From 3ec8db807b5ee7a9070f46304c9a183f2bba7c7b Mon Sep 17 00:00:00 2001 
From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Tue, 16 Jul 2024 10:27:43 +0200 Subject: [PATCH] refactor: improve dependency injection capabilities (#816) This PR addresses improvements to the OAuth2 package, making it easier to inject custom strategies. As part of this change, the HMAC strategy has been split into a prefixed and unprefixed strategy. Due to this, the instantiation of `HMACSHAStrategy` has changed. This patch addresses improvements over #813 which has been reverted and fixed here. BREAKING CHANGES: Going forward, please instantiate the HMACSHAStrategy using `oauth2.NewHMACSHAStrategy()`: ```patch -var hmacshaStrategy = oauth2.HMACSHAStrategy{ - Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}}, - Config: &fosite.Config{ - AccessTokenLifespan: time.Hour * 24, - AuthorizeCodeLifespan: time.Hour * 24, - }, -} +var hmacshaStrategy = oauth2.NewHMACSHAStrategy( + &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}}, + &fosite.Config{ + AccessTokenLifespan: time.Hour * 24, + AuthorizeCodeLifespan: time.Hour * 24, + }, +) ``` --- compose/compose_strategy.go | 7 +- .../oauth2/flow_authorize_code_auth_test.go | 2 +- .../oauth2/flow_authorize_code_token_test.go | 12 +- handler/oauth2/flow_refresh_test.go | 12 +- handler/oauth2/providers.go | 12 ++ handler/oauth2/strategy_hmacsha.go | 122 ------------------ handler/oauth2/strategy_hmacsha_plain.go | 108 ++++++++++++++++ handler/oauth2/strategy_hmacsha_prefixed.go | 71 ++++++++++ handler/oauth2/strategy_hmacsha_test.go | 51 ++++++-- handler/oauth2/strategy_jwt.go | 2 +- handler/openid/flow_hybrid_test.go | 11 +- handler/pkce/handler_test.go | 2 +- integration/helper_setup_test.go | 8 +- 13 files changed, 253 insertions(+), 167 deletions(-) create mode 100644 handler/oauth2/providers.go delete mode 100644 handler/oauth2/strategy_hmacsha.go create mode 100644 
handler/oauth2/strategy_hmacsha_plain.go create mode 100644 handler/oauth2/strategy_hmacsha_prefixed.go diff --git a/compose/compose_strategy.go b/compose/compose_strategy.go index 267e3295..eb7d1ba1 100644 --- a/compose/compose_strategy.go +++ b/compose/compose_strategy.go @@ -30,13 +30,10 @@ type HMACSHAStrategyConfigurator interface { } func NewOAuth2HMACStrategy(config HMACSHAStrategyConfigurator) *oauth2.HMACSHAStrategy { - return &oauth2.HMACSHAStrategy{ - Enigma: &hmac.HMACStrategy{Config: config}, - Config: config, - } + return oauth2.NewHMACSHAStrategy(&hmac.HMACStrategy{Config: config}, config) } -func NewOAuth2JWTStrategy(keyGetter func(context.Context) (interface{}, error), strategy *oauth2.HMACSHAStrategy, config fosite.Configurator) *oauth2.DefaultJWTStrategy { +func NewOAuth2JWTStrategy(keyGetter func(context.Context) (interface{}, error), strategy oauth2.CoreStrategy, config fosite.Configurator) *oauth2.DefaultJWTStrategy { return &oauth2.DefaultJWTStrategy{ Signer: &jwt.DefaultSigner{GetPrivateKey: keyGetter}, HMACSHAStrategy: strategy, diff --git a/handler/oauth2/flow_authorize_code_auth_test.go b/handler/oauth2/flow_authorize_code_auth_test.go index 625ccb49..f915fefb 100644 --- a/handler/oauth2/flow_authorize_code_auth_test.go +++ b/handler/oauth2/flow_authorize_code_auth_test.go @@ -24,7 +24,7 @@ func parseUrl(uu string) *url.URL { func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) { for k, strategy := range map[string]CoreStrategy{ - "hmac": &hmacshaStrategy, + "hmac": hmacshaStrategy, } { t.Run("strategy="+k, func(t *testing.T) { store := storage.NewMemoryStore() diff --git a/handler/oauth2/flow_authorize_code_token_test.go b/handler/oauth2/flow_authorize_code_token_test.go index bd854fbb..b90ca524 100644 --- a/handler/oauth2/flow_authorize_code_token_test.go +++ b/handler/oauth2/flow_authorize_code_token_test.go 
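Review bot: NewOAuth2HMACStrategy and NewOAuth2JWTStrategy carry no doc comment, and now that the `strategy` parameter of NewOAuth2JWTStrategy is `oauth2.CoreStrategy` it accepts either the prefixed or the unprefixed HMAC strategy, so it is worth stating which one NewOAuth2HMACStrategy builds. Suggested comment on it: `// NewOAuth2HMACStrategy returns the HMAC-SHA core strategy that issues prefixed (ory_at_/ory_rt_/ory_ac_) tokens; use oauth2.NewHMACSHAStrategyUnPrefixed for bare tokens.` The body of NewOAuth2JWTStrategy continues past the end of the hunk.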
@@ -25,7 +25,7 @@ import ( func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) { for k, strategy := range map[string]CoreStrategy{ - "hmac": &hmacshaStrategy, + "hmac": hmacshaStrategy, } { t.Run("strategy="+k, func(t *testing.T) { store := storage.NewMemoryStore() @@ -241,14 +241,14 @@ func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) { func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) { for k, strategy := range map[string]CoreStrategy{ - "hmac": &hmacshaStrategy, + "hmac": hmacshaStrategy, } { t.Run("strategy="+k, func(t *testing.T) { store := storage.NewMemoryStore() h := AuthorizeExplicitGrantHandler{ CoreStorage: store, - AuthorizeCodeStrategy: &hmacshaStrategy, + AuthorizeCodeStrategy: hmacshaStrategy, TokenRevocationStorage: store, Config: &fosite.Config{ ScopeStrategy: fosite.HierarchicScopeStrategy, @@ -657,9 +657,9 @@ func TestAuthorizeCodeTransactional_HandleTokenEndpointRequest(t *testing.T) { mockTransactional, mockCoreStore, }, - AccessTokenStrategy: &strategy, - RefreshTokenStrategy: &strategy, - AuthorizeCodeStrategy: &strategy, + AccessTokenStrategy: strategy, + RefreshTokenStrategy: strategy, + AuthorizeCodeStrategy: strategy, Config: &fosite.Config{ ScopeStrategy: fosite.HierarchicScopeStrategy, AudienceMatchingStrategy: fosite.DefaultAudienceMatchingStrategy, diff --git a/handler/oauth2/flow_refresh_test.go b/handler/oauth2/flow_refresh_test.go index 54df6cda..f9b00526 100644 --- a/handler/oauth2/flow_refresh_test.go +++ b/handler/oauth2/flow_refresh_test.go @@ -32,7 +32,7 @@ func TestRefreshFlow_HandleTokenEndpointRequest(t *testing.T) { } for k, strategy := range map[string]RefreshTokenStrategy{ - "hmac": &hmacshaStrategy, + "hmac": hmacshaStrategy, } { t.Run("strategy="+k, func(t *testing.T) { store := storage.NewMemoryStore() 
@@ -419,8 +419,8 @@ func TestRefreshFlowTransactional_HandleTokenEndpointRequest(t *testing.T) { mockTransactional, mockRevocationStore, }, - AccessTokenStrategy: &hmacshaStrategy, - RefreshTokenStrategy: &hmacshaStrategy, + AccessTokenStrategy: hmacshaStrategy, + RefreshTokenStrategy: hmacshaStrategy, Config: &fosite.Config{ AccessTokenLifespan: time.Hour, ScopeStrategy: fosite.HierarchicScopeStrategy, @@ -440,7 +440,7 @@ func TestRefreshFlow_PopulateTokenEndpointResponse(t *testing.T) { var aresp *fosite.AccessResponse for k, strategy := range map[string]CoreStrategy{ - "hmac": &hmacshaStrategy, + "hmac": hmacshaStrategy, } { t.Run("strategy="+k, func(t *testing.T) { store := storage.NewMemoryStore() @@ -1071,8 +1071,8 @@ func TestRefreshFlowTransactional_PopulateTokenEndpointResponse(t *testing.T) { mockTransactional, mockRevocationStore, }, - AccessTokenStrategy: &hmacshaStrategy, - RefreshTokenStrategy: &hmacshaStrategy, + AccessTokenStrategy: hmacshaStrategy, + RefreshTokenStrategy: hmacshaStrategy, Config: &fosite.Config{ AccessTokenLifespan: time.Hour, ScopeStrategy: fosite.HierarchicScopeStrategy, diff --git a/handler/oauth2/providers.go b/handler/oauth2/providers.go new file mode 100644 index 00000000..e02a696e --- /dev/null +++ b/handler/oauth2/providers.go @@ -0,0 +1,12 @@ +// Copyright © 2024 Ory Corp +// SPDX-License-Identifier: Apache-2.0 + +package oauth2 + +import "github.com/ory/fosite" + +type LifespanConfigProvider interface { + fosite.AccessTokenLifespanProvider + fosite.RefreshTokenLifespanProvider + fosite.AuthorizeCodeLifespanProvider +} diff --git a/handler/oauth2/strategy_hmacsha.go b/handler/oauth2/strategy_hmacsha.go deleted file mode 100644 index 71193459..00000000 --- a/handler/oauth2/strategy_hmacsha.go +++ /dev/null 
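Review bot: LifespanConfigProvider is a new exported interface without a doc comment. Suggested: `// LifespanConfigProvider is the configuration the HMAC-SHA strategies read: access token, refresh token and authorize code lifespans.` The refresh-token lifespan is required here although HMACSHAStrategyUnPrefixed.ValidateRefreshToken in strategy_hmacsha_plain.go never reads it; if that is deliberate, the comment should say which providers are actually consulted so implementers are not misled.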
@@ -1,122 +0,0 @@ -// Copyright © 2024 Ory Corp -// SPDX-License-Identifier: Apache-2.0 - -package oauth2 - -import ( - "context" - "fmt" - "strings" - "time" - - "github.com/ory/x/errorsx" - - "github.com/ory/fosite" - enigma "github.com/ory/fosite/token/hmac" -) - -type HMACSHAStrategy struct { - Enigma *enigma.HMACStrategy - Config interface { - fosite.AccessTokenLifespanProvider - fosite.RefreshTokenLifespanProvider - fosite.AuthorizeCodeLifespanProvider - } - prefix *string -} - -func (h *HMACSHAStrategy) AccessTokenSignature(ctx context.Context, token string) string { - return h.Enigma.Signature(token) -} -func (h *HMACSHAStrategy) RefreshTokenSignature(ctx context.Context, token string) string { - return h.Enigma.Signature(token) -} -func (h *HMACSHAStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string { - return h.Enigma.Signature(token) -} - -func (h *HMACSHAStrategy) getPrefix(part string) string { - if h.prefix == nil { - prefix := "ory_%s_" - h.prefix = &prefix - } else if len(*h.prefix) == 0 { - return "" - } - - return fmt.Sprintf(*h.prefix, part) -} - -func (h *HMACSHAStrategy) trimPrefix(token, part string) string { - return strings.TrimPrefix(token, h.getPrefix(part)) -} - -func (h *HMACSHAStrategy) setPrefix(token, part string) string { - return h.getPrefix(part) + token -} - -func (h *HMACSHAStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) { - token, sig, err := h.Enigma.Generate(ctx) - if err != nil { - return "", "", err - } - - return h.setPrefix(token, "at"), sig, nil -} - -func (h *HMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) { - var exp = r.GetSession().GetExpiresAt(fosite.AccessToken) - if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) { - return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", 
r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)))) - } - - if !exp.IsZero() && exp.Before(time.Now().UTC()) { - return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp)) - } - - return h.Enigma.Validate(ctx, h.trimPrefix(token, "at")) -} - -func (h *HMACSHAStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) { - token, sig, err := h.Enigma.Generate(ctx) - if err != nil { - return "", "", err - } - - return h.setPrefix(token, "rt"), sig, nil -} - -func (h *HMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) { - var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken) - if exp.IsZero() { - // Unlimited lifetime - return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt")) - } - - if !exp.IsZero() && exp.Before(time.Now().UTC()) { - return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp)) - } - - return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt")) -} - -func (h *HMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) { - token, sig, err := h.Enigma.Generate(ctx) - if err != nil { - return "", "", err - } - - return h.setPrefix(token, "ac"), sig, nil -} - -func (h *HMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) { - var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode) - if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) { - return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)))) - } - - if !exp.IsZero() && exp.Before(time.Now().UTC()) { - return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp)) - } - - return h.Enigma.Validate(ctx, 
h.trimPrefix(token, "ac")) -} diff --git a/handler/oauth2/strategy_hmacsha_plain.go b/handler/oauth2/strategy_hmacsha_plain.go new file mode 100644 index 00000000..13000a29 --- /dev/null +++ b/handler/oauth2/strategy_hmacsha_plain.go 
@@ -0,0 +1,108 @@
+// Copyright © 2024 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2
+
+import (
+ "context"
+ "time"
+
+ "github.com/ory/x/errorsx"
+
+ "github.com/ory/fosite"
+ enigma "github.com/ory/fosite/token/hmac"
+)
+
+var _ CoreStrategy = (*HMACSHAStrategyUnPrefixed)(nil)
+
+type HMACSHAStrategyUnPrefixed struct {
+ Enigma *enigma.HMACStrategy
+ Config LifespanConfigProvider
+}
+
+func NewHMACSHAStrategyUnPrefixed(
+ enigma *enigma.HMACStrategy,
+ config LifespanConfigProvider,
+) *HMACSHAStrategyUnPrefixed {
+ return &HMACSHAStrategyUnPrefixed{
+ Enigma: enigma,
+ Config: config,
+ }
+}
+
+func (h *HMACSHAStrategyUnPrefixed) AccessTokenSignature(ctx context.Context, token string) string {
+ return h.Enigma.Signature(token)
+}
+func (h *HMACSHAStrategyUnPrefixed) RefreshTokenSignature(ctx context.Context, token string) string {
+ return h.Enigma.Signature(token)
+}
+func (h *HMACSHAStrategyUnPrefixed) AuthorizeCodeSignature(ctx context.Context, token string) string {
+ return h.Enigma.Signature(token)
+}
+
+func (h *HMACSHAStrategyUnPrefixed) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+ token, sig, err := h.Enigma.Generate(ctx)
+ if err != nil {
+ return "", "", err
+ }
+
+ return token, sig, nil
+}
+
+func (h *HMACSHAStrategyUnPrefixed) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+ var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
+ if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
+ return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
+ }
+
+ if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+ return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
+ }
+
+ return h.Enigma.Validate(ctx, token)
+}
+
+func (h *HMACSHAStrategyUnPrefixed) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+ token, sig, err := h.Enigma.Generate(ctx)
+ if err != nil {
+ return "", "", err
+ }
+
+ return token, sig, nil
+}
+
+func (h *HMACSHAStrategyUnPrefixed) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+ var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
+ if exp.IsZero() {
+ // Unlimited lifetime
+ return h.Enigma.Validate(ctx, token)
+ }
+
+ if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+ return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
+ }
+
+ return h.Enigma.Validate(ctx, token)
+}
+
+func (h *HMACSHAStrategyUnPrefixed) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
+ token, sig, err := h.Enigma.Generate(ctx)
+ if err != nil {
+ return "", "", err
+ }
+
+ return token, sig, nil
+}
+
+func (h *HMACSHAStrategyUnPrefixed) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
+ var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
+ if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
+ return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
+ }
+
+ if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+ return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
+ }
+
+ return h.Enigma.Validate(ctx, token)
+}
diff --git a/handler/oauth2/strategy_hmacsha_prefixed.go b/handler/oauth2/strategy_hmacsha_prefixed.go
new file mode 100644
index 00000000..19d7509e
--- /dev/null
+++ b/handler/oauth2/strategy_hmacsha_prefixed.go
@@ -0,0 +1,71 @@
+// Copyright © 2024 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2
+
+import (
+ "context"
+ "fmt"
+ "strings"
+
+ enigma "github.com/ory/fosite/token/hmac"
+
+ "github.com/ory/fosite"
+)
+
+var _ CoreStrategy = (*HMACSHAStrategy)(nil)
+
+type HMACSHAStrategy struct {
+ *HMACSHAStrategyUnPrefixed
+}
+
+func NewHMACSHAStrategy(
+ enigma *enigma.HMACStrategy,
+ config LifespanConfigProvider,
+) *HMACSHAStrategy {
+ return &HMACSHAStrategy{
+ HMACSHAStrategyUnPrefixed: NewHMACSHAStrategyUnPrefixed(enigma, config),
+ }
+}
+
+func (h *HMACSHAStrategy) getPrefix(part string) string {
+ return fmt.Sprintf("ory_%s_", part)
+}
+
+func (h *HMACSHAStrategy) trimPrefix(token, part string) string {
+ return strings.TrimPrefix(token, h.getPrefix(part))
+}
+
+func (h *HMACSHAStrategy) setPrefix(token, part string) string {
+ if token == "" {
+ return ""
+ }
+ return h.getPrefix(part) + token
+}
+
+func (h *HMACSHAStrategy) GenerateAccessToken(ctx context.Context, r fosite.Requester) (token string, signature string, err error) {
+ token, sig, err := h.HMACSHAStrategyUnPrefixed.GenerateAccessToken(ctx, r)
+ return h.setPrefix(token, "at"), sig, err
+}
+
+func (h *HMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+ return h.HMACSHAStrategyUnPrefixed.ValidateAccessToken(ctx, r, h.trimPrefix(token, "at"))
+}
+
+func (h *HMACSHAStrategy) GenerateRefreshToken(ctx context.Context, r fosite.Requester) (token string, signature string, err error) {
+ token, sig, err := h.HMACSHAStrategyUnPrefixed.GenerateRefreshToken(ctx, r)
+ return h.setPrefix(token, "rt"), sig, err
+}
+
+func (h *HMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
+ return h.HMACSHAStrategyUnPrefixed.ValidateRefreshToken(ctx, r, h.trimPrefix(token, "rt"))
+}
+
+func (h *HMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, r fosite.Requester) (token string, signature
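Review bot: ValidateRefreshToken treats a zero session expiry as unlimited lifetime and never consults h.Config.GetRefreshTokenLifespan, while ValidateAccessToken and ValidateAuthorizeCode fall back to GetRequestedAt() plus the configured lifespan; this asymmetry is carried over from the deleted strategy_hmacsha.go rather than introduced here, but because the new LifespanConfigProvider requires a refresh-token lifespan a reader will expect it to be enforced, so the `// Unlimited lifetime` comment should state that the configured refresh lifespan is intentionally not applied when the session carries no expiry (or the fallback should be added). In the same method the `!exp.IsZero() &&` on the second condition is always true after the early return and can be dropped. The constructor parameter `enigma *enigma.HMACStrategy` shadows the enigma package inside NewHMACSHAStrategyUnPrefixed; `hmacStrategy *enigma.HMACStrategy` would avoid that. The exported type and constructor also need doc comments, e.g. `// HMACSHAStrategyUnPrefixed issues and validates opaque HMAC-SHA tokens without a type prefix; see HMACSHAStrategy for the prefixed variant.`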
string, err error) { + token, sig, err := h.HMACSHAStrategyUnPrefixed.GenerateAuthorizeCode(ctx, r) + return h.setPrefix(token, "ac"), sig, err +} + +func (h *HMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) { + return h.HMACSHAStrategyUnPrefixed.ValidateAuthorizeCode(ctx, r, h.trimPrefix(token, "ac")) +} diff --git a/handler/oauth2/strategy_hmacsha_test.go b/handler/oauth2/strategy_hmacsha_test.go index 9b780d28..7a6bc287 100644 --- a/handler/oauth2/strategy_hmacsha_test.go +++ b/handler/oauth2/strategy_hmacsha_test.go @@ -16,13 +16,21 @@ import ( "github.com/ory/fosite/token/hmac" ) -var hmacshaStrategy = HMACSHAStrategy{ - Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}}, - Config: &fosite.Config{ +var hmacshaStrategy = NewHMACSHAStrategy( + &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}}, + &fosite.Config{ AccessTokenLifespan: time.Hour * 24, AuthorizeCodeLifespan: time.Hour * 24, }, -} +) + +var hmacshaStrategyUnprefixed = NewHMACSHAStrategyUnPrefixed( + &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}}, + &fosite.Config{ + AccessTokenLifespan: time.Hour * 24, + AuthorizeCodeLifespan: time.Hour * 24, + }, +) var hmacExpiredCase = fosite.Request{ Client: &fosite.DefaultClient{ 
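Review bot: HMACSHAStrategy now embeds *HMACSHAStrategyUnPrefixed, so a zero value such as `new(oauth2.HMACSHAStrategy)` (the form handler/pkce/handler_test.go used before this commit) has a nil embedded pointer and every method call dereferences it through h.Enigma and panics; the type needs a doc comment making that explicit, e.g. `// HMACSHAStrategy wraps HMACSHAStrategyUnPrefixed and adds an ory_at_/ory_rt_/ory_ac_ prefix to issued tokens. The zero value is not usable; construct it with NewHMACSHAStrategy.` The Validate* methods strip the prefix with strings.TrimPrefix, so a bare token produced by HMACSHAStrategyUnPrefixed with the same secret also validates here; that leniency is pre-existing but belongs in the same comment, since it makes the prefix informational rather than a type check. As in strategy_hmacsha_plain.go, the parameter name `enigma` shadows the enigma package inside NewHMACSHAStrategy. getPrefix, trimPrefix and setPrefix do not use the receiver, and `"ory_" + part + "_"` avoids the fmt.Sprintf call on every generate and validate.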
@@ -52,28 +60,43 @@ var hmacValidCase = fosite.Request{ func TestHMACAccessToken(t *testing.T) { for k, c := range []struct { - r fosite.Request - pass bool + r fosite.Request + pass bool + strat CoreStrategy + prefix string }{ { - r: hmacValidCase, - pass: true, + r: hmacValidCase, + pass: true, + strat: hmacshaStrategy, + prefix: "ory_at_", }, { - r: hmacExpiredCase, - pass: false, + r: hmacExpiredCase, + pass: false, + strat: hmacshaStrategy, + prefix: "ory_at_", + }, + { + r: hmacValidCase, + pass: true, + strat: hmacshaStrategyUnprefixed, }, } { t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) { token, signature, err := hmacshaStrategy.GenerateAccessToken(context.Background(), &c.r) assert.NoError(t, err) assert.Equal(t, strings.Split(token, ".")[1], signature) - assert.Contains(t, token, "ory_at_") + assert.Contains(t, token, c.prefix) - for k, token := range []string{ + cases := []string{ token, - strings.TrimPrefix(token, "ory_at_"), - } { + } + if c.prefix != "" { + cases = append(cases, strings.TrimPrefix(token, c.prefix)) + } + + for k, token := range cases { t.Run(fmt.Sprintf("prefix=%v", k == 0), func(t *testing.T) { err = hmacshaStrategy.ValidateAccessToken(context.Background(), &c.r, token) if c.pass { diff --git a/handler/oauth2/strategy_jwt.go b/handler/oauth2/strategy_jwt.go index 73664ead..6af6ad16 100644 --- a/handler/oauth2/strategy_jwt.go +++ b/handler/oauth2/strategy_jwt.go @@ -18,7 +18,7 @@ import ( // DefaultJWTStrategy is a JWT RS256 strategy. type DefaultJWTStrategy struct { jwt.Signer - HMACSHAStrategy *HMACSHAStrategy + HMACSHAStrategy CoreStrategy Config interface { fosite.AccessTokenIssuerProvider fosite.JWTScopeFieldProvider diff --git a/handler/openid/flow_hybrid_test.go b/handler/openid/flow_hybrid_test.go index 3412675a..943fa665 100644 --- a/handler/openid/flow_hybrid_test.go +++ b/handler/openid/flow_hybrid_test.go 
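Review bot: The new `strat` field of the test table is never read: the loop body still calls `hmacshaStrategy.GenerateAccessToken(...)` and `hmacshaStrategy.ValidateAccessToken(...)`, so the third case runs against the prefixed strategy and `assert.Contains(t, token, "")` passes vacuously, leaving hmacshaStrategyUnprefixed untested. Change the two calls to `token, signature, err := c.strat.GenerateAccessToken(context.Background(), &c.r)` and `err = c.strat.ValidateAccessToken(context.Background(), &c.r, token)`, and for the unprefixed case assert the absence of a prefix, e.g. `assert.False(t, strings.HasPrefix(token, "ory_"))` when `c.prefix == ""`. TestHMACAccessToken continues past the end of the hunk.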
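Review bot: The DefaultJWTStrategy field keeps the name HMACSHAStrategy while its type is now the CoreStrategy interface, so any CoreStrategy (prefixed, unprefixed, or something else entirely) can be injected under a name that promises HMAC; renaming would break callers, so a doc comment should state the contract instead, e.g. `// HMACSHAStrategy is the CoreStrategy delegated to for the tokens this strategy does not issue as JWTs; despite the name it need not be HMAC-based.` Which token kinds DefaultJWTStrategy delegates is not visible in this hunk, so adjust the wording to the actual delegation.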
@@ -26,13 +26,10 @@ import ( "github.com/ory/fosite/token/jwt" ) -var hmacStrategy = &oauth2.HMACSHAStrategy{ - Enigma: &hmac.HMACStrategy{ - Config: &fosite.Config{ - GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows"), - }, - }, -} +var hmacStrategy = oauth2.NewHMACSHAStrategy( + &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows")}}, + nil, +) func makeOpenIDConnectHybridHandler(minParameterEntropy int) OpenIDConnectHybridHandler { var idStrategy = &DefaultStrategy{ diff --git a/handler/pkce/handler_test.go b/handler/pkce/handler_test.go index bdd50650..83a56362 100644 --- a/handler/pkce/handler_test.go +++ b/handler/pkce/handler_test.go @@ -39,7 +39,7 @@ func TestPKCEHandleAuthorizeEndpointRequest(t *testing.T) { var config fosite.Config h := &Handler{ Storage: storage.NewMemoryStore(), - AuthorizeCodeStrategy: new(oauth2.HMACSHAStrategy), + AuthorizeCodeStrategy: oauth2.NewHMACSHAStrategy(nil, nil), Config: &config, } w := fosite.NewAuthorizeResponse() diff --git a/integration/helper_setup_test.go b/integration/helper_setup_test.go index 62a99d4f..22e9627d 100644 --- a/integration/helper_setup_test.go +++ b/integration/helper_setup_test.go @@ -172,17 +172,17 @@ func newJWTBearerAppClient(ts *httptest.Server) *clients.JWTBearer { return clients.NewJWTBearer(ts.URL + tokenRelativePath) } -var hmacStrategy = &oauth2.HMACSHAStrategy{ - Enigma: &hmac.HMACStrategy{ +var hmacStrategy = oauth2.NewHMACSHAStrategy( + &hmac.HMACStrategy{ Config: &fosite.Config{ GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"), }, }, - Config: &fosite.Config{ + &fosite.Config{ AccessTokenLifespan: accessTokenLifespan, AuthorizeCodeLifespan: authCodeLifespan, }, -} +) var defaultRSAKey = gen.MustRSAKey() var jwtStrategy = &oauth2.DefaultJWTStrategy{