Sign In
golang
/
flannel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5d0061bb3a
Branches Tags
flannel
/
vendor
/
golang.org
/
x
/
oauth2
/
jwt
/
jwt.go

jwt.go 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153 
  1. // Copyright 2014 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. // Package jwt implements the OAuth 2.0 JSON Web Token flow, commonly
    6. 

  6. // known as "two-legged OAuth 2.0".
    7. 

  7. //
    8. 

  8. // See: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
    9. 

  9. package jwt
    10. 

  10. 

  11. import (
    12. 

  12. 	"encoding/json"
    13. 

  13. 	"fmt"
    14. 

  14. 	"io"
    15. 

  15. 	"io/ioutil"
    16. 

  16. 	"net/http"
    17. 

  17. 	"net/url"
    18. 

  18. 	"strings"
    19. 

  19. 	"time"
    20. 

  20. 

  21. 	"golang.org/x/net/context"
    22. 

  22. 	"golang.org/x/oauth2"
    23. 

  23. 	"golang.org/x/oauth2/internal"
    24. 

  24. 	"golang.org/x/oauth2/jws"
    25. 

  25. )
    26. 

  26. 

  27. var (
    28. 

  28. 	defaultGrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
    29. 

  29. 	defaultHeader    = &jws.Header{Algorithm: "RS256", Typ: "JWT"}
    30. 

  30. )
    31. 

  31. 

  32. // Config is the configuration for using JWT to fetch tokens,
    33. 

  33. // commonly known as "two-legged OAuth 2.0".
    34. 

  34. type Config struct {
    35. 

  35. 	// Email is the OAuth client identifier used when communicating with
    36. 

  36. 	// the configured OAuth provider.
    37. 

  37. 	Email string
    38. 

  38. 

  39. 	// PrivateKey contains the contents of an RSA private key or the
    40. 

  40. 	// contents of a PEM file that contains a private key. The provided
    41. 

  41. 	// private key is used to sign JWT payloads.
    42. 

  42. 	// PEM containers with a passphrase are not supported.
    43. 

  43. 	// Use the following command to convert a PKCS 12 file into a PEM.
    44. 

  44. 	//
    45. 

  45. 	//    $ openssl pkcs12 -in key.p12 -out key.pem -nodes
    46. 

  46. 	//
    47. 

  47. 	PrivateKey []byte
    48. 

  48. 

  49. 	// Subject is the optional user to impersonate.
    50. 

  50. 	Subject string
    51. 

  51. 

  52. 	// Scopes optionally specifies a list of requested permission scopes.
    53. 

  53. 	Scopes []string
    54. 

  54. 

  55. 	// TokenURL is the endpoint required to complete the 2-legged JWT flow.
    56. 

  56. 	TokenURL string
    57. 

  57. 

  58. 	// Expires optionally specifies how long the token is valid for.
    59. 

  59. 	Expires time.Duration
    60. 

  60. }
    61. 

  61. 

  62. // TokenSource returns a JWT TokenSource using the configuration
    63. 

  63. // in c and the HTTP client from the provided context.
    64. 

  64. func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
    65. 

  65. 	return oauth2.ReuseTokenSource(nil, jwtSource{ctx, c})
    66. 

  66. }
    67. 

  67. 

  68. // Client returns an HTTP client wrapping the context's
    69. 

  69. // HTTP transport and adding Authorization headers with tokens
    70. 

  70. // obtained from c.
    71. 

  71. //
    72. 

  72. // The returned client and its Transport should not be modified.
    73. 

  73. func (c *Config) Client(ctx context.Context) *http.Client {
    74. 

  74. 	return oauth2.NewClient(ctx, c.TokenSource(ctx))
    75. 

  75. }
    76. 

  76. 

  77. // jwtSource is a source that always does a signed JWT request for a token.
    78. 

  78. // It should typically be wrapped with a reuseTokenSource.
    79. 

  79. type jwtSource struct {
    80. 

  80. 	ctx  context.Context
    81. 

  81. 	conf *Config
    82. 

  82. }
    83. 

  83. 

  84. func (js jwtSource) Token() (*oauth2.Token, error) {
    85. 

  85. 	pk, err := internal.ParseKey(js.conf.PrivateKey)
    86. 

  86. 	if err != nil {
    87. 

  87. 		return nil, err
    88. 

  88. 	}
    89. 

  89. 	hc := oauth2.NewClient(js.ctx, nil)
    90. 

  90. 	claimSet := &jws.ClaimSet{
    91. 

  91. 		Iss:   js.conf.Email,
    92. 

  92. 		Scope: strings.Join(js.conf.Scopes, " "),
    93. 

  93. 		Aud:   js.conf.TokenURL,
    94. 

  94. 	}
    95. 

  95. 	if subject := js.conf.Subject; subject != "" {
    96. 

  96. 		claimSet.Sub = subject
    97. 

  97. 		// prn is the old name of sub. Keep setting it
    98. 

  98. 		// to be compatible with legacy OAuth 2.0 providers.
    99. 

  99. 		claimSet.Prn = subject
    100. 

  100. 	}
    101. 

  101. 	if t := js.conf.Expires; t > 0 {
    102. 

  102. 		claimSet.Exp = time.Now().Add(t).Unix()
    103. 

  103. 	}
    104. 

  104. 	payload, err := jws.Encode(defaultHeader, claimSet, pk)
    105. 

  105. 	if err != nil {
    106. 

  106. 		return nil, err
    107. 

  107. 	}
    108. 

  108. 	v := url.Values{}
    109. 

  109. 	v.Set("grant_type", defaultGrantType)
    110. 

  110. 	v.Set("assertion", payload)
    111. 

  111. 	resp, err := hc.PostForm(js.conf.TokenURL, v)
    112. 

  112. 	if err != nil {
    113. 

  113. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
    114. 

  114. 	}
    115. 

  115. 	defer resp.Body.Close()
    116. 

  116. 	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
    117. 

  117. 	if err != nil {
    118. 

  118. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
    119. 

  119. 	}
    120. 

  120. 	if c := resp.StatusCode; c < 200 || c > 299 {
    121. 

  121. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", resp.Status, body)
    122. 

  122. 	}
    123. 

  123. 	// tokenRes is the JSON response body.
    124. 

  124. 	var tokenRes struct {
    125. 

  125. 		AccessToken string `json:"access_token"`
    126. 

  126. 		TokenType   string `json:"token_type"`
    127. 

  127. 		IDToken     string `json:"id_token"`
    128. 

  128. 		ExpiresIn   int64  `json:"expires_in"` // relative seconds from now
    129. 

  129. 	}
    130. 

  130. 	if err := json.Unmarshal(body, &tokenRes); err != nil {
    131. 

  131. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
    132. 

  132. 	}
    133. 

  133. 	token := &oauth2.Token{
    134. 

  134. 		AccessToken: tokenRes.AccessToken,
    135. 

  135. 		TokenType:   tokenRes.TokenType,
    136. 

  136. 	}
    137. 

  137. 	raw := make(map[string]interface{})
    138. 

  138. 	json.Unmarshal(body, &raw) // no error checks for optional fields
    139. 

  139. 	token = token.WithExtra(raw)
    140. 

  140. 

  141. 	if secs := tokenRes.ExpiresIn; secs > 0 {
    142. 

  142. 		token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
    143. 

  143. 	}
    144. 

  144. 	if v := tokenRes.IDToken; v != "" {
    145. 

  145. 		// decode returned id token to get expiry
    146. 

  146. 		claimSet, err := jws.Decode(v)
    147. 

  147. 		if err != nil {
    148. 

  148. 			return nil, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
    149. 

  149. 		}
    150. 

  150. 		token.Expiry = time.Unix(claimSet.Exp, 0)
    151. 

  151. 	}
    152. 

  152. 	return token, nil
    153. 

  153. }
    154.