Passthrough token request

LyricTian · LyricTian · commit d404d104b7b7 · 2021-03-28T17:29:57.000+08:00
diff --git a/README.md b/README.md
@@ -2,11 +2,11 @@
 
 > An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
 
-[![Build][Build-Status-Image]][Build-Status-Url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url]
+[![Build][build-status-image]][build-status-url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url]
 
 ## Protocol Flow
 
-``` text
+```text
      +--------+                               +---------------+
      |        |--(A)- Authorization Request ->|   Resource    |
      |        |                               |     Owner     |
@@ -30,13 +30,13 @@
 
 ### Download and install
 
-``` bash
+```bash
 go get -u -v github.com/go-oauth2/oauth2/v4/...
 ```
 
 ### Create file `server.go`
 
-``` go
+```go
 package main
 
 import (
@@ -95,7 +95,7 @@ func main() {
 
 ### Build and run
 
-``` bash
+```bash
 go build server.go
 
 ./server
@@ -105,24 +105,24 @@ go build server.go
 
 [http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read](http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read)
 
-``` json
+```json
 {
-    "access_token": "J86XVRYSNFCFI233KXDL0Q",
-    "expires_in": 7200,
-    "scope": "read",
-    "token_type": "Bearer"
+  "access_token": "J86XVRYSNFCFI233KXDL0Q",
+  "expires_in": 7200,
+  "scope": "read",
+  "token_type": "Bearer"
 }
 ```
 
 ## Features
 
-* Easy to use
-* Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
-* Token storage support TTL
-* Support custom expiration time of the access token
-* Support custom extension field
-* Support custom scope
-* Support jwt to generate access tokens
+- Easy to use
+- Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
+- Token storage support TTL
+- Support custom expiration time of the access token
+- Support custom extension field
+- Support custom scope
+- Support jwt to generate access tokens
 
 ## Example
 
@@ -161,28 +161,28 @@ if !ok || !token.Valid {
 
 ## Store Implements
 
-* [BuntDB](https://github.com/tidwall/buntdb)(default store)
-* [Redis](https://github.com/go-oauth2/redis)
-* [MongoDB](https://github.com/go-oauth2/mongo)
-* [MySQL](https://github.com/go-oauth2/mysql)
-* [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql) 
-* [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg)
-* [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb)
-* [XORM](https://github.com/techknowlogick/go-oauth2-xorm)
-* [XORM (MySQL, client and token store)](https://github.com/rainlay/go-oauth2-xorm)
-* [GORM](https://github.com/techknowlogick/go-oauth2-gorm)
-* [Firestore](https://github.com/tslamic/go-oauth2-firestore)
+- [BuntDB](https://github.com/tidwall/buntdb)(default store)
+- [Redis](https://github.com/go-oauth2/redis)
+- [MongoDB](https://github.com/go-oauth2/mongo)
+- [MySQL](https://github.com/go-oauth2/mysql)
+- [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql)
+- [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg)
+- [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb)
+- [XORM](https://github.com/techknowlogick/go-oauth2-xorm)
+- [XORM (MySQL, client and token store)](https://github.com/rainlay/go-oauth2-xorm)
+- [GORM](https://github.com/techknowlogick/go-oauth2-gorm)
+- [Firestore](https://github.com/tslamic/go-oauth2-firestore)
 
 ## Handy Utilities
 
-* [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy)
+- [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy)
 
 ## MIT License
 
-  Copyright (c) 2016 Lyric
+Copyright (c) 2016 Lyric
 
-[Build-Status-Url]: https://travis-ci.org/go-oauth2/oauth2
-[Build-Status-Image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master
+[build-status-url]: https://travis-ci.org/go-oauth2/oauth2
+[build-status-image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master
 [codecov-url]: https://codecov.io/gh/go-oauth2/oauth2
 [codecov-image]: https://codecov.io/gh/go-oauth2/oauth2/branch/master/graph/badge.svg
 [reportcard-url]: https://goreportcard.com/report/github.com/go-oauth2/oauth2/v4
diff --git a/server/handler.go b/server/handler.go
@@ -16,7 +16,7 @@ type (
 	ClientAuthorizedHandler func(clientID string, grant oauth2.GrantType) (allowed bool, err error)
 
 	// ClientScopeHandler check the client allows to use scope
-	ClientScopeHandler func(clientID, scope string) (allowed bool, err error)
+	ClientScopeHandler func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error)
 
 	// UserAuthorizationHandler get user id from request authorization
 	UserAuthorizationHandler func(w http.ResponseWriter, r *http.Request) (userID string, err error)
@@ -25,9 +25,9 @@ type (
 	PasswordAuthorizationHandler func(username, password string) (userID string, err error)
 
 	// RefreshingScopeHandler check the scope of the refreshing token
-	RefreshingScopeHandler func(newScope, oldScope string) (allowed bool, err error)
+	RefreshingScopeHandler func(tgr *oauth2.TokenGenerateRequest, oldScope string) (allowed bool, err error)
 
-	//RefreshingValidationHandler check if refresh_token is still valid. eg no revocation or other
+	// RefreshingValidationHandler check if refresh_token is still valid. eg no revocation or other
 	RefreshingValidationHandler func(ti oauth2.TokenInfo) (allowed bool, err error)
 
 	// ResponseErrorHandler response error handing
diff --git a/server/server.go b/server/server.go
@@ -214,7 +214,15 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) (
 
 	// check the client allows the authorized scope
 	if fn := s.ClientScopeHandler; fn != nil {
-		allowed, err := fn(req.ClientID, req.Scope)
+		tgr := &oauth2.TokenGenerateRequest{
+			ClientID:       req.ClientID,
+			UserID:         req.UserID,
+			RedirectURI:    req.RedirectURI,
+			Scope:          req.Scope,
+			AccessTokenExp: req.AccessTokenExp,
+			Request:        req.Request,
+		}
+		allowed, err := fn(tgr)
 		if err != nil {
 			return nil, err
 		} else if !allowed {
@@ -402,7 +410,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o
 		return ti, nil
 	case oauth2.PasswordCredentials, oauth2.ClientCredentials:
 		if fn := s.ClientScopeHandler; fn != nil {
-			allowed, err := fn(tgr.ClientID, tgr.Scope)
+			allowed, err := fn(tgr)
 			if err != nil {
 				return nil, err
 			} else if !allowed {
@@ -421,7 +429,7 @@ func (s *Server) GetAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *o
 				return nil, err
 			}
 
-			allowed, err := scopeFn(scope, rti.GetScope())
+			allowed, err := scopeFn(tgr, rti.GetScope())
 			if err != nil {
 				return nil, err
 			} else if !allowed {
diff --git a/server/server_test.go b/server/server_test.go
@@ -306,7 +306,7 @@ func TestClientCredentials(t *testing.T) {
 	srv.SetAuthorizeScopeHandler(func(w http.ResponseWriter, r *http.Request) (scope string, err error) {
 		return
 	})
-	srv.SetClientScopeHandler(func(clientID, scope string) (allowed bool, err error) {
+	srv.SetClientScopeHandler(func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error) {
 		allowed = true
 		return
 	})
