = client
authorize, err := s.LoadAuthorize(authorizeCode)
if err != nil {
return nil, err
}
result.AuthorizeData = authorize
if prevAccessToken != "" {
prevAccess, err := s.LoadAccess(prevAccessToken)
if err != nil {
return nil, err
}
result.AccessData = prevAccess
}
return &result, err
}
// LoadAccess retrieves access data by token. Client information MUST be loaded together.
// AuthorizeData and AccessData DON'T NEED to be loaded if not easily available.
// Optionally can return error if expired.
func (s *Storage) LoadAccess(code string) (*osin.AccessData, error) {
var extra, cid, prevAccessToken, authorizeCode string
var result osin.AccessData
args := map[string]interface{}{
"code": code,
}
nstmt, err := s.db.PrepareNamed("SELECT client, authorize, previous, access_token, refresh_token, expires_in, scope, redirect_uri, created_at, extra FROM access WHERE access_token=:code LIMIT 1")
if err := nstmt.QueryRowx(args).Scan(
&cid,
&authorizeCode,
&prevAccessToken,
&result.AccessToken,
&result.RefreshToken,
&result.ExpiresIn,
&result.Scope,
&result.RedirectUri,
&result.CreatedAt,
&extra,
); err == sql.ErrNoRows {
return nil, errors.New("not found")
} else if err != nil {
return nil, errors.New(err)
}
result.UserData = extra
client, err := s.GetClient(cid)
if err != nil {
return nil, err
}
result.Client = client
authorize, err := s.LoadAuthorize(authorizeCode)
if err != nil {
return nil, err
}
result.AuthorizeData = authorize
if prevAccessToken != "" {
prevAccess, err := s.LoadAccess(prevAccessToken)
if err != nil {
return nil, err
}
result.AccessData = prevAccess
}
return &result, nil
}
func (old *AccessData) transfer() *osin.AccessData {
var accessData osin.AccessData = osin.AccessData{}
accessData.Client = &old.Client
accessData.AccessToken = old.AccessToken
accessData.RefreshToken = old.RefreshToken
accessData.ExpiresIn = old.ExpiresIn
accessData.Scope = old.Scope
accessData.RedirectUri = old.RedirectUri
accessData.CreatedAt = old.CreatedAt
accessData.UserData = old.UserData
return &accessData
}
// LoadAccess retrieves access data by token. Client information MUST be loaded together.
// AuthorizeData and AccessData DON'T NEED to be loaded if not easily available.
// Optionally can return error if expired.
func (s *Storage) LoadAccess(code string) (*osin.AccessData, error) {
var extra, cid, prevAccessToken, authorizeCode string
var result osin.AccessData
if err := s.db.QueryRow(
"SELECT client, authorize, previous, access_token, refresh_token, expires_in, scope, redirect_uri, created_at, extra FROM access WHERE access_token=$1 LIMIT 1",
code,
).Scan(
&cid,
&authorizeCode,
&prevAccessToken,
&result.AccessToken,
&result.RefreshToken,
&result.ExpiresIn,
&result.Scope,
&result.RedirectUri,
&result.CreatedAt,
&extra,
); err == sql.ErrNoRows {
return nil, pkg.ErrNotFound
} else if err != nil {
return nil, errors.New(err)
}
result.UserData = extra
client, err := s.GetClient(cid)
if err != nil {
return nil, err
}
result.Client = client
authorize, err := s.LoadAuthorize(authorizeCode)
if err != nil {
return nil, err
}
result.AuthorizeData = authorize
if prevAccessToken != "" {
prevAccess, err := s.LoadAccess(prevAccessToken)
if err != nil {
return nil, err
}
result.AccessData = prevAccess
}
return &result, nil
}
func (j *JWT) GenerateAccessToken(data *osin.AccessData, generateRefresh bool) (accessToken string, refreshToken string, err error) {
claims, ok := data.UserData.(ClaimsCarrier)
if !ok {
return "", "", errors.Errorf("Could not assert claims to ClaimsCarrier: %v", claims)
}
claims["exp"] = data.ExpireAt()
if accessToken, err = j.SignToken(claims, map[string]interface{}{}); err != nil {
return "", "", err
} else if !generateRefresh {
return
}
if refreshToken, err = j.SignToken(claims, map[string]interface{}{}); err != nil {
return "", "", err
}
return
}
// LoadAccess will load access data from redis
func (r RedisOsinStorageInterface) LoadAccess(token string) (*osin.AccessData, error) {
key := ACCESS_PREFIX + token
log.Debug("Loading ACCESS key: ", key)
accessJSON, storeErr := r.store.GetKey(key)
if storeErr != nil {
log.Error("Failure retreiving access token by key")
log.Error(storeErr)
return nil, storeErr
}
thisAccessData := osin.AccessData{}
thisAccessData.Client = new(osin.DefaultClient)
if marshalErr := json.Unmarshal([]byte(accessJSON), &thisAccessData); marshalErr != nil {
log.Error("Couldn't unmarshal OAuth auth data object (LoadAccess)")
log.Error(marshalErr)
return nil, marshalErr
}
return &thisAccessData, nil
}
// SaveAccess writes AccessData.
// If RefreshToken is not blank, it must save in a way that can be loaded using LoadRefresh.
func (s *Storage) SaveAccess(d *osin.AccessData) error {
data := &accessData{
ID: bson.NewObjectId(),
ClientID: d.Client.GetUserData().(*Client).ID,
AccessToken: d.AccessToken,
RefreshToken: d.RefreshToken,
Scope: d.Scope,
RedirectUri: d.RedirectUri,
CreatedAt: d.CreatedAt,
ExpiresIn: d.ExpiresIn,
}
err := s.accessData.Insert(&data)
if err != nil {
return errgo.Mask(err)
}
d.UserData = data
return nil
}
// LoadAccess retrieves access data by token. osin.Client information MUST be loaded together.
// osin.AuthorizeData and osin.AccessData DON'T NEED to be loaded if not easily available.
// Optionally can return error if expired.
func (s *OAuth2Storage) LoadAccess(token string) (*osin.AccessData, error) {
oad := new(OAuth2AccessData)
if err := Db().Model(OAuth2AccessData{}).Where(&OAuth2AccessData{AccessToken: token}).Scan(oad); err != nil {
return nil, errors.New("LoadAccess: AccessToken not found")
}
var ret osin.AccessData
ret.CreatedAt = oad.CreatedAt
ret.ExpiresIn = int32(oad.ExpiresIn)
if ret.IsExpired() {
return nil, errors.New("Access token expired")
}
if client, err := s.GetClient(strconv.FormatUint(oad.ClientID, 10)); err == nil {
ret.Client = client
} else {
return nil, err
}
ret.AccessToken = token
ret.Scope = oad.Scope
ret.RedirectUri = oad.RedirectURI
ret.UserData = oad.UserID
if oad.RefreshTokenID.Valid {
var refreshToken OAuth2RefreshToken
if err := Db().First(&refreshToken, uint64(oad.RefreshTokenID.Int64)); err != nil {
return nil, err
}
ret.RefreshToken = refreshToken.Token
}
return &ret, nil
}
func (store *MongoStorage) createAccessData(copyFrom *AccessData, osinData *osin.AccessData) *osin.AccessData {
if copyFrom.AccessData != nil {
osinAccessData := store.createAccessData(copyFrom.AccessData, &osin.AccessData{})
osinData.AccessData = osinAccessData
}
osinData.AccessToken = copyFrom.AccessToken
osinData.RefreshToken = copyFrom.RefreshToken
osinData.ExpiresIn = copyFrom.ExpiresIn
osinData.Scope = copyFrom.Scope
osinData.RedirectUri = copyFrom.RedirectUri
osinData.CreatedAt = copyFrom.CreatedAt
osinData.UserData = copyFrom.UserData
client, err := store.GetClientWithUserData(copyFrom.UserData)
if err != nil || client == nil {
osinData.Client = &osin.DefaultClient{}
} else {
osinData.Client = client
}
authorizeData, err := store.GetAuthorizeDataWithUserData(copyFrom.UserData)
if err != nil || client == nil {
osinData.AuthorizeData = &osin.AuthorizeData{}
} else {
osinData.AuthorizeData = authorizeData
}
return osinData
}
