func tokenEndpointHandler(t *testing.T, oauth2 fosite.OAuth2Provider) func(rw http.ResponseWriter, req *http.Request) {
return func(rw http.ResponseWriter, req *http.Request) {
req.ParseForm()
ctx := fosite.NewContext()
accessRequest, err := oauth2.NewAccessRequest(ctx, req, &fosite.DefaultSession{})
if err != nil {
t.Logf("Access request failed because %s.", err.Error())
t.Logf("Request: %s.", accessRequest)
t.Logf("Stack: %v.", err.(stackTracer).StackTrace())
oauth2.WriteAccessError(rw, accessRequest, err)
return
}
if accessRequest.GetRequestedScopes().Has("fosite") {
accessRequest.GrantScope("fosite")
}
response, err := oauth2.NewAccessResponse(ctx, req, accessRequest)
if err != nil {
t.Logf("Access request failed because %s.", err.Error())
t.Logf("Request: %s.", accessRequest)
t.Logf("Stack: %v.", err.(stackTracer).StackTrace())
oauth2.WriteAccessError(rw, accessRequest, err)
return
}
oauth2.WriteAccessResponse(rw, accessRequest, response)
}
}
func tokenRevocationHandler(t *testing.T, oauth2 fosite.OAuth2Provider, session fosite.Session) func(rw http.ResponseWriter, req *http.Request) {
return func(rw http.ResponseWriter, req *http.Request) {
ctx := fosite.NewContext()
err := oauth2.NewRevocationRequest(ctx, req)
if err != nil {
t.Logf("Revoke request failed because %s.", err.Error())
t.Logf("Stack: %v", err.(stackTracer).StackTrace())
}
oauth2.WriteRevocationResponse(rw, err)
}
}
func tokenInfoHandler(t *testing.T, oauth2 fosite.OAuth2Provider, session fosite.Session) func(rw http.ResponseWriter, req *http.Request) {
return func(rw http.ResponseWriter, req *http.Request) {
ctx := fosite.NewContext()
if _, err := oauth2.IntrospectToken(ctx, fosite.AccessTokenFromRequest(req), fosite.AccessToken, session); err != nil {
rfcerr := fosite.ErrorToRFC6749Error(err)
t.Logf("Info request failed because `%s`.", err.Error())
t.Logf("Stack: %s", err.(stackTracer).StackTrace())
http.Error(rw, rfcerr.Description, rfcerr.StatusCode)
return
}
rw.WriteHeader(http.StatusNoContent)
}
}
func tokenIntrospectionHandler(t *testing.T, oauth2 fosite.OAuth2Provider, session fosite.Session) func(rw http.ResponseWriter, req *http.Request) {
return func(rw http.ResponseWriter, req *http.Request) {
ctx := fosite.NewContext()
ar, err := oauth2.NewIntrospectionRequest(ctx, req, session)
if err != nil {
t.Logf("Introspection request failed because %s.", err.Error())
t.Logf("Stack: %s", err.(stackTracer).StackTrace())
oauth2.WriteIntrospectionError(rw, err)
return
}
oauth2.WriteIntrospectionResponse(rw, ar)
}
}
func (o *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
var ctx = fosite.NewContext()
authorizeRequest, err := o.OAuth2.NewAuthorizeRequest(ctx, r)
if err != nil {
pkg.LogError(err)
o.writeAuthorizeError(w, authorizeRequest, err)
return
}
// A session_token will be available if the user was authenticated an gave consent
consentToken := authorizeRequest.GetRequestForm().Get("consent")
if consentToken == "" {
// otherwise redirect to log in endpoint
if err := o.redirectToConsent(w, r, authorizeRequest); err != nil {
pkg.LogError(err)
o.writeAuthorizeError(w, authorizeRequest, err)
return
}
return
}
// decode consent_token claims
// verify anti-CSRF (inject state) and anti-replay token (expiry time, good value would be 10 seconds)
session, err := o.Consent.ValidateResponse(authorizeRequest, consentToken)
if err != nil {
pkg.LogError(err)
o.writeAuthorizeError(w, authorizeRequest, errors.New(fosite.ErrAccessDenied))
return
}
// done
response, err := o.OAuth2.NewAuthorizeResponse(ctx, r, authorizeRequest, session)
if err != nil {
pkg.LogError(err)
o.writeAuthorizeError(w, authorizeRequest, err)
return
}
o.OAuth2.WriteAuthorizeResponse(w, authorizeRequest, response)
}
func authEndpointHandler(t *testing.T, oauth2 fosite.OAuth2Provider, session fosite.Session) func(rw http.ResponseWriter, req *http.Request) {
return func(rw http.ResponseWriter, req *http.Request) {
ctx := fosite.NewContext()
ar, err := oauth2.NewAuthorizeRequest(ctx, req)
if err != nil {
t.Logf("Access request failed because %s.", err.Error())
t.Logf("Request: %s.", ar)
t.Logf("Stack: %s.", err.(stackTracer).StackTrace())
oauth2.WriteAuthorizeError(rw, ar, err)
return
}
if ar.GetRequestedScopes().Has("fosite") {
ar.GrantScope("fosite")
}
if ar.GetRequestedScopes().Has("offline") {
ar.GrantScope("offline")
}
if ar.GetRequestedScopes().Has("openid") {
ar.GrantScope("openid")
}
// Normally, this would be the place where you would check if the user is logged in and gives his consent.
// For this test, let's assume that the user exists, is logged in, and gives his consent...
response, err := oauth2.NewAuthorizeResponse(ctx, req, ar, session)
if err != nil {
t.Logf("Access request failed because %s.", err.Error())
t.Logf("Request: %s.", ar)
t.Logf("Stack: %s.", err.(stackTracer).StackTrace())
oauth2.WriteAuthorizeError(rw, ar, err)
return
}
oauth2.WriteAuthorizeResponse(rw, ar, response)
}
}
func (o *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
var session Session
var ctx = fosite.NewContext()
accessRequest, err := o.OAuth2.NewAccessRequest(ctx, r, &session)
if err != nil {
pkg.LogError(err)
o.OAuth2.WriteAccessError(w, accessRequest, err)
return
}
if accessRequest.GetGrantTypes().Exact("client_credentials") {
session.Subject = accessRequest.GetClient().GetID()
}
accessResponse, err := o.OAuth2.NewAccessResponse(ctx, r, accessRequest)
if err != nil {
pkg.LogError(err)
o.OAuth2.WriteAccessError(w, accessRequest, err)
return
}
o.OAuth2.WriteAccessResponse(w, accessRequest, accessResponse)
}