

oauth2: get the token from the access_token query parameter (ory#156)
Signed-off-by: Jan Olszak <[email protected]>
budougumi0617 committed Apr 14, 2017
1 parent 4098331 commit ec0d779
Showing 2 changed files with 38 additions and 9 deletions.
12 changes: 11 additions & 1 deletion introspect.go
Expand Up @@ -13,10 +13,20 @@ type TokenIntrospector interface {
}

func AccessTokenFromRequest(req *http.Request) string {
// Acording to https://tools.ietf.org/html/rfc6750 you can pass tokens through:
// - Form-Encoded Body Parameter. Recomended, more likely to appear. e.g.: Authorization: Bearer mytoken123
// - URI Query Parameter e.g. access_token=mytoken123

auth := req.Header.Get("Authorization")
split := strings.SplitN(auth, " ", 2)
if len(split) != 2 || !strings.EqualFold(split[0], "bearer") {
return ""
// Nothing in Authorization header, try access_token
// Empty string returned if there's no such parameter
err := req.ParseForm()
if err != nil {
return ""
}
return req.Form.Get("access_token")
}

return split[1]
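Review bot: The header comment on the line `// - Form-Encoded Body Parameter ...` attaches the `Authorization: Bearer mytoken123` example to the form-encoded body method, but that example is the Authorization request header field (RFC 6750 §2.1); the form-encoded body parameter is §2.2 and the URI query parameter is §2.3. Because `req.ParseForm()` parses both the query string and a form-encoded request body, the new fallback covers §2.2 and §2.3 at once, and §2.3 says the query-string form SHOULD NOT be used unless the other two are impossible, since URLs carrying the token are likely to end up in server logs, referrers and browser history, and that responses to such requests SHOULD carry `Cache-Control: private`. I would reword the three comment lines to `// RFC 6750 accepts a bearer token in the Authorization header (2.1), a form-encoded body (2.2) or, discouraged because URLs get logged, the access_token query parameter (2.3); ParseForm covers the latter two.` and fix the "Acording"/"Recomended" typos while here. The closing brace of AccessTokenFromRequest is outside the hunk.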
35 changes: 27 additions & 8 deletions introspect_test.go
Expand Up @@ -2,7 +2,6 @@ package fosite_test

import (
"net/http"
"net/url"
"testing"

"github.com/golang/mock/gomock"
"golang.org/x/net/context"
)

func TestAccessTokenFromRequestNoToken(t *testing.T) {
req, _ := http.NewRequest("GET", "http://example.com/test", nil)

assert.Equal(t, AccessTokenFromRequest(req), "", "No token should produce an empty string")
}

func TestAccessTokenFromRequestHeader(t *testing.T) {
token := "TokenFromHeader"

req, _ := http.NewRequest("GET", "http://example.com/test", nil)
req.Header.Add("Authorization", "Bearer "+token)

assert.Equal(t, AccessTokenFromRequest(req), token, "Token should be obtainable from header")
}

func TestAccessTokenFromRequestQuery(t *testing.T) {
token := "TokenFromQueryParam"

req, _ := http.NewRequest("GET", "http://example.com/test?access_token="+token, nil)

assert.Equal(t, AccessTokenFromRequest(req), token, "Token should be obtainable from access_token query parameter")
}

func TestIntrospect(t *testing.T) {
ctrl := gomock.NewController(t)
validator := internal.NewMockTokenIntrospector(ctrl)
defer ctrl.Finish()

f := compose.ComposeAllEnabled(new(compose.Config), storage.NewMemoryStore(), []byte{}, nil).(*Fosite)
httpreq := &http.Request{
Header: http.Header{
"Authorization": []string{"bearer some-token"},
},
Form: url.Values{},
}

req, _ := http.NewRequest("GET", "http://example.com/test", nil)
req.Header.Add("Authorization", "bearer some-token")

for k, c := range []struct {
description string
},
} {
c.setup()
_, err := f.IntrospectToken(nil, AccessTokenFromRequest(httpreq), AccessToken, nil, c.scopes...)
_, err := f.IntrospectToken(nil, AccessTokenFromRequest(req), AccessToken, nil, c.scopes...)
assert.True(t, errors.Cause(err) == c.expectErr, "(%d) %s\n%s\n%s", k, c.description, err, c.expectErr)
t.Logf("Passed test case %d", k)
}
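Review bot: The three new tests starting at `func TestAccessTokenFromRequestNoToken` cover the header and query-parameter paths, but not the form-encoded POST body that the `req.ParseForm()` fallback also accepts, nor the precedence when a request carries a Bearer header and a different `access_token` query value (the header should win, and the query test does not pin that). A form-body test needs a `"strings"` import next to `"net/http"`; the precedence case is a two-line extension of TestAccessTokenFromRequestHeader, building the URL as `"http://example.com/test?access_token=other"` and keeping the same assertion. The `req, _ := http.NewRequest(...)` lines discard the error, which is tolerable in a test with a constant URL but `require.NoError` would fail faster if the URL is ever edited.

```go
func TestAccessTokenFromRequestForm(t *testing.T) {
	token := "TokenFromFormBody"

	req, _ := http.NewRequest("POST", "http://example.com/test", strings.NewReader("access_token="+token))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	assert.Equal(t, AccessTokenFromRequest(req), token, "Token should be obtainable from form-encoded body")
}

// … unchanged: TestIntrospect …
```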

