matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-31 09:24:31 +03:00
Code Activity

Remove support for the token response type

Browse Source
This commit is contained in:
Quentin Gliech
2022-09-02 12:00:14 +02:00
parent 7b281f4c21
commit 495285162b
8 changed files with 499 additions and 501 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/data-model/src/oauth2/authorization_grant.rs
View File

@ -173,7 +173,6 @@ pub struct AuthorizationGrant<T: StorageBackend> {
pub max_age: Option<NonZeroU32>, pub max_age: Option<NonZeroU32>,
pub acr_values: Option<String>, pub acr_values: Option<String>,
pub response_mode: ResponseMode, pub response_mode: ResponseMode,
pub response_type_token: bool,
pub response_type_id_token: bool, pub response_type_id_token: bool,
pub created_at: DateTime<Utc>, pub created_at: DateTime<Utc>,
pub requires_consent: bool, pub requires_consent: bool,
@ -193,7 +192,6 @@ impl<S: StorageBackendMarker> From<AuthorizationGrant<S>> for AuthorizationGrant
max_age: g.max_age, max_age: g.max_age,
acr_values: g.acr_values, acr_values: g.acr_values,
response_mode: g.response_mode, response_mode: g.response_mode,
response_type_token: g.response_type_token,
response_type_id_token: g.response_type_id_token, response_type_id_token: g.response_type_id_token,
created_at: g.created_at, created_at: g.created_at,
requires_consent: g.requires_consent, requires_consent: g.requires_consent,

31
crates/handlers/src/oauth2/authorization/complete.rs
View File

@ -21,26 +21,22 @@ use axum::{
Extension, Extension,
}; };
use axum_extra::extract::PrivateCookieJar; use axum_extra::extract::PrivateCookieJar;
use chrono::Duration;
use hyper::StatusCode; use hyper::StatusCode;
use mas_axum_utils::SessionInfoExt; use mas_axum_utils::SessionInfoExt;
use mas_config::Encrypter; use mas_config::Encrypter;
use mas_data_model::{AuthorizationGrant, BrowserSession, TokenType}; use mas_data_model::{AuthorizationGrant, BrowserSession};
use mas_policy::PolicyFactory; use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route}; use mas_router::{PostAuthAction, Route};
use mas_storage::{ use mas_storage::{
oauth2::{ oauth2::{
access_token::add_access_token,
authorization_grant::{derive_session, fulfill_grant, get_grant_by_id}, authorization_grant::{derive_session, fulfill_grant, get_grant_by_id},
consent::fetch_client_consent, consent::fetch_client_consent,
refresh_token::add_refresh_token,
}, },
user::ActiveSessionLookupError, user::ActiveSessionLookupError,
PostgresqlBackend, PostgresqlBackend,
}; };
use mas_templates::Templates; use mas_templates::Templates;
use oauth2_types::requests::{AccessTokenResponse, AuthorizationResponse}; use oauth2_types::requests::{AccessTokenResponse, AuthorizationResponse};
use rand::thread_rng;
use sqlx::{PgPool, Postgres, Transaction}; use sqlx::{PgPool, Postgres, Transaction};
use thiserror::Error; use thiserror::Error;
@ -240,32 +236,9 @@ pub(crate) async fn complete(
params.code = Some(code.code); params.code = Some(code.code);
} }
// Did they request an access token?
// TODO: maybe we don't want to support the implicit flows
if grant.response_type_token {
let ttl = Duration::minutes(5);
let (access_token_str, refresh_token_str) = {
let mut rng = thread_rng();
(
TokenType::AccessToken.generate(&mut rng),
TokenType::RefreshToken.generate(&mut rng),
)
};
let access_token = add_access_token(&mut txn, &session, &access_token_str, ttl).await?;
let _refresh_token =
add_refresh_token(&mut txn, &session, access_token, &refresh_token_str).await?;
params.response = Some(
AccessTokenResponse::new(access_token_str)
.with_expires_in(ttl)
.with_refresh_token(refresh_token_str),
);
}
// Did they request an ID token? // Did they request an ID token?
if grant.response_type_id_token { if grant.response_type_id_token {
// TODO
return Err(anyhow!("id tokens are not implemented yet").into()); return Err(anyhow!("id tokens are not implemented yet").into());
} }

43
crates/handlers/src/oauth2/authorization/mod.rs
View File

@ -215,6 +215,28 @@ pub(crate) async fn get(
.await?); .await?);
} }
// Check if the client asked for a `token` response type, and bail out if it's
// the case, since we don't support them
if response_type.has_token() {
return Ok(callback_destination
.go(
&templates,
ClientError::from(ClientErrorCode::UnsupportedResponseType),
)
.await?);
}
// If the client asked for a `id_token` response type, we must check if it can
// use the `implicit` grant type
if response_type.has_id_token() && !client.grant_types.contains(&GrantType::Implicit) {
return Ok(callback_destination
.go(
&templates,
ClientError::from(ClientErrorCode::UnauthorizedClient),
)
.await?);
}
if params.auth.registration.is_some() { if params.auth.registration.is_some() {
return Ok(callback_destination return Ok(callback_destination
.go( .go(
@ -224,16 +246,6 @@ pub(crate) async fn get(
.await?); .await?);
} }
// Check if it is allowed to use this grant type
if !client.grant_types.contains(&GrantType::AuthorizationCode) {
return Ok(callback_destination
.go(
&templates,
ClientError::from(ClientErrorCode::UnauthorizedClient),
)
.await?);
}
// Fail early if prompt=none and there is no active session // Fail early if prompt=none and there is no active session
if prompt.contains(&Prompt::None) && maybe_session.is_none() { if prompt.contains(&Prompt::None) && maybe_session.is_none() {
return Ok(callback_destination return Ok(callback_destination
@ -245,6 +257,16 @@ pub(crate) async fn get(
} }
let code: Option<AuthorizationCode> = if response_type.has_code() { let code: Option<AuthorizationCode> = if response_type.has_code() {
// Check if it is allowed to use this grant type
if !client.grant_types.contains(&GrantType::AuthorizationCode) {
return Ok(callback_destination
.go(
&templates,
ClientError::from(ClientErrorCode::UnauthorizedClient),
)
.await?);
}
// 32 random alphanumeric characters, about 190bit of entropy // 32 random alphanumeric characters, about 190bit of entropy
let code: String = thread_rng() let code: String = thread_rng()
.sample_iter(&Alphanumeric) .sample_iter(&Alphanumeric)
@ -286,7 +308,6 @@ pub(crate) async fn get(
params.auth.max_age, params.auth.max_age,
None, None,
response_mode, response_mode,
response_type.has_token(),
response_type.has_id_token(), response_type.has_id_token(),
requires_consent, requires_consent,
) )

10
crates/handlers/src/oauth2/discovery.rs
View File

@ -74,11 +74,7 @@ pub(crate) async fn get(
let response_types_supported = Some(vec![ let response_types_supported = Some(vec![
OAuthAuthorizationEndpointResponseType::Code, OAuthAuthorizationEndpointResponseType::Code,
OAuthAuthorizationEndpointResponseType::Token,
OAuthAuthorizationEndpointResponseType::IdToken, OAuthAuthorizationEndpointResponseType::IdToken,
OAuthAuthorizationEndpointResponseType::CodeToken,
OAuthAuthorizationEndpointResponseType::CodeIdToken,
OAuthAuthorizationEndpointResponseType::IdTokenToken,
OAuthAuthorizationEndpointResponseType::CodeIdToken, OAuthAuthorizationEndpointResponseType::CodeIdToken,
]); ]);
@ -88,11 +84,7 @@ pub(crate) async fn get(
ResponseMode::Fragment, ResponseMode::Fragment,
]); ]);
let grant_types_supported = Some(vec![ let grant_types_supported = Some(vec![GrantType::AuthorizationCode, GrantType::RefreshToken]);
GrantType::AuthorizationCode,
GrantType::Implicit,
GrantType::RefreshToken,
]);
let token_endpoint_auth_methods_supported = client_auth_methods_supported.clone(); let token_endpoint_auth_methods_supported = client_auth_methods_supported.clone();
let token_endpoint_auth_signing_alg_values_supported = let token_endpoint_auth_signing_alg_values_supported =

19
crates/storage/migrations/20220902093231_oauth_remove_token_grant.down.sql Normal file
View File

@ -0,0 +1,19 @@
-- Copyright 2022 The Matrix.org Foundation C.I.C.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
ALTER TABLE oauth2_authorization_grants
ADD COLUMN "response_type_token" BOOLEAN NOT NULL DEFAULT 'f';
ALTER TABLE oauth2_authorization_grants
ALTER COLUMN "response_type_token" DROP DEFAULT;

16
crates/storage/migrations/20220902093231_oauth_remove_token_grant.up.sql Normal file
View File

@ -0,0 +1,16 @@
-- Copyright 2022 The Matrix.org Foundation C.I.C.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
ALTER TABLE oauth2_authorization_grants
DROP COLUMN "response_type_token";

867
crates/storage/sqlx-data.json
View File

@ -13,206 +13,6 @@
}, },
"query": "\n UPDATE compat_refresh_tokens\n SET next_token_id = $2\n WHERE id = $1\n " "query": "\n UPDATE compat_refresh_tokens\n SET next_token_id = $2\n WHERE id = $1\n "
}, },
"08896e50738af687ac53dc5ac5ae0b19bcac7503230ba90e11de799978d7a026": {
"describe": {
"columns": [
{
"name": "grant_id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "grant_created_at",
"ordinal": 1,
"type_info": "Timestamptz"
},
{
"name": "grant_cancelled_at",
"ordinal": 2,
"type_info": "Timestamptz"
},
{
"name": "grant_fulfilled_at",
"ordinal": 3,
"type_info": "Timestamptz"
},
{
"name": "grant_exchanged_at",
"ordinal": 4,
"type_info": "Timestamptz"
},
{
"name": "grant_scope",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "grant_state",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "grant_redirect_uri",
"ordinal": 7,
"type_info": "Text"
},
{
"name": "grant_response_mode",
"ordinal": 8,
"type_info": "Text"
},
{
"name": "grant_nonce",
"ordinal": 9,
"type_info": "Text"
},
{
"name": "grant_max_age",
"ordinal": 10,
"type_info": "Int4"
},
{
"name": "grant_acr_values",
"ordinal": 11,
"type_info": "Text"
},
{
"name": "oauth2_client_id",
"ordinal": 12,
"type_info": "Int8"
},
{
"name": "grant_code",
"ordinal": 13,
"type_info": "Text"
},
{
"name": "grant_response_type_code",
"ordinal": 14,
"type_info": "Bool"
},
{
"name": "grant_response_type_token",
"ordinal": 15,
"type_info": "Bool"
},
{
"name": "grant_response_type_id_token",
"ordinal": 16,
"type_info": "Bool"
},
{
"name": "grant_code_challenge",
"ordinal": 17,
"type_info": "Text"
},
{
"name": "grant_code_challenge_method",
"ordinal": 18,
"type_info": "Text"
},
{
"name": "grant_requires_consent",
"ordinal": 19,
"type_info": "Bool"
},
{
"name": "session_id?",
"ordinal": 20,
"type_info": "Int8"
},
{
"name": "user_session_id?",
"ordinal": 21,
"type_info": "Int8"
},
{
"name": "user_session_created_at?",
"ordinal": 22,
"type_info": "Timestamptz"
},
{
"name": "user_id?",
"ordinal": 23,
"type_info": "Int8"
},
{
"name": "user_username?",
"ordinal": 24,
"type_info": "Text"
},
{
"name": "user_session_last_authentication_id?",
"ordinal": 25,
"type_info": "Int8"
},
{
"name": "user_session_last_authentication_created_at?",
"ordinal": 26,
"type_info": "Timestamptz"
},
{
"name": "user_email_id?",
"ordinal": 27,
"type_info": "Int8"
},
{
"name": "user_email?",
"ordinal": 28,
"type_info": "Text"
},
{
"name": "user_email_created_at?",
"ordinal": 29,
"type_info": "Timestamptz"
},
{
"name": "user_email_confirmed_at?",
"ordinal": 30,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
true,
false,
true,
false,
false,
false,
true,
true,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
true
],
"parameters": {
"Left": [
"Int8"
]
}
},
"query": "\n SELECT\n og.id AS grant_id,\n og.created_at AS grant_created_at,\n og.cancelled_at AS grant_cancelled_at,\n og.fulfilled_at AS grant_fulfilled_at,\n og.exchanged_at AS grant_exchanged_at,\n og.scope AS grant_scope,\n og.state AS grant_state,\n og.redirect_uri AS grant_redirect_uri,\n og.response_mode AS grant_response_mode,\n og.nonce AS grant_nonce,\n og.max_age AS grant_max_age,\n og.acr_values AS grant_acr_values,\n og.oauth2_client_id AS oauth2_client_id,\n og.code AS grant_code,\n og.response_type_code AS grant_response_type_code,\n og.response_type_token AS grant_response_type_token,\n og.response_type_id_token AS grant_response_type_id_token,\n og.code_challenge AS grant_code_challenge,\n og.code_challenge_method AS grant_code_challenge_method,\n og.requires_consent AS grant_requires_consent,\n os.id AS \"session_id?\",\n us.id AS \"user_session_id?\",\n us.created_at AS \"user_session_created_at?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n usa.id AS \"user_session_last_authentication_id?\",\n usa.created_at AS \"user_session_last_authentication_created_at?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM\n oauth2_authorization_grants og\n LEFT JOIN oauth2_sessions os\n ON os.id = og.oauth2_session_id\n LEFT JOIN user_sessions us\n ON us.id = os.user_session_id\n LEFT JOIN users u\n ON u.id = us.user_id\n LEFT JOIN user_session_authentications usa\n ON usa.session_id = us.id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n\n WHERE og.id = $1\n\n ORDER BY usa.created_at DESC\n LIMIT 1\n "
},
"096060f2be446fd77ee29308c673f9ba9210fb110444f4fccfeb976424ef4376": { "096060f2be446fd77ee29308c673f9ba9210fb110444f4fccfeb976424ef4376": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -253,46 +53,6 @@
}, },
"query": "\n INSERT INTO oauth2_refresh_tokens\n (oauth2_session_id, oauth2_access_token_id, token)\n VALUES\n ($1, $2, $3)\n RETURNING\n id, created_at\n " "query": "\n INSERT INTO oauth2_refresh_tokens\n (oauth2_session_id, oauth2_access_token_id, token)\n VALUES\n ($1, $2, $3)\n RETURNING\n id, created_at\n "
}, },
"0ce16ae459b815e4fbef78784fafea08b30443741b6817dd1d722f4960dc19f8": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "created_at",
"ordinal": 1,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false
],
"parameters": {
"Left": [
"Int8",
"Text",
"Text",
"Text",
"Text",
"Int4",
"Text",
"Text",
"Text",
"Text",
"Bool",
"Bool",
"Bool",
"Text",
"Bool"
]
}
},
"query": "\n INSERT INTO oauth2_authorization_grants\n (oauth2_client_id, redirect_uri, scope, state, nonce, max_age,\n acr_values, response_mode, code_challenge, code_challenge_method,\n response_type_code, response_type_token, response_type_id_token,\n code, requires_consent)\n VALUES\n ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)\n RETURNING id, created_at\n "
},
"11f29a7b467bef1cf483d91eede7849707e01847542e4fc3c1be702560bf36bf": { "11f29a7b467bef1cf483d91eede7849707e01847542e4fc3c1be702560bf36bf": {
"describe": { "describe": {
"columns": [ "columns": [
@ -1498,6 +1258,200 @@
}, },
"query": "\n SELECT\n cl.id AS \"compat_sso_login_id\",\n cl.token AS \"compat_sso_login_token\",\n cl.redirect_uri AS \"compat_sso_login_redirect_uri\",\n cl.created_at AS \"compat_sso_login_created_at\",\n cl.fullfilled_at AS \"compat_sso_login_fullfilled_at\",\n cl.exchanged_at AS \"compat_sso_login_exchanged_at\",\n cs.id AS \"compat_session_id?\",\n cs.created_at AS \"compat_session_created_at?\",\n cs.deleted_at AS \"compat_session_deleted_at?\",\n cs.device_id AS \"compat_session_device_id?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM compat_sso_logins cl\n LEFT JOIN compat_sessions cs\n ON cs.id = cl.compat_session_id\n LEFT JOIN users u\n ON u.id = cs.user_id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n WHERE cl.id = $1\n " "query": "\n SELECT\n cl.id AS \"compat_sso_login_id\",\n cl.token AS \"compat_sso_login_token\",\n cl.redirect_uri AS \"compat_sso_login_redirect_uri\",\n cl.created_at AS \"compat_sso_login_created_at\",\n cl.fullfilled_at AS \"compat_sso_login_fullfilled_at\",\n cl.exchanged_at AS \"compat_sso_login_exchanged_at\",\n cs.id AS \"compat_session_id?\",\n cs.created_at AS \"compat_session_created_at?\",\n cs.deleted_at AS \"compat_session_deleted_at?\",\n cs.device_id AS \"compat_session_device_id?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM compat_sso_logins cl\n LEFT JOIN compat_sessions cs\n ON cs.id = cl.compat_session_id\n LEFT JOIN users u\n ON u.id = cs.user_id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n WHERE cl.id = $1\n "
}, },
"841760e75d0a3a5b4bad5988cf35757d0812389dd765c05c7487dad07160173a": {
"describe": {
"columns": [
{
"name": "grant_id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "grant_created_at",
"ordinal": 1,
"type_info": "Timestamptz"
},
{
"name": "grant_cancelled_at",
"ordinal": 2,
"type_info": "Timestamptz"
},
{
"name": "grant_fulfilled_at",
"ordinal": 3,
"type_info": "Timestamptz"
},
{
"name": "grant_exchanged_at",
"ordinal": 4,
"type_info": "Timestamptz"
},
{
"name": "grant_scope",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "grant_state",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "grant_redirect_uri",
"ordinal": 7,
"type_info": "Text"
},
{
"name": "grant_response_mode",
"ordinal": 8,
"type_info": "Text"
},
{
"name": "grant_nonce",
"ordinal": 9,
"type_info": "Text"
},
{
"name": "grant_max_age",
"ordinal": 10,
"type_info": "Int4"
},
{
"name": "grant_acr_values",
"ordinal": 11,
"type_info": "Text"
},
{
"name": "oauth2_client_id",
"ordinal": 12,
"type_info": "Int8"
},
{
"name": "grant_code",
"ordinal": 13,
"type_info": "Text"
},
{
"name": "grant_response_type_code",
"ordinal": 14,
"type_info": "Bool"
},
{
"name": "grant_response_type_id_token",
"ordinal": 15,
"type_info": "Bool"
},
{
"name": "grant_code_challenge",
"ordinal": 16,
"type_info": "Text"
},
{
"name": "grant_code_challenge_method",
"ordinal": 17,
"type_info": "Text"
},
{
"name": "grant_requires_consent",
"ordinal": 18,
"type_info": "Bool"
},
{
"name": "session_id?",
"ordinal": 19,
"type_info": "Int8"
},
{
"name": "user_session_id?",
"ordinal": 20,
"type_info": "Int8"
},
{
"name": "user_session_created_at?",
"ordinal": 21,
"type_info": "Timestamptz"
},
{
"name": "user_id?",
"ordinal": 22,
"type_info": "Int8"
},
{
"name": "user_username?",
"ordinal": 23,
"type_info": "Text"
},
{
"name": "user_session_last_authentication_id?",
"ordinal": 24,
"type_info": "Int8"
},
{
"name": "user_session_last_authentication_created_at?",
"ordinal": 25,
"type_info": "Timestamptz"
},
{
"name": "user_email_id?",
"ordinal": 26,
"type_info": "Int8"
},
{
"name": "user_email?",
"ordinal": 27,
"type_info": "Text"
},
{
"name": "user_email_created_at?",
"ordinal": 28,
"type_info": "Timestamptz"
},
{
"name": "user_email_confirmed_at?",
"ordinal": 29,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
true
],
"parameters": {
"Left": [
"Int8"
]
}
},
"query": "\n SELECT\n og.id AS grant_id,\n og.created_at AS grant_created_at,\n og.cancelled_at AS grant_cancelled_at,\n og.fulfilled_at AS grant_fulfilled_at,\n og.exchanged_at AS grant_exchanged_at,\n og.scope AS grant_scope,\n og.state AS grant_state,\n og.redirect_uri AS grant_redirect_uri,\n og.response_mode AS grant_response_mode,\n og.nonce AS grant_nonce,\n og.max_age AS grant_max_age,\n og.acr_values AS grant_acr_values,\n og.oauth2_client_id AS oauth2_client_id,\n og.code AS grant_code,\n og.response_type_code AS grant_response_type_code,\n og.response_type_id_token AS grant_response_type_id_token,\n og.code_challenge AS grant_code_challenge,\n og.code_challenge_method AS grant_code_challenge_method,\n og.requires_consent AS grant_requires_consent,\n os.id AS \"session_id?\",\n us.id AS \"user_session_id?\",\n us.created_at AS \"user_session_created_at?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n usa.id AS \"user_session_last_authentication_id?\",\n usa.created_at AS \"user_session_last_authentication_created_at?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM\n oauth2_authorization_grants og\n LEFT JOIN oauth2_sessions os\n ON os.id = og.oauth2_session_id\n LEFT JOIN user_sessions us\n ON us.id = os.user_session_id\n LEFT JOIN users u\n ON u.id = us.user_id\n LEFT JOIN user_session_authentications usa\n ON usa.session_id = us.id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n\n WHERE og.id = $1\n\n ORDER BY usa.created_at DESC\n LIMIT 1\n "
},
"860722788c244caf722d1941e4b83aa421fd179586f9a1c2342c539fcb6c6361": { "860722788c244caf722d1941e4b83aa421fd179586f9a1c2342c539fcb6c6361": {
"describe": { "describe": {
"columns": [ "columns": [
@ -1674,206 +1628,6 @@
}, },
"query": "\n INSERT INTO compat_sso_logins (token, redirect_uri)\n VALUES ($1, $2)\n RETURNING id, created_at\n " "query": "\n INSERT INTO compat_sso_logins (token, redirect_uri)\n VALUES ($1, $2)\n RETURNING id, created_at\n "
}, },
"9882e49f34dff80c1442565f035a1b47ed4dbae1a405f58cf2db198885bb9f47": {
"describe": {
"columns": [
{
"name": "grant_id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "grant_created_at",
"ordinal": 1,
"type_info": "Timestamptz"
},
{
"name": "grant_cancelled_at",
"ordinal": 2,
"type_info": "Timestamptz"
},
{
"name": "grant_fulfilled_at",
"ordinal": 3,
"type_info": "Timestamptz"
},
{
"name": "grant_exchanged_at",
"ordinal": 4,
"type_info": "Timestamptz"
},
{
"name": "grant_scope",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "grant_state",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "grant_redirect_uri",
"ordinal": 7,
"type_info": "Text"
},
{
"name": "grant_response_mode",
"ordinal": 8,
"type_info": "Text"
},
{
"name": "grant_nonce",
"ordinal": 9,
"type_info": "Text"
},
{
"name": "grant_max_age",
"ordinal": 10,
"type_info": "Int4"
},
{
"name": "grant_acr_values",
"ordinal": 11,
"type_info": "Text"
},
{
"name": "oauth2_client_id",
"ordinal": 12,
"type_info": "Int8"
},
{
"name": "grant_code",
"ordinal": 13,
"type_info": "Text"
},
{
"name": "grant_response_type_code",
"ordinal": 14,
"type_info": "Bool"
},
{
"name": "grant_response_type_token",
"ordinal": 15,
"type_info": "Bool"
},
{
"name": "grant_response_type_id_token",
"ordinal": 16,
"type_info": "Bool"
},
{
"name": "grant_code_challenge",
"ordinal": 17,
"type_info": "Text"
},
{
"name": "grant_code_challenge_method",
"ordinal": 18,
"type_info": "Text"
},
{
"name": "grant_requires_consent",
"ordinal": 19,
"type_info": "Bool"
},
{
"name": "session_id?",
"ordinal": 20,
"type_info": "Int8"
},
{
"name": "user_session_id?",
"ordinal": 21,
"type_info": "Int8"
},
{
"name": "user_session_created_at?",
"ordinal": 22,
"type_info": "Timestamptz"
},
{
"name": "user_id?",
"ordinal": 23,
"type_info": "Int8"
},
{
"name": "user_username?",
"ordinal": 24,
"type_info": "Text"
},
{
"name": "user_session_last_authentication_id?",
"ordinal": 25,
"type_info": "Int8"
},
{
"name": "user_session_last_authentication_created_at?",
"ordinal": 26,
"type_info": "Timestamptz"
},
{
"name": "user_email_id?",
"ordinal": 27,
"type_info": "Int8"
},
{
"name": "user_email?",
"ordinal": 28,
"type_info": "Text"
},
{
"name": "user_email_created_at?",
"ordinal": 29,
"type_info": "Timestamptz"
},
{
"name": "user_email_confirmed_at?",
"ordinal": 30,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
true,
false,
true,
false,
false,
false,
true,
true,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
true
],
"parameters": {
"Left": [
"Text"
]
}
},
"query": "\n SELECT\n og.id AS grant_id,\n og.created_at AS grant_created_at,\n og.cancelled_at AS grant_cancelled_at,\n og.fulfilled_at AS grant_fulfilled_at,\n og.exchanged_at AS grant_exchanged_at,\n og.scope AS grant_scope,\n og.state AS grant_state,\n og.redirect_uri AS grant_redirect_uri,\n og.response_mode AS grant_response_mode,\n og.nonce AS grant_nonce,\n og.max_age AS grant_max_age,\n og.acr_values AS grant_acr_values,\n og.oauth2_client_id AS oauth2_client_id,\n og.code AS grant_code,\n og.response_type_code AS grant_response_type_code,\n og.response_type_token AS grant_response_type_token,\n og.response_type_id_token AS grant_response_type_id_token,\n og.code_challenge AS grant_code_challenge,\n og.code_challenge_method AS grant_code_challenge_method,\n og.requires_consent AS grant_requires_consent,\n os.id AS \"session_id?\",\n us.id AS \"user_session_id?\",\n us.created_at AS \"user_session_created_at?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n usa.id AS \"user_session_last_authentication_id?\",\n usa.created_at AS \"user_session_last_authentication_created_at?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM\n oauth2_authorization_grants og\n LEFT JOIN oauth2_sessions os\n ON os.id = og.oauth2_session_id\n LEFT JOIN user_sessions us\n ON us.id = os.user_session_id\n LEFT JOIN users u\n ON u.id = us.user_id\n LEFT JOIN user_session_authentications usa\n ON usa.session_id = us.id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n\n WHERE og.code = $1\n\n ORDER BY usa.created_at DESC\n LIMIT 1\n "
},
"a09dfe1019110f2ec6eba0d35bafa467ab4b7980dd8b556826f03863f8edb0ab": { "a09dfe1019110f2ec6eba0d35bafa467ab4b7980dd8b556826f03863f8edb0ab": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -2020,6 +1774,45 @@
}, },
"query": "\n SELECT \n ue.id AS \"user_email_id\",\n ue.email AS \"user_email\",\n ue.created_at AS \"user_email_created_at\",\n ue.confirmed_at AS \"user_email_confirmed_at\"\n FROM user_emails ue\n\n WHERE ue.user_id = $1\n AND ue.id = $2\n " "query": "\n SELECT \n ue.id AS \"user_email_id\",\n ue.email AS \"user_email\",\n ue.created_at AS \"user_email_created_at\",\n ue.confirmed_at AS \"user_email_confirmed_at\"\n FROM user_emails ue\n\n WHERE ue.user_id = $1\n AND ue.id = $2\n "
}, },
"b6849f9289c7559a3ea02bea4d231871107a7fdd4e9587e53ca9d54bdd483623": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "created_at",
"ordinal": 1,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false
],
"parameters": {
"Left": [
"Int8",
"Text",
"Text",
"Text",
"Text",
"Int4",
"Text",
"Text",
"Text",
"Text",
"Bool",
"Bool",
"Text",
"Bool"
]
}
},
"query": "\n INSERT INTO oauth2_authorization_grants\n (oauth2_client_id, redirect_uri, scope, state, nonce, max_age,\n acr_values, response_mode, code_challenge, code_challenge_method,\n response_type_code, response_type_id_token, code, requires_consent)\n VALUES\n ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)\n RETURNING id, created_at\n "
},
"ba431a27a4b256ceacb5724bd746424ed1f059e59ae1aa818fdd5f44c01d70a0": { "ba431a27a4b256ceacb5724bd746424ed1f059e59ae1aa818fdd5f44c01d70a0": {
"describe": { "describe": {
"columns": [ "columns": [
@ -2482,6 +2275,200 @@
}, },
"query": "\n INSERT INTO oauth2_consents (user_id, oauth2_client_id, scope_token)\n SELECT $1, $2, scope_token FROM UNNEST($3::text[]) scope_token\n ON CONFLICT (user_id, oauth2_client_id, scope_token) DO UPDATE SET updated_at = NOW()\n " "query": "\n INSERT INTO oauth2_consents (user_id, oauth2_client_id, scope_token)\n SELECT $1, $2, scope_token FROM UNNEST($3::text[]) scope_token\n ON CONFLICT (user_id, oauth2_client_id, scope_token) DO UPDATE SET updated_at = NOW()\n "
}, },
"e2854f442e1d85484c5e9aa150a1f8c1f0c68a2496d2b2e0e97f4a1f527e2895": {
"describe": {
"columns": [
{
"name": "grant_id",
"ordinal": 0,
"type_info": "Int8"
},
{
"name": "grant_created_at",
"ordinal": 1,
"type_info": "Timestamptz"
},
{
"name": "grant_cancelled_at",
"ordinal": 2,
"type_info": "Timestamptz"
},
{
"name": "grant_fulfilled_at",
"ordinal": 3,
"type_info": "Timestamptz"
},
{
"name": "grant_exchanged_at",
"ordinal": 4,
"type_info": "Timestamptz"
},
{
"name": "grant_scope",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "grant_state",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "grant_redirect_uri",
"ordinal": 7,
"type_info": "Text"
},
{
"name": "grant_response_mode",
"ordinal": 8,
"type_info": "Text"
},
{
"name": "grant_nonce",
"ordinal": 9,
"type_info": "Text"
},
{
"name": "grant_max_age",
"ordinal": 10,
"type_info": "Int4"
},
{
"name": "grant_acr_values",
"ordinal": 11,
"type_info": "Text"
},
{
"name": "oauth2_client_id",
"ordinal": 12,
"type_info": "Int8"
},
{
"name": "grant_code",
"ordinal": 13,
"type_info": "Text"
},
{
"name": "grant_response_type_code",
"ordinal": 14,
"type_info": "Bool"
},
{
"name": "grant_response_type_id_token",
"ordinal": 15,
"type_info": "Bool"
},
{
"name": "grant_code_challenge",
"ordinal": 16,
"type_info": "Text"
},
{
"name": "grant_code_challenge_method",
"ordinal": 17,
"type_info": "Text"
},
{
"name": "grant_requires_consent",
"ordinal": 18,
"type_info": "Bool"
},
{
"name": "session_id?",
"ordinal": 19,
"type_info": "Int8"
},
{
"name": "user_session_id?",
"ordinal": 20,
"type_info": "Int8"
},
{
"name": "user_session_created_at?",
"ordinal": 21,
"type_info": "Timestamptz"
},
{
"name": "user_id?",
"ordinal": 22,
"type_info": "Int8"
},
{
"name": "user_username?",
"ordinal": 23,
"type_info": "Text"
},
{
"name": "user_session_last_authentication_id?",
"ordinal": 24,
"type_info": "Int8"
},
{
"name": "user_session_last_authentication_created_at?",
"ordinal": 25,
"type_info": "Timestamptz"
},
{
"name": "user_email_id?",
"ordinal": 26,
"type_info": "Int8"
},
{
"name": "user_email?",
"ordinal": 27,
"type_info": "Text"
},
{
"name": "user_email_created_at?",
"ordinal": 28,
"type_info": "Timestamptz"
},
{
"name": "user_email_confirmed_at?",
"ordinal": 29,
"type_info": "Timestamptz"
}
],
"nullable": [
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
true,
false,
true,
false,
false,
true,
true,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
false,
true
],
"parameters": {
"Left": [
"Text"
]
}
},
"query": "\n SELECT\n og.id AS grant_id,\n og.created_at AS grant_created_at,\n og.cancelled_at AS grant_cancelled_at,\n og.fulfilled_at AS grant_fulfilled_at,\n og.exchanged_at AS grant_exchanged_at,\n og.scope AS grant_scope,\n og.state AS grant_state,\n og.redirect_uri AS grant_redirect_uri,\n og.response_mode AS grant_response_mode,\n og.nonce AS grant_nonce,\n og.max_age AS grant_max_age,\n og.acr_values AS grant_acr_values,\n og.oauth2_client_id AS oauth2_client_id,\n og.code AS grant_code,\n og.response_type_code AS grant_response_type_code,\n og.response_type_id_token AS grant_response_type_id_token,\n og.code_challenge AS grant_code_challenge,\n og.code_challenge_method AS grant_code_challenge_method,\n og.requires_consent AS grant_requires_consent,\n os.id AS \"session_id?\",\n us.id AS \"user_session_id?\",\n us.created_at AS \"user_session_created_at?\",\n u.id AS \"user_id?\",\n u.username AS \"user_username?\",\n usa.id AS \"user_session_last_authentication_id?\",\n usa.created_at AS \"user_session_last_authentication_created_at?\",\n ue.id AS \"user_email_id?\",\n ue.email AS \"user_email?\",\n ue.created_at AS \"user_email_created_at?\",\n ue.confirmed_at AS \"user_email_confirmed_at?\"\n FROM\n oauth2_authorization_grants og\n LEFT JOIN oauth2_sessions os\n ON os.id = og.oauth2_session_id\n LEFT JOIN user_sessions us\n ON us.id = os.user_session_id\n LEFT JOIN users u\n ON u.id = us.user_id\n LEFT JOIN user_session_authentications usa\n ON usa.session_id = us.id\n LEFT JOIN user_emails ue\n ON ue.id = u.primary_email_id\n\n WHERE og.code = $1\n\n ORDER BY usa.created_at DESC\n LIMIT 1\n "
},
"e5cd99bdaf9c678fc659431fecc5d76b25bb08b781fd17e50eda82ea3aa8cea8": { "e5cd99bdaf9c678fc659431fecc5d76b25bb08b781fd17e50eda82ea3aa8cea8": {
"describe": { "describe": {
"columns": [ "columns": [

12
crates/storage/src/oauth2/authorization_grant.rs
View File

@ -42,7 +42,6 @@ pub async fn new_authorization_grant(
max_age: Option<NonZeroU32>, max_age: Option<NonZeroU32>,
acr_values: Option<String>, acr_values: Option<String>,
response_mode: ResponseMode, response_mode: ResponseMode,
response_type_token: bool,
response_type_id_token: bool, response_type_id_token: bool,
requires_consent: bool, requires_consent: bool,
) -> anyhow::Result<AuthorizationGrant<PostgresqlBackend>> { ) -> anyhow::Result<AuthorizationGrant<PostgresqlBackend>> {
@ -61,10 +60,9 @@ pub async fn new_authorization_grant(
INSERT INTO oauth2_authorization_grants INSERT INTO oauth2_authorization_grants
(oauth2_client_id, redirect_uri, scope, state, nonce, max_age, (oauth2_client_id, redirect_uri, scope, state, nonce, max_age,
acr_values, response_mode, code_challenge, code_challenge_method, acr_values, response_mode, code_challenge, code_challenge_method,
response_type_code, response_type_token, response_type_id_token, response_type_code, response_type_id_token, code, requires_consent)
code, requires_consent)
VALUES VALUES
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15) ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
RETURNING id, created_at RETURNING id, created_at
"#, "#,
&client.data, &client.data,
@ -79,7 +77,6 @@ pub async fn new_authorization_grant(
code_challenge, code_challenge,
code_challenge_method, code_challenge_method,
code.is_some(), code.is_some(),
response_type_token,
response_type_id_token, response_type_id_token,
code_str, code_str,
requires_consent, requires_consent,
@ -101,7 +98,6 @@ pub async fn new_authorization_grant(
acr_values, acr_values,
response_mode, response_mode,
created_at: res.created_at, created_at: res.created_at,
response_type_token,
response_type_id_token, response_type_id_token,
requires_consent, requires_consent,
}) })
@ -122,7 +118,6 @@ struct GrantLookup {
grant_max_age: Option<i32>, grant_max_age: Option<i32>,
grant_acr_values: Option<String>, grant_acr_values: Option<String>,
grant_response_type_code: bool, grant_response_type_code: bool,
grant_response_type_token: bool,
grant_response_type_id_token: bool, grant_response_type_id_token: bool,
grant_code: Option<String>, grant_code: Option<String>,
grant_code_challenge: Option<String>, grant_code_challenge: Option<String>,
@ -318,7 +313,6 @@ impl GrantLookup {
response_mode, response_mode,
redirect_uri, redirect_uri,
created_at: self.grant_created_at, created_at: self.grant_created_at,
response_type_token: self.grant_response_type_token,
response_type_id_token: self.grant_response_type_id_token, response_type_id_token: self.grant_response_type_id_token,
requires_consent: self.grant_requires_consent, requires_consent: self.grant_requires_consent,
}) })
@ -349,7 +343,6 @@ pub async fn get_grant_by_id(
og.oauth2_client_id AS oauth2_client_id, og.oauth2_client_id AS oauth2_client_id,
og.code AS grant_code, og.code AS grant_code,
og.response_type_code AS grant_response_type_code, og.response_type_code AS grant_response_type_code,
og.response_type_token AS grant_response_type_token,
og.response_type_id_token AS grant_response_type_id_token, og.response_type_id_token AS grant_response_type_id_token,
og.code_challenge AS grant_code_challenge, og.code_challenge AS grant_code_challenge,
og.code_challenge_method AS grant_code_challenge_method, og.code_challenge_method AS grant_code_challenge_method,
@ -418,7 +411,6 @@ pub async fn lookup_grant_by_code(
og.oauth2_client_id AS oauth2_client_id, og.oauth2_client_id AS oauth2_client_id,
og.code AS grant_code, og.code AS grant_code,
og.response_type_code AS grant_response_type_code, og.response_type_code AS grant_response_type_code,
og.response_type_token AS grant_response_type_token,
og.response_type_id_token AS grant_response_type_id_token, og.response_type_id_token AS grant_response_type_id_token,
og.code_challenge AS grant_code_challenge, og.code_challenge AS grant_code_challenge,
og.code_challenge_method AS grant_code_challenge_method, og.code_challenge_method AS grant_code_challenge_method,