Merge branch 'master' into closes-180

.travis.yml

@@ -14,5 +14,9 @@ install:
    - glide install
 
 script:
-  - gotestcover -coverprofile="cover.out" -race -covermode="count" $(glide novendor)
-  - goveralls -coverprofile="cover.out"
+  - touch ./coverage.tmp
+  - |
+    echo 'mode: atomic' > coverage.txt
+  - |
+    go list ./... | grep -v /vendor | grep -v /internal | xargs -n1 -I{} sh -c 'go test -race -covermode=atomic -coverprofile=coverage.tmp -coverpkg $(go list ./... | grep -v /vendor | grep -v /internal | tr "\n" ",") {} && tail -n +2 coverage.tmp >> coverage.txt || exit 255' && rm coverage.tmp
+  - goveralls -coverprofile="coverage.txt"

compose/compose.go

@@ -83,6 +83,7 @@ func ComposeAllEnabled(config *Config, storage interface{}, secret []byte, key *
 		OpenIDConnectExplicitFactory,
 		OpenIDConnectImplicitFactory,
 		OpenIDConnectHybridFactory,
+		OpenIDConnectRefreshFactory,
 
 		OAuth2TokenIntrospectionFactory,
 	)

compose/compose_openid.go

@@ -5,8 +5,9 @@ import (
 	"github.com/ory/fosite/handler/openid"
 )
 
-// OpenIDConnectExplicitFactory creates an OpenID Connect explicit ("authorize code flow") grant handler. You must add this handler
-// *after* you have added an OAuth2 authorize code handler!
+// OpenIDConnectExplicitFactory creates an OpenID Connect explicit ("authorize code flow") grant handler.
+//
+// **Important note:** You must add this handler *after* you have added an OAuth2 authorize code handler!
 func OpenIDConnectExplicitFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
 	return &openid.OpenIDConnectExplicitHandler{
 		OpenIDConnectRequestStorage: storage.(openid.OpenIDConnectRequestStorage),
@@ -16,8 +17,20 @@ func OpenIDConnectExplicitFactory(config *Config, storage interface{}, strategy
 	}
 }
 
-// OpenIDConnectImplicitFactory creates an OpenID Connect implicit ("implicit flow") grant handler. You must add this handler
-// *after* you have added an OAuth2 authorize implicit handler!
+// OpenIDConnectRefreshFactory creates a handler for refreshing openid connect tokens.
+//
+// **Important note:** You must add this handler *after* you have added an OAuth2 authorize code handler!
+func OpenIDConnectRefreshFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
+	return &openid.OpenIDConnectRefreshHandler{
+		IDTokenHandleHelper: &openid.IDTokenHandleHelper{
+			IDTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
+		},
+	}
+}
+
+// OpenIDConnectImplicitFactory creates an OpenID Connect implicit ("implicit flow") grant handler.
+//
+// **Important note:** You must add this handler *after* you have added an OAuth2 authorize code handler!
 func OpenIDConnectImplicitFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
 	return &openid.OpenIDConnectImplicitHandler{
 		AuthorizeImplicitGrantTypeHandler: &oauth2.AuthorizeImplicitGrantTypeHandler{
@@ -32,8 +45,9 @@ func OpenIDConnectImplicitFactory(config *Config, storage interface{}, strategy
 	}
 }
 
-// OpenIDConnectHybridFactory creates an OpenID Connect hybrid grant handler. You must add this handler
-// *after* you have added an OAuth2 authorize code and implicit authorize handler!
+// OpenIDConnectHybridFactory creates an OpenID Connect hybrid grant handler.
+//
+// **Important note:** You must add this handler *after* you have added an OAuth2 authorize code handler!
 func OpenIDConnectHybridFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
 	return &openid.OpenIDConnectHybridHandler{
 		AuthorizeExplicitGrantHandler: &oauth2.AuthorizeExplicitGrantHandler{

handler/oauth2/strategy_jwt_session.go

@@ -1,12 +1,11 @@
 package oauth2
 
 import (
-	"bytes"
-	"encoding/gob"
 	"time"
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/token/jwt"
+	"github.com/mohae/deepcopy"
 )
 
 type JWTSessionContainer interface {
@@ -80,11 +79,5 @@ func (s *JWTSession) Clone() fosite.Session {
 		return nil
 	}
 
-	var clone JWTSession
-	var mod bytes.Buffer
-	enc := gob.NewEncoder(&mod)
-	dec := gob.NewDecoder(&mod)
-	_ = enc.Encode(s)
-	_ = dec.Decode(&clone)
-	return &clone
+	return deepcopy.Copy(s).(fosite.Session)
 }

handler/openid/flow_refresh_token.go

@@ -0,0 +1,44 @@
+package openid
+
+import (
+	"context"
+
+	"github.com/ory/fosite"
+	"github.com/pkg/errors"
+	"time"
+)
+
+type OpenIDConnectRefreshHandler struct {
+	*IDTokenHandleHelper
+}
+
+func (c *OpenIDConnectRefreshHandler) HandleTokenEndpointRequest(ctx context.Context, request fosite.AccessRequester) error {
+	if !request.GetGrantTypes().Exact("refresh_token") {
+		return errors.WithStack(fosite.ErrUnknownRequest)
+	}
+
+	if !request.GetGrantedScopes().Has("openid") {
+		return errors.WithStack(fosite.ErrUnknownRequest)
+	}
+
+	sess, ok := request.GetSession().(Session)
+	if !ok {
+		return errors.New("Failed to generate id token because session must be of type fosite/handler/openid.Session")
+	}
+
+	// We need to reset the expires at value
+	sess.IDTokenClaims().ExpiresAt = time.Time{}
+	return nil
+}
+
+func (c *OpenIDConnectRefreshHandler) PopulateTokenEndpointResponse(ctx context.Context, requester fosite.AccessRequester, responder fosite.AccessResponder) error {
+	if !requester.GetGrantTypes().Exact("refresh_token") {
+		return errors.WithStack(fosite.ErrUnknownRequest)
+	}
+
+	if !requester.GetGrantedScopes().Has("openid") {
+		return errors.WithStack(fosite.ErrUnknownRequest)
+	}
+
+	return c.IssueExplicitIDToken(ctx, requester, responder)
+}

handler/openid/strategy_jwt.go

@@ -1,15 +1,14 @@
 package openid
 
 import (
-	"encoding/gob"
 	"time"
-
-	"bytes"
 	"context"
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/token/jwt"
 	"github.com/pkg/errors"
+	"github.com/mohae/deepcopy"
+	"github.com/pborman/uuid"
 )
 
 const defaultExpiryTime = time.Hour
@@ -42,13 +41,7 @@ func (s *DefaultSession) Clone() fosite.Session {
 		return nil
 	}
 
-	var clone DefaultSession
-	var mod bytes.Buffer
-	enc := gob.NewEncoder(&mod)
-	dec := gob.NewDecoder(&mod)
-	_ = enc.Encode(s)
-	_ = dec.Decode(&clone)
-	return &clone
+	return deepcopy.Copy(s).(fosite.Session)
 }
 
 func (s *DefaultSession) SetExpiresAt(key fosite.TokenType, exp time.Time) {
@@ -112,24 +105,24 @@ func (h DefaultStrategy) GenerateIDToken(_ context.Context, requester fosite.Req
 
 	sess, ok := requester.GetSession().(Session)
 	if !ok {
-		return "", errors.New("Session must be of type strategy.Session")
+		return "", errors.New("Failed to generate id token because session must be of type fosite/handler/openid.Session")
 	}
 
 	claims := sess.IDTokenClaims()
 	if requester.GetRequestForm().Get("max_age") != "" && (claims.AuthTime.IsZero() || claims.AuthTime.After(time.Now())) {
-		return "", errors.New("Authentication time claim is required when max_age is set and can not be in the future")
+		return "", errors.New("Failed to generate id token because authentication time claim is required when max_age is set and can not be in the future")
 	}
 
 	if claims.Subject == "" {
-		return "", errors.New("Subject claim can not be empty")
+		return "", errors.New("Failed to generate id token because subject is an empty string")
 	}
 
 	if claims.ExpiresAt.IsZero() {
 		claims.ExpiresAt = time.Now().Add(h.Expiry)
 	}
 
 	if claims.ExpiresAt.Before(time.Now()) {
-		return "", errors.New("Expiry claim can not be in the past")
+		return "", errors.New("Failed to generate id token because expiry claim can not be in the past")
 	}
 
 	if claims.AuthTime.IsZero() {
@@ -143,7 +136,8 @@ func (h DefaultStrategy) GenerateIDToken(_ context.Context, requester fosite.Req
 	nonce := requester.GetRequestForm().Get("nonce")
 	// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
 	if len(nonce) == 0 {
-		// skip this check, no nonce provided
+		// skip this check, no nonce provided, let's use a random one.
+		nonce = uuid.New()
 	} else if len(nonce) < fosite.MinParameterEntropy {
 		// We're assuming that using less then 8 characters for the state can not be considered "unguessable"
 		return "", errors.WithStack(fosite.ErrInsufficientEntropy)

integration/placeholder.go

@@ -0,0 +1 @@
+package integration