Update OAuth2 dependency #518
- package "crypto/rand" is being imported twice
- Remove unused reference
- Upgrade to golang/x/oauth2

Resolves #518
Bruno Oliveira da Silva committed Jun 22, 2020
1 parent b48a022 commit 0395e26
Showing 12 changed files with 142 additions and 123 deletions.
12 changes: 6 additions & 6 deletions doc.go
Expand Up @@ -438,10 +438,10 @@ type userContext struct {

// tokenResponse
type tokenResponse struct {
TokenType string `json:"token_type"`
AccessToken string `json:"access_token"`
IDToken string `json:"id_token"`
RefreshToken string `json:"refresh_token,omitempty"`
ExpiresIn int `json:"expires_in"`
Scope string `json:"scope,omitempty"`
TokenType string `json:"token_type"`
AccessToken string `json:"access_token"`
IDToken string `json:"id_token"`
RefreshToken string `json:"refresh_token,omitempty"`
ExpiresIn float64 `json:"expires_in"`
Scope string `json:"scope,omitempty"`
}
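Review bot: The switch to `ExpiresIn float64` is not explained on the struct, and the reason lives in another file: loginHandler now reads `token.Extra("expires_in").(float64)` because encoding/json decodes untyped JSON numbers into float64. RFC 6749 describes expires_in as the token lifetime in seconds and providers send it as an integer, so the change is harmless for whole values (encoding/json emits `300`, not `300.0`), but a reader of doc.go cannot see that. Suggested comment above the field: `// float64 rather than int because oauth2.Token.Extra yields JSON numbers as float64; providers send whole seconds`. The bare `// tokenResponse` doc comment would also be worth completing, e.g. `// tokenResponse is the JSON body written by loginHandler after a password grant`.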
12 changes: 6 additions & 6 deletions forwarding.go
Expand Up @@ -16,6 +16,7 @@ limitations under the License.
package main

import (
"context"
"fmt"
"net/http"
"time"
Expand Down Expand Up @@ -86,10 +87,9 @@ func (r *oauthProxy) proxyMiddleware(next http.Handler) http.Handler {

// forwardProxyHandler is responsible for signing outbound requests
func (r *oauthProxy) forwardProxyHandler() func(*http.Request, *http.Response) {
client, err := r.client.OAuthClient()
if err != nil {
r.log.Fatal("failed to create oauth client", zap.Error(err))
}
ctx := context.Background()
conf := r.newOAuth2Config(r.config.RedirectionURL)

// the loop state
var state struct {
// the access token
Expand Down Expand Up @@ -118,7 +118,7 @@ func (r *oauthProxy) forwardProxyHandler() func(*http.Request, *http.Response) {
zap.String("username", r.config.ForwardingUsername))

// step: login into the service
resp, err := client.UserCredsToken(r.config.ForwardingUsername, r.config.ForwardingPassword)
resp, err := conf.PasswordCredentialsToken(ctx, r.config.ForwardingUsername, r.config.ForwardingPassword)
if err != nil {
r.log.Error("failed to login to authentication service", zap.Error(err))
// step: back-off and reschedule
Expand Down Expand Up @@ -160,7 +160,7 @@ func (r *oauthProxy) forwardProxyHandler() func(*http.Request, *http.Response) {
zap.String("expires", state.expiration.Format(time.RFC3339)))

// step: attempt to refresh the access
token, newRefreshToken, expiration, _, err := getRefreshedToken(r.client, state.refresh)
token, newRefreshToken, expiration, _, err := getRefreshedToken(conf, state.refresh)
if err != nil {
state.login = true
switch err {
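Review bot: `ctx := context.Background()` at the top of forwardProxyHandler carries neither a deadline nor an `oauth2.HTTPClient` value, so `conf.PasswordCredentialsToken(ctx, …)` in the login step runs on http.DefaultClient, which has no timeout; a token endpoint that accepts the connection and then stalls would block the forwarding loop indefinitely instead of hitting the back-off path below it. Either derive a bounded context per attempt, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` immediately before the login call with `cancel()` right after it (value illustrative), or install a bounded client once with `ctx = context.WithValue(ctx, oauth2.HTTPClient, &http.Client{Timeout: 5 * time.Second})`, which is what logoutHandler already does for the revocation request (this needs golang.org/x/oauth2 imported in forwarding.go if it is not already). The refresh path `getRefreshedToken(conf, state.refresh)` presumably has the same exposure if it builds its own context; getRefreshedToken and the rest of forwardProxyHandler are outside this hunk.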
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -19,18 +19,18 @@ require (
github.com/onsi/ginkgo v1.8.0 // indirect
github.com/onsi/gomega v1.5.0 // indirect
github.com/pkg/errors v0.8.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v0.9.2
github.com/rs/cors v1.6.0
github.com/stretchr/testify v1.2.2
github.com/stretchr/testify v1.5.1
github.com/unrolled/secure v0.0.0-20181221173256-0d6b5bb13069
github.com/urfave/cli v0.0.0-20181029213200-b67dcf995b6a
go.etcd.io/bbolt v1.3.3 // indirect
go.uber.org/atomic v1.3.2 // indirect
go.uber.org/multierr v1.1.0 // indirect
go.uber.org/zap v1.9.1
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc
golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
golang.org/x/sys v0.0.0-20200302083256-062a44052db1 // indirect
gopkg.in/bsm/ratelimit.v1 v1.0.0-20160220154919-db14e161995a // indirect
gopkg.in/redis.v4 v4.2.4
22 changes: 18 additions & 4 deletions go.sum
@@ -1,3 +1,4 @@
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4=
github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
Expand All @@ -12,6 +13,7 @@ github.com/coreos/go-oidc v0.0.0-20171020180921-e860bd55bfa7 h1:UeXD8Kli+SWhDlj1
github.com/coreos/go-oidc v0.0.0-20171020180921-e860bd55bfa7/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f h1:lBNOc5arjvs8E5mO2tbpBpLoyyu8B6e44T7hJy6potg=
github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/elazarl/goproxy v0.0.0-20181111060418-2ce16c963a8a h1:A4wNiqeKqU56ZhtnzJCTyPZ1+cyu8jKtIchQ3TtxHgw=
Expand Down Expand Up @@ -55,8 +57,9 @@ github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a h1:9a8MnZMP0X2nL
github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/rs/cors v1.6.0 h1:G9tHG9lebljV9mfp9SNPDL36nCDxmo3zTlAf1YgvzmI=
github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/unrolled/secure v0.0.0-20181221173256-0d6b5bb13069 h1:RKeYksgIwGE8zFJTvXI1WWx09QPrGyaVFMy0vpU7j/o=
github.com/unrolled/secure v0.0.0-20181221173256-0d6b5bb13069/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
github.com/urfave/cli v0.0.0-20181029213200-b67dcf995b6a h1:qzVPM2q9ifOxaIVx4kyJvCHXsMNDTLgzu/29aqIuyB8=
Expand All @@ -69,20 +72,31 @@ go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7 h1:0hQKqeLdqlt5iIwVOBErRisrHJAN57yOiPRQItI20fU=
golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc h1:a3CU5tJYVj92DY2LaA1kUkrsqD5/3mLDhx2NcNqyW+0=
golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f h1:Bl/8QSvNqXvPGPGXa2z5xUTmV7VDcZyvRZ+QQXkXTZQ=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200302083256-062a44052db1 h1:trYYa2hBaTeei9Bq2uAXwsfNYW4r+xD/tztngRsT0cQ=
golang.org/x/sys v0.0.0-20200302083256-062a44052db1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
gopkg.in/bsm/ratelimit.v1 v1.0.0-20160220154919-db14e161995a h1:stTHdEoWg1pQ8riaP5ROrjS6zy6wewH/Q2iwnLCQUXY=
gopkg.in/bsm/ratelimit.v1 v1.0.0-20160220154919-db14e161995a/go.mod h1:KF9sEfUPAXdG8Oev9e99iLGnl2uJMjc5B+4y3O7x610=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
86 changes: 41 additions & 45 deletions handlers.go
Expand Up @@ -17,6 +17,7 @@ package main

import (
"bytes"
"context"
"encoding/base64"
"encoding/json"
"errors"
Expand All @@ -31,8 +32,8 @@ import (
"strings"
"time"

"github.com/coreos/go-oidc/oauth2"
"github.com/coreos/go-oidc/oidc"
"golang.org/x/oauth2"

"github.com/go-chi/chi"
"go.uber.org/zap"
Expand Down Expand Up @@ -72,22 +73,17 @@ func (r *oauthProxy) oauthAuthorizationHandler(w http.ResponseWriter, req *http.
w.WriteHeader(http.StatusNotAcceptable)
return
}
client, err := r.getOAuthClient(r.getRedirectionURL(w, req), getClientAuthMethod(r.config.ClientAuthMethod))
if err != nil {
r.log.Error("failed to retrieve the oauth client for authorization", zap.Error(err))
w.WriteHeader(http.StatusInternalServerError)
return
}
conf := r.newOAuth2Config(r.getRedirectionURL(w, req))

// step: set the access type of the session
var accessType string
accessType := oauth2.AccessTypeOnline
if containedIn("offline", r.config.Scopes) {
accessType = "offline"
accessType = oauth2.AccessTypeOffline
}

authURL := client.AuthCodeURL(req.URL.Query().Get("state"), accessType, "")
authURL := conf.AuthCodeURL(req.URL.Query().Get("state"), accessType)
r.log.Debug("incoming authorization request from client address",
zap.String("access_type", accessType),
zap.Any("access_type", accessType),
zap.String("auth_url", authURL),
zap.String("client_ip", req.RemoteAddr))

Expand All @@ -104,18 +100,6 @@ func (r *oauthProxy) oauthAuthorizationHandler(w http.ResponseWriter, req *http.
r.redirectToURL(authURL, w, req, http.StatusSeeOther)
}

// getClientAuthMethod maps the config value CLIENT_AUTH_METHOD to valid OAuth2 auth method keys
func getClientAuthMethod(authMethod string) string {
switch authMethod {
case authMethodBasic:
return oauth2.AuthMethodClientSecretBasic
case authMethodBody:
return oauth2.AuthMethodClientSecretPost
default:
return ""
}
}

// oauthCallbackHandler is responsible for handling the response from oauth service
func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Request) {
if r.config.SkipTokenVerification {
Expand All @@ -129,14 +113,9 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
return
}

client, err := r.getOAuthClient(r.getRedirectionURL(w, req), getClientAuthMethod(r.config.ClientAuthMethod))
if err != nil {
r.log.Error("unable to create a oauth2 client", zap.Error(err))
w.WriteHeader(http.StatusInternalServerError)
return
}
conf := r.newOAuth2Config(r.getRedirectionURL(w, req))

resp, err := exchangeAuthenticationCode(client, code)
resp, err := exchangeAuthenticationCode(conf, code)
if err != nil {
r.log.Error("unable to exchange code for access token", zap.Error(err))
r.accessForbidden(w, req)
Expand All @@ -146,12 +125,20 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
// Flow: once we exchange the authorization code we parse the ID Token; we then check for an access token,
// if an access token is present and we can decode it, we use that as the session token, otherwise we default
// to the ID Token.
token, identity, err := parseToken(resp.IDToken)
rawIDToken, ok := resp.Extra("id_token").(string)
if !ok {
r.log.Error("unable to obtain id token", zap.Error(err))
r.accessForbidden(w, req)
return
}

token, identity, err := parseToken(rawIDToken)
if err != nil {
r.log.Error("unable to parse id token for identity", zap.Error(err))
r.accessForbidden(w, req)
return
}

access, id, err := parseToken(resp.AccessToken)
if err == nil {
token = access
Expand Down Expand Up @@ -195,7 +182,7 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
return
}
// drop in the access token - cookie expiration = access token
r.dropAccessTokenCookie(req, w, accessToken, r.getAccessCookieExpiration(token, resp.RefreshToken))
r.dropAccessTokenCookie(req, w, accessToken, r.getAccessCookieExpiration(resp.RefreshToken))

var expiration time.Duration
// notes: not all idp refresh tokens are readable, google for example, so we attempt to decode into
Expand Down Expand Up @@ -235,6 +222,8 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
// loginHandler provide's a generic endpoint for clients to perform a user_credentials login to the provider
func (r *oauthProxy) loginHandler(w http.ResponseWriter, req *http.Request) {
errorMsg, code, err := func() (string, int, error) {
ctx := context.Background()

if !r.config.EnableLoginHandler {
return "attempt to login when login handler is disabled", http.StatusNotImplemented, errors.New("login handler disabled")
}
Expand All @@ -244,15 +233,13 @@ func (r *oauthProxy) loginHandler(w http.ResponseWriter, req *http.Request) {
return "request does not have both username and password", http.StatusBadRequest, errors.New("no credentials")
}

client, err := r.client.OAuthClient()
if err != nil {
return "unable to create the oauth client for user_credentials request", http.StatusInternalServerError, err
}
conf := r.newOAuth2Config(r.getRedirectionURL(w, req))

start := time.Now()
token, err := client.UserCredsToken(username, password)
token, err := conf.PasswordCredentialsToken(ctx, username, password)

if err != nil {
if strings.HasPrefix(err.Error(), oauth2.ErrorInvalidGrant) {
if !token.Valid() {
return "invalid user credentials provided", http.StatusUnauthorized, err
}
return "unable to request the access token via grant_type 'password'", http.StatusInternalServerError, err
Expand All @@ -271,12 +258,21 @@ func (r *oauthProxy) loginHandler(w http.ResponseWriter, req *http.Request) {
oauthTokensMetric.WithLabelValues("login").Inc()

w.Header().Set("Content-Type", "application/json")
idToken, ok := token.Extra("id_token").(string)
if !ok {
return "", http.StatusInternalServerError, fmt.Errorf("token response does not contain an id_token")
}
expiresIn, ok := token.Extra("expires_in").(float64)
if !ok {
return "", http.StatusInternalServerError, fmt.Errorf("token response does not contain expires_in")
}
scope, _ := token.Extra("scope").(string)
if err := json.NewEncoder(w).Encode(tokenResponse{
IDToken: token.IDToken,
IDToken: idToken,
AccessToken: token.AccessToken,
RefreshToken: token.RefreshToken,
ExpiresIn: token.Expires,
Scope: token.Scope,
ExpiresIn: expiresIn,
Scope: scope,
}); err != nil {
return "", http.StatusInternalServerError, err
}
Expand Down Expand Up @@ -321,6 +317,7 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) {

// step: can either use the id token or the refresh token
identityToken := user.token.Encode()
//nolint:vetshadow
if refresh, _, err := r.retrieveRefreshToken(req, user); err == nil {
identityToken = refresh
}
Expand All @@ -332,7 +329,7 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) {
// step: check if the user has a state session and if so revoke it
if r.useStore() {
go func() {
if err := r.DeleteRefreshToken(user.token); err != nil {
if err = r.DeleteRefreshToken(user.token); err != nil {
r.log.Error("unable to remove the refresh token from store", zap.Error(err))
}
}()
Expand Down Expand Up @@ -366,13 +363,12 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) {

// step: do we have a revocation endpoint?
if revocationURL != "" {
client, err := r.client.OAuthClient()
client := &http.Client{Timeout: 5 * time.Second}
if err != nil {
r.log.Error("unable to retrieve the openid client", zap.Error(err))
w.WriteHeader(http.StatusInternalServerError)
return
}

// step: add the authentication headers
encodedID := url.QueryEscape(r.config.ClientID)
encodedSecret := url.QueryEscape(r.config.ClientSecret)
Expand All @@ -390,7 +386,7 @@ func (r *oauthProxy) logoutHandler(w http.ResponseWriter, req *http.Request) {
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")

start := time.Now()
response, err := client.HttpClient().Do(request)
response, err := client.Do(request)
if err != nil {
r.log.Error("unable to post to revocation endpoint", zap.Error(err))
return
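Review bot: The `if !token.Valid()` test in loginHandler's error branch (right after `conf.PasswordCredentialsToken`) cannot tell a rejected password from any other failure: x/oauth2 returns a nil *Token together with a non-nil error and `(*oauth2.Token).Valid` is false for a nil receiver, so an unreachable IdP, a TLS failure or a 5xx are all reported as "invalid user credentials provided" with 401 and the 500 return below it is dead code. The provider's non-2xx reply is available as `*oauth2.RetrieveError` (the file already imports `errors`), whose Response.StatusCode is the closest substitute for the old invalid_grant prefix check; the rewrite below keeps the two outcomes distinct. Separately, `if err = r.DeleteRefreshToken(user.token); err != nil` inside the logout goroutine now writes the handler's outer `err` from another goroutine, which is a data race whenever logoutHandler touches `err` after the `go` statement — and the new `if err != nil { … StatusInternalServerError … }` block that follows `client := &http.Client{Timeout: 5 * time.Second}` does exactly that with a stale value, so a failed store deletion could surface as a 500 "unable to retrieve the openid client"; keep `:=` inside the goroutine with `//nolint:vetshadow` as the refresh lookup already does, and drop that leftover check with the old client creation. Finally, `r.log.Error("unable to obtain id token", zap.Error(err))` in oauthCallbackHandler logs a nil error, since err was already checked on the exchange; `zap.String("client_ip", req.RemoteAddr)` or no field at all would be more useful there.
```go
token, err := conf.PasswordCredentialsToken(ctx, username, password)
if err != nil {
	// x/oauth2 hands back the provider's non-2xx reply as *RetrieveError;
	// a 400/401 from the token endpoint means the grant itself was rejected,
	// anything else (transport error, 5xx) is an upstream failure.
	var rerr *oauth2.RetrieveError
	if errors.As(err, &rerr) && rerr.Response != nil &&
		(rerr.Response.StatusCode == http.StatusBadRequest ||
			rerr.Response.StatusCode == http.StatusUnauthorized) {
		return "invalid user credentials provided", http.StatusUnauthorized, err
	}
	return "unable to request the access token via grant_type 'password'", http.StatusInternalServerError, err
}
// … unchanged: metrics and tokenResponse encoding …
```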
5 changes: 3 additions & 2 deletions middleware.go
Expand Up @@ -241,7 +241,8 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
//
// exp: expiration of the access token
// expiresIn: expiration of the ID token
token, newRefreshToken, accessExpiresAt, refreshExpiresIn, err := getRefreshedToken(r.client, refresh)
conf := r.newOAuth2Config(r.config.RedirectionURL)
token, newRefreshToken, accessExpiresAt, refreshExpiresIn, err := getRefreshedToken(conf, refresh)
if err != nil {
switch err {
case ErrRefreshTokenExpired:
Expand All @@ -266,7 +267,7 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
}
if refreshExpiresIn == 0 {
// refresh token expiry claims not available: try to parse refresh token
refreshExpiresIn = r.getAccessCookieExpiration(token, refresh)
refreshExpiresIn = r.getAccessCookieExpiration(refresh)
}

r.log.Info("injecting the refreshed access token cookie",
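Review bot: `conf := r.newOAuth2Config(r.config.RedirectionURL)` builds the config from the static configuration value, whereas oauthAuthorizationHandler and oauthCallbackHandler derive the redirect URL from the request via `r.getRedirectionURL(w, req)`; assuming getRefreshedToken only drives the refresh_token grant, which does not send redirect_uri, the difference is harmless, but a reader comparing the call sites will take it for a bug. A one-line comment would settle it: `// the refresh grant never sends redirect_uri, so the static config value is sufficient here`. The comment block just above still documents the results as `exp` and `expiresIn` while the variables are accessExpiresAt and refreshExpiresIn; this change touches those lines, so it is a cheap moment to bring the names into agreement. The enclosing authenticationMiddleware closure starts and ends outside this hunk.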
3 changes: 1 addition & 2 deletions misc.go
Expand Up @@ -23,7 +23,6 @@ import (
"strings"
"time"

"github.com/coreos/go-oidc/jose"
"go.uber.org/zap"
)

Expand Down Expand Up @@ -113,7 +112,7 @@ func (r *oauthProxy) redirectToAuthorization(w http.ResponseWriter, req *http.Re
}

// getAccessCookieExpiration calculates the expiration of the access token cookie
func (r *oauthProxy) getAccessCookieExpiration(token jose.JWT, refresh string) time.Duration {
func (r *oauthProxy) getAccessCookieExpiration(refresh string) time.Duration {
// notes: by default the duration of the access token will be the configuration option, if
// however we can decode the refresh token, we will set the duration to the duration of the
// refresh token