oauth2/introspector: remove auth code, refresh scopes (#187)

Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.

Author: arekkas

HISTORY.md

@@ -19,6 +19,11 @@ bumps (`0.1.0` -> `0.2.0`).
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+## 0.10.0
+
+It is no longer possible to introspect authorize codes, and passing scopes to the introspector now also checks
+refresh token scopes.
+
 ## 0.9.0
 
 This patch adds the ability to pass a custom hasher to `compose.Compose`, which is a breaking change. You can pass nil for the fosite default hasher:

handler/oauth2/introspector.go

@@ -16,34 +16,37 @@ type CoreValidator struct {
 func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, tokenType fosite.TokenType, accessRequest fosite.AccessRequester, scopes []string) (err error) {
 	switch tokenType {
 	case fosite.RefreshToken:
-		if err = c.introspectRefreshToken(ctx, token, accessRequest); err == nil {
-			return err
-		} else if err = c.introspectAuthorizeCode(ctx, token, accessRequest); err == nil {
-			return err
+		if err = c.introspectRefreshToken(ctx, token, accessRequest, scopes); err == nil {
+			return nil
 		} else if err = c.introspectAccessToken(ctx, token, accessRequest, scopes); err == nil {
-			return err
-		}
-		return err
-	case fosite.AuthorizeCode:
-		if err = c.introspectAuthorizeCode(ctx, token, accessRequest); err == nil {
-			return err
-		} else if err := c.introspectAccessToken(ctx, token, accessRequest, scopes); err == nil {
-			return err
-		} else if err := c.introspectRefreshToken(ctx, token, accessRequest); err == nil {
-			return err
+			return nil
 		}
 		return err
 	}
+
 	if err = c.introspectAccessToken(ctx, token, accessRequest, scopes); err == nil {
-		return err
-	} else if err := c.introspectRefreshToken(ctx, token, accessRequest); err == nil {
-		return err
-	} else if err := c.introspectAuthorizeCode(ctx, token, accessRequest); err == nil {
-		return err
+		return nil
+	} else if err := c.introspectRefreshToken(ctx, token, accessRequest, scopes); err == nil {
+		return nil
 	}
+
 	return err
 }
 
+func matchScopes(ss fosite.ScopeStrategy, granted, scopes []string) error {
+	for _, scope := range scopes {
+		if scope == "" {
+			continue
+		}
+
+		if !ss(granted, scope) {
+			return errors.Wrapf(fosite.ErrInvalidScope, "Scope %s was not granted", scope)
+		}
+	}
+
+	return nil
+}
+
 func (c *CoreValidator) introspectAccessToken(ctx context.Context, token string, accessRequest fosite.AccessRequester, scopes []string) error {
 	sig := c.CoreStrategy.AccessTokenSignature(token)
 	or, err := c.CoreStorage.GetAccessTokenSession(ctx, sig, accessRequest.GetSession())
@@ -53,42 +56,28 @@ func (c *CoreValidator) introspectAccessToken(ctx context.Context, token string,
 		return err
 	}
 
-	for _, scope := range scopes {
-		if scope == "" {
-			continue
-		}
-
-		if !c.ScopeStrategy(or.GetGrantedScopes(), scope) {
-			return errors.WithStack(fosite.ErrInvalidScope)
-		}
+	if err := matchScopes(c.ScopeStrategy, or.GetGrantedScopes(), scopes); err != nil {
+		return err
 	}
 
 	accessRequest.Merge(or)
 	return nil
 }
 
-func (c *CoreValidator) introspectRefreshToken(ctx context.Context, token string, accessRequest fosite.AccessRequester) error {
+func (c *CoreValidator) introspectRefreshToken(ctx context.Context, token string, accessRequest fosite.AccessRequester, scopes []string) error {
 	sig := c.CoreStrategy.RefreshTokenSignature(token)
-	if or, err := c.CoreStorage.GetRefreshTokenSession(ctx, sig, accessRequest.GetSession()); err != nil {
+	or, err := c.CoreStorage.GetRefreshTokenSession(ctx, sig, accessRequest.GetSession())
+
+	if err != nil {
 		return errors.Wrap(fosite.ErrRequestUnauthorized, err.Error())
 	} else if err := c.CoreStrategy.ValidateRefreshToken(ctx, or, token); err != nil {
 		return err
-	} else {
-		accessRequest.Merge(or)
 	}
 
-	return nil
-}
-
-func (c *CoreValidator) introspectAuthorizeCode(ctx context.Context, token string, accessRequest fosite.AccessRequester) error {
-	sig := c.CoreStrategy.AuthorizeCodeSignature(token)
-	if or, err := c.CoreStorage.GetAuthorizeCodeSession(ctx, sig, accessRequest.GetSession()); err != nil {
-		return errors.Wrap(err, fosite.ErrRequestUnauthorized.Error())
-	} else if err := c.CoreStrategy.ValidateAuthorizeCode(ctx, or, token); err != nil {
+	if err := matchScopes(c.ScopeStrategy, or.GetGrantedScopes(), scopes); err != nil {
 		return err
-	} else {
-		accessRequest.Merge(or)
 	}
 
+	accessRequest.Merge(or)
 	return nil
 }

handler/oauth2/introspector_test.go

@@ -37,8 +37,6 @@ func TestIntrospectToken(t *testing.T) {
 				store.EXPECT().GetAccessTokenSession(nil, "", nil).Return(nil, errors.New(""))
 				chgen.EXPECT().RefreshTokenSignature("").Return("")
 				store.EXPECT().GetRefreshTokenSession(nil, "", nil).Return(nil, errors.New(""))
-				chgen.EXPECT().AuthorizeCodeSignature("").Return("")
-				store.EXPECT().GetAuthorizeCodeSession(nil, "", nil).Return(nil, errors.New(""))
 			},
 			expectErr: fosite.ErrRequestUnauthorized,
 		},
@@ -50,8 +48,6 @@ func TestIntrospectToken(t *testing.T) {
 				store.EXPECT().GetAccessTokenSession(nil, "asdf", nil).Return(nil, errors.New(""))
 				chgen.EXPECT().RefreshTokenSignature("1234").Return("asdf")
 				store.EXPECT().GetRefreshTokenSession(nil, "asdf", nil).Return(nil, errors.New(""))
-				chgen.EXPECT().AuthorizeCodeSignature("1234").Return("asdf")
-				store.EXPECT().GetAuthorizeCodeSession(nil, "asdf", nil).Return(nil, errors.New(""))
 			},
 			expectErr: fosite.ErrRequestUnauthorized,
 		},
@@ -62,8 +58,6 @@ func TestIntrospectToken(t *testing.T) {
 				chgen.EXPECT().ValidateAccessToken(nil, areq, "1234").Return(errors.WithStack(fosite.ErrTokenExpired))
 				chgen.EXPECT().RefreshTokenSignature("1234").Return("asdf")
 				store.EXPECT().GetRefreshTokenSession(nil, "asdf", nil).Return(nil, errors.New(""))
-				chgen.EXPECT().AuthorizeCodeSignature("1234").Return("asdf")
-				store.EXPECT().GetAuthorizeCodeSession(nil, "asdf", nil).Return(nil, errors.New(""))
 			},
 			expectErr: fosite.ErrTokenExpired,
 		},