token revocation / introspection

client/client.go

@@ -20,6 +20,7 @@ type Client struct {
 	ClientURI         string   `json:"client_uri" gorethink:"client_uri"`
 	LogoURI           string   `json:"logo_uri" gorethink:"logo_uri"`
 	Contacts          []string `json:"contacts" gorethink:"contacts"`
+	Public            bool `json:"public" gorethink:"public"`
 }
 
 func (c *Client) GetID() string {
@@ -65,3 +66,7 @@ func (c *Client) GetResponseTypes() fosite.Arguments {
 func (c *Client) GetOwner() string {
 	return c.Owner
 }
+
+func (c *Client) IsPublic() bool {
+	return c.Public
+}

client/handler.go

@@ -25,16 +25,16 @@ const (
 
 const (
 	ClientsResource = "rn:hydra:clients"
-	ClientResource  = "rn:hydra:clients:%s"
-	Scope           = "hydra.clients"
+	ClientResource = "rn:hydra:clients:%s"
+	Scope = "hydra.clients"
 )
 
 func (h *Handler) SetRoutes(r *httprouter.Router) {
 	r.GET(ClientsHandlerPath, h.GetAll)
 	r.POST(ClientsHandlerPath, h.Create)
-	r.GET(ClientsHandlerPath+"/:id", h.Get)
-	r.PUT(ClientsHandlerPath+"/:id", h.Update)
-	r.DELETE(ClientsHandlerPath+"/:id", h.Delete)
+	r.GET(ClientsHandlerPath + "/:id", h.Get)
+	r.PUT(ClientsHandlerPath + "/:id", h.Update)
+	r.DELETE(ClientsHandlerPath + "/:id", h.Delete)
 }
 
 func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
@@ -75,7 +75,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 	}
 
 	c.Secret = secret
-	h.H.WriteCreated(ctx, w, r, ClientsHandlerPath+"/"+c.GetID(), &c)
+	h.H.WriteCreated(ctx, w, r, ClientsHandlerPath + "/" + c.GetID(), &c)
 }
 
 func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
@@ -114,7 +114,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.P
 		return
 	}
 
-	h.H.WriteCreated(ctx, w, r, ClientsHandlerPath+"/"+c.GetID(), &c)
+	h.H.WriteCreated(ctx, w, r, ClientsHandlerPath + "/" + c.GetID(), &c)
 }
 
 func (h *Handler) GetAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {

client/manager_memory.go

@@ -5,15 +5,14 @@ import (
 
 	"github.com/imdario/mergo"
 	"github.com/ory-am/fosite"
-	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
 	"github.com/pkg/errors"
 )
 
 type MemoryManager struct {
 	Clients map[string]Client
-	Hasher  hash.Hasher
+	Hasher  fosite.Hasher
 	sync.RWMutex
 }
 

client/manager_rethinkdb.go

@@ -7,7 +7,6 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/imdario/mergo"
 	"github.com/ory-am/fosite"
-	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
 	"github.com/pkg/errors"
@@ -21,7 +20,7 @@ type RethinkManager struct {
 	sync.RWMutex
 
 	Clients map[string]Client
-	Hasher  hash.Hasher
+	Hasher  fosite.Hasher
 }
 
 func (m *RethinkManager) GetConcreteClient(id string) (*Client, error) {
@@ -157,7 +156,7 @@ func (m *RethinkManager) publishDelete(id string) error {
 }
 
 func (m *RethinkManager) Watch(ctx context.Context) {
-	go pkg.Retry(time.Second*15, time.Minute, func() error {
+	go pkg.Retry(time.Second * 15, time.Minute, func() error {
 		clients, err := m.Table.Changes().Run(m.Session)
 		if err != nil {
 			return errors.Wrap(err, "")

client/manager_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory-am/dockertest"
 	"github.com/ory-am/fosite"
-	"github.com/ory-am/fosite/hash"
 	. "github.com/ory-am/hydra/client"
 	"github.com/ory-am/hydra/herodot"
 	"github.com/ory-am/hydra/internal"
@@ -32,7 +31,7 @@ var ts *httptest.Server
 func init() {
 	clientManagers["memory"] = &MemoryManager{
 		Clients: map[string]Client{},
-		Hasher:  &hash.BCrypt{},
+		Hasher:  &fosite.BCrypt{},
 	}
 
 	localWarden, httpClient := internal.NewFirewall("foo", "alice", fosite.Arguments{Scope}, &ladon.DefaultPolicy{
@@ -46,7 +45,7 @@ func init() {
 	s := &Handler{
 		Manager: &MemoryManager{
 			Clients: map[string]Client{},
-			Hasher:  &hash.BCrypt{},
+			Hasher:  &fosite.BCrypt{},
 		},
 		H: &herodot.JSON{},
 		W: localWarden,
@@ -84,7 +83,7 @@ func TestMain(m *testing.M) {
 			Session: session,
 			Table:   r.Table("hydra_clients"),
 			Clients: make(map[string]Client),
-			Hasher: &hash.BCrypt{
+			Hasher: &fosite.BCrypt{
 				// Low workfactor reduces test time
 				WorkFactor: 4,
 			},
@@ -109,7 +108,7 @@ func TestMain(m *testing.M) {
 func TestAuthenticateClient(t *testing.T) {
 	var mem = &MemoryManager{
 		Clients: map[string]Client{},
-		Hasher:  &hash.BCrypt{},
+		Hasher:  &fosite.BCrypt{},
 	}
 	mem.CreateClient(&Client{
 		ID:           "1234",

cmd/helper.go

@@ -6,6 +6,6 @@ import (
 )
 
 func fatal(message string, args ...interface{}) {
-	fmt.Printf(message+"\n", args...)
+	fmt.Printf(message + "\n", args...)
 	os.Exit(1)
 }

cmd/server/handler_oauth2_factory.go

@@ -11,7 +11,6 @@ import (
 	"github.com/ory-am/hydra/client"
 	"github.com/ory-am/hydra/config"
 	"github.com/ory-am/hydra/herodot"
-	"github.com/ory-am/hydra/internal"
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/oauth2"
 	"github.com/ory-am/hydra/pkg"
@@ -26,7 +25,7 @@ func injectFositeStore(c *config.Config, clients client.Manager) {
 
 	switch con := ctx.Connection.(type) {
 	case *config.MemoryConnection:
-		store = &internal.FositeMemoryStore{
+		store = &oauth2.FositeMemoryStore{
 			Manager:        clients,
 			AuthorizeCodes: make(map[string]fosite.Requester),
 			IDSessions:     make(map[string]fosite.Requester),
@@ -41,19 +40,19 @@ func injectFositeStore(c *config.Config, clients client.Manager) {
 		con.CreateTableIfNotExists("hydra_oauth2_access_token")
 		con.CreateTableIfNotExists("hydra_oauth2_implicit")
 		con.CreateTableIfNotExists("hydra_oauth2_refresh_token")
-		m := &internal.FositeRehinkDBStore{
+		m := &oauth2.FositeRehinkDBStore{
 			Session:             con.GetSession(),
 			Manager:             clients,
 			AuthorizeCodesTable: r.Table("hydra_oauth2_authorize_code"),
 			IDSessionsTable:     r.Table("hydra_oauth2_id_sessions"),
 			AccessTokensTable:   r.Table("hydra_oauth2_access_token"),
 			ImplicitTable:       r.Table("hydra_oauth2_implicit"),
 			RefreshTokensTable:  r.Table("hydra_oauth2_refresh_token"),
-			AuthorizeCodes:      make(internal.RDBItems),
-			IDSessions:          make(internal.RDBItems),
-			AccessTokens:        make(internal.RDBItems),
-			Implicit:            make(internal.RDBItems),
-			RefreshTokens:       make(internal.RDBItems),
+			AuthorizeCodes:      make(oauth2.RDBItems),
+			IDSessions:          make(oauth2.RDBItems),
+			AccessTokens:        make(oauth2.RDBItems),
+			Implicit:            make(oauth2.RDBItems),
+			RefreshTokens:       make(oauth2.RDBItems),
 		}
 		if err := m.ColdStart(); err != nil {
 			logrus.Fatalf("Could not fetch initial state: %s", err)
@@ -107,6 +106,7 @@ func newOAuth2Provider(c *config.Config, km jwk.Manager) fosite.OAuth2Provider {
 		compose.OpenIDConnectExplicit,
 		compose.OpenIDConnectHybrid,
 		compose.OpenIDConnectImplicit,
+		compose.OAuth2TokenRevocationFactory,
 	)
 }
 
@@ -136,11 +136,6 @@ func newOAuth2Handler(c *config.Config, router *httprouter.Router, km jwk.Manage
 			DefaultIDTokenLifespan:   c.GetIDTokenLifespan(),
 		},
 		ConsentURL: *consentURL,
-		Introspector: &oauth2.LocalIntrospector{
-			OAuth2:              o,
-			AccessTokenLifespan: c.GetAccessTokenLifespan(),
-			Issuer:              c.Issuer,
-		},
 		Firewall: ctx.Warden,
 		H:        &herodot.JSON{},
 	}

cmd/version.go

@@ -8,9 +8,9 @@ import (
 )
 
 var (
-	Version   = "dev-master"
+	Version = "dev-master"
 	BuildTime = time.Now().String()
-	GitHash   = "undefined"
+	GitHash = "undefined"
 )
 
 // versionCmd represents the version command

config/config.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	foauth2 "github.com/ory-am/fosite/handler/oauth2"
-	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/fosite/token/hmac"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/ory-am/ladon"
@@ -26,6 +25,7 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 	r "gopkg.in/dancannon/gorethink.v2"
 	"gopkg.in/yaml.v2"
+	"github.com/ory-am/fosite"
 )
 
 type Config struct {
@@ -176,7 +176,7 @@ func (c *Config) Context() *Context {
 
 	c.context = &Context{
 		Connection: connection,
-		Hasher: &hash.BCrypt{
+		Hasher: &fosite.BCrypt{
 			WorkFactor: c.BCryptWorkFactor,
 		},
 		LadonManager: manager,

config/context.go

@@ -2,17 +2,17 @@ package config
 
 import (
 	"github.com/ory-am/fosite/handler/oauth2"
-	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/hydra/firewall"
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/ory-am/ladon"
+	"github.com/ory-am/fosite"
 )
 
 type Context struct {
-	Connection interface{}
+	Connection     interface{}
 
-	Hasher         hash.Hasher
+	Hasher         fosite.Hasher
 	Warden         firewall.Firewall
 	LadonManager   ladon.Manager
 	FositeStrategy oauth2.CoreStrategy

glide.yaml

@@ -18,7 +18,7 @@ import:
 - package: github.com/dgrijalva/jwt-go
   version: ~3.0.0
 - package: github.com/ory-am/fosite
-  version: ~0.3.5
+  version: ~0.4.0
   subpackages:
   - compose
   - fosite-example/pkg

internal/firewall.go

@@ -35,7 +35,7 @@ func NewFirewall(issuer string, subject string, scopes fosite.Arguments, p ...la
 			Warden: ladonWarden,
 			OAuth2: &fosite.Fosite{
 				Store: fositeStore,
-				TokenValidators: fosite.TokenValidators{
+				TokenIntrospectionHandlers: fosite.TokenIntrospectionHandlers{
 					&foauth2.CoreValidator{
 						CoreStrategy:  pkg.HMACStrategy,
 						CoreStorage:   fositeStore,

jwk/aead_test.go

@@ -3,14 +3,25 @@ package jwk
 import (
 	"testing"
 
-	"github.com/ory-am/fosite/rand"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/pkg/errors"
+	"crypto/rand"
+	"io"
 )
 
+// RandomBytes returns n random bytes by reading from crypto/rand.Reader
+func randomBytes(n int) ([]byte, error) {
+	bytes := make([]byte, n)
+	if _, err := io.ReadFull(rand.Reader, bytes); err != nil {
+		return []byte{}, errors.Wrap(err, "")
+	}
+	return bytes, nil
+}
+
 func TestAEAD(t *testing.T) {
-	key, err := rand.RandomBytes(32)
+	key, err := randomBytes(32)
 	pkg.AssertError(t, false, err)
 
 	a := &AEAD{

jwk/manager_test.go

@@ -20,10 +20,12 @@ import (
 	"os"
 	"time"
 
-	"github.com/ory-am/fosite/rand"
 	"github.com/square/go-jose"
 	"golang.org/x/net/context"
 	"net/http"
+	"io"
+	"github.com/pkg/errors"
+	"crypto/rand"
 )
 
 var managers = map[string]Manager{}
@@ -73,6 +75,15 @@ func init() {
 
 var rethinkManager = new(RethinkManager)
 
+func randomBytes(n int) ([]byte, error) {
+	bytes := make([]byte, n)
+	if _, err := io.ReadFull(rand.Reader, bytes); err != nil {
+		return []byte{}, errors.Wrap(err, "")
+	}
+	return bytes, nil
+}
+
+
 func TestMain(m *testing.M) {
 	var session *r.Session
 	var err error
@@ -88,7 +99,7 @@ func TestMain(m *testing.M) {
 			return false
 		}
 
-		key, err := rand.RandomBytes(32)
+		key, err := randomBytes(32)
 		if err != nil {
 			log.Printf("Could not watch: %s", err)
 			return false

oauth2/consent_strategy.go

@@ -16,11 +16,11 @@ import (
 
 const (
 	ConsentChallengeKey = "hydra.consent.challenge"
-	ConsentEndpointKey  = "hydra.consent.response"
+	ConsentEndpointKey = "hydra.consent.response"
 )
 
 type DefaultConsentStrategy struct {
-	Issuer string
+	Issuer                   string
 
 	DefaultIDTokenLifespan   time.Duration
 	DefaultChallengeLifespan time.Duration