Update jwt-go and resolve warden regression issue

client/manager_test.go

@@ -176,8 +176,8 @@ func BenchmarkRethinkAuthenticate(b *testing.B) {
 }
 
 func TestColdStartRethinkManager(t *testing.T) {
-	assert.Nil(t, rethinkManager.CreateClient(&Client{ID:                "foo"        }))
-	assert.Nil(t, rethinkManager.CreateClient(&Client{ID:                "bar"        }))
+	assert.Nil(t, rethinkManager.CreateClient(&Client{ID: "foo"}))
+	assert.Nil(t, rethinkManager.CreateClient(&Client{ID: "bar"}))
 
 	time.Sleep(time.Second / 2)
 	rethinkManager.Clients = make(map[string]Client)

cmd/server/handler_oauth2_factory.go

@@ -11,13 +11,13 @@ import (
 	"github.com/ory-am/fosite/compose"
 	"github.com/ory-am/hydra/client"
 	"github.com/ory-am/hydra/config"
+	"github.com/ory-am/hydra/herodot"
 	"github.com/ory-am/hydra/internal"
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/oauth2"
 	"github.com/ory-am/hydra/pkg"
 	"golang.org/x/net/context"
 	r "gopkg.in/dancannon/gorethink.v2"
-	"github.com/ory-am/hydra/herodot"
 )
 
 func injectFositeStore(c *config.Config, clients client.Manager) {
@@ -135,13 +135,12 @@ func newOAuth2Handler(c *config.Config, router *httprouter.Router, km jwk.Manage
 		},
 		ConsentURL: *consentURL,
 		Introspector: &oauth2.LocalIntrospector{
-			OAuth2: o,
+			OAuth2:              o,
 			AccessTokenLifespan: c.GetAccessTokenLifespan(),
-			Issuer : c.Issuer,
-
+			Issuer:              c.Issuer,
 		},
-		Firewall:       ctx.Warden,
-		H:      &herodot.JSON{},
+		Firewall: ctx.Warden,
+		H:        &herodot.JSON{},
 	}
 
 	handler.SetRoutes(router)

cmd/token_user.go

@@ -38,7 +38,7 @@ var tokenUserCmd = &cobra.Command{
 				AuthURL:  pkg.JoinURLStrings(c.ClusterURL, "/oauth2/auth"),
 			},
 			RedirectURL: "http://localhost:4445/callback",
-			Scopes: scopes,
+			Scopes:      scopes,
 		}
 
 		state, err := sequence.RuneSequence(24, []rune("abcdefghijklmnopqrstuvwxyz"))

glide.yaml

@@ -15,8 +15,10 @@ import:
   subpackages:
   - pkg
   - rand/sequence
+- package: github.com/dgrijalva/jwt-go
+  version: ~3.0.0
 - package: github.com/ory-am/fosite
-  version: ~0.2.3
+  version: ~0.3.0
   subpackages:
   - compose
   - fosite-example/pkg
@@ -54,8 +56,6 @@ import:
 - package: golang.org/x/oauth2
   subpackages:
   - clientcredentials
-- package: github.com/dgrijalva/jwt-go
-  version: ~2.7.0
 - package: gopkg.in/tylerb/graceful.v1
   version: ~1.2.11
 - package: gopkg.in/yaml.v2

internal/fosite_store_test.go

@@ -13,9 +13,9 @@ import (
 	"github.com/ory-am/hydra/client"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
+	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
 	r "gopkg.in/dancannon/gorethink.v2"
-	"github.com/stretchr/testify/assert"
 )
 
 var rethinkManager *FositeRehinkDBStore
@@ -111,8 +111,8 @@ func TestColdStartRethinkManager(t *testing.T) {
 	err := m.CreateAuthorizeCodeSession(ctx, id, &defaultRequest)
 	pkg.AssertError(t, false, err)
 	err = m.CreateAccessTokenSession(ctx, "12345", &fosite.Request{
-		RequestedAt:   time.Now().Round(time.Second),
-		Client:        &client.Client{ID: "baz"},
+		RequestedAt: time.Now().Round(time.Second),
+		Client:      &client.Client{ID: "baz"},
 	})
 	pkg.AssertError(t, false, err)
 

oauth2/consent_strategy.go

@@ -3,10 +3,9 @@ package oauth2
 import (
 	"fmt"
 	"time"
-
 	"crypto/rsa"
-	"github.com/dgrijalva/jwt-go"
 
+	"github.com/dgrijalva/jwt-go"
 	"github.com/go-errors/errors"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/handler/openid"
@@ -46,32 +45,34 @@ func (s *DefaultConsentStrategy) ValidateResponse(a fosite.AuthorizeRequester, t
 		return rsaKey, nil
 	})
 
-	if err != nil {
+	// make sure to use MapClaims since that is the default..
+	jwtClaims, ok := t.Claims.(jwt.MapClaims)
+	if err != nil || !ok {
 		return nil, errors.Errorf("Couldn't parse token: %v", err)
 	} else if !t.Valid {
 		return nil, errors.Errorf("Token is invalid")
 	}
 
-	if time.Now().After(ejwt.ToTime(t.Claims["exp"])) {
+	if time.Now().After(ejwt.ToTime(jwtClaims["exp"])) {
 		return nil, errors.Errorf("Token expired")
 	}
 
-	if ejwt.ToString(t.Claims["aud"]) != a.GetClient().GetID() {
+	if ejwt.ToString(jwtClaims["aud"]) != a.GetClient().GetID() {
 		return nil, errors.Errorf("Audience mismatch")
 	}
 
-	subject := ejwt.ToString(t.Claims["sub"])
-	scopes := toStringSlice(t.Claims["scp"])
+	subject := ejwt.ToString(jwtClaims["sub"])
+	scopes := toStringSlice(jwtClaims["scp"])
 	for _, scope := range scopes {
 		a.GrantScope(scope)
 	}
 
 	var idExt map[string]interface{}
 	var atExt map[string]interface{}
-	if ext, ok := t.Claims["id_ext"].(map[string]interface{}); ok {
+	if ext, ok := jwtClaims["id_ext"].(map[string]interface{}); ok {
 		idExt = ext
 	}
-	if ext, ok := t.Claims["at_ext"].(map[string]interface{}); ok {
+	if ext, ok := jwtClaims["at_ext"].(map[string]interface{}); ok {
 		atExt = ext
 	}
 
@@ -107,14 +108,13 @@ func toStringSlice(i interface{}) []string {
 			}
 		}
 		return ret
-	} else {
-		return []string{}
 	}
+	return []string{}
 }
 
 func (s *DefaultConsentStrategy) IssueChallenge(authorizeRequest fosite.AuthorizeRequester, redirectURL string) (string, error) {
 	token := jwt.New(jwt.SigningMethodRS256)
-	token.Claims = map[string]interface{}{
+	token.Claims = jwt.MapClaims{
 		"jti":   uuid.New(),
 		"scp":   authorizeRequest.GetRequestedScopes(),
 		"aud":   authorizeRequest.GetClient().GetID(),

oauth2/handler.go

@@ -7,9 +7,9 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory-am/fosite"
+	"github.com/ory-am/hydra/firewall"
 	"github.com/ory-am/hydra/herodot"
 	"github.com/ory-am/hydra/pkg"
-	"github.com/ory-am/hydra/firewall"
 )
 
 const (
@@ -24,15 +24,15 @@ const (
 )
 
 type Handler struct {
-	OAuth2       fosite.OAuth2Provider
-	Consent      ConsentStrategy
+	OAuth2  fosite.OAuth2Provider
+	Consent ConsentStrategy
 
 	Introspector Introspector
 	Firewall     firewall.Firewall
-	H      herodot.Herodot
+	H            herodot.Herodot
 
-	ForcedHTTP   bool
-	ConsentURL   url.URL
+	ForcedHTTP bool
+	ConsentURL url.URL
 }
 
 func (this *Handler) SetRoutes(r *httprouter.Router) {

oauth2/introspector_http.go

@@ -1,17 +1,17 @@
 package oauth2
 
 import (
-	"net/url"
 	"bytes"
-	"io/ioutil"
-	"net/http"
-	"golang.org/x/net/context"
-	"strconv"
 	"encoding/json"
+	"github.com/go-errors/errors"
 	"github.com/ory-am/fosite"
-	"golang.org/x/oauth2/clientcredentials"
+	"golang.org/x/net/context"
 	"golang.org/x/oauth2"
-	"github.com/go-errors/errors"
+	"golang.org/x/oauth2/clientcredentials"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strconv"
 )
 
 type HTTPIntrospector struct {
@@ -61,4 +61,4 @@ func (this *HTTPIntrospector) IntrospectToken(ctx context.Context, token string)
 	}
 
 	return resp, nil
-}
+}

oauth2/introspector_local.go

@@ -1,12 +1,12 @@
 package oauth2
 
 import (
+	"github.com/Sirupsen/logrus"
 	"github.com/ory-am/fosite"
-	"time"
-	"strings"
-	"net/http"
 	"golang.org/x/net/context"
-	"github.com/Sirupsen/logrus"
+	"net/http"
+	"strings"
+	"time"
 )
 
 type LocalIntrospector struct {
@@ -40,6 +40,6 @@ func (w *LocalIntrospector) IntrospectToken(ctx context.Context, token string) (
 		IssuedAt:  auth.GetRequestedAt().Unix(),
 		NotBefore: auth.GetRequestedAt().Unix(),
 		ExpiresAt: session.AccessTokenExpiresAt(auth.GetRequestedAt().Add(w.AccessTokenLifespan)).Unix(),
-		Extra: session.Extra,
+		Extra:     session.Extra,
 	}, nil
-}
+}