

feat: filtering mode
james-d-elliott committed Jul 21, 2023
1 parent 6db02e8 commit 33e6bfc
Showing 3 changed files with 275 additions and 150 deletions.
23 changes: 16 additions & 7 deletions handler/oauth2/flow_refresh.go
Expand Up @@ -29,6 +29,11 @@ type RefreshTokenGrantHandler struct {
fosite.AudienceStrategyProvider
fosite.RefreshTokenScopesProvider
}

// IgnoreRequestedScopeNotInOriginalGrant determines the action to take when the requested scopes in the refresh
// flow were not originally granted. If false which is the default the handler will automatically return an error.
// If true the handler will filter out / ignore the scopes which were not originally granted.
IgnoreRequestedScopeNotInOriginalGrant bool
}

// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-6
Expand Down Expand Up @@ -89,12 +94,10 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
See https://www.rfc-editor.org/rfc/rfc6749#section-6
*/
switch scope := request.GetRequestForm().Get("scope"); scope {
case "":
// Addresses point 1 of the text in RFC6749 Section 6.

// Addresses point 1 of the text in RFC6749 Section 6.
if len(request.GetRequestedScopes()) == 0 {
request.SetRequestedScopes(originalRequest.GetGrantedScopes())
default:
request.SetRequestedScopes(fosite.RemoveEmpty(strings.Split(scope, " ")))
}

request.SetRequestedAudience(originalRequest.GetRequestedAudience())
Expand All @@ -103,9 +106,15 @@ func (c *RefreshTokenGrantHandler) HandleTokenEndpointRequest(ctx context.Contex
originalScopes := originalRequest.GetGrantedScopes()

for _, scope := range request.GetRequestedScopes() {
// Addresses point 2 of the text in RFC6749 Section 6.
if !strategy(originalScopes, scope) {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' was not originally granted by the resource owner.", scope))
if c.IgnoreRequestedScopeNotInOriginalGrant {
// Skips addressing point 2 of the text in RFC6749 Section 6 and instead just prevents the scope
// requested from being granted.
continue
} else {
// Addresses point 2 of the text in RFC6749 Section 6.
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' was not originally granted by the resource owner.", scope))
}
}

if !strategy(request.GetClient().GetScopes(), scope) {
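Review bot: In the new ignore branch the `continue` skips the rest of the loop body for the scope but leaves it in the request's requested-scope set, so any downstream code that reads `GetRequestedScopes()` instead of the granted set would still treat the dropped scope as requested; if filtering is the intent, either remove it from the requested set as well or add a comment on the branch such as `// The scope stays in GetRequestedScopes(); only the granted set is authoritative after this loop.` so the contract is explicit. The `else` after `continue` is unnecessary — the `return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf(...))` can follow the `if` directly, which keeps the error path left-aligned. The earlier hunk now relies on `request.GetRequestedScopes()` having been populated by the caller instead of parsing the `scope` form field here, and the test changes confirm this; a caller that does not populate it silently falls back to every originally granted scope, which is worth a doc comment on the handler. `IgnoreRequestedScopeNotInOriginalGrant` is a plain field on the handler while the sibling options are reached through the embedded provider interfaces, so the configuration surface is now split across two mechanisms. HandleTokenEndpointRequest begins before and ends after these hunks.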
4 changes: 4 additions & 0 deletions handler/oauth2/flow_refresh_test.go
Expand Up @@ -222,6 +222,8 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {

areq.Form.Add("refresh_token", token)
areq.Form.Add("scope", "foo bar offline")
areq.SetRequestedScopes(fosite.Arguments{"foo", "bar", "offline"})

err = store.CreateRefreshTokenSession(nil, sig, &fosite.Request{
Client: areq.Client,
GrantedScope: fosite.Arguments{"foo", "bar", "baz", "offline"},
Expand Down Expand Up @@ -252,6 +254,8 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) {

areq.Form.Add("refresh_token", token)
areq.Form.Add("scope", "foo bar offline")
areq.SetRequestedScopes(fosite.Arguments{"foo", "bar", "offline"})

err = store.CreateRefreshTokenSession(nil, sig, &fosite.Request{
Client: areq.Client,
GrantedScope: fosite.Arguments{"foo", "baz", "offline"},
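Review bot: Neither visible case in this section exercises `IgnoreRequestedScopeNotInOriginalGrant` set to true, so the new filtering branch — and in particular that a scope outside the original grant is absent from the granted set afterwards — is not pinned by a test here; the third changed file is not shown and may cover it. The added `areq.SetRequestedScopes(...)` calls duplicate the `scope` form value, which shows the handler no longer derives requested scopes from the form, and a one-line comment above them such as `// The handler reads GetRequestedScopes(); the form value alone is no longer parsed.` would save the next reader the inference. TestRefreshFlow_HandleTokenEndpointRequest begins before and ends after both hunks.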
