diff --git a/object/token.go b/object/token.go
index 45150f76..0ad6a514 100644
--- a/object/token.go
+++ b/object/token.go
@@ -58,6 +58,7 @@ type TokenWrapper struct {
 	TokenType string `json:"token_type"`
 	ExpiresIn int `json:"expires_in"`
 	Scope string `json:"scope"`
+	Error string `json:"error,omitempty"`
 }
 
 type IntrospectionResponse struct {
@@ -306,23 +307,28 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 }
 
 func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string) *TokenWrapper {
+	var errString string
 	application := GetApplicationByClientId(clientId)
 	if application == nil {
+		errString = "error: invalid client_id"
 		return &TokenWrapper{
-			AccessToken: "error: invalid client_id",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 
 	//Check if grantType is allowed in the current application
 	if !IsGrantTypeValid(grantType, application.GrantTypes) {
+		errString = fmt.Sprintf("error: grant_type: %s is not supported in this application", grantType)
 		return &TokenWrapper{
-			AccessToken: fmt.Sprintf("error: grant_type: %s is not supported in this application", grantType),
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 
@@ -338,11 +344,13 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	}
 
 	if err != nil {
+		errString = err.Error()
 		return &TokenWrapper{
-			AccessToken: err.Error(),
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 
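Review bot: The new `Error` field has no doc comment and the wrapper has no separate place for human-readable detail, so a reader cannot tell from the struct whether `error` is meant to hold a machine-readable code or a message. RFC 6749 §5.2 reserves `error` for a registered code and puts the text in `error_description`; I would document the field, `// Error is the OAuth 2.0 error code (RFC 6749 §5.2); empty on success.`, and add a sibling `ErrorDescription string` field tagged `json:"error_description,omitempty"` so the prose that the token functions currently write into `error` has a home. The start of TokenWrapper lies above this hunk.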
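Review bot: Both error branches in GetOAuthToken still copy the error text into `AccessToken` next to the new `Error` field, so a client that checks for a non-empty `access_token` will treat the failure as a successful grant; an error response should leave `AccessToken` empty. The values are also prose ("error: invalid client_id") rather than the registered codes of RFC 6749 §5.2, so `invalid_client` or `unsupported_grant_type` cannot be matched programmatically; I would set `AccessToken: ""` and `Error: "invalid_client"` in the first branch and `Error: "unsupported_grant_type"` in the second, keeping the current text for an `error_description` if one is added. Whether the HTTP status becomes 400 for these responses is decided by the caller, which is not visible here. The same pattern appears in the hunk at -338 and in every branch of RefreshToken in the hunk at -361.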
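Review bot: `errString = err.Error()` forwards the raw error from the grant handling above this hunk to the client in both `access_token` and `error`, so whatever that error wraps (a storage, lookup or parsing failure) is exposed verbatim, and it is not a registered OAuth error code. I would log `err` server-side and return a fixed code, `errString = "invalid_grant"`, keeping the detail out of the response. The `err` being tested is assigned outside the hunk, so which handlers can produce it cannot be confirmed from here.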
@@ -361,62 +369,75 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 }
 
 func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) *TokenWrapper {
+	var errString string
 	// check parameters
 	if grantType != "refresh_token" {
+		errString = "error: grant_type should be \"refresh_token\""
 		return &TokenWrapper{
-			AccessToken: "error: grant_type should be \"refresh_token\"",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	application := GetApplicationByClientId(clientId)
 	if application == nil {
+		errString = "error: invalid client_id"
 		return &TokenWrapper{
-			AccessToken: "error: invalid client_id",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	if clientSecret != "" && application.ClientSecret != clientSecret {
+		errString = "error: invalid client_secret"
 		return &TokenWrapper{
-			AccessToken: "error: invalid client_secret",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	// check whether the refresh token is valid, and has not expired.
 	token := Token{RefreshToken: refreshToken}
 	existed, err := adapter.Engine.Get(&token)
 	if err != nil || !existed {
+		errString = "error: invalid refresh_token"
 		return &TokenWrapper{
-			AccessToken: "error: invalid refresh_token",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	cert := getCertByApplication(application)
 	_, err = ParseJwtToken(refreshToken, cert)
 	if err != nil {
+		errString := fmt.Sprintf("error: %s", err.Error())
 		return &TokenWrapper{
-			AccessToken: fmt.Sprintf("error: %s", err.Error()),
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	// generate a new token
 	user := getUser(application.Organization, token.User)
 	if user.IsForbidden {
+		errString = "error: the user is forbidden to sign in, please contact the administrator"
 		return &TokenWrapper{
-			AccessToken: "error: the user is forbidden to sign in, please contact the administrator",
+			AccessToken: errString,
 			TokenType: "",
 			ExpiresIn: 0,
 			Scope: "",
+			Error: errString,
 		}
 	}
 	newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope, host)
diff --git a/swagger/swagger.json b/swagger/swagger.json
index 0af4890f..9464a29e 100644
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@@ -2797,11 +2797,11 @@ } }, "definitions": { - "2026.0xc000380de0.false": { + "2127.0xc00036c600.false": { "title": "false", "type": "object" }, - "2060.0xc000380e10.false": { + "2161.0xc00036c630.false": { "title": "false", "type": "object" },
@@ -2818,10 +2818,10 @@ "type": "object", "properties": { "data": { - "$ref": "#/definitions/2026.0xc000380de0.false" + "$ref": "#/definitions/2127.0xc00036c600.false" }, "data2": { - "$ref": "#/definitions/2060.0xc000380e10.false" + "$ref": "#/definitions/2161.0xc00036c630.false" }, "msg": { "type": "string"
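Review bot: In the `ParseJwtToken` branch the added line uses `:=` (`errString := fmt.Sprintf("error: %s", err.Error())`), which declares a second `errString` that shadows the function-level one introduced at the top of the hunk; it compiles, but the shadow analyzer flags it and it is inconsistent with the five sibling branches that assign with `=`. Change it to `errString = fmt.Sprintf("error: %s", err.Error())`. This branch also echoes the JWT parsing error verbatim to the caller, which distinguishes an expired token from a signature or format failure for anyone probing the endpoint; a fixed `invalid_grant` with the detail logged server-side would be the safer response. RefreshToken continues past the end of this hunk.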
@@ -2842,10 +2842,10 @@ "type": "object", "properties": { "data": { - "$ref": "#/definitions/2026.0xc000380de0.false" + "$ref": "#/definitions/2127.0xc00036c600.false" }, "data2": { - "$ref": "#/definitions/2060.0xc000380e10.false" + "$ref": "#/definitions/2161.0xc00036c630.false" }, "msg": { "type": "string"
@@ -3648,6 +3648,9 @@ "access_token": { "type": "string" }, + "error": { + "type": "string" + }, "expires_in": { "type": "integer", "format": "int64"
@@ -3682,6 +3685,9 @@ "affiliation": { "type": "string" }, + "alipay": { + "type": "string" + }, "apple": { "type": "string" },
@@ -3721,6 +3727,9 @@ "email": { "type": "string" }, + "emailVerified": { + "type": "boolean" + }, "facebook": { "type": "string" },
diff --git a/swagger/swagger.yml b/swagger/swagger.yml
index ff55e2ce..2637a685 100644
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -1831,10 +1831,10 @@ paths: schema: $ref: '#/definitions/object.Userinfo' definitions: - 2026.0xc000380de0.false: + 2127.0xc00036c600.false: title: "false" type: object - 2060.0xc000380e10.false: + 2161.0xc00036c630.false: title: "false" type: object RequestForm:
@@ -1848,9 +1848,9 @@ definitions: type: object properties: data: - $ref: '#/definitions/2026.0xc000380de0.false' + $ref: '#/definitions/2127.0xc00036c600.false' data2: - $ref: '#/definitions/2060.0xc000380e10.false' + $ref: '#/definitions/2161.0xc00036c630.false' msg: type: string name:
@@ -1864,9 +1864,9 @@ definitions: type: object properties: data: - $ref: '#/definitions/2026.0xc000380de0.false' + $ref: '#/definitions/2127.0xc00036c600.false' data2: - $ref: '#/definitions/2060.0xc000380e10.false' + $ref: '#/definitions/2161.0xc00036c630.false' msg: type: string name:
@@ -2407,6 +2407,8 @@ definitions: properties: access_token: type: string + error: + type: string expires_in: type: integer format: int64
@@ -2430,6 +2432,8 @@ definitions: type: string affiliation: type: string + alipay: + type: string apple: type: string avatar:
@@ -2456,6 +2460,8 @@ definitions: type: string email: type: string + emailVerified: + type: boolean facebook: type: string firstName: