Do not refresh id token claims if refresh token is allowed to reuse

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
This commit is contained in:
m.nabokikh 2021-01-11 14:06:31 +04:00
parent 0c75ed12e2
commit 4e73f39f57

View file

@ -91,6 +91,7 @@ func (s *Server) getRefreshTokenFromStorage(clientID string, token *internal.Ref
s.logger.Errorf("refresh token with id %s expired", refresh.ID) s.logger.Errorf("refresh token with id %s expired", refresh.ID)
return storage.RefreshToken{}, &rerr return storage.RefreshToken{}, &rerr
} }
if s.refreshTokenPolicy.ExpiredBecauseUnused(refresh.LastUsed) { if s.refreshTokenPolicy.ExpiredBecauseUnused(refresh.LastUsed) {
s.logger.Errorf("refresh token with id %s expired because being unused", refresh.ID) s.logger.Errorf("refresh token with id %s expired because being unused", refresh.ID)
return storage.RefreshToken{}, &rerr return storage.RefreshToken{}, &rerr
@ -131,7 +132,7 @@ func (s *Server) getRefreshScopes(r *http.Request, refresh *storage.RefreshToken
return requestedScopes, nil return requestedScopes, nil
} }
func (s *Server) refreshWithConnector(ctx context.Context, refresh *storage.RefreshToken, scopes []string) (connector.Identity, *refreshError) { func (s *Server) refreshWithConnector(ctx context.Context, token *internal.RefreshToken, refresh *storage.RefreshToken, scopes []string) (connector.Identity, *refreshError) {
var connectorData []byte var connectorData []byte
rerr := refreshError{msg: errInvalidRequest, desc: "", code: http.StatusInternalServerError} rerr := refreshError{msg: errInvalidRequest, desc: "", code: http.StatusInternalServerError}
@ -166,6 +167,12 @@ func (s *Server) refreshWithConnector(ctx context.Context, refresh *storage.Refr
ConnectorData: connectorData, ConnectorData: connectorData,
} }
// user's token was previously updated by a connector and is allowed to reuse
// it is excessive to refresh identity in upstream
if s.refreshTokenPolicy.AllowedToReuse(refresh.LastUsed) && token.Token == refresh.ObsoleteToken {
return ident, nil
}
// Can the connector refresh the identity? If so, attempt to refresh the data // Can the connector refresh the identity? If so, attempt to refresh the data
// in the connector. // in the connector.
// //
@ -272,7 +279,7 @@ func (s *Server) handleRefreshToken(w http.ResponseWriter, r *http.Request, clie
return return
} }
ident, rerr := s.refreshWithConnector(r.Context(), &refresh, scopes) ident, rerr := s.refreshWithConnector(r.Context(), token, &refresh, scopes)
if rerr != nil { if rerr != nil {
s.refreshTokenErrHelper(w, rerr) s.refreshTokenErrHelper(w, rerr)
return return