core/oc-auth
6
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
284667e95ca38149503c158e846be0f18566d156
oc-auth/infrastructure/claims/claims.go
mr 284667e95c Forward For WS
2026-04-01 17:16:18 +02:00

128 lines
2.9 KiB
Go
Raw Blame History

package claims
import (
"fmt"
"oc-auth/conf"
"reflect"
"strings"
"cloud.o-forge.io/core/oc-lib/models/peer"
"github.com/google/go-cmp/cmp"
)
// ClaimService builds and verifies OAuth2 session claims
type ClaimService interface {
// BuildConsentSession builds the session payload for Hydra consent accept.
// Claims are injected into the Hydra JWT via the consent session, not appended to the token.
BuildConsentSession(clientID string, userId string, peer *peer.Peer) Claims
// DecodeClaimsInToken verifies permissions from claims extracted from a JWT
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error)
}
// SessionClaims contains access_token and id_token claim maps
type SessionClaims struct {
AccessToken map[string]interface{} `json:"access_token"`
IDToken map[string]interface{} `json:"id_token"`
}
// Claims is the top-level session structure passed to Hydra consent accept
type Claims struct {
Session SessionClaims `json:"session"`
}
var t = map[string]ClaimService{
"hydra": HydraClaims{},
}
func cleanMap(m map[string]interface{}) map[string]interface{} {
if m == nil {
return map[string]interface{}{}
}
ignored := map[string]bool{
"exp": true,
"iat": true,
"nbf": true,
}
out := make(map[string]interface{})
for k, v := range m {
if ignored[k] {
continue
}
switch val := v.(type) {
case map[string]interface{}:
out[k] = cleanMap(val)
default:
out[k] = val
}
}
return out
}
func (c *Claims) EqualExt(ext map[string]interface{}) bool {
claims := &Claims{}
claims.SessionFromExt(ext)
return c.EqualClaims(claims)
}
func (c *Claims) EqualClaims(claims *Claims, permsKey ...string) bool {
c.normalizeClaims()
claims.normalizeClaims()
if len(permsKey) > 0 {
for _, p := range permsKey {
if !(claims.Session.AccessToken[p] != nil && c.Session.AccessToken[p] != nil && claims.Session.AccessToken[p] == c.Session.AccessToken[p]) {
return false
}
}
return true
}
ok := reflect.DeepEqual(c.Session, claims.Session)
if !ok {
fmt.Println(cmp.Diff(c.Session, claims.Session))
}
return ok
}
func (c *Claims) normalizeClaims() {
c.Session.AccessToken = cleanMap(c.Session.AccessToken)
c.Session.IDToken = cleanMap(c.Session.IDToken)
}
func (c *Claims) SessionFromExt(ext map[string]interface{}) {
var access map[string]interface{}
var id map[string]interface{}
if v, ok := ext["access_token"].(map[string]interface{}); ok && v != nil {
access = v
} else {
access = map[string]interface{}{}
}
if v, ok := ext["id_token"].(map[string]interface{}); ok && v != nil {
id = v
} else {
id = map[string]interface{}{}
}
c.Session = SessionClaims{
AccessToken: access,
IDToken: id,
}
}
func GetClaims() ClaimService {
for k := range t {
if strings.Contains(conf.GetConfig().Auth, k) {
return t[k]
}
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink