// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Context, req *http.Request, requester fosite.AccessRequester, responder fosite.AccessResponder, session interface{}) error {
if requester.GetGrantType() != "refresh_token" {
return nil
}
access, err := c.Enigma.GenerateChallenge(requester.GetClient().GetHashedSecret())
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateAccessTokenSession(access.Signature, requester, &core.TokenSession{Extra: session}); err != nil {
return errors.New(fosite.ErrServerError)
}
refresh, err := c.Enigma.GenerateChallenge(requester.GetClient().GetHashedSecret())
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateRefreshTokenSession(refresh.Signature, requester, &core.TokenSession{Extra: session}); err != nil {
return errors.New(fosite.ErrServerError)
}
challenge := new(enigma.Challenge)
challenge.FromString(req.Form.Get("refresh_token"))
if err := c.Store.DeleteRefreshTokenSession(challenge.Signature); err != nil {
return errors.New(fosite.ErrServerError)
}
responder.SetAccessToken(access.String())
responder.SetTokenType("bearer")
responder.SetExtra("expires_in", strconv.Itoa(int(c.AccessTokenLifespan/time.Second)))
responder.SetExtra("scope", strings.Join(requester.GetGrantedScopes(), " "))
responder.SetExtra("refresh_token", refresh.String())
return nil
}
// ValidateTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
func (c *RefreshTokenGrantHandler) ValidateTokenEndpointRequest(_ context.Context, req *http.Request, request fosite.AccessRequester, session interface{}) error {
// grant_type REQUIRED.
// Value MUST be set to "client_credentials".
if request.GetGrantType() != "refresh_token" {
return nil
}
// The authorization server MUST ... validate the refresh token.
challenge := new(enigma.Challenge)
challenge.FromString(req.Form.Get("refresh_token"))
if err := c.Enigma.ValidateChallenge(request.GetClient().GetHashedSecret(), challenge); err != nil {
return errors.New(fosite.ErrInvalidRequest)
}
ar, err := c.Store.GetRefreshTokenSession(challenge.Signature, &core.TokenSession{Extra: session})
if err == pkg.ErrNotFound {
return errors.New(fosite.ErrInvalidRequest)
} else if err != nil {
return errors.New(fosite.ErrServerError)
}
// The authorization server MUST ... and ensure that the refresh token was issued to the authenticated client
if ar.GetClient().GetID() != request.GetClient().GetID() {
return errors.New(fosite.ErrInvalidRequest)
}
request.SetGrantTypeHandled("refresh_token")
return nil
}
// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Context, req *http.Request, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
if requester.GetGrantType() != "refresh_token" {
return nil
}
accessToken, accessSignature, err := c.AccessTokenStrategy.GenerateAccessToken(ctx, req, requester)
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateAccessTokenSession(accessSignature, requester); err != nil {
return errors.New(fosite.ErrServerError)
}
refreshToken, refreshSignature, err := c.RefreshTokenStrategy.GenerateRefreshToken(ctx, req, requester)
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateRefreshTokenSession(refreshSignature, requester); err != nil {
return errors.New(fosite.ErrServerError)
}
signature, err := c.RefreshTokenStrategy.ValidateRefreshToken(req.PostForm.Get("refresh_token"), ctx, req, requester)
if err != nil {
return errors.New(fosite.ErrInvalidRequest)
}
if err := c.Store.DeleteRefreshTokenSession(signature); err != nil {
return errors.New(fosite.ErrServerError)
}
responder.SetAccessToken(accessToken)
responder.SetTokenType("bearer")
responder.SetExtra("expires_in", strconv.Itoa(int(c.AccessTokenLifespan/time.Second)))
responder.SetExtra("scope", strings.Join(requester.GetGrantedScopes(), " "))
responder.SetExtra("refresh_token", refreshToken)
return nil
}
// ValidateTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
func (c *RefreshTokenGrantHandler) ValidateTokenEndpointRequest(ctx context.Context, req *http.Request, request fosite.AccessRequester) error {
// grant_type REQUIRED.
// Value MUST be set to "client_credentials".
if request.GetGrantType() != "refresh_token" {
return nil
}
// The authorization server MUST ... validate the refresh token.
signature, err := c.RefreshTokenStrategy.ValidateRefreshToken(req.Form.Get("refresh_token"), ctx, req, request)
if err != nil {
return errors.New(fosite.ErrInvalidRequest)
}
accessRequest, err := c.Store.GetRefreshTokenSession(signature, nil)
if err == pkg.ErrNotFound {
return errors.New(fosite.ErrInvalidRequest)
} else if err != nil {
return errors.New(fosite.ErrServerError)
}
// The authorization server MUST ... and ensure that the refresh token was issued to the authenticated client
if accessRequest.GetClient().GetID() != request.GetClient().GetID() {
return errors.New(fosite.ErrInvalidRequest)
}
request.SetGrantTypeHandled("refresh_token")
return nil
}
// ValidateTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.4.2
func (c *ClientCredentialsGrantHandler) ValidateTokenEndpointRequest(_ context.Context, req *http.Request, request fosite.AccessRequester, session interface{}) error {
// grant_type REQUIRED.
// Value MUST be set to "client_credentials".
if request.GetGrantType() != "client_credentials" {
return nil
}
// The client MUST authenticate with the authorization server as described in Section 3.2.1.
// This requirement is already fulfilled because fosite requries all token requests to be authenticated as described
// in https://tools.ietf.org/html/rfc6749#section-3.2.1
// There's nothing else to do. All other security considerations are for the client side.
request.SetGrantTypeHandled("client_credentials")
return nil
}
// ValidateTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2
func (c *ResourceOwnerPasswordCredentialsGrantHandler) ValidateTokenEndpointRequest(_ context.Context, req *http.Request, request fosite.AccessRequester, session interface{}) error {
// grant_type REQUIRED.
// Value MUST be set to "password".
if request.GetGrantType() != "password" {
return nil
}
username := req.PostForm.Get("username")
password := req.PostForm.Get("password")
if username == "" || password == "" {
return errors.New(fosite.ErrInvalidRequest)
} else if err := c.Store.DoCredentialsAuthenticate(username, password); err == pkg.ErrNotFound {
return errors.New(fosite.ErrInvalidRequest)
} else if err != nil {
return errors.New(fosite.ErrServerError)
}
request.SetGrantTypeHandled("password")
return nil
}
// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.4.3
func (c *ClientCredentialsGrantHandler) HandleTokenEndpointRequest(ctx context.Context, req *http.Request, requester fosite.AccessRequester, responder fosite.AccessResponder, session interface{}) error {
if requester.GetGrantType() != "client_credentials" {
return nil
}
access, err := c.Enigma.GenerateChallenge(requester.GetClient().GetHashedSecret())
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateAccessTokenSession(access.Signature, requester, &core.TokenSession{Extra: session}); err != nil {
return errors.New(fosite.ErrServerError)
}
responder.SetAccessToken(access.String())
responder.SetTokenType("bearer")
responder.SetExtra("expires_in", strconv.Itoa(int(c.AccessTokenLifespan/time.Second)))
responder.SetExtra("scope", strings.Join(requester.GetGrantedScopes(), " "))
// "A refresh token SHOULD NOT be included."
// -> we won't issue one
return nil
}
// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.4.3
func (c *ClientCredentialsGrantHandler) HandleTokenEndpointRequest(ctx context.Context, r *http.Request, request fosite.AccessRequester, response fosite.AccessResponder) error {
if request.GetGrantType() != "client_credentials" {
return nil
}
token, signature, err := c.AccessTokenStrategy.GenerateAccessToken(ctx, r, request)
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateAccessTokenSession(signature, request); err != nil {
return errors.New(fosite.ErrServerError)
}
response.SetAccessToken(token)
response.SetTokenType("bearer")
response.SetExtra("expires_in", strconv.Itoa(int(c.AccessTokenLifespan/time.Second)))
response.SetExtra("scope", strings.Join(request.GetGrantedScopes(), " "))
// "A refresh token SHOULD NOT be included."
// -> we won't issue one
return nil
}
// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.3
func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointRequest(ctx context.Context, req *http.Request, requester fosite.AccessRequester, responder fosite.AccessResponder, session interface{}) error {
if requester.GetGrantType() != "password" {
return nil
}
access, err := c.Enigma.GenerateChallenge(requester.GetClient().GetHashedSecret())
if err != nil {
return errors.New(fosite.ErrServerError)
} else if err := c.Store.CreateAccessTokenSession(access.Signature, requester, &core.TokenSession{Extra: session}); err != nil {
return errors.New(fosite.ErrServerError)
}
responder.SetAccessToken(access.String())
responder.SetTokenType("bearer")
responder.SetExtra("expires_in", strconv.Itoa(int(c.AccessTokenLifespan/time.Second)))
responder.SetExtra("scope", strings.Join(requester.GetGrantedScopes(), " "))
// As of https://tools.ietf.org/html/rfc6819#section-5.2.2.1 and
// https://tools.ietf.org/html/rfc6819#section-4.4.3.3 we decided not to include refresh tokens
// as part of the resource owner grant
return nil
}