You've already forked authentication-service
mirror of
https://github.com/matrix-org/matrix-authentication-service.git
synced 2025-11-20 12:02:22 +03:00
Remove support for the token response type
This commit is contained in:
Quentin Gliech
@@ -21,26 +21,22 @@ use axum::{
|
||||
Extension,
|
||||
};
|
||||
use axum_extra::extract::PrivateCookieJar;
|
||||
use chrono::Duration;
|
||||
use hyper::StatusCode;
|
||||
use mas_axum_utils::SessionInfoExt;
|
||||
use mas_config::Encrypter;
|
||||
use mas_data_model::{AuthorizationGrant, BrowserSession, TokenType};
|
||||
use mas_data_model::{AuthorizationGrant, BrowserSession};
|
||||
use mas_policy::PolicyFactory;
|
||||
use mas_router::{PostAuthAction, Route};
|
||||
use mas_storage::{
|
||||
oauth2::{
|
||||
access_token::add_access_token,
|
||||
authorization_grant::{derive_session, fulfill_grant, get_grant_by_id},
|
||||
consent::fetch_client_consent,
|
||||
refresh_token::add_refresh_token,
|
||||
},
|
||||
user::ActiveSessionLookupError,
|
||||
PostgresqlBackend,
|
||||
};
|
||||
use mas_templates::Templates;
|
||||
use oauth2_types::requests::{AccessTokenResponse, AuthorizationResponse};
|
||||
use rand::thread_rng;
|
||||
use sqlx::{PgPool, Postgres, Transaction};
|
||||
use thiserror::Error;
|
||||
|
||||
@@ -240,32 +236,9 @@ pub(crate) async fn complete(
|
||||
params.code = Some(code.code);
|
||||
}
|
||||
|
||||
// Did they request an access token?
|
||||
// TODO: maybe we don't want to support the implicit flows
|
||||
if grant.response_type_token {
|
||||
let ttl = Duration::minutes(5);
|
||||
let (access_token_str, refresh_token_str) = {
|
||||
let mut rng = thread_rng();
|
||||
(
|
||||
TokenType::AccessToken.generate(&mut rng),
|
||||
TokenType::RefreshToken.generate(&mut rng),
|
||||
)
|
||||
};
|
||||
|
||||
let access_token = add_access_token(&mut txn, &session, &access_token_str, ttl).await?;
|
||||
|
||||
let _refresh_token =
|
||||
add_refresh_token(&mut txn, &session, access_token, &refresh_token_str).await?;
|
||||
|
||||
params.response = Some(
|
||||
AccessTokenResponse::new(access_token_str)
|
||||
.with_expires_in(ttl)
|
||||
.with_refresh_token(refresh_token_str),
|
||||
);
|
||||
}
|
||||
|
||||
// Did they request an ID token?
|
||||
if grant.response_type_id_token {
|
||||
// TODO
|
||||
return Err(anyhow!("id tokens are not implemented yet").into());
|
||||
}
|
||||
|
||||
|
||||
@@ -215,6 +215,28 @@ pub(crate) async fn get(
|
||||
.await?);
|
||||
}
|
||||
|
||||
// Check if the client asked for a `token` response type, and bail out if it's
|
||||
// the case, since we don't support them
|
||||
if response_type.has_token() {
|
||||
return Ok(callback_destination
|
||||
.go(
|
||||
&templates,
|
||||
ClientError::from(ClientErrorCode::UnsupportedResponseType),
|
||||
)
|
||||
.await?);
|
||||
}
|
||||
|
||||
// If the client asked for a `id_token` response type, we must check if it can
|
||||
// use the `implicit` grant type
|
||||
if response_type.has_id_token() && !client.grant_types.contains(&GrantType::Implicit) {
|
||||
return Ok(callback_destination
|
||||
.go(
|
||||
&templates,
|
||||
ClientError::from(ClientErrorCode::UnauthorizedClient),
|
||||
)
|
||||
.await?);
|
||||
}
|
||||
|
||||
if params.auth.registration.is_some() {
|
||||
return Ok(callback_destination
|
||||
.go(
|
||||
@@ -224,16 +246,6 @@ pub(crate) async fn get(
|
||||
.await?);
|
||||
}
|
||||
|
||||
// Check if it is allowed to use this grant type
|
||||
if !client.grant_types.contains(&GrantType::AuthorizationCode) {
|
||||
return Ok(callback_destination
|
||||
.go(
|
||||
&templates,
|
||||
ClientError::from(ClientErrorCode::UnauthorizedClient),
|
||||
)
|
||||
.await?);
|
||||
}
|
||||
|
||||
// Fail early if prompt=none and there is no active session
|
||||
if prompt.contains(&Prompt::None) && maybe_session.is_none() {
|
||||
return Ok(callback_destination
|
||||
@@ -245,6 +257,16 @@ pub(crate) async fn get(
|
||||
}
|
||||
|
||||
let code: Option<AuthorizationCode> = if response_type.has_code() {
|
||||
// Check if it is allowed to use this grant type
|
||||
if !client.grant_types.contains(&GrantType::AuthorizationCode) {
|
||||
return Ok(callback_destination
|
||||
.go(
|
||||
&templates,
|
||||
ClientError::from(ClientErrorCode::UnauthorizedClient),
|
||||
)
|
||||
.await?);
|
||||
}
|
||||
|
||||
// 32 random alphanumeric characters, about 190bit of entropy
|
||||
let code: String = thread_rng()
|
||||
.sample_iter(&Alphanumeric)
|
||||
@@ -286,7 +308,6 @@ pub(crate) async fn get(
|
||||
params.auth.max_age,
|
||||
None,
|
||||
response_mode,
|
||||
response_type.has_token(),
|
||||
response_type.has_id_token(),
|
||||
requires_consent,
|
||||
)
|
||||
|
||||
@@ -74,11 +74,7 @@ pub(crate) async fn get(
|
||||
|
||||
let response_types_supported = Some(vec![
|
||||
OAuthAuthorizationEndpointResponseType::Code,
|
||||
OAuthAuthorizationEndpointResponseType::Token,
|
||||
OAuthAuthorizationEndpointResponseType::IdToken,
|
||||
OAuthAuthorizationEndpointResponseType::CodeToken,
|
||||
OAuthAuthorizationEndpointResponseType::CodeIdToken,
|
||||
OAuthAuthorizationEndpointResponseType::IdTokenToken,
|
||||
OAuthAuthorizationEndpointResponseType::CodeIdToken,
|
||||
]);
|
||||
|
||||
@@ -88,11 +84,7 @@ pub(crate) async fn get(
|
||||
ResponseMode::Fragment,
|
||||
]);
|
||||
|
||||
let grant_types_supported = Some(vec![
|
||||
GrantType::AuthorizationCode,
|
||||
GrantType::Implicit,
|
||||
GrantType::RefreshToken,
|
||||
]);
|
||||
let grant_types_supported = Some(vec![GrantType::AuthorizationCode, GrantType::RefreshToken]);
|
||||
|
||||
let token_endpoint_auth_methods_supported = client_auth_methods_supported.clone();
|
||||
let token_endpoint_auth_signing_alg_values_supported =
|
||||
|
||||
Reference in New Issue
Block a user