casdoor/object/token_jwt.go

// Copyright 2021 The casbin Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	_ "embed"
	"fmt"
	"time"

	"github.com/astaxie/beego"
	"github.com/golang-jwt/jwt/v4"
)

type Claims struct {
	*User
	Name  string `json:"name,omitempty"`
	Owner string `json:"owner,omitempty"`
	Nonce string `json:"nonce,omitempty"`
	jwt.RegisteredClaims
}

func generateJwtToken(application *Application, user *User, nonce string) (string, string, error) {
	nowTime := time.Now()
	expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
	refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)

	user.Password = ""

	claims := Claims{
		User:  user,
		Nonce: nonce,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    beego.AppConfig.String("origin"),
			Subject:   user.Id,
			Audience:  []string{application.ClientId},
			ExpiresAt: jwt.NewNumericDate(expireTime),
			NotBefore: jwt.NewNumericDate(nowTime),
			IssuedAt:  jwt.NewNumericDate(nowTime),
			ID:        "",
		},
	}
	//all fields of the User struct are not added in "JWT-Empty" format
	if application.TokenFormat == "JWT-Empty" {
		claims.User = nil
	}
	claims.Name = user.Name
	claims.Owner = user.Owner

	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
	claims.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)
	refreshToken := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)

	cert := getCertByApplication(application)

	// RSA private key
	key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))
	if err != nil {
		return "", "", err
	}

	tokenString, err := token.SignedString(key)
	if err != nil {
		return "", "", err
	}
	refreshTokenString, err := refreshToken.SignedString(key)

	return tokenString, refreshTokenString, err
}

func ParseJwtToken(token string, cert *Cert) (*Claims, error) {
	t, err := jwt.ParseWithClaims(token, &Claims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}

		// RSA public key
		publicKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(cert.PublicKey))
		if err != nil {
			return nil, err
		}

		return publicKey, nil
	})

	if t != nil {
		if claims, ok := t.Claims.(*Claims); ok && t.Valid {
			return claims, nil
		}
	}

	return nil, err
}
Generate real access token. 2021-03-14 22:48:09 +08:00			`// Copyright 2021 The casbin Authors. All Rights Reserved.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package object`

			`import (`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`_ "embed"`
			`"fmt"`
Generate real access token. 2021-03-14 22:48:09 +08:00			`"time"`

fix: fix incorrect issuer in id token of oidc (#333) Signed-off-by: Товарищ <2962928213@qq.com> 2021-11-19 16:32:05 +08:00			`"github.com/astaxie/beego"`
Update github.com/golang-jwt/jwt to v4. 2021-10-10 11:51:19 +08:00			`"github.com/golang-jwt/jwt/v4"`
Generate real access token. 2021-03-14 22:48:09 +08:00			`)`

			`type Claims struct {`
fix: adjust the accessToken field (#378) * fix: adjust the accessToken field Signed-off-by: 0x2a <stevesough@gmail.com> * fix: missing name and owner Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-18 20:19:38 +08:00			`*User`
			Name string `json:"name,omitempty"`
			Owner string `json:"owner,omitempty"`
feat: add OIDC feature support. (#373) 1. add nonce parameter. 2. add sub in userinfo endpoint. Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-15 21:42:16 +08:00			Nonce string `json:"nonce,omitempty"`
Update github.com/golang-jwt/jwt to v4. 2021-10-10 11:51:19 +08:00			`jwt.RegisteredClaims`
Generate real access token. 2021-03-14 22:48:09 +08:00			`}`

feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`func generateJwtToken(application Application, user User, nonce string) (string, string, error) {`
Generate real access token. 2021-03-14 22:48:09 +08:00			`nowTime := time.Now()`
			`expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)`
feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)`
Generate real access token. 2021-03-14 22:48:09 +08:00
Remove password in JWT token payload. 2021-10-03 22:08:40 +08:00			`user.Password = ""`

Generate real access token. 2021-03-14 22:48:09 +08:00			`claims := Claims{`
fix: adjust the accessToken field (#378) * fix: adjust the accessToken field Signed-off-by: 0x2a <stevesough@gmail.com> * fix: missing name and owner Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-18 20:19:38 +08:00			`User: user,`
feat: add OIDC feature support. (#373) 1. add nonce parameter. 2. add sub in userinfo endpoint. Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-15 21:42:16 +08:00			`Nonce: nonce,`
Update github.com/golang-jwt/jwt to v4. 2021-10-10 11:51:19 +08:00			`RegisteredClaims: jwt.RegisteredClaims{`
Merge into one origin config. 2021-12-12 19:26:06 +08:00			`Issuer: beego.AppConfig.String("origin"),`
Generate real access token. 2021-03-14 22:48:09 +08:00			`Subject: user.Id,`
Update github.com/golang-jwt/jwt to v4. 2021-10-10 11:51:19 +08:00			`Audience: []string{application.ClientId},`
			`ExpiresAt: jwt.NewNumericDate(expireTime),`
			`NotBefore: jwt.NewNumericDate(nowTime),`
			`IssuedAt: jwt.NewNumericDate(nowTime),`
			`ID: "",`
Generate real access token. 2021-03-14 22:48:09 +08:00			`},`
			`}`
fix: adjust the accessToken field (#378) * fix: adjust the accessToken field Signed-off-by: 0x2a <stevesough@gmail.com> * fix: missing name and owner Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-18 20:19:38 +08:00			`//all fields of the User struct are not added in "JWT-Empty" format`
Add TokenFormat to application. 2021-12-18 16:16:34 +08:00			`if application.TokenFormat == "JWT-Empty" {`
fix: adjust the accessToken field (#378) * fix: adjust the accessToken field Signed-off-by: 0x2a <stevesough@gmail.com> * fix: missing name and owner Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-18 20:19:38 +08:00			`claims.User = nil`
Add TokenFormat to application. 2021-12-18 16:16:34 +08:00			`}`
fix: adjust the accessToken field (#378) * fix: adjust the accessToken field Signed-off-by: 0x2a <stevesough@gmail.com> * fix: missing name and owner Signed-off-by: 0x2a <stevesough@gmail.com> 2021-12-18 20:19:38 +08:00			`claims.Name = user.Name`
			`claims.Owner = user.Owner`
Add TokenFormat to application. 2021-12-18 16:16:34 +08:00
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)`
feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`claims.ExpiresAt = jwt.NewNumericDate(refreshExpireTime)`
			`refreshToken := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00
Make cert work. 2021-12-31 09:36:48 +08:00			`cert := getCertByApplication(application)`

			`// RSA private key`
			`key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(cert.PrivateKey))`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`if err != nil {`
feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`return "", "", err`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`}`

			`tokenString, err := token.SignedString(key)`
feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`if err != nil {`
			`return "", "", err`
			`}`
			`refreshTokenString, err := refreshToken.SignedString(key)`
Generate real access token. 2021-03-14 22:48:09 +08:00
feat: add refresh token mechanism for server side (#336) * feat: add refresh token mechanism for server side Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: add refresh token expire configuration UI Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2021-12-18 18:49:38 +08:00			`return tokenString, refreshTokenString, err`
Generate real access token. 2021-03-14 22:48:09 +08:00			`}`

Make cert work. 2021-12-31 09:36:48 +08:00			`func ParseJwtToken(token string, cert Cert) (Claims, error) {`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`t, err := jwt.ParseWithClaims(token, &Claims{}, func(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`

Make cert work. 2021-12-31 09:36:48 +08:00			`// RSA public key`
			`publicKey, err := jwt.ParseRSAPublicKeyFromPEM([]byte(cert.PublicKey))`
Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`if err != nil {`
			`return nil, err`
			`}`

			`return publicKey, nil`
Generate real access token. 2021-03-14 22:48:09 +08:00			`})`

Use RS256 to sign JWT token. 2021-10-15 16:27:10 +08:00			`if t != nil {`
			`if claims, ok := t.Claims.(*Claims); ok && t.Valid {`
Generate real access token. 2021-03-14 22:48:09 +08:00			`return claims, nil`
			`}`
			`}`

			`return nil, err`
			`}`