package refresh
import (
"crypto/rand"
"errors"
"github.com/coreos/dex/client"
"github.com/coreos/dex/scope"
)
const (
	// DefaultRefreshTokenPayloadLength is the number of random bytes that
	// DefaultRefreshTokenGenerator reads from crypto/rand for one token payload.
	DefaultRefreshTokenPayloadLength = 64

	// TokenDelimer is the separator used between the parts of a serialized
	// refresh token. NOTE(review): the encode/decode code that uses it is not
	// in this file — confirm the exact token layout there.
	TokenDelimer = "/"
)
// Sentinel errors shared by RefreshTokenRepo implementations (which live outside
// this file). Compare with errors.Is rather than ==.
//
// NOTE(review): the three values are distinct so that callers can tell which
// check failed; if they are passed through to the OAuth client unchanged they
// would reveal that, so confirm the HTTP layer maps them to one generic error.
var (
	// ErrorInvalidUserID reports that the supplied user ID does not match the
	// user the refresh token is bound to.
	ErrorInvalidUserID = errors.New("invalid user ID")

	// ErrorInvalidClientID reports that the supplied client ID does not match
	// the client the refresh token was issued to.
	ErrorInvalidClientID = errors.New("invalid client ID")

	// ErrorInvalidToken reports that the token could not be parsed or was not
	// found in the repository.
	ErrorInvalidToken = errors.New("invalid token")
)
// RefreshTokenGenerator produces the random payload of a new refresh token.
// It returns the raw bytes and any error from the underlying entropy source.
type RefreshTokenGenerator func() ([]byte, error)

// Generate invokes the generator function and hands back its payload and
// error exactly as produced, without further validation.
func (g RefreshTokenGenerator) Generate() ([]byte, error) {
	payload, err := g()
	return payload, err
}
// DefaultRefreshTokenGenerator returns DefaultRefreshTokenPayloadLength bytes
// drawn from crypto/rand, the CSPRNG, for use as a refresh token payload.
// It returns an error if the random source fails or yields fewer bytes than
// requested; a short or partially filled buffer is never returned.
func DefaultRefreshTokenGenerator() ([]byte, error) {
	// TODO(yifan) Remove this duplicated token generate function.
	payload := make([]byte, DefaultRefreshTokenPayloadLength)
	filled, err := rand.Read(payload)
	switch {
	case err != nil:
		return nil, err
	case filled != DefaultRefreshTokenPayloadLength:
		// Defensive: never hand out a token whose tail is still zero bytes.
		return nil, errors.New("unable to read enough random bytes")
	}
	return payload, nil
}
// RefreshTokenRepo stores refresh tokens and binds each one to the user,
// client and connector it was issued for, along with the granted scopes.
// Implementations live outside this file.
type RefreshTokenRepo interface {
	// Create generates and returns a new refresh token for the given client-user pair.
	// The scopes will be stored with the refresh token, and used to verify
	// against future OIDC refresh requests' scopes.
	// On success the token will be returned.
	Create(userID, clientID, connectorID string, scope []string) (string, error)

	// Verify verifies that a token belongs to the client; a token presented by
	// a client other than the one it was issued to must not verify.
	// It returns the user ID and connector ID to which the token belongs, and
	// the scopes stored with the token.
	Verify(clientID, token string) (userID, connectorID string, scope scope.Scopes, err error)

	// Revoke deletes the refresh token if the token belongs to the given userID.
	Revoke(userID, token string) error

	// RevokeTokensForClient revokes all tokens issued for the userID for the provided client.
	RevokeTokensForClient(userID, clientID string) error

	// ClientsWithRefreshTokens returns a list of all clients the user has an
	// outstanding refresh token with.
	ClientsWithRefreshTokens(userID string) ([]client.Client, error)
}