feat: [#628] PAR implementation

authorize_request_handler.go

@@ -46,7 +46,7 @@ func wrapSigningKeyFailure(outer *RFC6749Error, inner error) *RFC6749Error {
 	return outer
 }
 
-func (f *Fosite) authorizeRequestParametersFromOpenIDConnectRequest(request *AuthorizeRequest) error {
+func (f *Fosite) authorizeRequestParametersFromOpenIDConnectRequest(request *AuthorizeRequest, isPARRequest bool) error {
 	var scope Arguments = RemoveEmpty(strings.Split(request.Form.Get("scope"), " "))
 
 	// Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using
@@ -158,6 +158,12 @@ func (f *Fosite) authorizeRequestParametersFromOpenIDConnectRequest(request *Aut
 	}
 
 	claims := token.Claims
+	// Reject the request if the "request_uri" authorization request
+	// parameter is provided.
+	if requestURI, _ := claims["request_uri"].(string); isPARRequest && requestURI != "" {
+		return errorsx.WithStack(ErrInvalidRequestObject.WithHint("Pushed Authorization Requests can not contain the 'request_uri' parameter."))
+	}
+
 	for k, v := range claims {
 		request.Form.Set(k, fmt.Sprintf("%s", v))
 	}
@@ -275,7 +281,51 @@ func (f *Fosite) validateResponseMode(r *http.Request, request *AuthorizeRequest
 	return nil
 }
 
+func (f *Fosite) authorizeRequestFromPAR(ctx context.Context, r *http.Request, request *AuthorizeRequest) (bool, error) {
+	requestURI := r.Form.Get("request_uri")
+	if requestURI == "" || !strings.HasPrefix(requestURI, f.PushedAuthorizationRequestURIPrefix) {
+		// nothing to do here
+		return false, nil
+	}
+
+	clientID := r.Form.Get("client_id")
+
+	storage, ok := f.Store.(PARStorage)
+	if !ok {
+		return false, errorsx.WithStack(ErrServerError.WithHint("Invalid storage").WithDebug("PARStorage not implemented"))
+	}
+
+	// hydrate the requester
+	var parRequest AuthorizeRequester
+	var err error
+	if parRequest, err = storage.GetPARSession(ctx, requestURI); err != nil {
+		return false, errorsx.WithStack(ErrInvalidRequestURI.WithHint("Invalid PAR session").WithWrap(err).WithDebug(err.Error()))
+	}
+
+	// hydrate the request object
+	request.Merge(parRequest)
+	request.RedirectURI = parRequest.GetRedirectURI()
+	request.ResponseTypes = parRequest.GetResponseTypes()
+	request.State = parRequest.GetState()
+	request.ResponseMode = parRequest.GetResponseMode()
+
+	if err := storage.DeletePARSession(ctx, requestURI); err != nil {
+		return false, errorsx.WithStack(ErrServerError.WithWrap(err).WithDebug(err.Error()))
+	}
+
+	// validate the clients match
+	if clientID != request.GetClient().GetID() {
+		return false, errorsx.WithStack(ErrInvalidRequest.WithHint("The 'client_id' must match the one sent in the pushed authorization request."))
+	}
+
+	return true, nil
+}
+
 func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error) {
+	return f.newAuthorizeRequest(ctx, r, false)
+}
+
+func (f *Fosite) newAuthorizeRequest(ctx context.Context, r *http.Request, isPARRequest bool) (AuthorizeRequester, error) {
 	request := NewAuthorizeRequest()
 	request.Request.Lang = i18n.GetLangFromRequest(f.MessageCatalog, r)
 
@@ -290,6 +340,18 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	// Save state to the request to be returned in error conditions (https://github.com/ory/hydra/issues/1642)
 	request.State = request.Form.Get("state")
 
+	// Check if this is a continuation from a pushed authorization request
+	if !isPARRequest {
+		if isPAR, err := f.authorizeRequestFromPAR(ctx, r, request); err != nil {
+			return request, err
+		} else if isPAR {
+			// No need to continue
+			return request, nil
+		} else if f.EnforcePushedAuthorization {
+			return request, errorsx.WithStack(ErrInvalidRequest.WithHint("Pushed Authorization Requests are enforced but no such request was sent."))
+		}
+	}
+
 	client, err := f.Store.GetClient(ctx, request.GetRequestForm().Get("client_id"))
 	if err != nil {
 		return request, errorsx.WithStack(ErrInvalidClient.WithHint("The requested OAuth 2.0 Client does not exist.").WithWrap(err).WithDebug(err.Error()))
@@ -301,7 +363,7 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	//
 	// All other parse methods should come afterwards so that we ensure that the data is taken
 	// from the request_object if set.
-	if err := f.authorizeRequestParametersFromOpenIDConnectRequest(request); err != nil {
+	if err := f.authorizeRequestParametersFromOpenIDConnectRequest(request, isPARRequest); err != nil {
 		return request, err
 	}
 

authorize_request_handler_oidc_request_test.go

@@ -211,7 +211,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequest(t *testing.T) {
 				},
 			}
 
-			err := f.authorizeRequestParametersFromOpenIDConnectRequest(req)
+			err := f.authorizeRequestParametersFromOpenIDConnectRequest(req, false)
 			if tc.expectErr != nil {
 				require.EqualError(t, err, tc.expectErr.Error(), "%+v", err)
 				if tc.expectErrReason != "" {

compose/compose.go

@@ -23,11 +23,17 @@ package compose
 
 import (
 	"crypto/rsa"
+	"time"
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/token/jwt"
 )
 
+const (
+	defaultPARPrefix          = "urn:ietf:params:oauth:request_uri:"
+	defaultPARContextLifetime = 5 * time.Minute
+)
+
 type Factory func(config *Config, storage interface{}, strategy interface{}) interface{}
 
 // Compose takes a config, a storage, a strategy and handlers to instantiate an OAuth2Provider:
@@ -53,28 +59,32 @@ type Factory func(config *Config, storage interface{}, strategy interface{}) int
 //
 // Compose makes use of interface{} types in order to be able to handle a all types of stores, strategies and handlers.
 func Compose(config *Config, storage interface{}, strategy interface{}, hasher fosite.Hasher, factories ...Factory) fosite.OAuth2Provider {
+	setDefaults(config)
 	if hasher == nil {
 		hasher = &fosite.BCrypt{WorkFactor: config.GetHashCost()}
 	}
 
 	f := &fosite.Fosite{
-		Store:                        storage.(fosite.Storage),
-		AuthorizeEndpointHandlers:    fosite.AuthorizeEndpointHandlers{},
-		TokenEndpointHandlers:        fosite.TokenEndpointHandlers{},
-		TokenIntrospectionHandlers:   fosite.TokenIntrospectionHandlers{},
-		RevocationHandlers:           fosite.RevocationHandlers{},
-		Hasher:                       hasher,
-		ScopeStrategy:                config.GetScopeStrategy(),
-		AudienceMatchingStrategy:     config.GetAudienceStrategy(),
-		SendDebugMessagesToClients:   config.SendDebugMessagesToClients,
-		TokenURL:                     config.TokenURL,
-		JWKSFetcherStrategy:          config.GetJWKSFetcherStrategy(),
-		MinParameterEntropy:          config.GetMinParameterEntropy(),
-		UseLegacyErrorFormat:         config.UseLegacyErrorFormat,
-		ClientAuthenticationStrategy: config.GetClientAuthenticationStrategy(),
-		ResponseModeHandlerExtension: config.ResponseModeHandlerExtension,
-		MessageCatalog:               config.MessageCatalog,
-		FormPostHTMLTemplate:         config.FormPostHTMLTemplate,
+		Store:                               storage.(fosite.Storage),
+		AuthorizeEndpointHandlers:           fosite.AuthorizeEndpointHandlers{},
+		TokenEndpointHandlers:               fosite.TokenEndpointHandlers{},
+		TokenIntrospectionHandlers:          fosite.TokenIntrospectionHandlers{},
+		RevocationHandlers:                  fosite.RevocationHandlers{},
+		Hasher:                              hasher,
+		ScopeStrategy:                       config.GetScopeStrategy(),
+		AudienceMatchingStrategy:            config.GetAudienceStrategy(),
+		SendDebugMessagesToClients:          config.SendDebugMessagesToClients,
+		TokenURL:                            config.TokenURL,
+		JWKSFetcherStrategy:                 config.GetJWKSFetcherStrategy(),
+		MinParameterEntropy:                 config.GetMinParameterEntropy(),
+		UseLegacyErrorFormat:                config.UseLegacyErrorFormat,
+		ClientAuthenticationStrategy:        config.GetClientAuthenticationStrategy(),
+		ResponseModeHandlerExtension:        config.ResponseModeHandlerExtension,
+		MessageCatalog:                      config.MessageCatalog,
+		FormPostHTMLTemplate:                config.FormPostHTMLTemplate,
+		PushedAuthorizationRequestURIPrefix: config.PushedAuthorizationRequestURIPrefix,
+		PushedAuthorizationContextLifespan:  config.PushedAuthorizationContextLifespan,
+		EnforcePushedAuthorization:          config.EnforcePushedAuthorization,
 	}
 
 	for _, factory := range factories {
@@ -91,6 +101,9 @@ func Compose(config *Config, storage interface{}, strategy interface{}, hasher f
 		if rh, ok := res.(fosite.RevocationHandler); ok {
 			f.RevocationHandlers.Append(rh)
 		}
+		if ph, ok := res.(fosite.PushedAuthorizeEndpointHandler); ok {
+			f.PushedAuthorizeEndpointHandlers.Append(ph)
+		}
 	}
 
 	return f
@@ -126,5 +139,16 @@ func ComposeAllEnabled(config *Config, storage interface{}, secret []byte, key *
 		OAuth2TokenRevocationFactory,
 
 		OAuth2PKCEFactory,
+		PushedAuthorizeHandlerFactory,
 	)
 }
+
+func setDefaults(config *Config) {
+	if config.PushedAuthorizationRequestURIPrefix == "" {
+		config.PushedAuthorizationRequestURIPrefix = defaultPARPrefix
+	}
+
+	if config.PushedAuthorizationContextLifespan <= 0 {
+		config.PushedAuthorizationContextLifespan = defaultPARContextLifetime
+	}
+}

compose/compose_par.go

@@ -0,0 +1,17 @@
+package compose
+
+import (
+	"github.com/ory/fosite/handler/par"
+)
+
+// PushedAuthorizeHandlerFactory creates the basic PAR handler
+func PushedAuthorizeHandlerFactory(config *Config, storage interface{}, strategy interface{}) interface{} {
+	return &par.PushedAuthorizeHandler{
+		Storage:                  storage,
+		RequestURIPrefix:         config.PushedAuthorizationRequestURIPrefix,
+		PARContextLifetime:       config.PushedAuthorizationContextLifespan,
+		ScopeStrategy:            config.GetScopeStrategy(),
+		AudienceMatchingStrategy: config.GetAudienceStrategy(),
+		IsRedirectURISecure:      config.GetRedirectSecureChecker(),
+	}
+}

compose/config.go

@@ -125,6 +125,16 @@ type Config struct {
 
 	// FormPostHTMLTemplate sets html template for rendering the authorization response when the request has response_mode=form_post.
 	FormPostHTMLTemplate *template.Template
+
+	// PushedAuthorizationRequestURIPrefix is the URI prefix for the PAR request_uri.
+	// This is defaulted to 'urn:ietf:params:oauth:request_uri:'.
+	PushedAuthorizationRequestURIPrefix string
+
+	// PushedAuthorizationContextLifespan is the lifespan of the PAR context
+	PushedAuthorizationContextLifespan time.Duration
+
+	// EnforcePushedAuthorization enforces pushed authorization request for /authorize
+	EnforcePushedAuthorization bool
 }
 
 // GetScopeStrategy returns the scope strategy to be used. Defaults to glob scope strategy.

context.go

@@ -35,4 +35,6 @@ const (
 	AccessResponseContextKey    = ContextKey("accessResponse")
 	AuthorizeRequestContextKey  = ContextKey("authorizeRequest")
 	AuthorizeResponseContextKey = ContextKey("authorizeResponse")
+	// PushedAuthorizeResponseContextKey is the response context
+	PushedAuthorizeResponseContextKey = ContextKey("pushedAuthorizeResponse")
 )

fosite.go

@@ -25,6 +25,7 @@ import (
 	"html/template"
 	"net/http"
 	"reflect"
+	"time"
 
 	"github.com/ory/fosite/i18n"
 )
@@ -85,19 +86,34 @@ func (t *RevocationHandlers) Append(h RevocationHandler) {
 	*t = append(*t, h)
 }
 
+// PushedAuthorizeEndpointHandlers is a list of PushedAuthorizeEndpointHandler
+type PushedAuthorizeEndpointHandlers []PushedAuthorizeEndpointHandler
+
+// Append adds an AuthorizeEndpointHandler to this list. Ignores duplicates based on reflect.TypeOf.
+func (a *PushedAuthorizeEndpointHandlers) Append(h PushedAuthorizeEndpointHandler) {
+	for _, this := range *a {
+		if reflect.TypeOf(this) == reflect.TypeOf(h) {
+			return
+		}
+	}
+
+	*a = append(*a, h)
+}
+
 // Fosite implements OAuth2Provider.
 type Fosite struct {
-	Store                      Storage
-	AuthorizeEndpointHandlers  AuthorizeEndpointHandlers
-	TokenEndpointHandlers      TokenEndpointHandlers
-	TokenIntrospectionHandlers TokenIntrospectionHandlers
-	RevocationHandlers         RevocationHandlers
-	Hasher                     Hasher
-	ScopeStrategy              ScopeStrategy
-	AudienceMatchingStrategy   AudienceMatchingStrategy
-	JWKSFetcherStrategy        JWKSFetcherStrategy
-	HTTPClient                 *http.Client
-	UseLegacyErrorFormat       bool
+	Store                           Storage
+	AuthorizeEndpointHandlers       AuthorizeEndpointHandlers
+	TokenEndpointHandlers           TokenEndpointHandlers
+	TokenIntrospectionHandlers      TokenIntrospectionHandlers
+	RevocationHandlers              RevocationHandlers
+	PushedAuthorizeEndpointHandlers PushedAuthorizeEndpointHandlers
+	Hasher                          Hasher
+	ScopeStrategy                   ScopeStrategy
+	AudienceMatchingStrategy        AudienceMatchingStrategy
+	JWKSFetcherStrategy             JWKSFetcherStrategy
+	HTTPClient                      *http.Client
+	UseLegacyErrorFormat            bool
 
 	// TokenURL is the the URL of the Authorization Server's Token Endpoint.
 	TokenURL string
@@ -120,6 +136,16 @@ type Fosite struct {
 
 	// MessageCatalog is the catalog of messages used for i18n
 	MessageCatalog i18n.MessageCatalog
+
+	// PushedAuthorizationRequestURIPrefix is the URI prefix for the PAR request_uri.
+	// This is defaulted to 'urn:ietf:params:oauth:request_uri:'.
+	PushedAuthorizationRequestURIPrefix string
+
+	// PushedAuthorizationContextLifespan is the lifespan of the PAR context
+	PushedAuthorizationContextLifespan time.Duration
+
+	// EnforcePushedAuthorization enforces pushed authorization request for /authorize
+	EnforcePushedAuthorization bool
 }
 
 const MinParameterEntropy = 8

fosite_test.go

@@ -29,6 +29,7 @@ import (
 
 	. "github.com/ory/fosite"
 	"github.com/ory/fosite/handler/oauth2"
+	"github.com/ory/fosite/handler/par"
 )
 
 func TestAuthorizeEndpointHandlers(t *testing.T) {
@@ -64,6 +65,15 @@ func TestAuthorizedRequestValidators(t *testing.T) {
 	assert.Equal(t, hs[0], h)
 }
 
+func TestPushedAuthorizedRequestHandlers(t *testing.T) {
+	h := &par.PushedAuthorizeHandler{}
+	hs := PushedAuthorizeEndpointHandlers{}
+	hs.Append(h)
+	hs.Append(h)
+	require.Len(t, hs, 1)
+	assert.Equal(t, hs[0], h)
+}
+
 func TestMinParameterEntropy(t *testing.T) {
 	f := Fosite{}
 	assert.Equal(t, MinParameterEntropy, f.GetMinParameterEntropy())

handler.go

@@ -76,3 +76,11 @@ type RevocationHandler interface {
 	// RevokeToken handles access and refresh token revocation.
 	RevokeToken(ctx context.Context, token string, tokenType TokenType, client Client) error
 }
+
+// PushedAuthorizeEndpointHandler is the interface that handles PAR (https://datatracker.ietf.org/doc/html/rfc9126)
+type PushedAuthorizeEndpointHandler interface {
+	// HandlePushedAuthorizeRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request
+	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
+	// the pushed authorize request, he must return nil and NOT modify session nor responder neither requester.
+	HandlePushedAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder PushedAuthorizeResponder) error
+}