Merge pull request #17 from LyricTian/develop

The realization of the optimization of details

Author: LyricTian

README.md

@@ -1,11 +1,35 @@
 OAuth 2.0
 =========
->  [OAuth 2.0](http://oauth.net/2/) is the next evolution of the OAuth protocol which was originally created in late 2006.
+>  An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
 
 [![GoDoc](https://godoc.org/gopkg.in/oauth2.v3?status.svg)](https://godoc.org/gopkg.in/oauth2.v3)
 [![Go Report Card](https://goreportcard.com/badge/gopkg.in/oauth2.v3)](https://goreportcard.com/report/gopkg.in/oauth2.v3)
 [![Build Status](https://travis-ci.org/go-oauth2/oauth2.svg?branch=master)](https://travis-ci.org/go-oauth2/oauth2)
 
+Protocol Flow
+-------------
+
+```
+     +--------+                               +---------------+
+     |        |--(A)- Authorization Request ->|   Resource    |
+     |        |                               |     Owner     |
+     |        |<-(B)-- Authorization Grant ---|               |
+     |        |                               +---------------+
+     |        |
+     |        |                               +---------------+
+     |        |--(C)-- Authorization Grant -->| Authorization |
+     | Client |                               |     Server    |
+     |        |<-(D)----- Access Token -------|               |
+     |        |                               +---------------+
+     |        |
+     |        |                               +---------------+
+     |        |--(E)----- Access Token ------>|    Resource   |
+     |        |                               |     Server    |
+     |        |<-(F)--- Protected Resource ---|               |
+     +--------+                               +---------------+
+```
+
+
 Quick Start
 -----------
 
@@ -73,10 +97,12 @@ http://localhost:9096/authorize?response_type=code&client_id=1&redirect_uri=http
 Features
 --------
 
-* Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
 * Easy to use
-* Modularity
-* Flexible
+* Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
+* Token storage support TTL
+* Support custom extension field
+* Support custom scope
+* Support custom expiration time of the access token
 
 Example
 -------

example/README.md

@@ -22,6 +22,9 @@ Open the browser
 
 [http://localhost:9094](http://localhost:9094)
 
+![login](/server/testdata/login.png)
+![authorize](/server/testdata/authorize.png)
+
 ``` json
 {
     "access_token": "BIX-RYRPMHYY4L7O4QTP3Q",

example/server/static/auth.html

@@ -13,9 +13,11 @@
     <div class="container">
         <div class="jumbotron">
         <form action="/auth" method="POST">
-            <h1>The user authorization!</h1>
-            <p>...</p>
-            <p><button type="submit" class="btn btn-danger btn-lg">Authorize</button></p>
+            <h1>Authorize</h1>
+            <p>The client would like to perform actions on your behalf.</p>
+            <p>
+                <button type="submit" class="btn btn-primary btn-lg" style="width:200px;">Allow</button>
+            </p>
         </form>
     </div>
     </div>

example/server/static/login.html

@@ -11,7 +11,7 @@
 
 <body>
     <div class="container">
-        <h1>Login</h1>
+        <h1>Login In</h1>
         <form action="/login" method="POST">
             <div class="form-group">
                 <label for="username">User Name</label>
@@ -21,7 +21,7 @@ <h1>Login</h1>
                 <label for="password">Password</label>
                 <input type="password" class="form-control" name="password" placeholder="Please enter your password">
             </div>
-            <button type="submit" class="btn btn-primary">Submit</button>
+            <button type="submit" class="btn btn-success">Login</button>
         </form>
     </div>
 </body>

example/server/testdata/authorize.png

@@ -1,14 +1,19 @@
 package oauth2
 
+import (
+	"time"
+)
+
 // TokenGenerateRequest Provide to generate the token request parameters
 type TokenGenerateRequest struct {
-	ClientID     string // The client information
-	ClientSecret string // The client secret
-	UserID       string // The user id
-	RedirectURI  string // Redirect URI
-	Scope        string // Scope of authorization
-	Code         string // Authorization code
-	Refresh      string // Refreshing token
+	ClientID       string        // The client information
+	ClientSecret   string        // The client secret
+	UserID         string        // The user id
+	RedirectURI    string        // Redirect URI
+	Scope          string        // Scope of authorization
+	Code           string        // Authorization code
+	Refresh        string        // Refreshing token
+	AccessTokenExp time.Duration // Access token expiration time (in seconds)
 }
 
 // Manager Authorization management interface

example/server/testdata/login.png

@@ -21,7 +21,7 @@ func TestManager(t *testing.T) {
 			So(cli.GetSecret(), ShouldEqual, "11")
 		})
 
-		Convey("Memory store test", func() {
+		Convey("Token test", func() {
 			manager.MustTokenStorage(store.NewMemoryTokenStore())
 			testManager(manager)
 		})
@@ -37,8 +37,9 @@ func testManager(manager oauth2.Manager) {
 	}
 	cti, err := manager.GenerateAuthToken(oauth2.Code, reqParams)
 	So(err, ShouldBeNil)
+	Println(cti.GetCode())
 
-	code := cti.GetAccess()
+	code := cti.GetCode()
 	So(code, ShouldNotBeEmpty)
 
 	atParams := &oauth2.TokenGenerateRequest{
@@ -54,9 +55,6 @@ func testManager(manager oauth2.Manager) {
 	So(accessToken, ShouldNotBeEmpty)
 	So(refreshToken, ShouldNotBeEmpty)
 
-	_, err = manager.LoadAccessToken(code)
-	So(err, ShouldNotBeNil)
-
 	ainfo, err := manager.LoadAccessToken(accessToken)
 	So(err, ShouldBeNil)
 	So(ainfo.GetClientID(), ShouldEqual, atParams.ClientID)

manage.go

@@ -24,8 +24,8 @@ func NewDefaultManager() *Manager {
 
 	// default config
 	m.SetAuthorizeCodeExp(time.Minute * 10)
-	m.SetImplicitTokenExp(time.Hour * 1)
-	m.SetClientTokenExp(time.Hour * 2)
+	m.SetImplicitTokenCfg(&Config{AccessTokenExp: time.Hour * 1})
+	m.SetClientTokenCfg(&Config{AccessTokenExp: time.Hour * 2})
 	m.SetAuthorizeCodeTokenCfg(&Config{IsGenerateRefresh: true, AccessTokenExp: time.Hour * 2, RefreshTokenExp: time.Hour * 24 * 3})
 	m.SetPasswordTokenCfg(&Config{IsGenerateRefresh: true, AccessTokenExp: time.Hour * 2, RefreshTokenExp: time.Hour * 24 * 7})
 
@@ -70,19 +70,24 @@ func (m *Manager) SetAuthorizeCodeTokenCfg(cfg *Config) {
 	m.gtcfg[oauth2.AuthorizationCode] = cfg
 }
 
-// SetImplicitTokenExp Set the implicit grant token expiration time
-func (m *Manager) SetImplicitTokenExp(exp time.Duration) {
-	m.gtcfg[oauth2.Implicit] = &Config{AccessTokenExp: exp}
+// SetImplicitTokenCfg Set the implicit grant token config
+func (m *Manager) SetImplicitTokenCfg(cfg *Config) {
+	m.gtcfg[oauth2.Implicit] = cfg
 }
 
 // SetPasswordTokenCfg Set the password grant token config
 func (m *Manager) SetPasswordTokenCfg(cfg *Config) {
 	m.gtcfg[oauth2.PasswordCredentials] = cfg
 }
 
-// SetClientTokenExp Set the client grant token expiration time
-func (m *Manager) SetClientTokenExp(exp time.Duration) {
-	m.gtcfg[oauth2.ClientCredentials] = &Config{AccessTokenExp: exp}
+// SetClientTokenCfg Set the client grant token config
+func (m *Manager) SetClientTokenCfg(cfg *Config) {
+	m.gtcfg[oauth2.ClientCredentials] = cfg
+}
+
+// SetRefreshTokenCfg Set the refreshing token config
+func (m *Manager) SetRefreshTokenCfg(cfg *Config) {
+	m.gtcfg[oauth2.Refreshing] = cfg
 }
 
 // MapTokenModel Mapping the token information model
@@ -179,28 +184,44 @@ func (m *Manager) GenerateAuthToken(rt oauth2.ResponseType, tgr *oauth2.TokenGen
 	}
 	_, ierr := m.injector.Invoke(func(ti oauth2.TokenInfo, gen oauth2.AuthorizeGenerate, tgen oauth2.AccessGenerate, stor oauth2.TokenStore) {
 		ti = m.newTokenInfo(ti)
-		var (
-			tv   string
-			terr error
-		)
+
 		td := &oauth2.GenerateBasic{
 			Client:   cli,
 			UserID:   tgr.UserID,
 			CreateAt: time.Now(),
 		}
-		if rt == oauth2.Code {
-			ti.SetAccessExpiresIn(m.codeExp)
-			tv, terr = gen.Token(td)
-		} else {
-			ti.SetAccessExpiresIn(m.gtcfg[oauth2.Implicit].AccessTokenExp)
-			tv, _, terr = tgen.Token(td, false)
-		}
-		if terr != nil {
-			err = terr
-			return
+		switch rt {
+		case oauth2.Code:
+			tv, terr := gen.Token(td)
+			if terr != nil {
+				err = terr
+				return
+			}
+			ti.SetCode(tv)
+			ti.SetCodeExpiresIn(m.codeExp)
+			ti.SetCodeCreateAt(td.CreateAt)
+			if exp := tgr.AccessTokenExp; exp > 0 {
+				ti.SetAccessExpiresIn(exp)
+			}
+		case oauth2.Token:
+			tv, rv, terr := tgen.Token(td, m.gtcfg[oauth2.Implicit].IsGenerateRefresh)
+			if terr != nil {
+				err = terr
+				return
+			}
+			ti.SetAccess(tv)
+			ti.SetAccessCreateAt(td.CreateAt)
+			aexp := m.gtcfg[oauth2.Implicit].AccessTokenExp
+			if exp := tgr.AccessTokenExp; exp > 0 {
+				aexp = exp
+			}
+			ti.SetAccessExpiresIn(aexp)
+			if rv != "" && m.gtcfg[oauth2.Implicit].IsGenerateRefresh {
+				ti.SetRefresh(rv)
+				ti.SetRefreshCreateAt(td.CreateAt)
+				ti.SetRefreshExpiresIn(m.gtcfg[oauth2.Implicit].RefreshTokenExp)
+			}
 		}
-		ti.SetAccess(tv)
-		ti.SetAccessCreateAt(td.CreateAt)
 		ti.SetClientID(tgr.ClientID)
 		ti.SetUserID(tgr.UserID)
 		ti.SetRedirectURI(tgr.RedirectURI)
@@ -217,26 +238,58 @@ func (m *Manager) GenerateAuthToken(rt oauth2.ResponseType, tgr *oauth2.TokenGen
 	return
 }
 
+// get authorization code data
+func (m *Manager) getAuthorizationCode(code string) (info oauth2.TokenInfo, err error) {
+	_, ierr := m.injector.Invoke(func(stor oauth2.TokenStore) {
+		ti, terr := stor.GetByCode(code)
+		if terr != nil {
+			err = terr
+			return
+		} else if ti == nil {
+			err = errors.ErrInvalidAuthorizeCode
+			return
+		} else if ti.GetCodeCreateAt().Add(ti.GetCodeExpiresIn()).Before(time.Now()) {
+			err = errors.ErrInvalidAuthorizeCode
+			return
+		}
+		info = ti
+	})
+	if ierr != nil && err == nil {
+		err = ierr
+	}
+	return
+}
+
+// delete authorization code data
+func (m *Manager) delAuthorizationCode(code string) (err error) {
+	_, ierr := m.injector.Invoke(func(stor oauth2.TokenStore) {
+		err = stor.RemoveByCode(code)
+	})
+	if ierr != nil && err == nil {
+		err = ierr
+	}
+	return
+}
+
 // GenerateAccessToken Generate the access token
 func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (accessToken oauth2.TokenInfo, err error) {
 	if gt == oauth2.AuthorizationCode {
-		ti, terr := m.LoadAccessToken(tgr.Code)
+		ti, terr := m.getAuthorizationCode(tgr.Code)
 		if terr != nil {
-			if terr == errors.ErrInvalidAccessToken {
-				err = errors.ErrInvalidAuthorizeCode
-				return
-			}
 			err = terr
 			return
 		} else if ti.GetRedirectURI() != tgr.RedirectURI || ti.GetClientID() != tgr.ClientID {
 			err = errors.ErrInvalidAuthorizeCode
 			return
-		} else if verr := m.RemoveAccessToken(tgr.Code); verr != nil { // remove authorize code
+		} else if verr := m.delAuthorizationCode(tgr.Code); verr != nil {
 			err = verr
 			return
 		}
 		tgr.UserID = ti.GetUserID()
 		tgr.Scope = ti.GetScope()
+		if exp := ti.GetAccessExpiresIn(); exp > 0 {
+			tgr.AccessTokenExp = exp
+		}
 	}
 	cli, err := m.GetClient(tgr.ClientID)
 	if err != nil {
@@ -262,13 +315,19 @@ func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGene
 		ti.SetRedirectURI(tgr.RedirectURI)
 		ti.SetScope(tgr.Scope)
 		ti.SetAccessCreateAt(td.CreateAt)
-		ti.SetAccessExpiresIn(m.gtcfg[gt].AccessTokenExp)
 		ti.SetAccess(av)
-		if m.gtcfg[gt].IsGenerateRefresh && rv != "" {
+
+		aexp := m.gtcfg[gt].AccessTokenExp
+		if exp := tgr.AccessTokenExp; exp > 0 {
+			aexp = exp
+		}
+		ti.SetAccessExpiresIn(aexp)
+		if rv != "" && m.gtcfg[gt].IsGenerateRefresh {
 			ti.SetRefreshCreateAt(td.CreateAt)
 			ti.SetRefreshExpiresIn(m.gtcfg[gt].RefreshTokenExp)
 			ti.SetRefresh(rv)
 		}
+
 		err = stor.Create(ti)
 		if err != nil {
 			return
@@ -304,7 +363,11 @@ func (m *Manager) RefreshAccessToken(tgr *oauth2.TokenGenerateRequest) (accessTo
 			UserID:   ti.GetUserID(),
 			CreateAt: time.Now(),
 		}
-		tv, _, terr := gen.Token(td, false)
+		isGenRefresh := false
+		if rcfg, ok := m.gtcfg[oauth2.Refreshing]; ok {
+			isGenRefresh = rcfg.IsGenerateRefresh
+		}
+		tv, rv, terr := gen.Token(td, isGenRefresh)
 		if terr != nil {
 			err = terr
 			return
@@ -314,6 +377,9 @@ func (m *Manager) RefreshAccessToken(tgr *oauth2.TokenGenerateRequest) (accessTo
 		if scope := tgr.Scope; scope != "" {
 			ti.SetScope(scope)
 		}
+		if rv != "" {
+			ti.SetRefresh(rv)
+		}
 		if verr := stor.Create(ti); verr != nil {
 			err = verr
 			return

manage/manage_test.go

@@ -34,6 +34,19 @@ type (
 		// Set Scope of authorization
 		SetScope(string)
 
+		// Get Authorization code
+		GetCode() string
+		// Set Authorization code
+		SetCode(string)
+		// Get Create Time
+		GetCodeCreateAt() time.Time
+		// Set Create Time
+		SetCodeCreateAt(time.Time)
+		// Get The lifetime in seconds of the authorization code
+		GetCodeExpiresIn() time.Duration
+		// Set The lifetime in seconds of the authorization code
+		SetCodeExpiresIn(time.Duration)
+
 		// Get Access Token
 		GetAccess() string
 		// Set Access Token