forked from ory/fosite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
audience_strategy.go
60 lines (47 loc) · 1.54 KB
/
audience_strategy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
package fosite
import (
"net/http"
"net/url"
"strings"
"github.com/pkg/errors"
"github.com/ory/go-convenience/stringsx"
)
type AudienceMatchingStrategy func(haystack []string, needle []string) error
func DefaultAudienceMatchingStrategy(haystack []string, needle []string) error {
if len(needle) == 0 {
return nil
}
for _, n := range needle {
nu, err := url.Parse(n)
if err != nil {
return errors.WithStack(ErrInvalidRequest.WithHintf(`Unable to parse requested audience "%s".`, n).WithDebug(err.Error()))
}
var found bool
for _, h := range haystack {
hu, err := url.Parse(h)
if err != nil {
return errors.WithStack(ErrInvalidRequest.WithHintf(`Unable to parse whitelisted audience "%s".`, h).WithDebug(err.Error()))
}
allowedPath := strings.TrimRight(hu.Path, "/")
if nu.Scheme == hu.Scheme &&
nu.Host == hu.Host &&
(nu.Path == hu.Path ||
nu.Path == allowedPath ||
len(nu.Path) > len(allowedPath) && strings.TrimRight(nu.Path[:len(allowedPath)+1], "/")+"/" == allowedPath+"/") {
found = true
}
}
if !found {
return errors.WithStack(ErrInvalidRequest.WithHintf(`Requested audience "%s" has not been whitelisted by the OAuth 2.0 Client.`, n))
}
}
return nil
}
func (f *Fosite) validateAuthorizeAudience(r *http.Request, request *AuthorizeRequest) error {
audience := stringsx.Splitx(request.Form.Get("audience"), " ")
if err := f.AudienceMatchingStrategy(request.Client.GetAudience(), audience); err != nil {
return err
}
request.SetRequestedAudience(Arguments(audience))
return nil
}