32a1994a5e
A refresh request must fail if it asks for scopes that were not originally granted when the refresh token was obtained. This Commit: * changes repo to store scopes with tokens * changes repo interface signatures so that scopes can be stored and verified * updates dependent code to pass along scopes
package scope
import "strings"
// ScopeGoogleCrossClient is the scope prefix that initiates a cross-client
// authentication flow; the text following the prefix names the audience
// client ID. See https://developers.google.com/identity/protocols/CrossClientAuth
const ScopeGoogleCrossClient = "audience:server:client_id:"
// Scopes is a list of OAuth2 scope strings, as attached to a token. Membership
// checks are exact, case-sensitive string comparisons.
type Scopes []string
// OfflineAccess reports whether s includes the "offline_access" scope
// (the OpenID Connect scope under which a refresh token is requested).
func (s Scopes) OfflineAccess() bool {
	const offlineAccessScope = "offline_access"
	return s.HasScope(offlineAccessScope)
}
// HasScope reports whether scope appears in s. The comparison is an exact,
// case-sensitive string match; a nil or empty receiver never matches.
func (s Scopes) HasScope(scope string) bool {
	for i := range s {
		if s[i] == scope {
			return true
		}
	}
	return false
}
// CrossClientIDs returns the client IDs named by every scope in s that starts
// with ScopeGoogleCrossClient, in the order the scopes appear. The prefix is
// stripped and nothing else is validated: a scope that consists of only the
// prefix yields an empty ID, so callers that match the IDs against registered
// clients must expect that. The result is a non-nil (possibly empty) slice.
func (s Scopes) CrossClientIDs() []string {
	ids := make([]string, 0)
	for _, sc := range s {
		id := strings.TrimPrefix(sc, ScopeGoogleCrossClient)
		if id == sc {
			// no prefix present; not a cross-client scope
			continue
		}
		ids = append(ids, id)
	}
	return ids
}
// Contains reports whether every scope in other is also present in s, i.e.
// whether s is a superset of other. It is the check used to reject a refresh
// request that asks for scopes beyond those originally granted, so it must be
// called on the granted set with the requested set as the argument:
// granted.Contains(requested). Comparisons are exact string matches; an empty
// or nil other is vacuously contained, and duplicates have no effect.
func (s Scopes) Contains(other Scopes) bool {
	granted := make(map[string]struct{}, len(s))
	for _, sc := range s {
		granted[sc] = struct{}{}
	}
	for _, want := range other {
		if _, found := granted[want]; found {
			continue
		}
		return false
	}
	return true
}