From d404d104b7b720a0d07a600f919fba820a533b0e Mon Sep 17 00:00:00 2001 From: LyricTian Date: Sun, 28 Mar 2021 17:29:57 +0800 Subject: [PATCH] Passthrough token request --- README.md | 64 +++++++++++++++++++++---------------------- server/handler.go | 6 ++-- server/server.go | 14 ++++++++-- server/server_test.go | 2 +- 4 files changed, 47 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index e4f516f..d555875 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ > An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. -[![Build][Build-Status-Image]][Build-Status-Url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url] +[![Build][build-status-image]][build-status-url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url] ## Protocol Flow -``` text +```text +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | @@ -30,13 +30,13 @@ ### Download and install -``` bash +```bash go get -u -v github.com/go-oauth2/oauth2/v4/... ``` ### Create file `server.go` -``` go +```go package main import ( @@ -95,7 +95,7 @@ func main() { ### Build and run -``` bash +```bash go build server.go ./server 
@@ -105,24 +105,24 @@ go build server.go [http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read](http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read) -``` json +```json { - "access_token": "J86XVRYSNFCFI233KXDL0Q", - "expires_in": 7200, - "scope": "read", - "token_type": "Bearer" + "access_token": "J86XVRYSNFCFI233KXDL0Q", + "expires_in": 7200, + "scope": "read", + "token_type": "Bearer" } ``` ## Features -* Easy to use -* Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation -* Token storage support TTL -* Support custom expiration time of the access token -* Support custom extension field -* Support custom scope -* Support jwt to generate access tokens +- Easy to use +- Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation +- Token storage support TTL +- Support custom expiration time of the access token +- Support custom extension field +- Support custom scope +- Support jwt to generate access tokens ## Example 
@@ -161,28 +161,28 @@ if !ok || !token.Valid { ## Store Implements -* [BuntDB](https://github.com/tidwall/buntdb)(default store) -* [Redis](https://github.com/go-oauth2/redis) -* [MongoDB](https://github.com/go-oauth2/mongo) -* [MySQL](https://github.com/go-oauth2/mysql) -* [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql) -* [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg) -* [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb) -* [XORM](https://github.com/techknowlogick/go-oauth2-xorm) -* [XORM (MySQL, client and token store)](https://github.com/rainlay/go-oauth2-xorm) -* [GORM](https://github.com/techknowlogick/go-oauth2-gorm) -* [Firestore](https://github.com/tslamic/go-oauth2-firestore) +- [BuntDB](https://github.com/tidwall/buntdb)(default store) +- [Redis](https://github.com/go-oauth2/redis) +- [MongoDB](https://github.com/go-oauth2/mongo) +- [MySQL](https://github.com/go-oauth2/mysql) +- [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql) +- [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg) +- [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb) +- [XORM](https://github.com/techknowlogick/go-oauth2-xorm) +- [XORM (MySQL, client and token store)](https://github.com/rainlay/go-oauth2-xorm) +- [GORM](https://github.com/techknowlogick/go-oauth2-gorm) +- [Firestore](https://github.com/tslamic/go-oauth2-firestore) ## Handy Utilities -* [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy) +- [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy) ## MIT License - Copyright (c) 2016 Lyric +Copyright (c) 2016 Lyric -[Build-Status-Url]: https://travis-ci.org/go-oauth2/oauth2 -[Build-Status-Image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master +[build-status-url]: https://travis-ci.org/go-oauth2/oauth2 
+[build-status-image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master [codecov-url]: https://codecov.io/gh/go-oauth2/oauth2 [codecov-image]: https://codecov.io/gh/go-oauth2/oauth2/branch/master/graph/badge.svg [reportcard-url]: https://goreportcard.com/report/github.com/go-oauth2/oauth2/v4 diff --git a/server/handler.go b/server/handler.go index a5fd139..bb2c6d8 100755 --- a/server/handler.go +++ b/server/handler.go @@ -16,7 +16,7 @@ type ( ClientAuthorizedHandler func(clientID string, grant oauth2.GrantType) (allowed bool, err error) // ClientScopeHandler check the client allows to use scope - ClientScopeHandler func(clientID, scope string) (allowed bool, err error) + ClientScopeHandler func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error) // UserAuthorizationHandler get user id from request authorization UserAuthorizationHandler func(w http.ResponseWriter, r *http.Request) (userID string, err error) @@ -25,9 +25,9 @@ type ( PasswordAuthorizationHandler func(username, password string) (userID string, err error) // RefreshingScopeHandler check the scope of the refreshing token - RefreshingScopeHandler func(newScope, oldScope string) (allowed bool, err error) + RefreshingScopeHandler func(tgr *oauth2.TokenGenerateRequest, oldScope string) (allowed bool, err error) - //RefreshingValidationHandler check if refresh_token is still valid. eg no revocation or other + // RefreshingValidationHandler check if refresh_token is still valid. eg no revocation or other RefreshingValidationHandler func(ti oauth2.TokenInfo) (allowed bool, err error) // ResponseErrorHandler response error handing diff --git a/server/server.go b/server/server.go index 6854a4f..af911f4 100755 --- a/server/server.go +++ b/server/server.go 
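Review bot: The doc comments on ClientScopeHandler and RefreshingScopeHandler (both hunks of server/handler.go) still read as if the handlers took plain strings and say nothing about what the new *oauth2.TokenGenerateRequest carries, which matters because that struct bundles credential-bearing fields (ClientSecret, Refresh — defined outside this diff) next to the scope and, in the authorize path of server/server.go, the originating HTTP request. I would change the first comment to `// ClientScopeHandler reports whether the client may use tgr.Scope; tgr carries the whole token request (HTTP request and credentials included), so implementations should decide on tgr.Scope and must not log or persist tgr wholesale.` and the second to `// RefreshingScopeHandler reports whether tgr.Scope may be granted when refreshing a token that was issued with oldScope.` The same exposure applies to the refresh branch in server/server.go (the @@ -421 hunk), where tgr now reaches the policy callback with the presented refresh token. Since every handler registered through SetClientScopeHandler (and the refreshing counterpart) stops compiling, the commit message should also call out the signature change.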
@@ -214,7 +214,15 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) ( // check the client allows the authorized scope if fn := s.ClientScopeHandler; fn != nil { - allowed, err := fn(req.ClientID, req.Scope) + tgr := &oauth2.TokenGenerateRequest{ + ClientID: req.ClientID, + UserID: req.UserID, + RedirectURI: req.RedirectURI, + Scope: req.Scope, + AccessTokenExp: req.AccessTokenExp, + Request: req.Request, + } + allowed, err := fn(tgr) if err != nil { return nil, err } else if !allowed { @@ -402,7 +410,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o return ti, nil case oauth2.PasswordCredentials, oauth2.ClientCredentials: if fn := s.ClientScopeHandler; fn != nil { - allowed, err := fn(tgr.ClientID, tgr.Scope) + allowed, err := fn(tgr) if err != nil { return nil, err } else if !allowed { @@ -421,7 +429,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o return nil, err } - allowed, err := scopeFn(scope, rti.GetScope()) + allowed, err := scopeFn(tgr, rti.GetScope()) if err != nil { return nil, err } else if !allowed { diff --git a/server/server_test.go b/server/server_test.go index b365f18..12756ef 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -306,7 +306,7 @@ func TestClientCredentials(t *testing.T) { srv.SetAuthorizeScopeHandler(func(w http.ResponseWriter, r *http.Request) (scope string, err error) { return }) - srv.SetClientScopeHandler(func(clientID, scope string) (allowed bool, err error) { + srv.SetClientScopeHandler(func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error) { allowed = true return })
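Review bot: The TokenGenerateRequest built in GetAuthorizeToken is a throwaway: its fields are copied from req, the pointer is handed to fn, and nothing in the hunk copies anything back into req, whereas the client_credentials/password branch of GetAccessToken (the @@ -402 hunk) hands the handler the live tgr that is presumably used to issue the token afterwards. A ClientScopeHandler that narrows tgr.Scope therefore takes effect in one grant flow and is silently ignored in the other, unless code after this hunk (GetAuthorizeToken continues outside it) copies the field back. Either make the two paths agree with `req.Scope = tgr.Scope` after the allowed check, or state in the handler's doc comment that the request passed to it is read-only. I would also put `// tgr is a local view of req for the scope handler; it is not the request the token is issued from.` above the literal so the next reader does not assume the handler's edits persist.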