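// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
//
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur;
// otherwise the request is left untouched and (false, nil) is returned.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged apart from Scope,
// which is normalized (split, defaulted to scopeauthorizer.UserFull when empty, and re-joined).
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// The returned bool reports whether the response has already been written to w.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {
	// Requests must already be authorized before we will check grants
	if !ar.Authorized {
		return false, nil
	}

	// Fail closed: the request stays unauthorized until every check below passes.
	ar.Authorized = false

	// Named userInfo rather than user so the user package is not shadowed.
	userInfo, ok := ar.UserData.(user.Info)
	if !ok || userInfo == nil {
		// Report the actual dynamic type carried in UserData; on a failed assertion
		// the asserted variable is always nil and would tell the operator nothing.
		utilruntime.HandleError(fmt.Errorf("the provided user data is not a user.Info object: %T", ar.UserData))
		resp.SetError("server_error", "")
		return false, nil
	}

	// osin populates Client before handlers run, but guard against a nil interface
	// so an inconsistent request yields server_error instead of a panic.
	if ar.Client == nil {
		utilruntime.HandleError(fmt.Errorf("the authorize request has no client"))
		resp.SetError("server_error", "")
		return false, nil
	}
	clientData := ar.Client.GetUserData()
	client, ok := clientData.(*oauthapi.OAuthClient)
	if !ok || client == nil {
		utilruntime.HandleError(fmt.Errorf("the provided client is not an *api.OAuthClient object: %T", clientData))
		resp.SetError("server_error", "")
		return false, nil
	}

	// Normalize the scope request, and ensure all tokens contain a scope
	scopes := scope.Split(ar.Scope)
	if len(scopes) == 0 {
		scopes = append(scopes, scopeauthorizer.UserFull)
	}
	ar.Scope = scope.Join(scopes)

	// Validate the requested scopes
	if scopeErrors := validation.ValidateScopes(scopes, nil); len(scopeErrors) > 0 {
		resp.SetError("invalid_scope", scopeErrors.ToAggregate().Error())
		return false, nil
	}

	// Every requested scope must be permitted by the client's scope restrictions;
	// collect all offenders so the error names each denied scope, not just the first.
	invalidScopes := sets.NewString()
	for _, s := range scopes {
		if err := scopeauthorizer.ValidateScopeRestrictions(client, s); err != nil {
			invalidScopes.Insert(s)
		}
	}
	if len(invalidScopes) > 0 {
		// List() returns the sorted members, so the message is deterministic.
		resp.SetError("access_denied", fmt.Sprintf("scope denied: %s", strings.Join(invalidScopes.List(), " ")))
		return false, nil
	}

	grant := &api.Grant{
		Client:      ar.Client,
		Scope:       ar.Scope,
		Expiration:  int64(ar.Expiration),
		RedirectURI: ar.RedirectUri,
	}

	// Check if the user has already authorized this grant
	authorized, err := h.check.HasAuthorizedClient(userInfo, grant)
	if err != nil {
		utilruntime.HandleError(err)
		resp.SetError("server_error", "")
		return false, nil
	}
	if authorized {
		ar.Authorized = true
		return false, nil
	}

	// React to an unauthorized grant
	authorized, handled, err := h.handler.GrantNeeded(userInfo, grant, w, ar.HttpRequest)
	if err != nil {
		// Per the documented contract, an error never leaves the request authorized.
		return handled, err
	}
	if authorized {
		ar.Authorized = true
	}
	return handled, nil
}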