Use JWT token for access token
@ -9,7 +9,7 @@ use askama::Template;
|
||||
use crate::actors::{openid_sessions_actor, users_actor};
|
||||
use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID};
|
||||
use crate::actors::users_actor::UsersActor;
|
||||
use crate::constants::{AUTHORIZE_URI, CERT_URI, OPEN_ID_ACCESS_TOKEN_LEN, OPEN_ID_ACCESS_TOKEN_TIMEOUT, OPEN_ID_AUTHORIZATION_CODE_LEN, OPEN_ID_AUTHORIZATION_CODE_TIMEOUT, OPEN_ID_REFRESH_TOKEN_LEN, OPEN_ID_REFRESH_TOKEN_TIMEOUT, OPEN_ID_SESSION_LEN, TOKEN_URI, USERINFO_URI};
|
||||
use crate::constants::*;
|
||||
use crate::controllers::base_controller::FatalErrorPage;
|
||||
use crate::data::app_config::AppConfig;
|
||||
use crate::data::client::{ClientID, ClientManager};
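Review bot: `use crate::constants::*;` swaps the explicit constant list for a glob import, which hides which constants this controller still depends on and lets any name later added to `constants` collide with a local silently. Since only the token-length and timeout constants stop being referenced here, keeping the remaining names explicit preserves that visibility: e.g. `use crate::constants::{AUTHORIZE_URI, CERT_URI, OPEN_ID_AUTHORIZATION_CODE_LEN, OPEN_ID_AUTHORIZATION_CODE_TIMEOUT, OPEN_ID_SESSION_LEN, TOKEN_URI, USERINFO_URI};`, adjusted to whichever of those are actually used further down the file.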
|
||||
@ -139,11 +139,10 @@ pub async fn authorize(user: CurrentUser, id: Identity, query: web::Query<Author
|
||||
redirect_uri,
|
||||
authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
|
||||
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
|
||||
authorization_code_used: false,
|
||||
access_token: rand_str(OPEN_ID_ACCESS_TOKEN_LEN),
|
||||
access_token: None,
|
||||
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
|
||||
refresh_token: rand_str(OPEN_ID_REFRESH_TOKEN_LEN),
|
||||
refresh_token_expire_at: time() + OPEN_ID_REFRESH_TOKEN_TIMEOUT,
|
||||
refresh_token: "".to_string(),
|
||||
refresh_token_expire_at: 0,
|
||||
nonce: query.0.nonce,
|
||||
code_challenge,
|
||||
};
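Review bot: `refresh_token: "".to_string()` and `refresh_token_expire_at: 0` encode "no refresh token issued yet" as sentinel values while the neighbouring `access_token: None` uses an `Option`; the two should agree, ideally `refresh_token: Option<String>` (`refresh_token: None,`) so that a refresh-token lookup by string can never match a session whose token is the empty string. The `access_token_expire_at` initialiser also appears to be dropped from this literal while `expires_in: session.access_token_expire_at - time()` in the token handler still reads that field; if the field still exists, confirm it is always set (presumably by `regenerate_access_and_refresh_tokens`) before the first token response. The `Session` type and the lookup logic live outside this hunk.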
|
||||
@ -272,7 +271,7 @@ pub async fn token(req: HttpRequest,
|
||||
&query.authorization_code_query,
|
||||
&query.refresh_token_query) {
|
||||
("authorization_code", Some(q), _) => {
|
||||
let session: Session = match sessions
|
||||
let mut session: Session = match sessions
|
||||
.send(openid_sessions_actor::FindSessionByAuthorizationCode(q.code.clone()))
|
||||
.await.unwrap()
|
||||
{
|
||||
@ -310,17 +309,18 @@ pub async fn token(req: HttpRequest,
|
||||
}
|
||||
}
|
||||
|
||||
if session.authorization_code_used {
|
||||
if let Some(_) = session.access_token {
|
||||
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
|
||||
}
|
||||
|
||||
// Mark session as used
|
||||
sessions.send(openid_sessions_actor::MarkAuthorizationCodeUsed(session.authorization_code))
|
||||
session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;
|
||||
|
||||
sessions.send(openid_sessions_actor::UpdateSession(session.clone()))
|
||||
.await.unwrap();
|
||||
|
||||
|
||||
// Generate id token
|
||||
let token = IdToken {
|
||||
let id_token = IdToken {
|
||||
issuer: app_config.website_origin.to_string(),
|
||||
subject_identifier: session.user,
|
||||
audience: session.client.0.to_string(),
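Review bot: The replay check now keys off `if let Some(_) = session.access_token`, but `authorization_code_used` is still initialised to `false` in the `authorize` literal earlier in this commit and nothing visible here sets it any more, leaving a stale flag that a future check could trust; either set it alongside the new tokens or remove the field. Write the test as `if session.access_token.is_some() {` and add a comment such as `// An access token is only issued once per authorization code, so its presence marks the code as used` so the implicit invariant is stated. Note that a second exchange of the same code still only returns `invalid_request`; the OAuth 2.0 recommendation is to also revoke the tokens previously issued for that code, which this branch does not do (pre-existing, but worth a TODO now that the session carries the issued token). The `token` handler starts and ends outside this hunk.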
|
||||
@ -331,11 +331,11 @@ pub async fn token(req: HttpRequest,
|
||||
};
|
||||
|
||||
TokenResponse {
|
||||
access_token: session.access_token,
|
||||
access_token: session.access_token.expect("Missing access token!"),
|
||||
token_type: "Bearer",
|
||||
refresh_token: session.refresh_token,
|
||||
expires_in: session.access_token_expire_at - time(),
|
||||
id_token: Some(jwt_signer.sign_token(token.to_jwt_claims())?),
|
||||
id_token: Some(jwt_signer.sign_token(id_token.to_jwt_claims())?),
|
||||
}
|
||||
}
|
||||
|
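Review bot: `session.access_token.expect("Missing access token!")` introduces a panic path inside the request handler; the invariant holds locally because `regenerate_access_and_refresh_tokens` was just called, but a change to that helper would turn a recoverable condition into a crashed worker. Prefer a guard that returns through the handler's error path, e.g. `let Some(access_token) = session.access_token.clone() else { return Ok(error_response(&query, "invalid_request", "Missing access token!")); };` (with an error code appropriate to a server-side failure), and then `access_token,` in the response. The same `expect` appears again in the refresh-token branch of the next hunk. Since `expires_in` is still derived from `session.access_token_expire_at`, confirm the helper sets that field from the same timestamp it writes into the JWT's expiry claim so the two cannot drift apart.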
||||
@ -358,17 +358,14 @@ pub async fn token(req: HttpRequest,
|
||||
return Ok(error_response(&query, "access_denied", "Refresh token has expired!"));
|
||||
}
|
||||
|
||||
session.refresh_token = rand_str(OPEN_ID_REFRESH_TOKEN_LEN);
|
||||
session.refresh_token_expire_at = OPEN_ID_REFRESH_TOKEN_TIMEOUT + time();
|
||||
session.access_token = rand_str(OPEN_ID_ACCESS_TOKEN_LEN);
|
||||
session.access_token_expire_at = OPEN_ID_ACCESS_TOKEN_TIMEOUT + time();
|
||||
session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;
|
||||
|
||||
sessions
|
||||
.send(openid_sessions_actor::UpdateSession(session.clone()))
|
||||
.await.unwrap();
|
||||
|
||||
TokenResponse {
|
||||
access_token: session.access_token,
|
||||
access_token: session.access_token.expect("Missing access token!"),
|
||||
token_type: "Bearer",
|
||||
refresh_token: session.refresh_token,
|
||||
expires_in: session.access_token_expire_at - time(),
|
||||
|