add ClientAuthenticationStrategy

ory · Feb 18, 2021 · 93aaebd · 93aaebd
1 parent c1a6ce3
commit 93aaebd
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 13 deletions.
diff --git a/client_authentication.go b/client_authentication.go
@@ -38,6 +38,9 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 
+// ClientAuthenticationStrategy provides a method signature for authenticating a client request
+type ClientAuthenticationStrategy func(context.Context, *http.Request, url.Values) (Client, error)
+
 const clientAssertionJWTBearerType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 
 func (f *Fosite) findClientPublicJWK(oidcClient OpenIDConnectClient, t *jwt.Token, expectsRSAKey bool) (interface{}, error) {
@@ -66,7 +69,18 @@ func (f *Fosite) findClientPublicJWK(oidcClient OpenIDConnectClient, t *jwt.Toke
 	return nil, errorsx.WithStack(ErrInvalidClient.WithHint("The OAuth 2.0 Client has no JSON Web Keys set registered, but they are needed to complete the request."))
 }
 
+// AuthenticateClient authenticates client requests using the configured strategy
+// `Fosite.ClientAuthenticationStrategy`, if nil it uses `Fosite.DefaultClientAuthenticationStrategy`
 func (f *Fosite) AuthenticateClient(ctx context.Context, r *http.Request, form url.Values) (Client, error) {
+	if f.ClientAuthenticationStrategy == nil {
+		return f.DefaultClientAuthenticationStrategy(ctx, r, form)
+	}
+	return f.ClientAuthenticationStrategy(ctx, r, form)
+}
+
+// DefaultClientAuthenticationStrategy provides the fosite's default client authentication strategy,
+// HTTP Basic Authentication and JWT Bearer
+func (f *Fosite) DefaultClientAuthenticationStrategy(ctx context.Context, r *http.Request, form url.Values) (Client, error) {
 	if assertionType := form.Get("client_assertion_type"); assertionType == clientAssertionJWTBearerType {
 		assertion := form.Get("client_assertion")
 		if len(assertion) == 0 {

diff --git a/compose/compose.go b/compose/compose.go
@@ -58,19 +58,20 @@ func Compose(config *Config, storage interface{}, strategy interface{}, hasher f
 	}
 
 	f := &fosite.Fosite{
-		Store:                      storage.(fosite.Storage),
-		AuthorizeEndpointHandlers:  fosite.AuthorizeEndpointHandlers{},
-		TokenEndpointHandlers:      fosite.TokenEndpointHandlers{},
-		TokenIntrospectionHandlers: fosite.TokenIntrospectionHandlers{},
-		RevocationHandlers:         fosite.RevocationHandlers{},
-		Hasher:                     hasher,
-		ScopeStrategy:              config.GetScopeStrategy(),
-		AudienceMatchingStrategy:   config.GetAudienceStrategy(),
-		SendDebugMessagesToClients: config.SendDebugMessagesToClients,
-		TokenURL:                   config.TokenURL,
-		JWKSFetcherStrategy:        config.GetJWKSFetcherStrategy(),
-		MinParameterEntropy:        config.GetMinParameterEntropy(),
-		UseLegacyErrorFormat:       config.UseLegacyErrorFormat,
+		Store:                        storage.(fosite.Storage),
+		AuthorizeEndpointHandlers:    fosite.AuthorizeEndpointHandlers{},
+		TokenEndpointHandlers:        fosite.TokenEndpointHandlers{},
+		TokenIntrospectionHandlers:   fosite.TokenIntrospectionHandlers{},
+		RevocationHandlers:           fosite.RevocationHandlers{},
+		Hasher:                       hasher,
+		ScopeStrategy:                config.GetScopeStrategy(),
+		AudienceMatchingStrategy:     config.GetAudienceStrategy(),
+		SendDebugMessagesToClients:   config.SendDebugMessagesToClients,
+		TokenURL:                     config.TokenURL,
+		JWKSFetcherStrategy:          config.GetJWKSFetcherStrategy(),
+		MinParameterEntropy:          config.GetMinParameterEntropy(),
+		UseLegacyErrorFormat:         config.UseLegacyErrorFormat,
+		ClientAuthenticationStrategy: config.GetClientAuthenticationStrategy(),
 	}
 
 	for _, factory := range factories {

diff --git a/compose/config.go b/compose/config.go
@@ -111,6 +111,9 @@ type Config struct {
 
 	// GrantTypeJWTBearerMaxDuration sets the maximum time after JWT issued date, during which the JWT is considered valid.
 	GrantTypeJWTBearerMaxDuration time.Duration
+
+	// ClientAuthenticationStrategy indicates the Strategy to authenticate client requests
+	ClientAuthenticationStrategy fosite.ClientAuthenticationStrategy
 }
 
 // GetScopeStrategy returns the scope strategy to be used. Defaults to glob scope strategy.
@@ -221,3 +224,11 @@ func (c *Config) GetJWTMaxDuration() time.Duration {
 	}
 	return c.GrantTypeJWTBearerMaxDuration
 }
+
+// GetClientAuthenticationStrategy returns the configured client authentication strategy.
+// Defaults to nil.
+// Note that on a nil strategy `fosite.Fosite` fallbacks to its default client authentication strategy
+// `fosite.Fosite.DefaultClientAuthenticationStrategy`
+func (c *Config) GetClientAuthenticationStrategy() fosite.ClientAuthenticationStrategy {
+	return c.ClientAuthenticationStrategy
+}
diff --git a/fosite.go b/fosite.go
@@ -110,6 +110,9 @@ type Fosite struct {
 
 	// FormPostHTMLTemplate sets html template for rendering the authorization response when the request has response_mode=form_post. Defaults to fosite.FormPostDefaultTemplate
 	FormPostHTMLTemplate *template.Template
+
+	// ClientAuthenticationStrategy provides an extension point to plug a strategy to authenticate clients
+	ClientAuthenticationStrategy ClientAuthenticationStrategy
 }
 
 const MinParameterEntropy = 8