Issue app initiated sso to web token

ref DEV-1405
authgear · Jul 2, 2024 · 16c5d86 · 16c5d86
2 parents 7d396e5 + f5c82bf
commit 16c5d86
Show file tree

Hide file tree

Showing 17 changed files with 1,864 additions and 140 deletions.
diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
diff --git a/pkg/lib/authenticationflow/declarative/node_do_use_id_token.go b/pkg/lib/authenticationflow/declarative/node_do_use_id_token.go
@@ -22,7 +22,7 @@ var _ authflow.Milestone = &NodeDoUseIDToken{}
 var _ MilestoneDoUseUser = &NodeDoUseIDToken{}
 
 func NewNodeDoUseIDToken(ctx context.Context, deps *authflow.Dependencies, flows authflow.Flows, n *NodeDoUseIDToken) (*NodeDoUseIDToken, error) {
-	token, err := deps.IDTokens.VerifyIDTokenHintWithoutClient(n.IDToken)
+	token, err := deps.IDTokens.VerifyIDTokenWithoutClient(n.IDToken)
 	if err != nil {
 		return nil, apierrors.NewInvalid("invalid ID token")
 	}

diff --git a/pkg/lib/authenticationflow/dependencies.go b/pkg/lib/authenticationflow/dependencies.go
@@ -211,7 +211,7 @@ type PasskeyService interface {
 }
 
 type IDTokenService interface {
-	VerifyIDTokenHintWithoutClient(idTokenHint string) (jwt.Token, error)
+	VerifyIDTokenWithoutClient(idToken string) (jwt.Token, error)
 }
 
 type LoginIDService interface {

diff --git a/pkg/lib/deps/deps_common.go b/pkg/lib/deps/deps_common.go
@@ -147,6 +147,7 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(oidc.IDTokenHintResolverSessionProvider), new(*idpsession.Provider)),
 		wire.Bind(new(interaction.SessionProvider), new(*idpsession.Provider)),
 		wire.Bind(new(workflow.IDPSessionService), new(*idpsession.Provider)),
+		wire.Bind(new(oauth.IDPSessionProvider), new(*idpsession.Provider)),
 		wire.Bind(new(authenticationflow.IDPSessionService), new(*idpsession.Provider)),
 		wire.Bind(new(sessionlisting.IDPSessionProvider), new(*idpsession.Provider)),
 		wire.Bind(new(facade.IDPSessionManager), new(*idpsession.Manager)),
@@ -323,6 +324,7 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(oauth.OfflineGrantStore), new(*oauthredis.Store)),
 		wire.Bind(new(oauth.AppSessionTokenStore), new(*oauthredis.Store)),
 		wire.Bind(new(oauth.AppSessionStore), new(*oauthredis.Store)),
+		wire.Bind(new(oauth.AppInitiatedSSOToWebTokenStore), new(*oauthredis.Store)),
 		wire.Bind(new(oauth.SettingsActionGrantStore), new(*oauthredis.Store)),
 
 		oauth.DependencySet,
@@ -337,6 +339,8 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(workflow.OfflineGrantStore), new(*oauthredis.Store)),
 		wire.Bind(new(authenticationflow.OfflineGrantStore), new(*oauthredis.Store)),
 		wire.Bind(new(oidc.UIInfoResolverPromptResolver), new(*oauth.PromptResolver)),
+		wire.Bind(new(oauthhandler.AppInitiatedSSOToWebTokenService), new(*oauth.AppInitiatedSSOToWebTokenService)),
+		wire.Bind(new(oauthhandler.OfflineGrantService), new(*oauth.OfflineGrantService)),
 
 		oauthhandler.DependencySet,
 

diff --git a/pkg/lib/oauth/app_initiated_sso_to_web_token.go b/pkg/lib/oauth/app_initiated_sso_to_web_token.go
@@ -0,0 +1,74 @@
+package oauth
+
+import (
+	"time"
+
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/duration"
+)
+
+const (
+	AppInitiatedSSOToWebTokenLifetime = duration.Short
+)
+
+type AppInitiatedSSOToWebToken struct {
+	AppID           string   `json:"app_id"`
+	AuthorizationID string   `json:"authorization_id"`
+	ClientID        string   `json:"client_id"`
+	OfflineGrantID  string   `json:"offline_grant_id"`
+	Scopes          []string `json:"scopes"`
+
+	CreatedAt time.Time `json:"created_at"`
+	ExpireAt  time.Time `json:"expire_at"`
+	TokenHash string    `json:"token_hash"`
+}
+
+type AppInitiatedSSOToWebTokenService struct {
+	Clock clock.Clock
+
+	AppInitiatedSSOToWebTokens AppInitiatedSSOToWebTokenStore
+}
+
+type IssueAppInitiatedSSOToWebTokenResult struct {
+	Token     string
+	TokenHash string
+	TokenType string
+	ExpiresIn int
+}
+
+type IssueAppInitiatedSSOToWebTokenOptions struct {
+	AppID           string
+	ClientID        string
+	OfflineGrantID  string
+	AuthorizationID string
+	Scopes          []string
+}
+
+func (s *AppInitiatedSSOToWebTokenService) IssueAppInitiatedSSOToWebToken(
+	options *IssueAppInitiatedSSOToWebTokenOptions,
+) (*IssueAppInitiatedSSOToWebTokenResult, error) {
+	now := s.Clock.NowUTC()
+	token := GenerateToken()
+	tokenHash := HashToken(token)
+	err := s.AppInitiatedSSOToWebTokens.CreateAppInitiatedSSOToWebToken(&AppInitiatedSSOToWebToken{
+		AppID:           options.AppID,
+		AuthorizationID: options.AuthorizationID,
+		ClientID:        options.ClientID,
+		OfflineGrantID:  options.OfflineGrantID,
+		Scopes:          options.Scopes,
+
+		CreatedAt: now,
+		ExpireAt:  now.Add(AppInitiatedSSOToWebTokenLifetime),
+		TokenHash: tokenHash,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &IssueAppInitiatedSSOToWebTokenResult{
+		Token:     token,
+		TokenHash: tokenHash,
+		TokenType: "Bearer",
+		ExpiresIn: int(AppInitiatedSSOToWebTokenLifetime.Seconds()),
+	}, nil
+}
diff --git a/pkg/lib/oauth/deps.go b/pkg/lib/oauth/deps.go
@@ -18,4 +18,6 @@ var DependencySet = wire.NewSet(
 
 	wire.Struct(new(AppSessionTokenService), "*"),
 	wire.Bind(new(AppSessionTokenServiceOfflineGrantService), new(*OfflineGrantService)),
+
+	wire.Struct(new(AppInitiatedSSOToWebTokenService), "*"),
 )