token will only expose credentials

Author: ndyakov

identity_provider.go

@@ -23,6 +23,9 @@ type IdentityProviderResponse interface {
 	AccessToken() *azcore.AccessToken
 }
 
+// IdentityProviderResponseParserFunc is a function that parses the token and returns the username and password.
+type IdentityProviderResponseParserFunc func(response IdentityProviderResponse) (*Token, error)
+
 // IdentityProvider is an interface that defines the methods for an identity provider.
 // It is used to request a token for authentication.
 // The identity provider is responsible for providing the raw authentication token.

token.go

@@ -1,35 +1,86 @@
 package entraid
 
-import "time"
+import (
+	"time"
+)
 
 // Token represents the authentication token used to access the Entraid API.
 // It contains the username, password, expiration time, time to live, and the raw token.
 // The token is used to authenticate the user and authorize access to the API.
 // The token is typically obtained from an identity provider and is used to access the Entraid API.
 // The token is valid for a limited time and must be refreshed periodically.
 type Token struct {
-	// Username is the username of the user.
-	Username string `json:"username"`
-	// Password is the password of the user.
-	Password string `json:"password"`
-	// ExpiresOn is the expiration time of the token.
-	ExpiresOn time.Time `json:"expires_on"`
-	// TTL is the time to live of the token.
-	TTL int64 `json:"ttl"`
-	// RawToken is the authentication token.
-	RawToken string `json:"raw_token"`
+	// username is the username of the user.
+	username string `json:"username"`
+	// password is the password of the user.
+	password string `json:"password"`
+	// expiresOn is the expiration time of the token.
+	expiresOn time.Time `json:"expires_on"`
+	// ttl is the time to live of the token.
+	ttl int64 `json:"ttl"`
+	// rawToken is the authentication token.
+	rawToken string `json:"raw_token"`
+	// receivedAt is the time when the token was received.
+	receivedAt time.Time `json:"received_at"`
 }
 
-// IdentityProviderResponseParserFunc is a function that parses the token and returns the username and password.
-type IdentityProviderResponseParserFunc func(response IdentityProviderResponse) (*Token, error)
+// BasicAuth returns the username and password for basic authentication.
+// It implements the auth.Credentials interface.
+func (t *Token) BasicAuth() (string, string) {
+	return t.username, t.password
+}
 
-// copyToken creates a copy of the token.
-func copyToken(token *Token) *Token {
+// RawCredentials returns the raw credentials for authentication.
+// It implements the auth.Credentials interface.
+func (t *Token) RawCredentials() string {
+	return t.rawToken
+}
+
+// IsExpired checks if the token is expired.
+// It returns true if the token is expired, false otherwise.
+func (t *Token) IsExpired() bool {
+	return t.expiresOn.Before(time.Now())
+}
+
+// IsValid checks if the token is valid.
+// It returns true if the token is valid, false otherwise.
+func (t *Token) IsValid() bool {
+	return !t.IsExpired()
+}
+
+// ExpirationOn returns the expiration time of the token.
+func (t *Token) ExpirationOn() time.Time {
+	return t.expiresOn
+}
+
+// NewToken creates a new token with the specified username, password, raw token, expiration time, received at time, and time to live.
+func NewToken(username, password, rawToken string, expiresOn, receivedAt time.Time, ttl int64) *Token {
 	return &Token{
-		Username:  token.Username,
-		Password:  token.Password,
-		ExpiresOn: token.ExpiresOn,
-		TTL:       token.TTL,
-		RawToken:  token.RawToken,
+		username:   username,
+		password:   password,
+		expiresOn:  expiresOn,
+		receivedAt: receivedAt,
+		ttl:        ttl,
+		rawToken:   rawToken,
 	}
 }
+
+// copyToken creates a copy of the token.
+func copyToken(token *Token) *Token {
+	return NewToken(token.username, token.password, token.rawToken, token.expiresOn, token.receivedAt, token.ttl)
+}
+
+// compareCredentials two tokens if they are the same credentials
+func (t *Token) compareCredentials(token *Token) bool {
+	return t.username == token.username && t.password == token.password
+}
+
+// compareRawCredentials two tokens if they are the same raw credentials
+func (t *Token) compareRawCredentials(token *Token) bool {
+	return t.rawToken == token.rawToken
+}
+
+// compareToken compares two tokens if they are the same token
+func (t *Token) compareToken(token *Token) bool {
+	return t.compareCredentials(token) && t.compareRawCredentials(token)
+}

token_manager.go

@@ -7,6 +7,8 @@ import (
 	"net"
 	"sync"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
 const MinTokenTTL = 30 * time.Minute
@@ -98,11 +100,30 @@ var defaultIdentityProviderResponseParser = func(response IdentityProviderRespon
 		if authResult == nil {
 			return nil, fmt.Errorf("auth result is nil")
 		}
+		rawToken = authResult.IDToken.RawToken
+
+		username = authResult.IDToken.Oid
+		password = rawToken
+		expiresOn = authResult.ExpiresOn.UTC()
 	case typeAccessToken:
 		accessToken := response.AccessToken()
 		if accessToken == nil {
 			return nil, fmt.Errorf("access token is nil")
 		}
+
+		claims := struct {
+			jwt.RegisteredClaims
+			Oid string `json:"oid"`
+		}{}
+
+		_, err := jwt.ParseWithClaims(accessToken.Token, claims, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse jwt token: %w", err)
+		}
+		rawToken = accessToken.Token
+		username = claims.Oid
+		password = rawToken
+		expiresOn = accessToken.ExpiresOn.UTC()
 	default:
 		return nil, fmt.Errorf("unknown response type: %s", response.Type())
 	}
@@ -118,13 +139,14 @@ var defaultIdentityProviderResponseParser = func(response IdentityProviderRespon
 	}
 	// parse token as jwt token and get claims
 
-	return &Token{
-		Username:  "username",
-		Password:  rawToken,
-		ExpiresOn: expiresOn.UTC(),
-		TTL:       expiresOn.UTC().Unix() - time.Now().UTC().Unix(),
-		RawToken:  rawToken,
-	}, nil
+	return NewToken(
+		username,
+		password,
+		rawToken,
+		expiresOn,
+		time.Now().UTC(),
+		int64(expiresOn.Sub(time.Now()).Seconds()),
+	), nil
 }
 
 // NewTokenManager creates a new TokenManager.
@@ -142,12 +164,12 @@ func NewTokenManager(idp IdentityProvider, options TokenManagerOptions) (TokenMa
 	}
 
 	return &entraidTokenManager{
-		idp:                    idp,
-		token:                  nil,
-		closed:                 make(chan struct{}),
-		expirationRefreshRatio: options.ExpirationRefreshRatio,
-		tokenParser:            options.TokenParser,
-		retryOptions:           options.RetryOptions,
+		idp:                            idp,
+		token:                          nil,
+		closed:                         make(chan struct{}),
+		expirationRefreshRatio:         options.ExpirationRefreshRatio,
+		identityProviderResponseParser: options.IdentityProviderResponseParser,
+		retryOptions:                   options.RetryOptions,
 	}, nil
 }
 
@@ -183,7 +205,7 @@ type entraidTokenManager struct {
 }
 
 func (e *entraidTokenManager) GetToken() (*Token, error) {
-	if e.token != nil && e.token.ExpiresOn.After(time.Now().Add(MinTokenTTL)) {
+	if e.token != nil && e.token.expiresOn.After(time.Now().Add(MinTokenTTL)) {
 		// copy the token so the caller can't modify it
 		return copyToken(e.token), nil
 	}
@@ -240,9 +262,19 @@ func (e *entraidTokenManager) Start(listener TokenListener) (cancelFunc, error)
 		// Simulate token refresh
 		for {
 			select {
-			case <-time.After(time.Until(token.ExpiresOn) * time.Duration(e.expirationRefreshRatio)):
+			case <-e.closed:
+				// Token manager is closed, stop the loop
+				return
+			case <-time.After(time.Until(token.expiresOn) * time.Duration(e.expirationRefreshRatio)):
 				// Token is about to expire, refresh it
 				for i := 0; i < e.retryOptions.MaxAttempts; i++ {
+					select {
+					case <-e.closed:
+						// Token manager is closed, stop the loop
+						return
+					default:
+						// continue to next attempt
+					}
 					token, err := e.GetToken()
 					if err == nil {
 						listener.OnTokenNext(token)
@@ -276,9 +308,6 @@ func (e *entraidTokenManager) Start(listener TokenListener) (cancelFunc, error)
 						delay = time.Duration(e.retryOptions.MaxDelayMs) * time.Millisecond
 					}
 				}
-			case <-e.closed:
-				// Token manager is closed, stop the loop
-				return
 			}
 		}
 	}(e.listener)