refresh tokens: store and validate scopes.

A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
This commit is contained in:
Bobby Rullo 2016-06-09 15:56:37 -07:00
parent ea2f0a3264
commit 32a1994a5e
15 changed files with 447 additions and 285 deletions

View file

@ -39,7 +39,8 @@ CREATE TABLE refresh_token (
id integer PRIMARY KEY, id integer PRIMARY KEY,
payload_hash blob, payload_hash blob,
user_id text, user_id text,
client_id text client_id text,
scopes text
); );
CREATE TABLE remote_identity_mapping ( CREATE TABLE remote_identity_mapping (

View file

@ -0,0 +1,4 @@
-- +migrate Up
ALTER TABLE refresh_token ADD COLUMN "scopes" text;
UPDATE refresh_token SET scopes = 'openid profile email offline_access';

View file

@ -78,5 +78,11 @@ var PostgresMigrations migrate.MigrationSource = &migrate.MemoryMigrationSource{
"-- +migrate Up\nCREATE TABLE IF NOT EXISTS \"trusted_peers\" (\n \"client_id\" text not null,\n \"trusted_client_id\" text not null,\n primary key (\"client_id\", \"trusted_client_id\")) ;\n", "-- +migrate Up\nCREATE TABLE IF NOT EXISTS \"trusted_peers\" (\n \"client_id\" text not null,\n \"trusted_client_id\" text not null,\n primary key (\"client_id\", \"trusted_client_id\")) ;\n",
}, },
}, },
{
Id: "0013_add_scopes_to_refresh_tokens.sql",
Up: []string{
"-- +migrate Up\nALTER TABLE refresh_token ADD COLUMN \"scopes\" text;\n\nUPDATE refresh_token SET scopes = 'openid profile email offline_access';\n",
},
},
}, },
} }

View file

@ -15,6 +15,7 @@ import (
"github.com/coreos/dex/pkg/log" "github.com/coreos/dex/pkg/log"
"github.com/coreos/dex/refresh" "github.com/coreos/dex/refresh"
"github.com/coreos/dex/repo" "github.com/coreos/dex/repo"
"github.com/coreos/dex/scope"
) )
const ( const (
@ -38,10 +39,9 @@ type refreshTokenRepo struct {
type refreshTokenModel struct { type refreshTokenModel struct {
ID int64 `db:"id"` ID int64 `db:"id"`
PayloadHash []byte `db:"payload_hash"` PayloadHash []byte `db:"payload_hash"`
// TODO(yifan): Use some sort of foreign key to manage database level
// data integrity.
UserID string `db:"user_id"` UserID string `db:"user_id"`
ClientID string `db:"client_id"` ClientID string `db:"client_id"`
Scopes string `db:"scopes"`
} }
// buildToken combines the token ID and token payload to create a new token. // buildToken combines the token ID and token payload to create a new token.
@ -89,7 +89,7 @@ func NewRefreshTokenRepoWithGenerator(dbm *gorp.DbMap, gen refresh.RefreshTokenG
} }
} }
func (r *refreshTokenRepo) Create(userID, clientID string) (string, error) { func (r *refreshTokenRepo) Create(userID, clientID string, scopes []string) (string, error) {
if userID == "" { if userID == "" {
return "", refresh.ErrorInvalidUserID return "", refresh.ErrorInvalidUserID
} }
@ -112,6 +112,7 @@ func (r *refreshTokenRepo) Create(userID, clientID string) (string, error) {
PayloadHash: payloadHash, PayloadHash: payloadHash,
UserID: userID, UserID: userID,
ClientID: clientID, ClientID: clientID,
Scopes: strings.Join(scopes, " "),
} }
if err := r.executor(nil).Insert(record); err != nil { if err := r.executor(nil).Insert(record); err != nil {
@ -121,27 +122,31 @@ func (r *refreshTokenRepo) Create(userID, clientID string) (string, error) {
return buildToken(record.ID, tokenPayload), nil return buildToken(record.ID, tokenPayload), nil
} }
func (r *refreshTokenRepo) Verify(clientID, token string) (string, error) { func (r *refreshTokenRepo) Verify(clientID, token string) (string, scope.Scopes, error) {
tokenID, tokenPayload, err := parseToken(token) tokenID, tokenPayload, err := parseToken(token)
if err != nil { if err != nil {
return "", err return "", nil, err
} }
record, err := r.get(nil, tokenID) record, err := r.get(nil, tokenID)
if err != nil { if err != nil {
return "", err return "", nil, err
} }
if record.ClientID != clientID { if record.ClientID != clientID {
return "", refresh.ErrorInvalidClientID return "", nil, refresh.ErrorInvalidClientID
} }
if err := checkTokenPayload(record.PayloadHash, tokenPayload); err != nil { if err := checkTokenPayload(record.PayloadHash, tokenPayload); err != nil {
return "", err return "", nil, err
} }
return record.UserID, nil var scopes []string
if len(record.Scopes) > 0 {
scopes = strings.Split(record.Scopes, " ")
}
return record.UserID, scopes, nil
} }
func (r *refreshTokenRepo) Revoke(userID, token string) error { func (r *refreshTokenRepo) Revoke(userID, token string) error {
@ -190,7 +195,6 @@ func (r *refreshTokenRepo) ClientsWithRefreshTokens(userID string) ([]client.Cli
q := `SELECT c.* FROM %s as c q := `SELECT c.* FROM %s as c
INNER JOIN %s as r ON c.id = r.client_id WHERE r.user_id = $1;` INNER JOIN %s as r ON c.id = r.client_id WHERE r.user_id = $1;`
q = fmt.Sprintf(q, r.quote(clientTableName), r.quote(refreshTokenTableName)) q = fmt.Sprintf(q, r.quote(clientTableName), r.quote(refreshTokenTableName))
var clients []clientModel var clients []clientModel
if _, err := r.executor(nil).Select(&clients, q, userID); err != nil { if _, err := r.executor(nil).Select(&clients, q, userID); err != nil {
return nil, err return nil, err
@ -206,6 +210,7 @@ func (r *refreshTokenRepo) ClientsWithRefreshTokens(userID string) ([]client.Cli
// Do not share the secret. // Do not share the secret.
c[i].Credentials.Secret = "" c[i].Credentials.Secret = ""
} }
return c, nil return c, nil
} }

View file

@ -1,7 +1,6 @@
package functional package functional
import ( import (
"encoding/base64"
"fmt" "fmt"
"net/url" "net/url"
"os" "os"
@ -16,7 +15,6 @@ import (
"github.com/coreos/dex/client" "github.com/coreos/dex/client"
"github.com/coreos/dex/client/manager" "github.com/coreos/dex/client/manager"
"github.com/coreos/dex/db" "github.com/coreos/dex/db"
"github.com/coreos/dex/refresh"
"github.com/coreos/dex/session" "github.com/coreos/dex/session"
) )
@ -411,207 +409,3 @@ func TestDBClientAll(t *testing.T) {
t.Fatalf("Retrieved incorrect number of ClientIdentities: want=2 got=%d", count) t.Fatalf("Retrieved incorrect number of ClientIdentities: want=2 got=%d", count)
} }
} }
// buildRefreshToken combines the token ID and token payload to create a new token.
// used in the tests to created a refresh token.
func buildRefreshToken(tokenID int64, tokenPayload []byte) string {
return fmt.Sprintf("%d%s%s", tokenID, refresh.TokenDelimer, base64.URLEncoding.EncodeToString(tokenPayload))
}
func TestDBRefreshRepoCreate(t *testing.T) {
r := db.NewRefreshTokenRepo(connect(t))
tests := []struct {
userID string
clientID string
err error
}{
{
"",
"client-foo",
refresh.ErrorInvalidUserID,
},
{
"user-foo",
"",
refresh.ErrorInvalidClientID,
},
{
"user-foo",
"client-foo",
nil,
},
}
for i, tt := range tests {
token, err := r.Create(tt.userID, tt.clientID)
if err != nil {
if tt.err == nil {
t.Errorf("case %d: create failed: %v", i, err)
}
continue
}
if tt.err != nil {
t.Errorf("case %d: expected error, didn't get one", i)
continue
}
userID, err := r.Verify(tt.clientID, token)
if err != nil {
t.Errorf("case %d: failed to verify good token: %v", i, err)
continue
}
if userID != tt.userID {
t.Errorf("case %d: want userID=%s, got userID=%s", i, tt.userID, userID)
}
}
}
func TestDBRefreshRepoVerify(t *testing.T) {
r := db.NewRefreshTokenRepo(connect(t))
token, err := r.Create("user-foo", "client-foo")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
badTokenPayload, err := refresh.DefaultRefreshTokenGenerator()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
tokenWithBadID := "404" + token[1:]
tokenWithBadPayload := buildRefreshToken(1, badTokenPayload)
tests := []struct {
token string
creds oidc.ClientCredentials
err error
expected string
}{
{
"invalid-token-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
"b/invalid-base64-encoded-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
"1/invalid-base64-encoded-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
token + "corrupted-token-payload",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
// The token's ID content is invalid.
tokenWithBadID,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
// The token's payload content is invalid.
tokenWithBadPayload,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
token,
oidc.ClientCredentials{ID: "invalid-client", Secret: "secret-foo"},
refresh.ErrorInvalidClientID,
"",
},
{
token,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
nil,
"user-foo",
},
}
for i, tt := range tests {
result, err := r.Verify(tt.creds.ID, tt.token)
if err != tt.err {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.err, err)
}
if result != tt.expected {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.expected, result)
}
}
}
func TestDBRefreshRepoRevoke(t *testing.T) {
r := db.NewRefreshTokenRepo(connect(t))
token, err := r.Create("user-foo", "client-foo")
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
badTokenPayload, err := refresh.DefaultRefreshTokenGenerator()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
tokenWithBadID := "404" + token[1:]
tokenWithBadPayload := buildRefreshToken(1, badTokenPayload)
tests := []struct {
token string
userID string
err error
}{
{
"invalid-token-format",
"user-foo",
refresh.ErrorInvalidToken,
},
{
"1/invalid-base64-encoded-format",
"user-foo",
refresh.ErrorInvalidToken,
},
{
token + "corrupted-token-payload",
"user-foo",
refresh.ErrorInvalidToken,
},
{
// The token's ID is invalid.
tokenWithBadID,
"user-foo",
refresh.ErrorInvalidToken,
},
{
// The token's payload is invalid.
tokenWithBadPayload,
"user-foo",
refresh.ErrorInvalidToken,
},
{
token,
"invalid-user",
refresh.ErrorInvalidUserID,
},
{
token,
"user-foo",
nil,
},
}
for i, tt := range tests {
if err := r.Revoke(tt.userID, tt.token); err != tt.err {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.err, err)
}
}
}

View file

@ -2,13 +2,13 @@ package repo
import ( import (
"encoding/base64" "encoding/base64"
"fmt"
"net/url" "net/url"
"os" "sort"
"testing" "testing"
"time" "time"
"github.com/coreos/go-oidc/oidc" "github.com/coreos/go-oidc/oidc"
"github.com/go-gorp/gorp"
"github.com/kylelemons/godebug/pretty" "github.com/kylelemons/godebug/pretty"
"github.com/coreos/dex/client" "github.com/coreos/dex/client"
@ -17,27 +17,14 @@ import (
"github.com/coreos/dex/user" "github.com/coreos/dex/user"
) )
func newRefreshRepo(t *testing.T, users []user.UserWithRemoteIdentities, clients []client.Client) refresh.RefreshTokenRepo { var (
var dbMap *gorp.DbMap testRefreshClientID = "client1"
if dsn := os.Getenv("DEX_TEST_DSN"); dsn == "" { testRefreshClientID2 = "client2"
dbMap = db.NewMemDB() testRefreshClients = []client.LoadableClient{
} else {
dbMap = connect(t)
}
if _, err := db.NewUserRepoFromUsers(dbMap, users); err != nil {
t.Fatalf("Unable to add users: %v", err)
}
return db.NewRefreshTokenRepo(dbMap)
}
func TestRefreshTokenRepo(t *testing.T) {
clientID := "client1"
userID := "user1"
clients := []client.Client{
{ {
Client: client.Client{
Credentials: oidc.ClientCredentials{ Credentials: oidc.ClientCredentials{
ID: clientID, ID: testRefreshClientID,
Secret: base64.URLEncoding.EncodeToString([]byte("secret-2")), Secret: base64.URLEncoding.EncodeToString([]byte("secret-2")),
}, },
Metadata: oidc.ClientMetadata{ Metadata: oidc.ClientMetadata{
@ -46,11 +33,27 @@ func TestRefreshTokenRepo(t *testing.T) {
}, },
}, },
}, },
},
{
Client: client.Client{
Credentials: oidc.ClientCredentials{
ID: testRefreshClientID2,
Secret: base64.URLEncoding.EncodeToString([]byte("secret-2")),
},
Metadata: oidc.ClientMetadata{
RedirectURIs: []url.URL{
url.URL{Scheme: "https", Host: "client2.example.com", Path: "/callback"},
},
},
},
},
} }
users := []user.UserWithRemoteIdentities{
testRefreshUserID = "user1"
testRefreshUsers = []user.UserWithRemoteIdentities{
{ {
User: user.User{ User: user.User{
ID: userID, ID: testRefreshUserID,
Email: "Email-1@example.com", Email: "Email-1@example.com",
CreatedAt: time.Now().Truncate(time.Second), CreatedAt: time.Now().Truncate(time.Second),
}, },
@ -62,31 +65,318 @@ func TestRefreshTokenRepo(t *testing.T) {
}, },
}, },
} }
)
repo := newRefreshRepo(t, users, clients) func newRefreshRepo(t *testing.T, users []user.UserWithRemoteIdentities, clients []client.LoadableClient) refresh.RefreshTokenRepo {
tok, err := repo.Create(userID, clientID) dbMap := connect(t)
if _, err := db.NewUserRepoFromUsers(dbMap, users); err != nil {
t.Fatalf("Unable to add users: %v", err)
}
if _, err := db.NewClientRepoFromClients(dbMap, clients); err != nil {
t.Fatalf("Unable to add clients: %v", err)
}
return db.NewRefreshTokenRepo(dbMap)
}
func TestRefreshTokenRepoCreateVerify(t *testing.T) {
tests := []struct {
createScopes []string
verifyClientID string
wantVerifyErr bool
}{
{
createScopes: []string{"openid", "profile"},
verifyClientID: testRefreshClientID,
},
{
createScopes: []string{},
verifyClientID: testRefreshClientID,
},
{
createScopes: []string{"openid", "profile"},
verifyClientID: "not-a-client",
wantVerifyErr: true,
},
}
for i, tt := range tests {
repo := newRefreshRepo(t, testRefreshUsers, testRefreshClients)
tok, err := repo.Create(testRefreshUserID, testRefreshClientID, tt.createScopes)
if err != nil { if err != nil {
t.Fatalf("failed to create refresh token: %v", err) t.Fatalf("case %d: failed to create refresh token: %v", i, err)
}
if tokUserID, err := repo.Verify(clientID, tok); err != nil {
t.Errorf("Could not verify token: %v", err)
} else if tokUserID != userID {
t.Errorf("Verified token returned wrong user id, want=%s, got=%s", userID, tokUserID)
} }
if userClients, err := repo.ClientsWithRefreshTokens(userID); err != nil { tokUserID, gotScopes, err := repo.Verify(tt.verifyClientID, tok)
t.Errorf("Failed to get the list of clients the user was logged into: %v", err) if tt.wantVerifyErr {
} else { if err == nil {
if diff := pretty.Compare(userClients, clients); diff == "" { t.Errorf("case %d: want non-nil error.", i)
t.Errorf("Clients user logged into: want did not equal got %s", diff)
} }
continue
} }
if err := repo.RevokeTokensForClient(userID, clientID); err != nil { if diff := pretty.Compare(tt.createScopes, gotScopes); diff != "" {
t.Errorf("Failed to revoke refresh token: %v", err) t.Errorf("case %d: Compare(want, got): %v", i, diff)
} }
if _, err := repo.Verify(clientID, tok); err == nil { if err != nil {
t.Errorf("Token which should have been revoked was verified") t.Errorf("case %d: Could not verify token: %v", i, err)
} else if tokUserID != testRefreshUserID {
t.Errorf("case %d: Verified token returned wrong user id, want=%s, got=%s", i,
testRefreshUserID, tokUserID)
}
}
}
// buildRefreshToken combines the token ID and token payload to create a new token.
// used in the tests to created a refresh token.
func buildRefreshToken(tokenID int64, tokenPayload []byte) string {
return fmt.Sprintf("%d%s%s", tokenID, refresh.TokenDelimer, base64.URLEncoding.EncodeToString(tokenPayload))
}
func TestRefreshRepoVerifyInvalidTokens(t *testing.T) {
r := db.NewRefreshTokenRepo(connect(t))
token, err := r.Create("user-foo", "client-foo", oidc.DefaultScope)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
badTokenPayload, err := refresh.DefaultRefreshTokenGenerator()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
tokenWithBadID := "404" + token[1:]
tokenWithBadPayload := buildRefreshToken(1, badTokenPayload)
tests := []struct {
token string
creds oidc.ClientCredentials
err error
expected string
}{
{
"invalid-token-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
"b/invalid-base64-encoded-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
"1/invalid-base64-encoded-format",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
token + "corrupted-token-payload",
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
// The token's ID content is invalid.
tokenWithBadID,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
// The token's payload content is invalid.
tokenWithBadPayload,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
refresh.ErrorInvalidToken,
"",
},
{
token,
oidc.ClientCredentials{ID: "invalid-client", Secret: "secret-foo"},
refresh.ErrorInvalidClientID,
"",
},
{
token,
oidc.ClientCredentials{ID: "client-foo", Secret: "secret-foo"},
nil,
"user-foo",
},
}
for i, tt := range tests {
result, _, err := r.Verify(tt.creds.ID, tt.token)
if err != tt.err {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.err, err)
}
if result != tt.expected {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.expected, result)
}
}
}
func TestRefreshTokenRepoClientsWithRefreshTokens(t *testing.T) {
tests := []struct {
clientIDs []string
}{
{clientIDs: []string{"client1", "client2"}},
{clientIDs: []string{"client1"}},
{clientIDs: []string{}},
}
for i, tt := range tests {
repo := newRefreshRepo(t, testRefreshUsers, testRefreshClients)
for _, clientID := range tt.clientIDs {
_, err := repo.Create(testRefreshUserID, clientID, []string{"openid"})
if err != nil {
t.Fatalf("case %d: client_id: %s couldn't create refresh token: %v", i, clientID, err)
}
}
clients, err := repo.ClientsWithRefreshTokens(testRefreshUserID)
if err != nil {
t.Fatalf("case %d: unexpected error fetching clients %q", i, err)
}
var clientIDs []string
for _, client := range clients {
clientIDs = append(clientIDs, client.Credentials.ID)
}
sort.Strings(clientIDs)
if diff := pretty.Compare(clientIDs, tt.clientIDs); diff != "" {
t.Errorf("case %d: Compare(want, got): %v", i, diff)
}
}
}
func TestRefreshTokenRepoRevokeForClient(t *testing.T) {
tests := []struct {
createIDs []string
revokeID string
}{
{
createIDs: []string{"client1", "client2"},
revokeID: "client1",
},
{
createIDs: []string{"client2"},
revokeID: "client1",
},
{
createIDs: []string{"client1"},
revokeID: "client1",
},
{
createIDs: []string{},
revokeID: "oops",
},
}
for i, tt := range tests {
repo := newRefreshRepo(t, testRefreshUsers, testRefreshClients)
for _, clientID := range tt.createIDs {
_, err := repo.Create(testRefreshUserID, clientID, []string{"openid"})
if err != nil {
t.Fatalf("case %d: client_id: %s couldn't create refresh token: %v", i, clientID, err)
}
if err := repo.RevokeTokensForClient(testRefreshUserID, tt.revokeID); err != nil {
t.Fatalf("case %d: couldn't revoke refresh token(s): %v", i, err)
}
}
var wantIDs []string
for _, id := range tt.createIDs {
if id != tt.revokeID {
wantIDs = append(wantIDs, id)
}
}
clients, err := repo.ClientsWithRefreshTokens(testRefreshUserID)
if err != nil {
t.Fatalf("case %d: unexpected error fetching clients %q", i, err)
}
var gotIDs []string
for _, client := range clients {
gotIDs = append(gotIDs, client.Credentials.ID)
}
sort.Strings(gotIDs)
if diff := pretty.Compare(wantIDs, gotIDs); diff != "" {
t.Errorf("case %d: Compare(wantIDs, gotIDs): %v", i, diff)
}
}
}
func TestRefreshRepoRevoke(t *testing.T) {
r := db.NewRefreshTokenRepo(connect(t))
token, err := r.Create("user-foo", "client-foo", oidc.DefaultScope)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
badTokenPayload, err := refresh.DefaultRefreshTokenGenerator()
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
tokenWithBadID := "404" + token[1:]
tokenWithBadPayload := buildRefreshToken(1, badTokenPayload)
tests := []struct {
token string
userID string
err error
}{
{
"invalid-token-format",
"user-foo",
refresh.ErrorInvalidToken,
},
{
"1/invalid-base64-encoded-format",
"user-foo",
refresh.ErrorInvalidToken,
},
{
token + "corrupted-token-payload",
"user-foo",
refresh.ErrorInvalidToken,
},
{
// The token's ID is invalid.
tokenWithBadID,
"user-foo",
refresh.ErrorInvalidToken,
},
{
// The token's payload is invalid.
tokenWithBadPayload,
"user-foo",
refresh.ErrorInvalidToken,
},
{
token,
"invalid-user",
refresh.ErrorInvalidUserID,
},
{
token,
"user-foo",
nil,
},
}
for i, tt := range tests {
if err := r.Revoke(tt.userID, tt.token); err != tt.err {
t.Errorf("Case #%d: expected: %v, got: %v", i, tt.err, err)
}
} }
} }

View file

@ -12,7 +12,8 @@ import (
func connect(t *testing.T) *gorp.DbMap { func connect(t *testing.T) *gorp.DbMap {
dsn := os.Getenv("DEX_TEST_DSN") dsn := os.Getenv("DEX_TEST_DSN")
if dsn == "" { if dsn == "" {
t.Fatal("DEX_TEST_DSN environment variable not set") return db.NewMemDB()
} }
c, err := db.NewConnection(db.Config{DSN: dsn}) c, err := db.NewConnection(db.Config{DSN: dsn})
if err != nil { if err != nil {

View file

@ -231,7 +231,7 @@ func TestHTTPExchangeTokenRefreshToken(t *testing.T) {
// this will actually happen due to some interaction between the // this will actually happen due to some interaction between the
// end-user and a remote identity provider // end-user and a remote identity provider
sessionID, err := sm.NewSession("bogus_idpc", ci.Credentials.ID, "bogus", url.URL{}, "", false, []string{"openid", "offline_access"}) sessionID, err := sm.NewSession("bogus_idpc", ci.Credentials.ID, "bogus", url.URL{}, "", false, []string{"openid", "offline_access", "email", "profile"})
if err != nil { if err != nil {
t.Fatalf("Unexpected error: %v", err) t.Fatalf("Unexpected error: %v", err)
} }

View file

@ -147,8 +147,10 @@ func makeUserAPITestFixtures() *userAPITestFixtures {
} }
refreshRepo := db.NewRefreshTokenRepo(dbMap) refreshRepo := db.NewRefreshTokenRepo(dbMap)
fmt.Println("DEFAULT: ", oidc.DefaultScope)
for _, user := range userUsers { for _, user := range userUsers {
if _, err := refreshRepo.Create(user.User.ID, testClientID); err != nil { if _, err := refreshRepo.Create(user.User.ID, testClientID,
append([]string{"offline_access"}, oidc.DefaultScope...)); err != nil {
panic("Failed to create refresh token: " + err.Error()) panic("Failed to create refresh token: " + err.Error())
} }
} }

View file

@ -5,6 +5,7 @@ import (
"errors" "errors"
"github.com/coreos/dex/client" "github.com/coreos/dex/client"
"github.com/coreos/dex/scope"
) )
const ( const (
@ -41,11 +42,12 @@ func DefaultRefreshTokenGenerator() ([]byte, error) {
type RefreshTokenRepo interface { type RefreshTokenRepo interface {
// Create generates and returns a new refresh token for the given client-user pair. // Create generates and returns a new refresh token for the given client-user pair.
// On success the token will be return. // On success the token will be return.
Create(userID, clientID string) (string, error) Create(userID, clientID string, scope []string) (string, error)
// Verify verifies that a token belongs to the client, and returns the corresponding user ID. // Verify verifies that a token belongs to the client.
// Note that this assumes the client validation is currently done in the application layer, // It returns the user ID to which the token belongs, and the scopes stored
Verify(clientID, token string) (string, error) // with token.
Verify(clientID, token string) (string, scope.Scopes, error)
// Revoke deletes the refresh token if the token belongs to the given userID. // Revoke deletes the refresh token if the token belongs to the given userID.
Revoke(userID, token string) error Revoke(userID, token string) error

View file

@ -32,3 +32,17 @@ func (s Scopes) CrossClientIDs() []string {
} }
return clients return clients
} }
func (s Scopes) Contains(other Scopes) bool {
rScopes := map[string]struct{}{}
for _, scope := range s {
rScopes[scope] = struct{}{}
}
for _, scope := range other {
if _, ok := rScopes[scope]; !ok {
return false
}
}
return true
}

View file

@ -518,11 +518,12 @@ func handleTokenFunc(srv OIDCServer) http.HandlerFunc {
} }
case oauth2.GrantTypeRefreshToken: case oauth2.GrantTypeRefreshToken:
token := r.PostForm.Get("refresh_token") token := r.PostForm.Get("refresh_token")
scopes := r.PostForm.Get("scope")
if token == "" { if token == "" {
writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), state) writeTokenError(w, oauth2.NewError(oauth2.ErrorInvalidRequest), state)
return return
} }
jwt, err = srv.RefreshToken(creds, token) jwt, err = srv.RefreshToken(creds, strings.Split(scopes, " "), token)
if err != nil { if err != nil {
writeTokenError(w, err, state) writeTokenError(w, err, state)
return return

View file

@ -23,6 +23,7 @@ import (
"github.com/coreos/dex/connector" "github.com/coreos/dex/connector"
"github.com/coreos/dex/pkg/log" "github.com/coreos/dex/pkg/log"
"github.com/coreos/dex/refresh" "github.com/coreos/dex/refresh"
"github.com/coreos/dex/scope"
"github.com/coreos/dex/session" "github.com/coreos/dex/session"
sessionmanager "github.com/coreos/dex/session/manager" sessionmanager "github.com/coreos/dex/session/manager"
"github.com/coreos/dex/user" "github.com/coreos/dex/user"
@ -53,7 +54,7 @@ type OIDCServer interface {
// RefreshToken takes a previously generated refresh token and returns a new ID token // RefreshToken takes a previously generated refresh token and returns a new ID token
// if the token is valid. // if the token is valid.
RefreshToken(creds oidc.ClientCredentials, token string) (*jose.JWT, error) RefreshToken(creds oidc.ClientCredentials, scopes scope.Scopes, token string) (*jose.JWT, error)
KillSession(string) error KillSession(string) error
@ -487,7 +488,7 @@ func (s *Server) CodeToken(creds oidc.ClientCredentials, sessionKey string) (*jo
if scope == "offline_access" { if scope == "offline_access" {
log.Infof("Session %s requests offline access, will generate refresh token", sessionID) log.Infof("Session %s requests offline access, will generate refresh token", sessionID)
refreshToken, err = s.RefreshTokenRepo.Create(ses.UserID, creds.ID) refreshToken, err = s.RefreshTokenRepo.Create(ses.UserID, creds.ID, ses.Scope)
switch err { switch err {
case nil: case nil:
break break
@ -503,7 +504,7 @@ func (s *Server) CodeToken(creds oidc.ClientCredentials, sessionKey string) (*jo
return jwt, refreshToken, nil return jwt, refreshToken, nil
} }
func (s *Server) RefreshToken(creds oidc.ClientCredentials, token string) (*jose.JWT, error) { func (s *Server) RefreshToken(creds oidc.ClientCredentials, scopes scope.Scopes, token string) (*jose.JWT, error) {
ok, err := s.ClientManager.Authenticate(creds) ok, err := s.ClientManager.Authenticate(creds)
if err != nil { if err != nil {
log.Errorf("Failed fetching client %s from repo: %v", creds.ID, err) log.Errorf("Failed fetching client %s from repo: %v", creds.ID, err)
@ -514,7 +515,7 @@ func (s *Server) RefreshToken(creds oidc.ClientCredentials, token string) (*jose
return nil, oauth2.NewError(oauth2.ErrorInvalidClient) return nil, oauth2.NewError(oauth2.ErrorInvalidClient)
} }
userID, err := s.RefreshTokenRepo.Verify(creds.ID, token) userID, rtScopes, err := s.RefreshTokenRepo.Verify(creds.ID, token)
switch err { switch err {
case nil: case nil:
break break
@ -526,6 +527,14 @@ func (s *Server) RefreshToken(creds oidc.ClientCredentials, token string) (*jose
return nil, oauth2.NewError(oauth2.ErrorServerError) return nil, oauth2.NewError(oauth2.ErrorServerError)
} }
if len(scopes) == 0 {
scopes = rtScopes
} else {
if !rtScopes.Contains(scopes) {
return nil, oauth2.NewError(oauth2.ErrorInvalidRequest)
}
}
user, err := s.UserRepo.Get(nil, userID) user, err := s.UserRepo.Get(nil, userID)
if err != nil { if err != nil {
// The error can be user.ErrorNotFound, but we are not deleting // The error can be user.ErrorNotFound, but we are not deleting

View file

@ -488,6 +488,8 @@ func TestServerRefreshToken(t *testing.T) {
clientID string // The client that associates with the token. clientID string // The client that associates with the token.
creds oidc.ClientCredentials creds oidc.ClientCredentials
signer jose.Signer signer jose.Signer
createScopes []string
refreshScopes []string
err error err error
}{ }{
// Everything is good. // Everything is good.
@ -496,14 +498,28 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
testClientCredentials, testClientCredentials,
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
nil, nil,
}, },
// Asking for a scope not originally granted to you.
{
fmt.Sprintf("1/%s", base64.URLEncoding.EncodeToString([]byte("refresh-1"))),
testClientID,
testClientCredentials,
signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile", "extra_scope"},
oauth2.NewError(oauth2.ErrorInvalidRequest),
},
// Invalid refresh token(malformatted). // Invalid refresh token(malformatted).
{ {
"invalid-token", "invalid-token",
testClientID, testClientID,
testClientCredentials, testClientCredentials,
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidRequest), oauth2.NewError(oauth2.ErrorInvalidRequest),
}, },
// Invalid refresh token(invalid payload content). // Invalid refresh token(invalid payload content).
@ -512,6 +528,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
testClientCredentials, testClientCredentials,
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidRequest), oauth2.NewError(oauth2.ErrorInvalidRequest),
}, },
// Invalid refresh token(invalid ID content). // Invalid refresh token(invalid ID content).
@ -520,6 +538,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
testClientCredentials, testClientCredentials,
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidRequest), oauth2.NewError(oauth2.ErrorInvalidRequest),
}, },
// Invalid client(client is not associated with the token). // Invalid client(client is not associated with the token).
@ -528,6 +548,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
clientB.Credentials, clientB.Credentials,
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidClient), oauth2.NewError(oauth2.ErrorInvalidClient),
}, },
// Invalid client(no client ID). // Invalid client(no client ID).
@ -536,6 +558,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
oidc.ClientCredentials{ID: "", Secret: "aaa"}, oidc.ClientCredentials{ID: "", Secret: "aaa"},
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidClient), oauth2.NewError(oauth2.ErrorInvalidClient),
}, },
// Invalid client(no such client). // Invalid client(no such client).
@ -544,6 +568,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
oidc.ClientCredentials{ID: "AAA", Secret: "aaa"}, oidc.ClientCredentials{ID: "AAA", Secret: "aaa"},
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidClient), oauth2.NewError(oauth2.ErrorInvalidClient),
}, },
// Invalid client(no secrets). // Invalid client(no secrets).
@ -552,6 +578,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
oidc.ClientCredentials{ID: testClientID}, oidc.ClientCredentials{ID: testClientID},
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidClient), oauth2.NewError(oauth2.ErrorInvalidClient),
}, },
// Invalid client(invalid secret). // Invalid client(invalid secret).
@ -560,6 +588,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
oidc.ClientCredentials{ID: "bad-id", Secret: "bad-secret"}, oidc.ClientCredentials{ID: "bad-id", Secret: "bad-secret"},
signerFixture, signerFixture,
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorInvalidClient), oauth2.NewError(oauth2.ErrorInvalidClient),
}, },
// Signing operation fails. // Signing operation fails.
@ -568,6 +598,8 @@ func TestServerRefreshToken(t *testing.T) {
testClientID, testClientID,
testClientCredentials, testClientCredentials,
&StaticSigner{sig: nil, err: errors.New("fail")}, &StaticSigner{sig: nil, err: errors.New("fail")},
[]string{"openid", "profile"},
[]string{"openid", "profile"},
oauth2.NewError(oauth2.ErrorServerError), oauth2.NewError(oauth2.ErrorServerError),
}, },
} }
@ -587,11 +619,12 @@ func TestServerRefreshToken(t *testing.T) {
t.Errorf("case %d: error creating other client: %v", i, err) t.Errorf("case %d: error creating other client: %v", i, err)
} }
if _, err := f.srv.RefreshTokenRepo.Create(testUserID1, tt.clientID); err != nil { if _, err := f.srv.RefreshTokenRepo.Create(testUserID1, tt.clientID,
tt.createScopes); err != nil {
t.Fatalf("Unexpected error: %v", err) t.Fatalf("Unexpected error: %v", err)
} }
jwt, err := f.srv.RefreshToken(tt.creds, tt.token) jwt, err := f.srv.RefreshToken(tt.creds, tt.refreshScopes, tt.token)
if !reflect.DeepEqual(err, tt.err) { if !reflect.DeepEqual(err, tt.err) {
t.Errorf("Case %d: expect: %v, got: %v", i, tt.err, err) t.Errorf("Case %d: expect: %v, got: %v", i, tt.err, err)
} }

View file

@ -192,7 +192,7 @@ func makeTestFixtures() (*UsersAPI, *testEmailer) {
} }
refreshRepo := db.NewRefreshTokenRepo(dbMap) refreshRepo := db.NewRefreshTokenRepo(dbMap)
for _, token := range refreshTokens { for _, token := range refreshTokens {
if _, err := refreshRepo.Create(token.userID, token.clientID); err != nil { if _, err := refreshRepo.Create(token.userID, token.clientID, []string{"openid"}); err != nil {
panic("Failed to create refresh token: " + err.Error()) panic("Failed to create refresh token: " + err.Error())
} }
} }