feat(rfc8693): add rfc8693 implementation (#46)

This is an implementation of the RFC8693 OAuth 2.0 Token Exchange flow. See https://datatracker.ietf.org/doc/html/rfc8693.

Author: james-d-elliott

config.go

@@ -335,6 +335,12 @@ type RFC8628UserAuthorizeEndpointHandlersProvider interface {
 	GetRFC8628UserAuthorizeEndpointHandlers(ctx context.Context) RFC8628UserAuthorizeEndpointHandlers
 }
 
+type RFC8693ConfigProvider interface {
+	GetTokenTypes(ctx context.Context) map[string]RFC8693TokenType
+
+	GetDefaultRequestedTokenType(ctx context.Context) string
+}
+
 // UseLegacyErrorFormatProvider returns the provider for configuring whether to use the legacy error format.
 //
 // Deprecated: Do not use this flag anymore.

config_default.go

@@ -208,6 +208,10 @@ type Config struct {
 
 	// IsPushedAuthorizeEnforced enforces pushed authorization request for /authorize
 	IsPushedAuthorizeEnforced bool
+
+	RFC8693TokenTypes map[string]RFC8693TokenType
+
+	DefaultRequestedTokenType string
 }
 
 func (c *Config) GetGlobalSecret(ctx context.Context) ([]byte, error) {
@@ -557,6 +561,14 @@ func (c *Config) EnforcePushedAuthorize(ctx context.Context) bool {
 	return c.IsPushedAuthorizeEnforced
 }
 
+func (c *Config) GetTokenTypes(ctx context.Context) map[string]RFC8693TokenType {
+	return c.RFC8693TokenTypes
+}
+
+func (c *Config) GetDefaultRequestedTokenType(ctx context.Context) string {
+	return c.DefaultRequestedTokenType
+}
+
 func (c *Config) GetRFC8628UserVerificationURL(_ context.Context) string {
 	return c.RFC8628UserVerificationURL
 }
@@ -612,6 +624,7 @@ var (
 	_ RevocationHandlersProvider                      = (*Config)(nil)
 	_ PushedAuthorizeRequestHandlersProvider          = (*Config)(nil)
 	_ PushedAuthorizeRequestConfigProvider            = (*Config)(nil)
+	_ RFC8693ConfigProvider                           = (*Config)(nil)
 	_ DeviceAuthorizeConfigProvider                   = (*Config)(nil)
 	_ DeviceAuthorizeEndpointHandlersProvider         = (*Config)(nil)
 	_ RFC8628UserAuthorizeEndpointHandlersProvider    = (*Config)(nil)

fosite.go

@@ -159,6 +159,9 @@ type Configurator interface {
 	TokenEndpointHandlersProvider
 	TokenIntrospectionHandlersProvider
 	RevocationHandlersProvider
+	PushedAuthorizeRequestHandlersProvider
+	PushedAuthorizeRequestConfigProvider
+	RFC8693ConfigProvider
 	DeviceAuthorizeEndpointHandlersProvider
 	RFC8628UserAuthorizeEndpointHandlersProvider
 	DeviceAuthorizeConfigProvider

handler/oauth2/flow_generic_code_token.go

@@ -199,7 +199,7 @@ func (c *GenericCodeTokenEndpointHandler) PopulateTokenEndpointResponse(ctx cont
 	}
 
 	responder.SetAccessToken(access)
-	responder.SetTokenType("bearer")
+	responder.SetTokenType(oauth2.BearerAccessToken)
 	atLifespan := oauth2.GetEffectiveLifespan(requester.GetClient(), oauth2.GrantTypeAuthorizationCode, oauth2.AccessToken, c.Config.GetAccessTokenLifespan(ctx))
 	responder.SetExpiresIn(getExpiresIn(requester, oauth2.AccessToken, atLifespan, time.Now().UTC()))
 	responder.SetScopes(requester.GetGrantedScopes())

handler/oauth2/revocation.go

@@ -81,15 +81,15 @@ type RevocationTokenLookupFunc func(ctx context.Context, token string) (requeste
 
 func (r *TokenRevocationHandler) getRevokeRefreshTokensExplicitly(ctx context.Context, client oauth2.Client) bool {
 	var (
-		rfrrtec oauth2.RevokeFlowRevokeRefreshTokensExplicitClient
-		ok      bool
+		c  oauth2.RevokeFlowRevokeRefreshTokensExplicitClient
+		ok bool
 	)
 
-	if rfrrtec, ok = client.(oauth2.RevokeFlowRevokeRefreshTokensExplicitClient); !ok {
+	if c, ok = client.(oauth2.RevokeFlowRevokeRefreshTokensExplicitClient); !ok {
 		return r.Config.GetRevokeRefreshTokensExplicitly(ctx)
 	}
 
-	if ok = rfrrtec.GetRevokeRefreshTokensExplicitly(ctx); ok || r.Config.GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx) {
+	if ok = c.GetRevokeRefreshTokensExplicitly(ctx); ok || r.Config.GetEnforceRevokeFlowRevokeRefreshTokensExplicitClient(ctx) {
 		return ok
 	}
 

handler/openid/flow_device_authorization_test.go

@@ -29,7 +29,7 @@ func TestOpenIDConnectDeviceAuthorizeHandler_PopulateRFC8628UserAuthorizeEndpoin
 	}
 	j := &DefaultStrategy{
 		Signer: &jwt.DefaultSigner{
-			GetPrivateKey: func(ctx context.Context) (interface{}, error) {
+			GetPrivateKey: func(ctx context.Context) (any, error) {
 				return key, nil
 			},
 		},
@@ -130,7 +130,7 @@ func TestOpenIDConnectDeviceAuthorizeHandler_PopulateTokenEndpointResponse(t *te
 	}
 	j := &DefaultStrategy{
 		Signer: &jwt.DefaultSigner{
-			GetPrivateKey: func(ctx context.Context) (interface{}, error) {
+			GetPrivateKey: func(ctx context.Context) (any, error) {
 				return key, nil
 			},
 		},

handler/openid/strategy.go

@@ -8,8 +8,13 @@ import (
 	"time"
 
 	"authelia.com/provider/oauth2"
+	"authelia.com/provider/oauth2/token/jwt"
 )
 
 type OpenIDConnectTokenStrategy interface {
 	GenerateIDToken(ctx context.Context, lifespan time.Duration, requester oauth2.Requester) (token string, err error)
 }
+
+type TokenValidationStrategy interface {
+	ValidateIDToken(ctx context.Context, requester oauth2.Requester, token string) (jwt.MapClaims, error)
+}

handler/rfc8693/access_token_type_handler.go

@@ -0,0 +1,207 @@
+package rfc8693
+
+import (
+	"context"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"authelia.com/provider/oauth2"
+	hoauth2 "authelia.com/provider/oauth2/handler/oauth2"
+	"authelia.com/provider/oauth2/internal/consts"
+	"authelia.com/provider/oauth2/internal/errorsx"
+	"authelia.com/provider/oauth2/storage"
+)
+
+type AccessTokenTypeHandler struct {
+	Config               oauth2.RFC8693ConfigProvider
+	AccessTokenLifespan  time.Duration
+	RefreshTokenLifespan time.Duration
+	RefreshTokenScopes   []string
+	hoauth2.CoreStrategy
+	ScopeStrategy oauth2.ScopeStrategy
+	Storage
+}
+
+// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2
+func (c *AccessTokenTypeHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) error {
+	if !c.CanHandleTokenEndpointRequest(ctx, request) {
+		return errorsx.WithStack(oauth2.ErrUnknownRequest)
+	}
+
+	session, _ := request.GetSession().(Session)
+	if session == nil {
+		return errorsx.WithStack(oauth2.ErrServerError.WithDebug("Failed to perform token exchange because the session is not of the right type."))
+	}
+
+	form := request.GetRequestForm()
+	if form.Get(consts.FormParameterSubjectTokenType) != consts.TokenTypeRFC8693AccessToken && form.Get(consts.FormParameterActorTokenType) != consts.TokenTypeRFC8693AccessToken {
+		return nil
+	}
+
+	if form.Get(consts.FormParameterActorTokenType) == consts.TokenTypeRFC8693AccessToken {
+		token := form.Get(consts.FormParameterActorToken)
+		if _, unpacked, err := c.validate(ctx, request, token); err != nil {
+			return err
+		} else {
+			session.SetActorToken(unpacked)
+		}
+	}
+
+	if form.Get(consts.FormParameterSubjectTokenType) == consts.TokenTypeRFC8693AccessToken {
+		token := form.Get(consts.FormParameterSubjectToken)
+		if subjectTokenSession, unpacked, err := c.validate(ctx, request, token); err != nil {
+			return err
+		} else {
+			session.SetSubjectToken(unpacked)
+			session.SetSubject(subjectTokenSession.GetSubject())
+		}
+	}
+
+	return nil
+}
+
+// PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3
+func (c *AccessTokenTypeHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) error {
+	if !c.CanHandleTokenEndpointRequest(ctx, request) {
+		return errorsx.WithStack(oauth2.ErrUnknownRequest)
+	}
+
+	session, _ := request.GetSession().(Session)
+	if session == nil {
+		return errorsx.WithStack(oauth2.ErrServerError.WithDebug("Failed to perform token exchange because the session is not of the right type."))
+	}
+
+	form := request.GetRequestForm()
+	requestedTokenType := form.Get(consts.FormParameterRequestedTokenType)
+	if requestedTokenType == "" {
+		requestedTokenType = c.Config.GetDefaultRequestedTokenType(ctx)
+	}
+
+	if requestedTokenType != consts.TokenTypeRFC8693AccessToken {
+		return nil
+	}
+
+	if err := c.issue(ctx, request, responder); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// CanSkipClientAuth indicates if client auth can be skipped
+func (c *AccessTokenTypeHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool {
+	return false
+}
+
+// CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled
+func (c *AccessTokenTypeHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool {
+	// grant_type REQUIRED.
+	// Value MUST be set to "password".
+	return requester.GetGrantTypes().ExactOne(consts.GrantTypeOAuthTokenExchange)
+}
+
+func (c *AccessTokenTypeHandler) validate(ctx context.Context, request oauth2.AccessRequester, token string) (oauth2.Session, map[string]any, error) {
+	session, _ := request.GetSession().(Session)
+	if session == nil {
+		return nil, nil, errorsx.WithStack(oauth2.ErrServerError.WithDebug(
+			"Failed to perform token exchange because the session is not of the right type."))
+	}
+
+	client := request.GetClient()
+
+	sig := c.CoreStrategy.AccessTokenSignature(ctx, token)
+	or, err := c.Storage.GetAccessTokenSession(ctx, sig, request.GetSession())
+	if err != nil {
+		return nil, nil, errors.WithStack(oauth2.ErrInvalidRequest.WithHint("Token is not valid or has expired.").WithDebugError(err))
+	} else if err := c.CoreStrategy.ValidateAccessToken(ctx, or, token); err != nil {
+		return nil, nil, err
+	}
+
+	subjectTokenClientID := or.GetClient().GetID()
+	// forbid original subjects client to exchange its own token
+	if client.GetID() == subjectTokenClientID {
+		return nil, nil, errors.WithStack(oauth2.ErrRequestForbidden.WithHint("Clients are not allowed to perform a token exchange on their own tokens."))
+	}
+
+	// Check if the client is allowed to exchange this token
+	if subjectTokenClient, ok := or.GetClient().(Client); ok {
+		allowed := subjectTokenClient.TokenExchangeAllowed(client)
+		if !allowed {
+			return nil, nil, errors.WithStack(oauth2.ErrRequestForbidden.WithHintf(
+				"The OAuth 2.0 client is not permitted to exchange a subject token issued to client %s", subjectTokenClientID))
+		}
+	}
+
+	// Scope check
+	for _, scope := range request.GetRequestedScopes() {
+		if !c.ScopeStrategy(or.GetGrantedScopes(), scope) {
+			return nil, nil, errors.WithStack(oauth2.ErrInvalidScope.WithHintf("The subject token is not granted '%s' and so this scope cannot be requested.", scope))
+		}
+	}
+
+	// Convert to flat session with only access token claims
+	claims := session.AccessTokenClaimsMap()
+	claims[consts.ClaimClientIdentifier] = or.GetClient().GetID()
+	claims[consts.ClaimScope] = or.GetGrantedScopes()
+	claims[consts.ClaimAudience] = or.GetGrantedAudience()
+
+	return or.GetSession(), claims, nil
+}
+
+func (c *AccessTokenTypeHandler) issue(ctx context.Context, request oauth2.AccessRequester, response oauth2.AccessResponder) error {
+	request.GetSession().SetExpiresAt(oauth2.AccessToken, time.Now().UTC().Add(c.AccessTokenLifespan))
+
+	token, signature, err := c.CoreStrategy.GenerateAccessToken(ctx, request)
+	if err != nil {
+		return err
+	} else if err := c.Storage.CreateAccessTokenSession(ctx, signature, request.Sanitize([]string{})); err != nil {
+		return err
+	}
+
+	issueRefreshToken := c.canIssueRefreshToken(request)
+	if issueRefreshToken {
+		request.GetSession().SetExpiresAt(oauth2.RefreshToken, time.Now().UTC().Add(c.RefreshTokenLifespan).Round(time.Second))
+		refresh, refreshSignature, err := c.CoreStrategy.GenerateRefreshToken(ctx, request)
+		if err != nil {
+			return errors.WithStack(oauth2.ErrServerError.WithDebugError(err))
+		}
+
+		if refreshSignature != "" {
+			if err := c.Storage.CreateRefreshTokenSession(ctx, refreshSignature, request.Sanitize([]string{})); err != nil {
+				if rollBackTxnErr := storage.MaybeRollbackTx(ctx, c.Storage); rollBackTxnErr != nil {
+					err = rollBackTxnErr
+				}
+				return errors.WithStack(oauth2.ErrServerError.WithDebugError(err))
+			}
+		}
+
+		response.SetExtra(consts.FormParameterRefreshToken, refresh)
+	}
+
+	response.SetAccessToken(token)
+	response.SetTokenType(oauth2.BearerAccessToken)
+	response.SetExpiresIn(c.getExpiresIn(request, oauth2.AccessToken, c.AccessTokenLifespan, time.Now().UTC()))
+	response.SetScopes(request.GetGrantedScopes())
+
+	return nil
+}
+
+func (c *AccessTokenTypeHandler) canIssueRefreshToken(request oauth2.Requester) bool {
+	// Require one of the refresh token scopes, if set.
+	if len(c.RefreshTokenScopes) > 0 && !request.GetGrantedScopes().HasOneOf(c.RefreshTokenScopes...) {
+		return false
+	}
+	// Do not issue a refresh token to clients that cannot use the refresh token grant type.
+	if !request.GetClient().GetGrantTypes().Has(consts.GrantTypeRefreshToken) {
+		return false
+	}
+	return true
+}
+
+func (c *AccessTokenTypeHandler) getExpiresIn(r oauth2.Requester, key oauth2.TokenType, defaultLifespan time.Duration, now time.Time) time.Duration {
+	if r.GetSession().GetExpiresAt(key).IsZero() {
+		return defaultLifespan
+	}
+	return time.Duration(r.GetSession().GetExpiresAt(key).UnixNano() - now.UnixNano())
+}

handler/rfc8693/actor_token_validation_handler.go

@@ -0,0 +1,63 @@
+package rfc8693
+
+import (
+	"context"
+
+	"github.com/pkg/errors"
+
+	"authelia.com/provider/oauth2"
+	"authelia.com/provider/oauth2/internal/consts"
+	"authelia.com/provider/oauth2/internal/errorsx"
+)
+
+type ActorTokenValidationHandler struct{}
+
+// HandleTokenEndpointRequest implements https://tools.ietf.org/html/rfc6749#section-4.3.2
+func (c *ActorTokenValidationHandler) HandleTokenEndpointRequest(ctx context.Context, request oauth2.AccessRequester) error {
+	if !c.CanHandleTokenEndpointRequest(ctx, request) {
+		return errorsx.WithStack(oauth2.ErrUnknownRequest)
+	}
+
+	client := request.GetClient()
+	session, _ := request.GetSession().(Session)
+	if session == nil {
+		return errorsx.WithStack(oauth2.ErrServerError.WithDebug("Failed to perform token exchange because the session is not of the right type."))
+	}
+
+	// Validate that the actor or client is allowed to make this request
+	subjectTokenObject := session.GetSubjectToken()
+	if mayAct, _ := subjectTokenObject[consts.ClaimAuthorizedActor].(map[string]any); mayAct != nil {
+		actorTokenObject := session.GetActorToken()
+		if actorTokenObject == nil {
+			actorTokenObject = map[string]any{
+				consts.ClaimSubject:          client.GetID(),
+				consts.ClaimClientIdentifier: client.GetID(),
+			}
+		}
+
+		for k, v := range mayAct {
+			if actorTokenObject[k] != v {
+				return errors.WithStack(oauth2.ErrInvalidRequest.WithHint("The actor or client is not authorized to act on behalf of the subject."))
+			}
+		}
+	}
+
+	return nil
+}
+
+// PopulateTokenEndpointResponse implements https://tools.ietf.org/html/rfc6749#section-4.3.3
+func (c *ActorTokenValidationHandler) PopulateTokenEndpointResponse(ctx context.Context, request oauth2.AccessRequester, responder oauth2.AccessResponder) error {
+	return nil
+}
+
+// CanSkipClientAuth indicates if client auth can be skipped
+func (c *ActorTokenValidationHandler) CanSkipClientAuth(ctx context.Context, requester oauth2.AccessRequester) bool {
+	return false
+}
+
+// CanHandleTokenEndpointRequest indicates if the token endpoint request can be handled
+func (c *ActorTokenValidationHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester oauth2.AccessRequester) bool {
+	// grant_type REQUIRED.
+	// Value MUST be set to "password".
+	return requester.GetGrantTypes().ExactOne(consts.GrantTypeOAuthTokenExchange)
+}