func (s *DefaultConsentStrategy) ValidateResponse(a fosite.AuthorizeRequester, token string) (claims *Session, err error) {
t, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
return nil, errors.Errorf("Unexpected signing method: %v", t.Header["alg"])
}
pk, err := s.KeyManager.GetKey(ConsentEndpointKey, "public")
if err != nil {
return nil, err
}
rsaKey, ok := jwk.First(pk.Keys).Key.(*rsa.PublicKey)
if !ok {
return nil, errors.New("Could not convert to RSA Private Key")
}
return rsaKey, nil
})
if err != nil {
return nil, errors.Errorf("Couldn't parse token: %v", err)
} else if !t.Valid {
return nil, errors.Errorf("Token is invalid")
}
if time.Now().After(ejwt.ToTime(t.Claims["exp"])) {
return nil, errors.Errorf("Token expired")
}
if ejwt.ToString(t.Claims["aud"]) != a.GetClient().GetID() {
return nil, errors.Errorf("Audience mismatch")
}
subject := ejwt.ToString(t.Claims["sub"])
for _, scope := range toStringSlice(t.Claims["scp"]) {
a.GrantScope(scope)
}
return &Session{
Subject: subject,
DefaultSession: &strategy.DefaultSession{
Claims: &ejwt.IDTokenClaims{
Audience: a.GetClient().GetID(),
Subject: subject,
Issuer: s.Issuer,
IssuedAt: time.Now(),
ExpiresAt: time.Now(),
Extra: t.Claims,
},
Headers: &ejwt.Headers{},
},
}, err
}
func TestAuthCode(t *testing.T) {
var code string
var validConsent bool
router.GET("/consent", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
tok, err := jwt.Parse(r.URL.Query().Get("challenge"), func(tt *jwt.Token) (interface{}, error) {
if _, ok := tt.Method.(*jwt.SigningMethodRSA); !ok {
return nil, errors.Errorf("Unexpected signing method: %v", tt.Header["alg"])
}
pk, err := keyManager.GetKey(ConsentChallengeKey, "public")
pkg.RequireError(t, false, err)
return jwk.MustRSAPublic(jwk.First(pk.Keys)), nil
})
pkg.RequireError(t, false, err)
require.True(t, tok.Valid)
consent, err := signConsentToken(map[string]interface{}{
"jti": uuid.New(),
"exp": time.Now().Add(time.Hour).Unix(),
"iat": time.Now().Unix(),
"aud": "app-client",
})
pkg.RequireError(t, false, err)
http.Redirect(w, r, ejwt.ToString(tok.Claims["redir"])+"&consent="+consent, http.StatusFound)
validConsent = true
})
router.GET("/callback", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
code = r.URL.Query().Get("code")
w.Write([]byte(r.URL.Query().Get("code")))
})
resp, err := http.Get(oauthConfig.AuthCodeURL("some-foo-state"))
pkg.RequireError(t, false, err)
defer resp.Body.Close()
_, err = ioutil.ReadAll(resp.Body)
pkg.RequireError(t, false, err)
require.True(t, validConsent)
require.NotEmpty(t, code)
_, err = oauthConfig.Exchange(oauth2.NoContext, code)
pkg.RequireError(t, false, err)
}