mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-05 14:37:45 +00:00
778b4041ca
# Which Problems Are Solved Do not return an access token for implicit flow from v1 login, if the `response_type` is `id_token` # How the Problems Are Solved Do not create the access token event if if the `response_type` is `id_token`. # Additional Changes Token endpoint calls without auth request, such as machine users, token exchange and refresh token, do not have a `response_type`. For such calls the `OIDCResponseTypeUnspecified` enum is added at a `-1` offset, in order not to break existing client configs. # Additional Context - https://discord.com/channels/927474939156643850/1294001717725237298 - Fixes https://github.com/zitadel/zitadel/issues/8776
576 lines
21 KiB
Go
576 lines
21 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/zitadel/logging"
|
|
"golang.org/x/text/language"
|
|
|
|
"github.com/zitadel/zitadel/internal/activity"
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/id"
|
|
"github.com/zitadel/zitadel/internal/repository/authrequest"
|
|
"github.com/zitadel/zitadel/internal/repository/oidcsession"
|
|
"github.com/zitadel/zitadel/internal/repository/sessionlogout"
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
const (
|
|
TokenDelimiter = "-"
|
|
AccessTokenPrefix = "at_"
|
|
RefreshTokenPrefix = "rt_"
|
|
oidcTokenSubjectDelimiter = ":"
|
|
oidcTokenFormat = "%s" + oidcTokenSubjectDelimiter + "%s"
|
|
)
|
|
|
|
type OIDCSession struct {
|
|
SessionID string
|
|
TokenID string
|
|
ClientID string
|
|
UserID string
|
|
Audience []string
|
|
Expiration time.Time
|
|
Scope []string
|
|
AuthMethods []domain.UserAuthMethodType
|
|
AuthTime time.Time
|
|
Nonce string
|
|
PreferredLanguage *language.Tag
|
|
UserAgent *domain.UserAgent
|
|
Reason domain.TokenReason
|
|
Actor *domain.TokenActor
|
|
RefreshToken string
|
|
}
|
|
|
|
type AuthRequestComplianceChecker func(context.Context, *AuthRequestWriteModel) error
|
|
|
|
// CreateOIDCSessionFromAuthRequest creates a new OIDC Session, creates an access token and refresh token.
|
|
// It returns the access token id, expiration and the refresh token.
|
|
// If the underlying [AuthRequest] is a OIDC Auth Code Flow, it will set the code as exchanged.
|
|
func (c *Commands) CreateOIDCSessionFromAuthRequest(ctx context.Context, authReqId string, complianceCheck AuthRequestComplianceChecker, needRefreshToken bool) (session *OIDCSession, state string, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
if authReqId == "" {
|
|
return nil, "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sf3g2", "Errors.AuthRequest.InvalidCode")
|
|
}
|
|
|
|
authReqModel, err := c.getAuthRequestWriteModel(ctx, authReqId)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
|
|
if authReqModel.ResponseType == domain.OIDCResponseTypeCode && authReqModel.AuthRequestState != domain.AuthRequestStateCodeAdded {
|
|
return nil, "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Iung5", "Errors.AuthRequest.NoCode")
|
|
}
|
|
|
|
instanceID := authz.GetInstance(ctx).InstanceID()
|
|
sessionModel := NewSessionWriteModel(authReqModel.SessionID, instanceID)
|
|
err = c.eventstore.FilterToQueryReducer(ctx, sessionModel)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
if err = sessionModel.CheckIsActive(); err != nil {
|
|
return nil, "", err
|
|
}
|
|
|
|
cmd, err := c.newOIDCSessionAddEvents(ctx, sessionModel.UserID, sessionModel.UserResourceOwner)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
if authReqModel.ResponseType == domain.OIDCResponseTypeCode {
|
|
if err = cmd.SetAuthRequestCodeExchanged(ctx, authReqModel); err != nil {
|
|
return nil, "", err
|
|
}
|
|
}
|
|
if err = complianceCheck(ctx, authReqModel); err != nil {
|
|
return nil, "", err
|
|
}
|
|
|
|
cmd.AddSession(ctx,
|
|
sessionModel.UserID,
|
|
sessionModel.UserResourceOwner,
|
|
sessionModel.AggregateID,
|
|
authReqModel.ClientID,
|
|
authReqModel.Audience,
|
|
authReqModel.Scope,
|
|
authReqModel.AuthMethods,
|
|
authReqModel.AuthTime,
|
|
authReqModel.Nonce,
|
|
sessionModel.PreferredLanguage,
|
|
sessionModel.UserAgent,
|
|
)
|
|
|
|
if authReqModel.ResponseType != domain.OIDCResponseTypeIDToken {
|
|
if err = cmd.AddAccessToken(ctx, authReqModel.Scope, sessionModel.UserID, sessionModel.UserResourceOwner, domain.TokenReasonAuthRequest, nil); err != nil {
|
|
return nil, "", err
|
|
}
|
|
}
|
|
if authReqModel.NeedRefreshToken && needRefreshToken {
|
|
if err = cmd.AddRefreshToken(ctx, sessionModel.UserID); err != nil {
|
|
return nil, "", err
|
|
}
|
|
}
|
|
cmd.SetAuthRequestSuccessful(ctx, authReqModel.aggregate)
|
|
postCommit, err := cmd.SetMilestones(ctx, authReqModel.ClientID, true)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
if session, err = cmd.PushEvents(ctx); err != nil {
|
|
return nil, "", err
|
|
}
|
|
postCommit(ctx)
|
|
return session, authReqModel.State, nil
|
|
}
|
|
|
|
func (c *Commands) CreateOIDCSession(ctx context.Context,
|
|
userID,
|
|
resourceOwner,
|
|
clientID,
|
|
backChannelLogoutURI string,
|
|
scope,
|
|
audience []string,
|
|
authMethods []domain.UserAuthMethodType,
|
|
authTime time.Time,
|
|
nonce string,
|
|
preferredLanguage *language.Tag,
|
|
userAgent *domain.UserAgent,
|
|
reason domain.TokenReason,
|
|
actor *domain.TokenActor,
|
|
needRefreshToken bool,
|
|
sessionID string,
|
|
responseType domain.OIDCResponseType,
|
|
) (session *OIDCSession, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
cmd, err := c.newOIDCSessionAddEvents(ctx, userID, resourceOwner)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if reason == domain.TokenReasonImpersonation {
|
|
if err := c.checkPermission(ctx, "impersonation", resourceOwner, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
cmd.UserImpersonated(ctx, userID, resourceOwner, clientID, actor)
|
|
}
|
|
|
|
cmd.AddSession(ctx, userID, resourceOwner, sessionID, clientID, audience, scope, authMethods, authTime, nonce, preferredLanguage, userAgent)
|
|
cmd.RegisterLogout(ctx, sessionID, userID, clientID, backChannelLogoutURI)
|
|
if responseType != domain.OIDCResponseTypeIDToken {
|
|
if err = cmd.AddAccessToken(ctx, scope, userID, resourceOwner, reason, actor); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
if needRefreshToken {
|
|
if err = cmd.AddRefreshToken(ctx, userID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
postCommit, err := cmd.SetMilestones(ctx, clientID, sessionID != "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if session, err = cmd.PushEvents(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
postCommit(ctx)
|
|
return session, nil
|
|
}
|
|
|
|
type RefreshTokenComplianceChecker func(ctx context.Context, wm *OIDCSessionWriteModel, requestedScope []string) (scope []string, err error)
|
|
|
|
// ExchangeOIDCSessionRefreshAndAccessToken updates an existing OIDC Session, creates a new access and refresh token.
|
|
// It returns the access token id and expiration and the new refresh token.
|
|
func (c *Commands) ExchangeOIDCSessionRefreshAndAccessToken(ctx context.Context, refreshToken string, scope []string, complianceCheck RefreshTokenComplianceChecker) (_ *OIDCSession, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
cmd, err := c.newOIDCSessionUpdateEvents(ctx, refreshToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
scope, err = complianceCheck(ctx, cmd.oidcSessionWriteModel, scope)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = cmd.AddAccessToken(ctx, scope,
|
|
cmd.oidcSessionWriteModel.UserID,
|
|
cmd.oidcSessionWriteModel.UserResourceOwner,
|
|
domain.TokenReasonRefresh,
|
|
cmd.oidcSessionWriteModel.AccessTokenActor,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err = cmd.RenewRefreshToken(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
return cmd.PushEvents(ctx)
|
|
}
|
|
|
|
// OIDCSessionByRefreshToken computes the current state of an existing OIDCSession by a refresh_token (to start a Refresh Token Grant).
|
|
// If either the session is not active, the token is invalid or expired (incl. idle expiration) an invalid refresh token error will be returned.
|
|
func (c *Commands) OIDCSessionByRefreshToken(ctx context.Context, refreshToken string) (_ *OIDCSessionWriteModel, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
oidcSessionID, refreshTokenID, err := parseRefreshToken(refreshToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
writeModel := NewOIDCSessionWriteModel(oidcSessionID, "")
|
|
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowPreconditionFailed(err, "OIDCS-SAF31", "Errors.OIDCSession.RefreshTokenInvalid")
|
|
}
|
|
if err = writeModel.CheckRefreshToken(refreshTokenID); err != nil {
|
|
return nil, err
|
|
}
|
|
return writeModel, nil
|
|
}
|
|
|
|
func oidcSessionTokenIDsFromToken(token string) (oidcSessionID, refreshTokenID, accessTokenID string, err error) {
|
|
split := strings.Split(token, TokenDelimiter)
|
|
if len(split) != 2 {
|
|
return "", "", "", zerrors.ThrowPreconditionFailed(nil, "OIDCS-S87kl", "Errors.OIDCSession.Token.Invalid")
|
|
}
|
|
if strings.HasPrefix(split[1], RefreshTokenPrefix) {
|
|
return split[0], split[1], "", nil
|
|
}
|
|
if strings.HasPrefix(split[1], AccessTokenPrefix) {
|
|
return split[0], "", split[1], nil
|
|
}
|
|
return "", "", "", zerrors.ThrowPreconditionFailed(nil, "OIDCS-S87kl", "Errors.OIDCSession.Token.Invalid")
|
|
}
|
|
|
|
// RevokeOIDCSessionToken revokes an access_token or refresh_token
|
|
// if the OIDCSession cannot be retrieved by the provided token, is not active or if the token is already revoked,
|
|
// then no error will be returned.
|
|
// The only possible error (except db connection or other internal errors) occurs if a client tries to revoke a token,
|
|
// which was not part of the audience.
|
|
func (c *Commands) RevokeOIDCSessionToken(ctx context.Context, token, clientID string) (err error) {
|
|
oidcSessionID, refreshTokenID, accessTokenID, err := oidcSessionTokenIDsFromToken(token)
|
|
if err != nil {
|
|
logging.WithError(err).Info("token revocation with invalid token format")
|
|
return nil
|
|
}
|
|
writeModel := NewOIDCSessionWriteModel(oidcSessionID, "")
|
|
err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
|
|
if err != nil {
|
|
return zerrors.ThrowInternal(err, "OIDCS-NB3t2", "Errors.Internal")
|
|
}
|
|
if err = writeModel.CheckClient(clientID); err != nil {
|
|
return err
|
|
}
|
|
if refreshTokenID != "" {
|
|
if err = writeModel.CheckRefreshToken(refreshTokenID); err != nil {
|
|
logging.WithFields("oidcSessionID", oidcSessionID, "refreshTokenID", refreshTokenID).WithError(err).
|
|
Info("refresh token revocation with invalid token")
|
|
return nil
|
|
}
|
|
return c.pushAppendAndReduce(ctx, writeModel, oidcsession.NewRefreshTokenRevokedEvent(ctx, writeModel.aggregate))
|
|
}
|
|
if err = writeModel.CheckAccessToken(accessTokenID); err != nil {
|
|
logging.WithFields("oidcSessionID", oidcSessionID, "accessTokenID", accessTokenID).WithError(err).
|
|
Info("access token revocation with invalid token")
|
|
return nil
|
|
}
|
|
return c.pushAppendAndReduce(ctx, writeModel, oidcsession.NewAccessTokenRevokedEvent(ctx, writeModel.aggregate))
|
|
}
|
|
|
|
func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, userID, resourceOwner string, pending ...eventstore.Command) (*OIDCSessionEvents, error) {
|
|
userStateModel, err := c.userStateWriteModel(ctx, userID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !userStateModel.UserState.IsEnabled() {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDCS-kj3g2", "Errors.User.NotActive")
|
|
}
|
|
accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sessionID, err := c.idGenerator.Next()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sessionID = IDPrefixV2 + sessionID
|
|
return &OIDCSessionEvents{
|
|
commands: c,
|
|
idGenerator: c.idGenerator,
|
|
encryptionAlg: c.keyAlgorithm,
|
|
events: pending,
|
|
oidcSessionWriteModel: NewOIDCSessionWriteModel(sessionID, resourceOwner),
|
|
userStateModel: userStateModel,
|
|
accessTokenLifetime: accessTokenLifetime,
|
|
refreshTokenLifeTime: refreshTokenLifeTime,
|
|
refreshTokenIdleLifetime: refreshTokenIdleLifetime,
|
|
}, nil
|
|
}
|
|
|
|
func (c *Commands) decryptRefreshToken(refreshToken string) (sessionID, refreshTokenID string, err error) {
|
|
decoded, err := base64.RawURLEncoding.DecodeString(refreshToken)
|
|
if err != nil {
|
|
return "", "", zerrors.ThrowInvalidArgument(err, "OIDCS-Cux9a", "Errors.User.RefreshToken.Invalid")
|
|
}
|
|
decrypted, err := c.keyAlgorithm.DecryptString(decoded, c.keyAlgorithm.EncryptionKeyID())
|
|
if err != nil {
|
|
return "", "", zerrors.ThrowInvalidArgument(err, "OIDCS-Jei0i", "Errors.User.RefreshToken.Invalid")
|
|
}
|
|
return parseRefreshToken(decrypted)
|
|
}
|
|
|
|
func parseRefreshToken(refreshToken string) (oidcSessionID, refreshTokenID string, err error) {
|
|
split := strings.Split(refreshToken, TokenDelimiter)
|
|
if len(split) < 2 || !strings.HasPrefix(split[1], RefreshTokenPrefix) {
|
|
return "", "", zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid")
|
|
}
|
|
// the oidc library requires that every token has the format of <tokenID>:<userID>
|
|
// the V2 tokens don't use the userID anymore, so let's just remove it
|
|
return split[0], strings.Split(split[1], oidcTokenSubjectDelimiter)[0], nil
|
|
}
|
|
|
|
func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, refreshToken string) (*OIDCSessionEvents, error) {
|
|
oidcSessionID, refreshTokenID, err := c.decryptRefreshToken(refreshToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sessionWriteModel := NewOIDCSessionWriteModel(oidcSessionID, "")
|
|
if err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel); err != nil {
|
|
return nil, err
|
|
}
|
|
if err = sessionWriteModel.CheckRefreshToken(refreshTokenID); err != nil {
|
|
return nil, err
|
|
}
|
|
userStateWriteModel, err := c.userStateWriteModel(ctx, sessionWriteModel.UserID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !userStateWriteModel.UserState.IsEnabled() {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDCS-J39h2", "Errors.User.NotActive")
|
|
}
|
|
accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &OIDCSessionEvents{
|
|
commands: c,
|
|
idGenerator: c.idGenerator,
|
|
encryptionAlg: c.keyAlgorithm,
|
|
oidcSessionWriteModel: sessionWriteModel,
|
|
accessTokenLifetime: accessTokenLifetime,
|
|
refreshTokenLifeTime: refreshTokenLifeTime,
|
|
refreshTokenIdleLifetime: refreshTokenIdleLifetime,
|
|
}, nil
|
|
}
|
|
|
|
type OIDCSessionEvents struct {
|
|
commands *Commands
|
|
idGenerator id.Generator
|
|
encryptionAlg crypto.EncryptionAlgorithm
|
|
events []eventstore.Command
|
|
oidcSessionWriteModel *OIDCSessionWriteModel
|
|
userStateModel *UserV2WriteModel
|
|
|
|
accessTokenLifetime time.Duration
|
|
refreshTokenLifeTime time.Duration
|
|
refreshTokenIdleLifetime time.Duration
|
|
|
|
// accessTokenID is set by the command
|
|
accessTokenID string
|
|
|
|
// refreshToken is set by the command
|
|
refreshTokenID string
|
|
refreshToken string
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) AddSession(
|
|
ctx context.Context,
|
|
userID,
|
|
userResourceOwner,
|
|
sessionID,
|
|
clientID string,
|
|
audience,
|
|
scope []string,
|
|
authMethods []domain.UserAuthMethodType,
|
|
authTime time.Time,
|
|
nonce string,
|
|
preferredLanguage *language.Tag,
|
|
userAgent *domain.UserAgent,
|
|
) {
|
|
c.events = append(c.events, oidcsession.NewAddedEvent(
|
|
ctx,
|
|
c.oidcSessionWriteModel.aggregate,
|
|
userID,
|
|
userResourceOwner,
|
|
sessionID,
|
|
clientID,
|
|
audience,
|
|
scope,
|
|
authMethods,
|
|
authTime,
|
|
nonce,
|
|
preferredLanguage,
|
|
userAgent,
|
|
))
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) SetAuthRequestCodeExchanged(ctx context.Context, model *AuthRequestWriteModel) error {
|
|
event := authrequest.NewCodeExchangedEvent(ctx, model.aggregate)
|
|
model.AppendEvents(event)
|
|
c.events = append(c.events, event)
|
|
return model.Reduce()
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) SetAuthRequestSuccessful(ctx context.Context, authRequestAggregate *eventstore.Aggregate) {
|
|
c.events = append(c.events, authrequest.NewSucceededEvent(ctx, authRequestAggregate))
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) SetAuthRequestFailed(ctx context.Context, authRequestAggregate *eventstore.Aggregate, err error) {
|
|
c.events = append(c.events, authrequest.NewFailedEvent(ctx, authRequestAggregate, domain.OIDCErrorReasonFromError(err)))
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) RegisterLogout(ctx context.Context, sessionID, userID, clientID, backChannelLogoutURI string) {
|
|
// If there's no SSO session (e.g. service accounts) we do not need to register a logout handler.
|
|
// Also, if the client did not register a backchannel_logout_uri it will not support it (https://openid.net/specs/openid-connect-backchannel-1_0.html#BCRegistration)
|
|
if sessionID == "" || backChannelLogoutURI == "" {
|
|
return
|
|
}
|
|
if !authz.GetFeatures(ctx).EnableBackChannelLogout {
|
|
return
|
|
}
|
|
|
|
c.events = append(c.events, sessionlogout.NewBackChannelLogoutRegisteredEvent(
|
|
ctx,
|
|
&sessionlogout.NewAggregate(sessionID, authz.GetInstance(ctx).InstanceID()).Aggregate,
|
|
c.oidcSessionWriteModel.AggregateID,
|
|
userID,
|
|
clientID,
|
|
backChannelLogoutURI,
|
|
))
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) AddAccessToken(ctx context.Context, scope []string, userID, resourceOwner string, reason domain.TokenReason, actor *domain.TokenActor) error {
|
|
accessTokenID, err := c.idGenerator.Next()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
c.accessTokenID = AccessTokenPrefix + accessTokenID
|
|
c.events = append(c.events, oidcsession.NewAccessTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.accessTokenID, scope, c.accessTokenLifetime, reason, actor))
|
|
if !authz.GetFeatures(ctx).DisableUserTokenEvent {
|
|
c.events = append(c.events, user.NewUserTokenV2AddedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, c.accessTokenID))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) AddRefreshToken(ctx context.Context, userID string) (err error) {
|
|
c.refreshTokenID, c.refreshToken, err = c.generateRefreshToken(userID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
c.events = append(c.events, oidcsession.NewRefreshTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.refreshTokenID, c.refreshTokenLifeTime, c.refreshTokenIdleLifetime))
|
|
return nil
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) RenewRefreshToken(ctx context.Context) (err error) {
|
|
var refreshTokenID string
|
|
refreshTokenID, c.refreshToken, err = c.generateRefreshToken(c.oidcSessionWriteModel.UserID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
c.events = append(c.events, oidcsession.NewRefreshTokenRenewedEvent(ctx, c.oidcSessionWriteModel.aggregate, refreshTokenID, c.refreshTokenIdleLifetime))
|
|
return nil
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) UserImpersonated(ctx context.Context, userID, resourceOwner, clientID string, actor *domain.TokenActor) {
|
|
c.events = append(c.events, user.NewUserImpersonatedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, clientID, actor))
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) generateRefreshToken(userID string) (refreshTokenID, refreshToken string, err error) {
|
|
refreshTokenID, err = c.idGenerator.Next()
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
refreshTokenID = RefreshTokenPrefix + refreshTokenID
|
|
token, err := c.encryptionAlg.Encrypt([]byte(fmt.Sprintf(oidcTokenFormat, c.oidcSessionWriteModel.OIDCRefreshTokenID(refreshTokenID), userID)))
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
return refreshTokenID, base64.RawURLEncoding.EncodeToString(token), nil
|
|
}
|
|
|
|
func (c *OIDCSessionEvents) PushEvents(ctx context.Context) (*OIDCSession, error) {
|
|
pushedEvents, err := c.commands.eventstore.Push(ctx, c.events...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = AppendAndReduce(c.oidcSessionWriteModel, pushedEvents...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
session := &OIDCSession{
|
|
SessionID: c.oidcSessionWriteModel.SessionID,
|
|
ClientID: c.oidcSessionWriteModel.ClientID,
|
|
UserID: c.oidcSessionWriteModel.UserID,
|
|
Audience: c.oidcSessionWriteModel.Audience,
|
|
Expiration: c.oidcSessionWriteModel.AccessTokenExpiration,
|
|
Scope: c.oidcSessionWriteModel.Scope,
|
|
AuthMethods: c.oidcSessionWriteModel.AuthMethods,
|
|
AuthTime: c.oidcSessionWriteModel.AuthTime,
|
|
Nonce: c.oidcSessionWriteModel.Nonce,
|
|
PreferredLanguage: c.oidcSessionWriteModel.PreferredLanguage,
|
|
UserAgent: c.oidcSessionWriteModel.UserAgent,
|
|
Reason: c.oidcSessionWriteModel.AccessTokenReason,
|
|
Actor: c.oidcSessionWriteModel.AccessTokenActor,
|
|
RefreshToken: c.refreshToken,
|
|
}
|
|
if c.accessTokenID != "" {
|
|
// prefix the returned id with the oidcSessionID so that we can retrieve it later on
|
|
// we need to use `-` as a delimiter because the OIDC library uses `:` and will check for a length of 2 parts
|
|
session.TokenID = c.oidcSessionWriteModel.AggregateID + TokenDelimiter + c.accessTokenID
|
|
}
|
|
activity.Trigger(ctx, c.oidcSessionWriteModel.UserResourceOwner, c.oidcSessionWriteModel.UserID, tokenReasonToActivityMethodType(c.oidcSessionWriteModel.AccessTokenReason), c.commands.eventstore.FilterToQueryReducer)
|
|
return session, nil
|
|
}
|
|
|
|
func (c *Commands) tokenTokenLifetimes(ctx context.Context) (accessTokenLifetime time.Duration, refreshTokenLifetime time.Duration, refreshTokenIdleLifetime time.Duration, err error) {
|
|
oidcSettings := NewInstanceOIDCSettingsWriteModel(ctx)
|
|
err = c.eventstore.FilterToQueryReducer(ctx, oidcSettings)
|
|
if err != nil {
|
|
return 0, 0, 0, err
|
|
}
|
|
accessTokenLifetime = c.defaultAccessTokenLifetime
|
|
refreshTokenLifetime = c.defaultRefreshTokenLifetime
|
|
refreshTokenIdleLifetime = c.defaultRefreshTokenIdleLifetime
|
|
if oidcSettings.AccessTokenLifetime > 0 {
|
|
accessTokenLifetime = oidcSettings.AccessTokenLifetime
|
|
}
|
|
if oidcSettings.RefreshTokenExpiration > 0 {
|
|
refreshTokenLifetime = oidcSettings.RefreshTokenExpiration
|
|
}
|
|
if oidcSettings.RefreshTokenIdleExpiration > 0 {
|
|
refreshTokenIdleLifetime = oidcSettings.RefreshTokenIdleExpiration
|
|
}
|
|
return accessTokenLifetime, refreshTokenLifetime, refreshTokenIdleLifetime, nil
|
|
}
|
|
|
|
func tokenReasonToActivityMethodType(r domain.TokenReason) activity.TriggerMethod {
|
|
if r == domain.TokenReasonUnspecified {
|
|
return activity.Unspecified
|
|
}
|
|
if r == domain.TokenReasonRefresh {
|
|
return activity.OIDCRefreshToken
|
|
}
|
|
// all other reasons result in an access token
|
|
return activity.OIDCAccessToken
|
|
}
|