登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
开源项目 > WEB应用开发 > OAuth/单点登录/统一认证 &&
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 2

NilOrganization / oauth2

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
server.go 11.68 KB
一键复制 编辑 原始数据 按行查看 历史
Keng 提交于 2021-07-08 11:39 . add custom grant type authentication
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417
package oauth2



import (

	"fmt"

	"net/http"

	"net/url"

	"strings"

)



// Server OAuth2Server

type Server struct {

	VerifyClient                VerifyClientFunc

	VerifyClientID              VerifyClientIDFunc

	VerifyScope                 VerifyScopeFunc

	VerifyPassword              VerifyPasswordFunc

	VerifyRedirectURI           VerifyRedirectURIFunc

	GenerateCode                GenerateCodeFunc

	VerifyCode                  VerifyCodeFunc

	GenerateAccessToken         GenerateAccessTokenFunc

	GenerateDeviceAuthorization GenerateDeviceAuthorizationFunc

	VerifyDeviceCode            VerifyDeviceCodeFunc

	RefreshAccessToken          RefreshAccessTokenFunc

	ParseAccessToken            ParseAccessTokenFunc

	VerifyIntrospectionToken    VerifyIntrospectionTokenFunc

	TokenRevocation             TokenRevocationFunc

	opts                        ServerOptions

}



// NewServer 创建服务器

func NewServer(opts ...ServerOption) *Server {

	options := newServerOptions(opts...)

	return &Server{

		opts: options,

	}

}



// Init 初始化

func (srv *Server) Init(opts ...ServerOption) {

	for _, o := range opts {

		o(&srv.opts)

	}



	if srv.VerifyClient == nil {

		panic(ErrVerifyClientFuncNil)

	}

	if srv.VerifyClientID == nil {

		panic(ErrVerifyClientIDFuncNil)

	}

	if srv.VerifyPassword == nil {

		panic(ErrVerifyPasswordFuncNil)

	}

	if srv.VerifyRedirectURI == nil {

		panic(ErrVerifyRedirectURIFuncNil)

	}

	if srv.GenerateCode == nil {

		panic(ErrGenerateCodeFuncNil)

	}

	if srv.VerifyCode == nil {

		panic(ErrVerifyCodeFuncNil)

	}

	if srv.VerifyScope == nil {

		panic(ErrVerifyScopeFuncNil)

	}

	if srv.GenerateAccessToken == nil {

		panic(ErrGenerateAccessTokenFuncNil)

	}

	if srv.RefreshAccessToken == nil {

		panic(ErrRefreshAccessTokenFuncNil)

	}

	if srv.ParseAccessToken == nil {

		panic(ErrParseAccessTokenFuncNil)

	}



	if srv.opts.DeviceAuthorizationEndpointEnabled {

		if srv.GenerateDeviceAuthorization == nil {

			panic(ErrGenerateDeviceAuthorizationFuncNil)

		}

		if srv.VerifyDeviceCode == nil {

			panic(ErrVerifyDeviceCodeFuncNil)

		}

	}

	if srv.opts.IntrospectEndpointEnabled {

		if srv.VerifyIntrospectionToken == nil {

			panic(ErrVerifyIntrospectionTokenFuncNil)

		}

	}

	if srv.opts.TokenRevocationEnabled {

		if srv.TokenRevocation == nil {

			panic(ErrTokenRevocationFuncNil)

		}

	}

}



// HandleAuthorize 处理Authorize

func (srv *Server) HandleAuthorize(w http.ResponseWriter, r *http.Request) {

	// 判断参数

	responseType := r.FormValue(ResponseTypeKey)

	clientID := r.FormValue(ClientIDKey)

	scope := r.FormValue(ScopeKey)

	state := r.FormValue(StateKey)

	redirectURIStr := r.FormValue(RedirectURIKey)

	redirectURI, err := url.Parse(redirectURIStr)

	if err != nil {

		WriterError(w, ErrInvalidRequest)

		return

	}

	if responseType == "" || clientID == "" {

		RedirectError(w, r, redirectURI, ErrInvalidRequest)

		return

	}



	err = srv.VerifyRedirectURI(clientID, redirectURI.String())

	if err != nil {

		RedirectError(w, r, redirectURI, err)

		return

	}



	if err = srv.VerifyScope(StringSplit(scope, " "), clientID); err != nil {

		// ErrInvalidScope

		RedirectError(w, r, redirectURI, err)

		return

	}

	var openID string

	openID, err = OpenIDFromContext(r.Context())

	if err != nil {

		RedirectError(w, r, redirectURI, ErrServerError)

		return

	}

	switch responseType {

	case CodeKey:

		var code string

		code, err = srv.authorizeAuthorizationCode(clientID, redirectURIStr, scope, openID)

		if err != nil {

			RedirectError(w, r, redirectURI, err)

		} else {

			RedirectSuccess(w, r, redirectURI, code)

		}

	case TokenKey:

		var token *TokenResponse

		token, err = srv.authorizeImplicit(clientID, scope, openID)

		if err != nil {

			RedirectError(w, r, redirectURI, err)

		} else {

			http.Redirect(w, r, fmt.Sprintf("%s#access_token=%s&state=%s&token_type=%s&expires_in=%d", redirectURIStr, token.AccessToken, state, token.TokenType, token.ExpiresIn), http.StatusFound)

		}

	default:

		RedirectError(w, r, redirectURI, ErrUnsupportedResponseType)

	}

}



// HandleDeviceAuthorization 处理DeviceAuthorization

// https://tools.ietf.org/html/rfc8628#section-3.1

func (srv *Server) HandleDeviceAuthorization(w http.ResponseWriter, r *http.Request) {

	// 判断参数

	clientID := r.FormValue(ClientIDKey)

	scope := r.FormValue(ScopeKey)

	if clientID == "" {

		WriterError(w, ErrInvalidRequest)

		return

	}

	resp, err := srv.authorizeDeviceCode(clientID, scope)

	if err != nil {

		WriterError(w, err)

	} else {

		WriterJSON(w, resp)

	}

}



// HandleTokenIntrospection 处理内省端点

// https://tools.ietf.org/html/rfc7662#section-2.1

func (srv *Server) HandleTokenIntrospection(w http.ResponseWriter, r *http.Request) {

	var reqClientBasic *ClientBasic

	var err error

	reqClientBasic, err = RequestClientBasic(r)

	if err != nil {

		WriterError(w, err)

		return

	}

	err = srv.VerifyClient(reqClientBasic)

	if err != nil {

		WriterError(w, err)

		return

	}



	token := r.FormValue(TokenKey)

	tokenTypeHint := r.FormValue(TokenTypeHintKey)

	if tokenTypeHint != "" && tokenTypeHint != AccessTokenKey && tokenTypeHint != RefreshTokenKey {

		WriterError(w, ErrUnsupportedTokenType)

		return

	}

	var resp *IntrospectionResponse

	resp, err = srv.VerifyIntrospectionToken(token, reqClientBasic.ID, tokenTypeHint)

	if err != nil {

		WriterError(w, err)

	} else {

		WriterJSON(w, resp)

	}

}



// HandleTokenRevocation 处理Token销毁

// https://tools.ietf.org/html/rfc7009

func (srv *Server) HandleTokenRevocation(w http.ResponseWriter, r *http.Request) {

	var reqClientBasic *ClientBasic

	var err error

	reqClientBasic, err = RequestClientBasic(r)

	if err != nil {

		WriterError(w, err)

		return

	}

	err = srv.VerifyClient(reqClientBasic)

	if err != nil {

		WriterError(w, err)

		return

	}



	// 判断参数

	clientID := r.FormValue(ClientIDKey)

	if clientID == "" {

		WriterError(w, ErrInvalidRequest)

		return

	}

	if reqClientBasic.ID != clientID {

		WriterError(w, ErrInvalidRequest)

		return

	}

	token := r.FormValue(TokenKey)

	tokenTypeHint := r.FormValue(TokenTypeHintKey)

	if tokenTypeHint != "" && tokenTypeHint != AccessTokenKey && tokenTypeHint != RefreshTokenKey {

		WriterError(w, ErrUnsupportedTokenType)

		return

	}

	srv.TokenRevocation(token, clientID, tokenTypeHint)

	w.WriteHeader(http.StatusOK)

}



// HandleToken 处理Token

func (srv *Server) HandleToken(w http.ResponseWriter, r *http.Request) {



	grantType := r.PostFormValue(GrantTypeKey)

	if grantType == "" {

		WriterError(w, ErrInvalidRequest)

		return

	}



	var reqClientBasic *ClientBasic

	var err error

	var clientID string

	// explain: https://tools.ietf.org/html/rfc8628#section-3.4 {

	if grantType != DeviceCodeKey && grantType != UrnIetfParamsOAuthGrantTypeDeviceCodeKey {

		reqClientBasic, err = RequestClientBasic(r)

		if err != nil {

			WriterError(w, err)

			return

		}

		err = srv.VerifyClient(reqClientBasic)

		if err != nil {

			WriterError(w, err)

			return

		}

		clientID = reqClientBasic.ID

	} else {

		clientID = r.PostFormValue(ClientIDKey)

		err = srv.VerifyClientID(clientID)

		if err != nil {

			WriterError(w, err)

			return

		}

	}



	scope := r.PostFormValue(ScopeKey)

	if err = srv.VerifyScope(StringSplit(scope, " "), clientID); err != nil {

		// ErrInvalidScope

		WriterError(w, err)

		return

	}



	if grantType == RefreshTokenKey {

		refreshToken := r.PostFormValue(RefreshTokenKey)

		model, err := srv.RefreshAccessToken(reqClientBasic.ID, refreshToken)

		if err != nil {

			WriterError(w, err)

		} else {

			WriterJSON(w, model)

		}

	} else if grantType == AuthorizationCodeKey {

		code := r.PostFormValue(CodeKey)

		redirectURIStr := r.PostFormValue(RedirectURIKey)

		clientID := r.PostFormValue(ClientIDKey)

		if code == "" || redirectURIStr == "" || clientID == "" {

			WriterError(w, ErrInvalidRequest)

			return

		}

		var model *TokenResponse

		model, err = srv.tokenAuthorizationCode(reqClientBasic, clientID, code, redirectURIStr)

		if err != nil {

			WriterError(w, err)

		} else {

			WriterJSON(w, model)

		}

	} else if grantType == PasswordKey {

		username := r.PostFormValue(UsernameKey)

		password := r.PostFormValue(PasswordKey)

		if username == "" || password == "" {

			WriterError(w, ErrInvalidRequest)

			return

		}

		var model *TokenResponse

		model, err := srv.tokenResourceOwnerPasswordCredentials(reqClientBasic, username, password, scope)

		if err != nil {

			WriterError(w, err)

		} else {

			WriterJSON(w, model)

		}

	} else if grantType == ClientCredentialsKey {

		model, err := srv.tokenClientCredentials(reqClientBasic, scope)

		if err != nil {

			WriterError(w, err)

		} else {

			WriterJSON(w, model)

		}

	} else if grantType == UrnIetfParamsOAuthGrantTypeDeviceCodeKey || grantType == DeviceCodeKey { // https://tools.ietf.org/html/rfc8628#section-3.4

		deviceCode := r.PostFormValue(DeviceCodeKey)

		clientID := r.PostFormValue(ClientIDKey)

		model, err := srv.tokenDeviceCode(clientID, deviceCode)

		if err != nil {

			WriterError(w, err)

		} else {

			WriterJSON(w, model)

		}

	} else {

		if srv.opts.CustomGrantTypeEnabled {

			custom, ok := srv.opts.CustomGrantTypeAuthentication[grantType]

			if ok {

				model, err := srv.generateCustomGrantTypeAccessToken(reqClientBasic, scope, r, custom)

				if err != nil {

					WriterError(w, err)

				} else {

					WriterJSON(w, model)

				}

				return

			}

		}

		WriterError(w, ErrUnsupportedGrantType)

	}

}



// 授权码(authorization-code)

func (srv *Server) authorizeAuthorizationCode(clientID, redirectURI, scope, openID string) (code string, err error) {

	return srv.GenerateCode(clientID, openID, redirectURI, StringSplit(scope, " "))

}



func (srv *Server) tokenAuthorizationCode(client *ClientBasic, clientID, code, redirectURI string) (token *TokenResponse, err error) {

	if client.ID != clientID {

		err = ErrInvalidClient

		return

	}

	var value *CodeValue

	value, err = srv.VerifyCode(code, client.ID, redirectURI)

	if err != nil {

		return

	}

	scope := strings.Join(value.Scope, " ")

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, client.ID, scope, value.OpenID, value)

	return

}



// 隐藏式(implicit)

func (srv *Server) authorizeImplicit(clientID, scope, openID string) (token *TokenResponse, err error) {

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, clientID, scope, openID, nil)

	return

}



// 设备模式(Device Code)

func (srv *Server) authorizeDeviceCode(clientID, scope string) (resp *DeviceAuthorizationResponse, err error) {

	resp, err = srv.GenerateDeviceAuthorization(srv.opts.Issuer, srv.opts.DeviceVerificationURI, clientID, StringSplit(scope, " "))

	return

}



// 密码式(password)

func (srv *Server) tokenResourceOwnerPasswordCredentials(client *ClientBasic, username, password, scope string) (token *TokenResponse, err error) {

	var openID string

	openID, err = srv.VerifyPassword(username, password)

	if err != nil {

		return

	}

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, client.ID, scope, openID, nil)

	return

}



// generateCustomGrantTypeAccessToken 生成自定义GrantType Token

func (srv *Server) generateCustomGrantTypeAccessToken(client *ClientBasic, scope string, req *http.Request, custom CustomGrantTypeAuthenticationFunc) (token *TokenResponse, err error) {

	var openID string

	openID, err = custom(client, req)

	if err != nil {

		return

	}

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, client.ID, scope, openID, nil)

	return

}



// 客户端凭证(client credentials)

func (srv *Server) tokenClientCredentials(client *ClientBasic, scope string) (token *TokenResponse, err error) {

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, client.ID, scope, "", nil)

	return

}



// 设备模式(Device Code)

func (srv *Server) tokenDeviceCode(clientID, deviceCode string) (token *TokenResponse, err error) {

	var value *DeviceCodeValue

	value, err = srv.VerifyDeviceCode(deviceCode, clientID)

	if err != nil {

		return

	}

	scope := strings.Join(value.Scope, " ")

	token, err = srv.GenerateAccessToken(srv.opts.Issuer, clientID, scope, value.OpenID, nil)

	return

}
Go
1
https://gitee.com/nilorg/oauth2.git
git@gitee.com:nilorg/oauth2.git
nilorg
oauth2
oauth2
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部