package refresh
import (
"crypto/rand"
"errors"
"github.com/coreos/dex/client"
"github.com/coreos/dex/scope"
)
const (
	// DefaultRefreshTokenPayloadLength is the number of random bytes that
	// DefaultRefreshTokenGenerator produces for a refresh token payload.
	DefaultRefreshTokenPayloadLength = 64
	// TokenDelimer presumably separates the components of an encoded refresh
	// token string; its use is not visible in this file. The misspelling of
	// "delimiter" is part of the exported API and is kept for compatibility.
	TokenDelimer = "/"
)
// Sentinel errors for RefreshTokenRepo implementations. Which method returns
// which error is not shown in this file.
var (
	// ErrorInvalidUserID reports a user ID the repository does not accept.
	ErrorInvalidUserID = errors.New("invalid user ID")
	// ErrorInvalidClientID reports a client ID the repository does not accept.
	ErrorInvalidClientID = errors.New("invalid client ID")
	// ErrorInvalidToken reports a refresh token that is unknown, malformed,
	// or otherwise not acceptable to the repository.
	ErrorInvalidToken = errors.New("invalid token")
)
// RefreshTokenGenerator produces the payload bytes of a new refresh token.
// DefaultRefreshTokenGenerator has this signature.
type RefreshTokenGenerator func() ([]byte, error)

// Generate invokes the underlying generator function and returns its result
// unchanged.
func (g RefreshTokenGenerator) Generate() ([]byte, error) {
	payload, err := g()
	return payload, err
}
// DefaultRefreshTokenGenerator returns DefaultRefreshTokenPayloadLength bytes
// drawn from crypto/rand. It has the RefreshTokenGenerator signature. The
// payload is later presented as a credential (see RefreshTokenRepo.Verify),
// so only a cryptographically secure random source is acceptable here.
//
// It returns the rand.Read error unchanged, or an error if fewer bytes than
// requested were read.
func DefaultRefreshTokenGenerator() ([]byte, error) {
	// TODO(yifan) Remove this duplicated token generate function.
	payload := make([]byte, DefaultRefreshTokenPayloadLength)
	read, err := rand.Read(payload)
	switch {
	case err != nil:
		return nil, err
	case read != DefaultRefreshTokenPayloadLength:
		// Defensive: a short payload would be a weaker secret than intended,
		// so refuse it explicitly rather than hand back a partially filled buffer.
		return nil, errors.New("unable to read enough random bytes")
	}
	return payload, nil
}
// RefreshTokenRepo stores refresh tokens and supports the operations the OIDC
// refresh flow needs: issuing, verifying, renewing and revoking tokens.
type RefreshTokenRepo interface {
	// Create generates and returns a new refresh token for the given client-user pair.
	// The scopes will be stored with the refresh token, and used to verify
	// against future OIDC refresh requests' scopes.
	// On success the token will be returned.
	Create(userID, clientID, connectorID string, scope []string) (string, error)

	// Verify verifies that a token belongs to the client; a token presented
	// with a clientID other than the one it was issued to must not verify.
	// It returns the user ID and connector ID to which the token belongs, and
	// the scopes stored with the token.
	Verify(clientID, token string) (userID, connectorID string, scope scope.Scopes, err error)

	// Revoke deletes the refresh token if the token belongs to the given userID.
	Revoke(userID, token string) error

	// RenewRefreshToken revokes oldToken and generates a new refresh token for
	// the same client-user pair; the new token is returned.
	RenewRefreshToken(clientID, userID, oldToken string) (newRefreshToken string, err error)

	// RevokeTokensForClient revokes all tokens issued for the userID for the provided client.
	RevokeTokensForClient(userID, clientID string) error

	// ClientsWithRefreshTokens returns a list of all clients for which the user
	// has an outstanding refresh token.
	ClientsWithRefreshTokens(userID string) ([]client.Client, error)
}