fix: add provider to token creation

Author: lakhansamani

server/handlers/authorize.go

@@ -219,7 +219,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		}
 
 		// if user is logged in
-		// based on the response type, generate the response
+		// based on the response type code, generate the response
 		if isResponseTypeCode {
 			// rollover the session for security
 			go memorystore.Provider.DeleteUserSession(user.ID, claims.Nonce)

server/token/auth_token.go

@@ -44,15 +44,17 @@ type SessionData struct {
 	Nonce     string   `json:"nonce"`
 	IssuedAt  int64    `json:"iat"`
 	ExpiresAt int64    `json:"exp"`
+	Provider  string   `json:"provider"`
 }
 
 // CreateSessionToken creates a new session token
-func CreateSessionToken(user models.User, nonce string, roles, scope []string) (*SessionData, string, error) {
+func CreateSessionToken(user models.User, nonce string, roles, scope []string, provider string) (*SessionData, string, error) {
 	fingerPrintMap := &SessionData{
 		Nonce:     nonce,
 		Roles:     roles,
 		Subject:   user.ID,
 		Scope:     scope,
+		Provider:  provider,
 		IssuedAt:  time.Now().Unix(),
 		ExpiresAt: time.Now().AddDate(1, 0, 0).Unix(),
 	}
@@ -66,19 +68,19 @@ func CreateSessionToken(user models.User, nonce string, roles, scope []string) (
 }
 
 // CreateAuthToken creates a new auth token when userlogs in
-func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (*Token, error) {
+func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, provider string) (*Token, error) {
 	hostname := parsers.GetHost(gc)
 	nonce := uuid.New().String()
-	_, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope)
+	_, fingerPrintHash, err := CreateSessionToken(user, nonce, roles, scope, provider)
 	if err != nil {
 		return nil, err
 	}
-	accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce)
+	accessToken, accessTokenExpiresAt, err := CreateAccessToken(user, roles, scope, hostname, nonce, provider)
 	if err != nil {
 		return nil, err
 	}
 
-	idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce)
+	idToken, idTokenExpiresAt, err := CreateIDToken(user, roles, hostname, nonce, provider)
 	if err != nil {
 		return nil, err
 	}
@@ -91,7 +93,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
 	}
 
 	if utils.StringSliceContains(scope, "offline_access") {
-		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce)
+		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, provider)
 		if err != nil {
 			return nil, err
 		}
@@ -103,7 +105,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string) (
 }
 
 // CreateRefreshToken util to create JWT token
-func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce string) (string, int64, error) {
+func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonce, provider string) (string, int64, error) {
 	// expires in 1 year
 	expiryBound := time.Hour * 8760
 	expiresAt := time.Now().Add(expiryBound).Unix()
@@ -121,6 +123,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
 		"roles":      roles,
 		"scope":      scopes,
 		"nonce":      nonce,
+		"provider":   provider,
 	}
 
 	token, err := SignJWTToken(customClaims)
@@ -133,7 +136,7 @@ func CreateRefreshToken(user models.User, roles, scopes []string, hostname, nonc
 
 // CreateAccessToken util to create JWT token, based on
 // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
-func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce string) (string, int64, error) {
+func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce, provider string) (string, int64, error) {
 	expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime)
 	if err != nil {
 		return "", 0, err
@@ -159,6 +162,7 @@ func CreateAccessToken(user models.User, roles, scopes []string, hostName, nonce
 		"token_type": constants.TokenTypeAccessToken,
 		"scope":      scopes,
 		"roles":      roles,
+		"provider":   provider,
 	}
 
 	token, err := SignJWTToken(customClaims)
@@ -278,7 +282,12 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
 		return nil, err
 	}
 
-	token, err := memorystore.Provider.GetUserSession(res.Subject, constants.TokenTypeSessionToken+"_"+res.Nonce)
+	sessionStoreKey := res.Subject
+	if res.Provider != "" {
+		sessionStoreKey = res.Provider + ":" + res.Subject
+	}
+
+	token, err := memorystore.Provider.GetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+res.Nonce)
 	if token == "" || err != nil {
 		log.Debug("invalid browser session:", err)
 		return nil, fmt.Errorf(`unauthorized`)
@@ -297,7 +306,7 @@ func ValidateBrowserSession(gc *gin.Context, encryptedSession string) (*SessionD
 
 // CreateIDToken util to create JWT token, based on
 // user information, roles config and CUSTOM_ACCESS_TOKEN_SCRIPT
-func CreateIDToken(user models.User, roles []string, hostname, nonce string) (string, int64, error) {
+func CreateIDToken(user models.User, roles []string, hostname, nonce, provider string) (string, int64, error) {
 	expireTime, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAccessTokenExpiryTime)
 	if err != nil {
 		return "", 0, err
@@ -332,6 +341,7 @@ func CreateIDToken(user models.User, roles []string, hostname, nonce string) (st
 		"iat":           time.Now().Unix(),
 		"token_type":    constants.TokenTypeIdentityToken,
 		"allowed_roles": strings.Split(user.Roles, ","),
+		"provider":      provider,
 		claimKey:        roles,
 	}