IDToken string `json:"id_token,omitempty"`
}
-func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
+func newAccessTokenResponse(grant *models.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
if setting.OAuth2.InvalidateRefreshTokens {
if err := grant.IncreaseCounter(); err != nil {
return nil, &AccessTokenError{
ExpiresAt: expirationDate.AsTime().Unix(),
},
}
- signedAccessToken, err := accessToken.SignToken()
+ signedAccessToken, err := accessToken.SignToken(serverKey)
if err != nil {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ExpiresAt: refreshExpirationDate,
},
}
- signedRefreshToken, err := refreshToken.SignToken()
+ signedRefreshToken, err := refreshToken.SignToken(serverKey)
if err != nil {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
idToken.EmailVerified = user.IsActive
}
- signedIDToken, err = idToken.SignToken(signingKey)
+ signedIDToken, err = idToken.SignToken(clientKey)
if err != nil {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
}
form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
- token, err := oauth2.ParseToken(form.Token)
+ token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey)
if err == nil {
if token.Valid() == nil {
grant, err := models.GetOAuth2GrantByID(token.GrantID)
}
}
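Review bot: the introspection path passes `oauth2.DefaultSigningKey` literally while the access-token handler names the same value serverKey; this is correct only because access tokens are never signed with the client-derived key, and nothing here states that invariant. A one-line comment above the call would protect it: `// access tokens are always signed with the server key, so introspection must verify with it, never with a client-derived key`. The surrounding handler starts and ends outside the hunk.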
- signingKey := oauth2.DefaultSigningKey
- if signingKey.IsSymmetric() {
- clientKey, err := oauth2.CreateJWTSigningKey(signingKey.SigningMethod().Alg(), []byte(form.ClientSecret))
+ serverKey := oauth2.DefaultSigningKey
+ clientKey := serverKey
+ if serverKey.IsSymmetric() {
+ var err error
+ clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret))
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
})
return
}
- signingKey = clientKey
}
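Review bot: clientKey is derived on the new line `clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret))` from the raw form value before the client has been authenticated, so in the symmetric case the id_token is signed with whatever secret the request carried, including an empty one if CreateJWTSigningKey accepts it (not visible here). For the authorization_code path the secret is presumably checked against the application further down in handleAuthorizationCode; in the refresh_token path (handleRefreshToken, whose visible lines run from ParseToken straight to newAccessTokenResponse) no such check is visible, so a response could carry an id_token signed with a key the legitimate client cannot verify. Consider deriving clientKey only after the client secret has been validated, or at least rejecting an empty secret here, e.g. `if form.ClientSecret == "" { handleAccessTokenError(ctx, AccessTokenError{ErrorCode: AccessTokenErrorCodeInvalidRequest, ErrorDescription: "client_secret is required for symmetric signing keys"}); return }`. The enclosing handler starts before this hunk.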
switch form.GrantType {
case "refresh_token":
- handleRefreshToken(ctx, form, signingKey)
+ handleRefreshToken(ctx, form, serverKey, clientKey)
case "authorization_code":
- handleAuthorizationCode(ctx, form, signingKey)
+ handleAuthorizationCode(ctx, form, serverKey, clientKey)
default:
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnsupportedGrantType,
}
}
-func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
- token, err := oauth2.ParseToken(form.RefreshToken)
+func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
+ token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
return
}
- accessToken, tokenErr := newAccessTokenResponse(grant, signingKey)
+ accessToken, tokenErr := newAccessTokenResponse(grant, serverKey, clientKey)
if tokenErr != nil {
handleAccessTokenError(ctx, *tokenErr)
return
ctx.JSON(http.StatusOK, accessToken)
}
-func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) {
+func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)
if err != nil {
handleAccessTokenError(ctx, AccessTokenError{
ErrorDescription: "cannot proceed your request",
})
}
- resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, signingKey)
+ resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, serverKey, clientKey)
if tokenErr != nil {
handleAccessTokenError(ctx, *tokenErr)
return
}
// ParseToken parses a signed jwt string
-func ParseToken(jwtToken string) (*Token, error) {
+func ParseToken(jwtToken string, signingKey JWTSigningKey) (*Token, error) {
parsedToken, err := jwt.ParseWithClaims(jwtToken, &Token{}, func(token *jwt.Token) (interface{}, error) {
- if token.Method == nil || token.Method.Alg() != DefaultSigningKey.SigningMethod().Alg() {
+ if token.Method == nil || token.Method.Alg() != signingKey.SigningMethod().Alg() {
return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"])
}
- return DefaultSigningKey.VerifyKey(), nil
+ return signingKey.VerifyKey(), nil
})
if err != nil {
return nil, err
}
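Review bot: the doc comment `// ParseToken parses a signed jwt string` no longer describes the function, which now verifies against a caller-supplied key and rejects tokens whose alg header differs from that key's algorithm (the `token.Method.Alg() != signingKey.SigningMethod().Alg()` check is the guard against algorithm substitution). Suggest `// ParseToken parses jwtToken and verifies its signature with signingKey. A token whose "alg" header does not match signingKey's algorithm is rejected before any verification is attempted.` The function continues past the hunk.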
// SignToken signs the token with the JWT secret
-func (token *Token) SignToken() (string, error) {
+func (token *Token) SignToken(signingKey JWTSigningKey) (string, error) {
token.IssuedAt = time.Now().Unix()
- jwtToken := jwt.NewWithClaims(DefaultSigningKey.SigningMethod(), token)
- DefaultSigningKey.PreProcessToken(jwtToken)
- return jwtToken.SignedString(DefaultSigningKey.SignKey())
+ jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
+ signingKey.PreProcessToken(jwtToken)
+ return jwtToken.SignedString(signingKey.SignKey())
}
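Review bot: `// SignToken signs the token with the JWT secret` is stale now that the key is a parameter, and the comment also omits that `token.IssuedAt = time.Now().Unix()` overwrites IssuedAt on every call. Suggest `// SignToken sets IssuedAt to the current time and returns the token serialized and signed with signingKey.`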
// OIDCToken represents an OpenID Connect id_token