Use JWT token for access token

2022-04-15 20:08:31 +02:00
parent 69bb2816b9
commit 94c601119a
4 changed files with 77 additions and 37 deletions


@ -9,7 +9,7 @@ use askama::Template;
use crate::actors::{openid_sessions_actor, users_actor};
use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID};
use crate::actors::users_actor::UsersActor;
use crate::constants::{AUTHORIZE_URI, CERT_URI, OPEN_ID_ACCESS_TOKEN_LEN, OPEN_ID_ACCESS_TOKEN_TIMEOUT, OPEN_ID_AUTHORIZATION_CODE_LEN, OPEN_ID_AUTHORIZATION_CODE_TIMEOUT, OPEN_ID_REFRESH_TOKEN_LEN, OPEN_ID_REFRESH_TOKEN_TIMEOUT, OPEN_ID_SESSION_LEN, TOKEN_URI, USERINFO_URI};
use crate::constants::*;
use crate::controllers::base_controller::FatalErrorPage;
use crate::data::app_config::AppConfig;
use crate::data::client::{ClientID, ClientManager};
@ -139,11 +139,10 @@ pub async fn authorize(user: CurrentUser, id: Identity, query: web::Query<Author
redirect_uri,
authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
authorization_code_used: false,
access_token: rand_str(OPEN_ID_ACCESS_TOKEN_LEN),
access_token: None,
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
refresh_token: rand_str(OPEN_ID_REFRESH_TOKEN_LEN),
refresh_token_expire_at: time() + OPEN_ID_REFRESH_TOKEN_TIMEOUT,
refresh_token: "".to_string(),
refresh_token_expire_at: 0,
nonce: query.0.nonce,
code_challenge,
};
@ -272,7 +271,7 @@ pub async fn token(req: HttpRequest,
&query.authorization_code_query,
&query.refresh_token_query) {
("authorization_code", Some(q), _) => {
let session: Session = match sessions
let mut session: Session = match sessions
.send(openid_sessions_actor::FindSessionByAuthorizationCode(q.code.clone()))
.await.unwrap()
{
@ -310,17 +309,18 @@ pub async fn token(req: HttpRequest,
}
}
if session.authorization_code_used {
if let Some(_) = session.access_token {
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
}
// Mark session as used
sessions.send(openid_sessions_actor::MarkAuthorizationCodeUsed(session.authorization_code))
session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;
sessions.send(openid_sessions_actor::UpdateSession(session.clone()))
.await.unwrap();
// Generate id token
let token = IdToken {
let id_token = IdToken {
issuer: app_config.website_origin.to_string(),
subject_identifier: session.user,
audience: session.client.0.to_string(),
@ -331,11 +331,11 @@ pub async fn token(req: HttpRequest,
};
TokenResponse {
access_token: session.access_token,
access_token: session.access_token.expect("Missing access token!"),
token_type: "Bearer",
refresh_token: session.refresh_token,
expires_in: session.access_token_expire_at - time(),
id_token: Some(jwt_signer.sign_token(token.to_jwt_claims())?),
id_token: Some(jwt_signer.sign_token(id_token.to_jwt_claims())?),
}
}
@ -358,17 +358,14 @@ pub async fn token(req: HttpRequest,
return Ok(error_response(&query, "access_denied", "Refresh token has expired!"));
}
session.refresh_token = rand_str(OPEN_ID_REFRESH_TOKEN_LEN);
session.refresh_token_expire_at = OPEN_ID_REFRESH_TOKEN_TIMEOUT + time();
session.access_token = rand_str(OPEN_ID_ACCESS_TOKEN_LEN);
session.access_token_expire_at = OPEN_ID_ACCESS_TOKEN_TIMEOUT + time();
session.regenerate_access_and_refresh_tokens(&app_config, &jwt_signer)?;
sessions
.send(openid_sessions_actor::UpdateSession(session.clone()))
.await.unwrap();
TokenResponse {
access_token: session.access_token,
access_token: session.access_token.expect("Missing access token!"),
token_type: "Bearer",
refresh_token: session.refresh_token,
expires_in: session.access_token_expire_at - time(),