63 lines
1.7 KiB
Go
63 lines
1.7 KiB
Go
|
package application
|
||
|
|
||
|
import (
|
||
|
"encoding/json"
|
||
|
"net/http"
|
||
|
"net/url"
|
||
|
"strings"
|
||
|
)
|
||
|
|
||
|
func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
|
||
|
auth := r.Header.Get(HeaderAuthorization)
|
||
|
if auth == "" {
|
||
|
return ""
|
||
|
}
|
||
|
if len(auth) < len(AuthBearer) || !strings.EqualFold(auth[:len(AuthBearer)], AuthBearer) {
|
||
|
return ""
|
||
|
}
|
||
|
return auth[len(AuthBearer):]
|
||
|
}
|
||
|
|
||
|
type TokenIntrospectionResponse struct {
|
||
|
Claims
|
||
|
Scope string `json:"scope"`
|
||
|
Active bool `json:"active"`
|
||
|
ClientID string `json:"client_id"`
|
||
|
}
|
||
|
|
||
|
func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
|
||
|
values := url.Values{
|
||
|
"client_id": []string{a.oauthConfig.ClientID},
|
||
|
"client_secret": []string{a.oauthConfig.ClientSecret},
|
||
|
"token": []string{token},
|
||
|
}
|
||
|
req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
|
||
|
if err != nil {
|
||
|
a.log.WithError(err).Warning("failed to create introspection request")
|
||
|
return nil
|
||
|
}
|
||
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||
|
res, err := a.httpClient.Do(req)
|
||
|
if err != nil || res.StatusCode > 200 {
|
||
|
a.log.WithError(err).Warning("failed to send introspection request")
|
||
|
return nil
|
||
|
}
|
||
|
intro := TokenIntrospectionResponse{}
|
||
|
err = json.NewDecoder(res.Body).Decode(&intro)
|
||
|
if err != nil {
|
||
|
a.log.WithError(err).Warning("failed to parse introspection response")
|
||
|
return nil
|
||
|
}
|
||
|
if !intro.Active {
|
||
|
a.log.Warning("token is not active")
|
||
|
return nil
|
||
|
}
|
||
|
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
|
||
|
a.log.Error("token missing openid or profile scope")
|
||
|
return nil
|
||
|
}
|
||
|
intro.RawToken = token
|
||
|
a.log.Trace("successfully introspected bearer token")
|
||
|
return &intro
|
||
|
}
|