From b35b62fed16e24ada19f182a3ccb205a743293a8 Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Mon, 28 Oct 2024 14:21:22 +0100 Subject: [PATCH] feat: add identity ID to password grant extra claims --- handler/oauth2/flow_resource_owner.go | 6 +++++- handler/oauth2/flow_resource_owner_storage.go | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/handler/oauth2/flow_resource_owner.go b/handler/oauth2/flow_resource_owner.go index ad0b45a2..ff17afb0 100644 --- a/handler/oauth2/flow_resource_owner.go +++ b/handler/oauth2/flow_resource_owner.go @@ -58,10 +58,14 @@ func (c *ResourceOwnerPasswordCredentialsGrantHandler) HandleTokenEndpointReques password := request.GetRequestForm().Get("password") if username == "" || password == "" { return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Username or password are missing from the POST body.")) - } else if err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) { + } else if identityID, err := c.ResourceOwnerPasswordCredentialsGrantStorage.Authenticate(ctx, username, password); errors.Is(err, fosite.ErrNotFound) { return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("Unable to authenticate the provided username and password credentials.").WithWrap(err).WithDebug(err.Error())) } else if err != nil { return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error())) + } else { + if sess, ok := request.GetSession().(fosite.ExtraClaimsSession); ok { + sess.GetExtraClaims()["identity_id"] = identityID + } } // Credentials must not be passed around, potentially leaking to the database! diff --git a/handler/oauth2/flow_resource_owner_storage.go b/handler/oauth2/flow_resource_owner_storage.go index ffc07642..d70a0467 100644 --- a/handler/oauth2/flow_resource_owner_storage.go +++ b/handler/oauth2/flow_resource_owner_storage.go @@ -8,7 +8,7 @@ import ( ) type ResourceOwnerPasswordCredentialsGrantStorage interface { - Authenticate(ctx context.Context, name string, secret string) error + Authenticate(ctx context.Context, name string, secret string) (string, error) AccessTokenStorage RefreshTokenStorage }