oc-auth/infrastructure/claims/claims.go

package claims

import (
	"fmt"
	"oc-auth/conf"
	"reflect"
	"strings"

	"cloud.o-forge.io/core/oc-lib/models/peer"
	"github.com/google/go-cmp/cmp"
)

// ClaimService builds and verifies OAuth2 session claims
type ClaimService interface {
	// BuildConsentSession builds the session payload for Hydra consent accept.
	// Claims are injected into the Hydra JWT via the consent session, not appended to the token.
	BuildConsentSession(clientID string, userId string, peer *peer.Peer) Claims

	// DecodeClaimsInToken verifies permissions from claims extracted from a JWT
	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error)
}

// SessionClaims contains access_token and id_token claim maps
type SessionClaims struct {
	AccessToken map[string]interface{} `json:"access_token"`
	IDToken     map[string]interface{} `json:"id_token"`
}

// Claims is the top-level session structure passed to Hydra consent accept
type Claims struct {
	Session SessionClaims `json:"session"`
}

var t = map[string]ClaimService{
	"hydra": HydraClaims{},
}

func cleanMap(m map[string]interface{}) map[string]interface{} {
	if m == nil {
		return map[string]interface{}{}
	}

	ignored := map[string]bool{
		"exp": true,
		"iat": true,
		"nbf": true,
	}

	out := make(map[string]interface{})

	for k, v := range m {
		if ignored[k] {
			continue
		}

		switch val := v.(type) {
		case map[string]interface{}:
			out[k] = cleanMap(val)
		default:
			out[k] = val
		}
	}

	return out
}

func (c *Claims) EqualExt(ext map[string]interface{}) bool {
	claims := &Claims{}
	claims.SessionFromExt(ext)

	return c.EqualClaims(claims)
}

func (c *Claims) EqualClaims(claims *Claims, permsKey ...string) bool {
	c.normalizeClaims()
	claims.normalizeClaims()

	if len(permsKey) > 0 {
		for _, p := range permsKey {
			if !(claims.Session.AccessToken[p] != nil && c.Session.AccessToken[p] != nil && claims.Session.AccessToken[p] == c.Session.AccessToken[p]) {
				return false
			}
		}
		return true
	}
	ok := reflect.DeepEqual(c.Session, claims.Session)
	if !ok {
		fmt.Println(cmp.Diff(c.Session, claims.Session))
	}
	return ok
}

func (c *Claims) normalizeClaims() {
	c.Session.AccessToken = cleanMap(c.Session.AccessToken)
	c.Session.IDToken = cleanMap(c.Session.IDToken)
}

func (c *Claims) SessionFromExt(ext map[string]interface{}) {
	var access map[string]interface{}
	var id map[string]interface{}

	if v, ok := ext["access_token"].(map[string]interface{}); ok && v != nil {
		access = v
	} else {
		access = map[string]interface{}{}
	}

	if v, ok := ext["id_token"].(map[string]interface{}); ok && v != nil {
		id = v
	} else {
		id = map[string]interface{}{}
	}

	c.Session = SessionClaims{
		AccessToken: access,
		IDToken:     id,
	}
}

func GetClaims() ClaimService {
	for k := range t {
		if strings.Contains(conf.GetConfig().Auth, k) {
			return t[k]
		}
	}
	return nil
}
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`package claims`

add groups in claims 2024-11-27 12:36:37 +01:00			`import (`
Forward For WS 2026-04-01 17:16:18 +02:00			`"fmt"`
add groups in claims 2024-11-27 12:36:37 +01:00			`"oc-auth/conf"`
Forward For WS 2026-04-01 17:16:18 +02:00			`"reflect"`
auth 2025-04-01 10:16:26 +02:00			`"strings"`
add groups in claims 2024-11-27 12:36:37 +01:00
			`"cloud.o-forge.io/core/oc-lib/models/peer"`
Forward For WS 2026-04-01 17:16:18 +02:00			`"github.com/google/go-cmp/cmp"`
add groups in claims 2024-11-27 12:36:37 +01:00			`)`
BAHAMAS 2024-10-30 12:38:25 +01:00
oc-auth OAUTH2 2026-02-19 14:56:15 +01:00			`// ClaimService builds and verifies OAuth2 session claims`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`type ClaimService interface {`
oc-auth OAUTH2 2026-02-19 14:56:15 +01:00			`// BuildConsentSession builds the session payload for Hydra consent accept.`
			`// Claims are injected into the Hydra JWT via the consent session, not appended to the token.`
			`BuildConsentSession(clientID string, userId string, peer *peer.Peer) Claims`

			`// DecodeClaimsInToken verifies permissions from claims extracted from a JWT`
Forward For WS 2026-04-01 17:16:18 +02:00			`DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`

oc-auth OAUTH2 2026-02-19 14:56:15 +01:00			`// SessionClaims contains access_token and id_token claim maps`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`type SessionClaims struct {`
			AccessToken map[string]interface{} `json:"access_token"`
			IDToken map[string]interface{} `json:"id_token"`
			`}`

oc-auth OAUTH2 2026-02-19 14:56:15 +01:00			`// Claims is the top-level session structure passed to Hydra consent accept`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`type Claims struct {`
			Session SessionClaims `json:"session"`
			`}`
BAHAMAS 2024-10-30 12:38:25 +01:00
			`var t = map[string]ClaimService{`
			`"hydra": HydraClaims{},`
			`}`

Forward For WS 2026-04-01 17:16:18 +02:00			`func cleanMap(m map[string]interface{}) map[string]interface{} {`
			`if m == nil {`
			`return map[string]interface{}{}`
			`}`

			`ignored := map[string]bool{`
			`"exp": true,`
			`"iat": true,`
			`"nbf": true,`
			`}`

			`out := make(map[string]interface{})`

			`for k, v := range m {`
			`if ignored[k] {`
			`continue`
			`}`

			`switch val := v.(type) {`
			`case map[string]interface{}:`
			`out[k] = cleanMap(val)`
			`default:`
			`out[k] = val`
			`}`
			`}`

			`return out`
			`}`

			`func (c *Claims) EqualExt(ext map[string]interface{}) bool {`
			`claims := &Claims{}`
			`claims.SessionFromExt(ext)`

			`return c.EqualClaims(claims)`
			`}`

			`func (c Claims) EqualClaims(claims Claims, permsKey ...string) bool {`
			`c.normalizeClaims()`
			`claims.normalizeClaims()`

			`if len(permsKey) > 0 {`
			`for _, p := range permsKey {`
			`if !(claims.Session.AccessToken[p] != nil && c.Session.AccessToken[p] != nil && claims.Session.AccessToken[p] == c.Session.AccessToken[p]) {`
			`return false`
			`}`
			`}`
			`return true`
			`}`
			`ok := reflect.DeepEqual(c.Session, claims.Session)`
			`if !ok {`
			`fmt.Println(cmp.Diff(c.Session, claims.Session))`
			`}`
			`return ok`
			`}`

			`func (c *Claims) normalizeClaims() {`
			`c.Session.AccessToken = cleanMap(c.Session.AccessToken)`
			`c.Session.IDToken = cleanMap(c.Session.IDToken)`
			`}`

			`func (c *Claims) SessionFromExt(ext map[string]interface{}) {`
			`var access map[string]interface{}`
			`var id map[string]interface{}`

			`if v, ok := ext["access_token"].(map[string]interface{}); ok && v != nil {`
			`access = v`
			`} else {`
			`access = map[string]interface{}{}`
			`}`

			`if v, ok := ext["id_token"].(map[string]interface{}); ok && v != nil {`
			`id = v`
			`} else {`
			`id = map[string]interface{}{}`
			`}`

			`c.Session = SessionClaims{`
			`AccessToken: access,`
			`IDToken: id,`
			`}`
			`}`

BAHAMAS 2024-10-30 12:38:25 +01:00			`func GetClaims() ClaimService {`
auth 2025-04-01 10:16:26 +02:00			`for k := range t {`
			`if strings.Contains(conf.GetConfig().Auth, k) {`
			`return t[k]`
			`}`
			`}`
			`return nil`
BAHAMAS 2024-10-30 12:38:25 +01:00			`}`