refactor: additional docs and reference cleanups (#4)

authelia · Dec 20, 2023 · 5f46c1a · 5f46c1a
1 parent 0032a2a
commit 5f46c1a
Show file tree

Hide file tree

Showing 18 changed files with 152 additions and 113 deletions.
diff --git a/README.md b/README.md
@@ -14,18 +14,57 @@ We however:
   library should not allow their usage to be a reflection on ORY as this library
   is not maintained by them.
 
-## Notable Differences
+## Notable Implemented or Intended Differences
 
 In an effort to assist users who wish to use this library we aim to maintain the
 following list of differences:
 
-- Module path changed from `github.com/ory/fosite` to
-  `github.com/authelia/oauth2`.
-- Minimum dependency is go version 1.21.
+- [x] Module path changed from `github.com/ory/fosite` to
+      `authelia.com/provider/oauth2`.
+- Rename interfaces and implementations:
+  - [x] `OAuth2Provider` to `Provider`.
+  - [ ] `Fosite` to `TBA`.
+- [x] Minimum dependency is go version 1.21.
+- Fixes:
+  - [x] Basic Scheme Rejects Special Characters
+        2314625eb1f21987a9199fb1cdf6da6cee4df965
+  - [x] RFC9068 must condition ignored f4652d60c850d167da00e2d2fe9096776eff9465
+  - [ ] Refresh Flow ignores requested scope
+  - [ ] Refresh Flow does not set original request ID early enough
+  - [ ] PKCE Flow session generated needlessly
+  - [ ] OpenID Flows ignore empty redirect uri
+  - [ ] Decode id_token_hint with correct signer
+  - [ ] Write Revocation Response does not correctly error
+  - [ ] Invalid Token base 64 error not mapped to RFC
+  - [ ] Auth Request omitted Response Mode not validated
+  - [ ] Refresh Grant if Token Invalid/Expired status is not 400
+  - [ ] Access Token iat in JWT Profile always original iat
+- Features:
+  - [ ] Customizable Token Prefix
+  - [ ] JWE support for Client Authentication and Issuance
+  - [ ] JARM support
+  - [ ] Revocation Flow per policy can decide to revoke Refresh Tokens on
+        request
+  - [ ] Response Type None
+  - [ ] Client Secret Validation Interface
 - Removal of the following dependencies:
-  - `go.opentelemetry.io/otel`
+  - [x] `go.opentelemetry.io/otel/trace`
+  - [x] `github.com/ecordell/optgen`
+  - [x] `github.com/asaskevich/govalidator `
+  - [x] `github.com/gorilla/websocket`
+  - [x] `github.com/magiconair/properties`
+  - [x] `github.com/mattn/goveralls`
+  - [x] `github.com/oleiade/reflections`
+  - [x] `github.com/ory/go-acc`
+  - [x] `github.com/ory/go-convenience`
+  - [x] `github.com/ory/x`
+  - [x] `github.com/gorilla/sessions`
+  - [x] `github.com/gobuffalo/packr`
+  - [x] `github.com/form3tech-oss/jwt-go`
+  - [x] `github.com/dgrijalva/jwt-go`
 - Migration of the following dependencies:
-  - `github.com/golang/mock` => `github.com/uber-go/mock`
+  - [x] `github.com/golang/mock` => `github.com/uber-go/mock`
+  - [x] `github.com/cristalhq/jwt/v4` => `github.com/golang-jwt/jwt/v5`
 
 ## TODO
 

diff --git a/authorize_helper_test.go b/authorize_helper_test.go
@@ -192,13 +192,13 @@ func TestDoesClientWhiteListRedirect(t *testing.T) {
 			isError: true,
 		},
 		{
-			client:  &oauth2.DefaultClient{RedirectURIs: []string{"https://www.ory.sh/cb"}},
+			client:  &oauth2.DefaultClient{RedirectURIs: []string{"https://www.authelia.com/cb"}},
 			url:     "http://127.0.0.1:8080/cb",
 			isError: true,
 		},
 		{
 			client:  &oauth2.DefaultClient{RedirectURIs: []string{"http://127.0.0.1:8080/cb"}},
-			url:     "https://www.ory.sh/cb",
+			url:     "https://www.authelia.com/cb",
 			isError: true,
 		},
 		{

diff --git a/authorize_request_handler_test.go b/authorize_request_handler_test.go
@@ -162,7 +162,7 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
@@ -182,14 +182,14 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
 					ResponseTypes: []string{"code token"},
 					RedirectURIs:  []string{"https://foo.bar/cb"},
 					Scopes:        []string{"foo", "bar"},
-					Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				}, nil)
 			},
 			expect: &AuthorizeRequest{
@@ -200,10 +200,10 @@ func TestNewAuthorizeRequest(t *testing.T) {
 					Client: &DefaultClient{
 						ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"},
 						Scopes:   []string{"foo", "bar"},
-						Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -217,14 +217,14 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
 					ResponseTypes: []string{"code token"},
 					RedirectURIs:  []string{"https://foo.bar/cb"},
 					Scopes:        []string{"foo", "bar"},
-					Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				}, nil)
 			},
 			expect: &AuthorizeRequest{
@@ -235,10 +235,10 @@ func TestNewAuthorizeRequest(t *testing.T) {
 					Client: &DefaultClient{
 						ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"},
 						Scopes:   []string{"foo", "bar"},
-						Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -287,14 +287,14 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
 					ResponseTypes: []string{"code token"},
 					RedirectURIs:  []string{"web+application://callback"},
 					Scopes:        []string{"foo", "bar"},
-					Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				}, nil)
 			},
 			expect: &AuthorizeRequest{
@@ -305,10 +305,10 @@ func TestNewAuthorizeRequest(t *testing.T) {
 					Client: &DefaultClient{
 						ResponseTypes: []string{"code token"}, RedirectURIs: []string{"web+application://callback"},
 						Scopes:   []string{"foo", "bar"},
-						Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -322,14 +322,14 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api  https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api  https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultClient{
 					ResponseTypes: []string{"code token"},
 					RedirectURIs:  []string{"https://foo.bar/cb"},
 					Scopes:        []string{"foo", "bar"},
-					Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				}, nil)
 			},
 			expect: &AuthorizeRequest{
@@ -340,10 +340,10 @@ func TestNewAuthorizeRequest(t *testing.T) {
 					Client: &DefaultClient{
 						ResponseTypes: []string{"code token"}, RedirectURIs: []string{"https://foo.bar/cb"},
 						Scopes:   []string{"foo", "bar"},
-						Audience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -416,15 +416,15 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
 				"response_mode": {"form_post"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultResponseModeClient{
 					DefaultClient: &DefaultClient{
 						RedirectURIs:  []string{"https://foo.bar/cb"},
 						Scopes:        []string{"foo", "bar"},
 						ResponseTypes: []string{"code token"},
-						Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					ResponseModes: []ResponseModeType{ResponseModeFormPost},
 				}, nil)
@@ -439,12 +439,12 @@ func TestNewAuthorizeRequest(t *testing.T) {
 							RedirectURIs:  []string{"https://foo.bar/cb"},
 							Scopes:        []string{"foo", "bar"},
 							ResponseTypes: []string{"code token"},
-							Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+							Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 						},
 						ResponseModes: []ResponseModeType{ResponseModeFormPost},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -458,15 +458,15 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultResponseModeClient{
 					DefaultClient: &DefaultClient{
 						RedirectURIs:  []string{"https://foo.bar/cb"},
 						Scopes:        []string{"foo", "bar"},
 						ResponseTypes: []string{"code"},
-						Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					ResponseModes: []ResponseModeType{ResponseModeQuery},
 				}, nil)
@@ -481,12 +481,12 @@ func TestNewAuthorizeRequest(t *testing.T) {
 							RedirectURIs:  []string{"https://foo.bar/cb"},
 							Scopes:        []string{"foo", "bar"},
 							ResponseTypes: []string{"code"},
-							Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+							Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 						},
 						ResponseModes: []ResponseModeType{ResponseModeQuery},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},
@@ -500,15 +500,15 @@ func TestNewAuthorizeRequest(t *testing.T) {
 				"response_type": {"code token"},
 				"state":         {"strong-state"},
 				"scope":         {"foo bar"},
-				"audience":      {"https://cloud.ory.sh/api https://www.ory.sh/api"},
+				"audience":      {"https://cloud.ory.sh/api https://www.authelia.com/api"},
 			},
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Any(), "1234").Return(&DefaultResponseModeClient{
 					DefaultClient: &DefaultClient{
 						RedirectURIs:  []string{"https://foo.bar/cb"},
 						Scopes:        []string{"foo", "bar"},
 						ResponseTypes: []string{"code token"},
-						Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+						Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 					},
 					ResponseModes: []ResponseModeType{ResponseModeFragment},
 				}, nil)
@@ -523,12 +523,12 @@ func TestNewAuthorizeRequest(t *testing.T) {
 							RedirectURIs:  []string{"https://foo.bar/cb"},
 							Scopes:        []string{"foo", "bar"},
 							ResponseTypes: []string{"code token"},
-							Audience:      []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+							Audience:      []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 						},
 						ResponseModes: []ResponseModeType{ResponseModeFragment},
 					},
 					RequestedScope:    []string{"foo", "bar"},
-					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.ory.sh/api"},
+					RequestedAudience: []string{"https://cloud.ory.sh/api", "https://www.authelia.com/api"},
 				},
 			},
 		},

diff --git a/handler/oauth2/flow_authorize_code_auth_test.go b/handler/oauth2/flow_authorize_code_auth_test.go
@@ -82,9 +82,9 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
 							Client: &oauth2.DefaultClient{
 								ResponseTypes: oauth2.Arguments{"code"},
 								RedirectURIs:  []string{"https://asdf.com/cb"},
-								Audience:      []string{"https://www.ory.sh/api"},
+								Audience:      []string{"https://www.authelia.com/api"},
 							},
-							RequestedAudience: []string{"https://www.ory.sh/not-api"},
+							RequestedAudience: []string{"https://www.authelia.com/not-api"},
 						},
 						RedirectURI: parseUrl("https://asdf.com/cb"),
 					},
@@ -99,9 +99,9 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
 							Client: &oauth2.DefaultClient{
 								ResponseTypes: oauth2.Arguments{"code"},
 								RedirectURIs:  []string{"https://asdf.de/cb"},
-								Audience:      []string{"https://www.ory.sh/api"},
+								Audience:      []string{"https://www.authelia.com/api"},
 							},
-							RequestedAudience: []string{"https://www.ory.sh/api"},
+							RequestedAudience: []string{"https://www.authelia.com/api"},
 							GrantedScope:      oauth2.Arguments{"a", "b"},
 							Session: &oauth2.DefaultSession{
 								ExpiresAt: map[oauth2.TokenType]time.Time{oauth2.AccessToken: time.Now().UTC().Add(time.Hour)},
@@ -137,9 +137,9 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) {
 							Client: &oauth2.DefaultClient{
 								ResponseTypes: oauth2.Arguments{"code"},
 								RedirectURIs:  []string{"https://asdf.de/cb"},
-								Audience:      []string{"https://www.ory.sh/api"},
+								Audience:      []string{"https://www.authelia.com/api"},
 							},
-							RequestedAudience: []string{"https://www.ory.sh/api"},
+							RequestedAudience: []string{"https://www.authelia.com/api"},
 							GrantedScope:      oauth2.Arguments{"a", "b"},
 							Session: &oauth2.DefaultSession{
 								ExpiresAt: map[oauth2.TokenType]time.Time{oauth2.AccessToken: time.Now().UTC().Add(time.Hour)},

diff --git a/handler/oauth2/flow_authorize_implicit_test.go b/handler/oauth2/flow_authorize_implicit_test.go
@@ -66,20 +66,20 @@ func TestAuthorizeImplicit_EndpointHandler(t *testing.T) {
 			setup: func() {
 				areq.ResponseTypes = oauth2.Arguments{"token"}
 				areq.RequestedScope = oauth2.Arguments{"scope"}
-				areq.RequestedAudience = oauth2.Arguments{"https://www.ory.sh/not-api"}
+				areq.RequestedAudience = oauth2.Arguments{"https://www.authelia.com/not-api"}
 				areq.Client = &oauth2.DefaultClient{
 					GrantTypes:    oauth2.Arguments{"implicit"},
 					ResponseTypes: oauth2.Arguments{"token"},
 					Scopes:        []string{"scope"},
-					Audience:      []string{"https://www.ory.sh/api"},
+					Audience:      []string{"https://www.authelia.com/api"},
 				}
 			},
 			expectErr: oauth2.ErrInvalidRequest,
 		},
 		{
 			description: "should fail because persistence failed",
 			setup: func() {
-				areq.RequestedAudience = oauth2.Arguments{"https://www.ory.sh/api"}
+				areq.RequestedAudience = oauth2.Arguments{"https://www.authelia.com/api"}
 				chgen.EXPECT().GenerateAccessToken(context.TODO(), areq).AnyTimes().Return("access.ats", "ats", nil)
 				store.EXPECT().CreateAccessTokenSession(context.TODO(), "ats", gomock.Eq(areq.Sanitize([]string{}))).Return(errors.New(""))
 			},

diff --git a/handler/oauth2/flow_client_credentials_test.go b/handler/oauth2/flow_client_credentials_test.go
@@ -56,10 +56,10 @@ func TestClientCredentials_HandleTokenEndpointRequest(t *testing.T) {
 			mock: func() {
 				areq.EXPECT().GetGrantTypes().Return(oauth2.Arguments{"client_credentials"})
 				areq.EXPECT().GetRequestedScopes().Return([]string{})
-				areq.EXPECT().GetRequestedAudience().Return([]string{"https://www.ory.sh/not-api"})
+				areq.EXPECT().GetRequestedAudience().Return([]string{"https://www.authelia.com/not-api"})
 				areq.EXPECT().GetClient().Return(&oauth2.DefaultClient{
 					GrantTypes: oauth2.Arguments{"client_credentials"},
-					Audience:   []string{"https://www.ory.sh/api"},
+					Audience:   []string{"https://www.authelia.com/api"},
 				})
 			},
 		},

diff --git a/handler/oauth2/flow_resource_owner_test.go b/handler/oauth2/flow_resource_owner_test.go
@@ -51,7 +51,7 @@ func TestResourceOwnerFlow_HandleTokenEndpointRequest(t *testing.T) {
 		{
 			description: "should fail because audience missing",
 			setup: func(config *oauth2.Config) {
-				areq.RequestedAudience = oauth2.Arguments{"https://www.ory.sh/api"}
+				areq.RequestedAudience = oauth2.Arguments{"https://www.authelia.com/api"}
 				areq.Client = &oauth2.DefaultClient{GrantTypes: oauth2.Arguments{"password"}, Scopes: []string{"foo-scope"}}
 			},
 			expectErr: oauth2.ErrInvalidRequest,
@@ -69,7 +69,7 @@ func TestResourceOwnerFlow_HandleTokenEndpointRequest(t *testing.T) {
 			setup: func(config *oauth2.Config) {
 				areq.Form.Set("username", "peter")
 				areq.Form.Set("password", "pan")
-				areq.Client = &oauth2.DefaultClient{GrantTypes: oauth2.Arguments{"password"}, Scopes: []string{"foo-scope"}, Audience: []string{"https://www.ory.sh/api"}}
+				areq.Client = &oauth2.DefaultClient{GrantTypes: oauth2.Arguments{"password"}, Scopes: []string{"foo-scope"}, Audience: []string{"https://www.authelia.com/api"}}
 
 				store.EXPECT().Authenticate(context.TODO(), "peter", "pan").Return(oauth2.ErrNotFound)
 			},