Forward For WS

This commit is contained in:
mr
2026-04-01 17:16:18 +02:00
parent 744caf9a5e
commit 284667e95c
10 changed files with 570 additions and 66 deletions


@@ -81,22 +81,21 @@ func (h HydraClaims) clearBlank(path []string) []string {
}
// DecodeClaimsInToken verifies permissions from claims in a standard JWT (via introspection)
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error) {
logger := oclib.GetLogger()
idTokenClaims := sessionClaims.Session.IDToken
// Signature verification: skip if signature is empty (internal requests)
if sig, ok := idTokenClaims["signature"].(string); ok && sig != "" {
if ok, err := h.DecodeSignature(host, sig, publicKey); !ok {
return false, err
return false, "", err
}
}
claims := sessionClaims.Session.AccessToken
if claims == nil {
return false, errors.New("no access_token claims found")
return false, "", errors.New("no access_token claims found")
}
path := strings.ReplaceAll(forward, "http://"+host, "")
splittedPath := h.clearBlank(strings.Split(path, "/"))
@@ -105,11 +104,11 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
if !ok {
continue
}
match := true
splittedP := h.clearBlank(strings.Split(pStr, "/"))
if len(splittedP) != len(splittedPath) {
continue
}
match := true
for i, v := range splittedP {
if strings.Contains(v, ":") { // is a param
continue
@@ -127,11 +126,11 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
Relation: "permits" + strings.ToUpper(meth.String()),
Object: pStr,
}
return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), nil
return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), m, nil
}
}
logger.Error().Msg("No permission found for " + method + " " + forward)
return false, errors.New("no permission found")
return false, "", errors.New("no permission found")
}
// BuildConsentSession builds the session payload for Hydra consent accept.
@@ -162,7 +161,9 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
return c
}
c.Session.IDToken["username"] = userId
c.Session.AccessToken["peer_id"] = p.UUID
c.Session.IDToken["user_id"] = userId
c.Session.IDToken["peer_id"] = p.UUID
c.Session.IDToken["client_id"] = clientID
@@ -172,6 +173,13 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
return c
}
c.Session.IDToken["groups"] = groups
roles, err := perms_connectors.KetoConnector{}.GetRoleByUser(userId)
if err != nil {
logger.Error().Msg("Failed to get roles for user " + userId + ": " + err.Error())
return c
}
c.Session.IDToken["roles"] = roles
c.Session.IDToken["signature"] = sign
return c
}
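Review bot: The new role lookup in BuildConsentSession returns `c` on error before the `signature` claim is assigned a few lines later, so a Keto failure yields a consent session whose IDToken carries groups but no signature; since DecodeClaimsInToken in the first hunk skips signature verification whenever `idTokenClaims["signature"]` is absent or empty, that partial session would later be accepted as if it were an internal request. The pre-existing groups branch just above the added lines has the same early-return shape, but the new code should not repeat it. Either surface the failure to the caller, or keep the signature on every path by replacing the error-branch `return c` with `} else { c.Session.IDToken["roles"] = roles }` so that `c.Session.IDToken["signature"] = sign` always runs. BuildConsentSession's signature and the origin of `sign` lie outside the hunk, so confirm whether the function can report an error before choosing between the two.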