authorization_handlers.h
#ifndef NMOS_AUTHORIZATION_HANDLERS_H
#define NMOS_AUTHORIZATION_HANDLERS_H
#include <functional>
#include <cpprest/oauth2.h>
#include "cpprest/api_router.h"
#include "nmos/scope.h"
#include "nmos/settings.h"
namespace slog
{
    // forward declaration: the logging gate taken by every factory and helper declared in this header
    class base_gate;
}
namespace web
{
    // forward declaration: used by request_authorization_code_handler (authorization_code_uri)
    class uri;
    namespace json
    {
        // forward declaration: the JSON value type returned/consumed by the client list handlers
        class value;
    }
}
namespace nmos
{
// forward declaration: the model handed to make_validate_authorization_handler
struct base_model;
namespace experimental
{
// forward declaration: opaque OAuth 2.0 state shared by the validation and bearer token factories below
struct authorization_state;
// Result of an OAuth 2.0 access check on a protected resource request.
// NB: a default-constructed authorization_error is *not* authorised (without_authentication),
// so code that forgets to set a status fails closed.
struct authorization_error
{
    enum status_t
    {
        succeeded,
        without_authentication, // failure: access protected resource request without authentication
        insufficient_scope,     // failure: access protected resource request requires higher privileges
        no_matching_keys,       // failure: no matching keys for the token validation
        failed                  // failure: access protected resource request with authentication but failed
    };

    // default: not authenticated (fail closed), empty message
    authorization_error() : authorization_error(without_authentication) {}
    // status with an optional human-readable message (message is copied; it is returned to callers, so avoid
    // putting token material in it)
    authorization_error(status_t value, const std::string& message = {}) : value{ value }, message{ message } {}

    status_t value;
    std::string message;

    // NB: converts to true only when the check *succeeded*; `if (error)` therefore means "authorised",
    // not "an error occurred"
    operator bool() const { return value == succeeded; }
};
namespace fields
{
    // authorization_server_uri: the uri of the authorization server, where the client is registered
    // (field_as_string_or: reads the string field, yielding the empty string when it is absent)
    const web::json::field_as_string_or authorization_server_uri{ U("authorization_server_uri"), U("") };
    // client_metadata: the registered client metadata
    // already defined in nmos/json_fields.h
    //const web::json::field_as_value client_metadata{ U("client_metadata") };
}
// callback to supply the list of authorization clients
// callbacks from this function are called with the model locked, and may read or write directly to the model
// this callback should not throw exceptions
// NB: the client metadata carries credentials (e.g. registration_access_token in the example below),
// so whatever backs this callback should be protected accordingly
// example JSON of the authorization client list
// [
//     {
//         "authorization_server_uri": "https://example.com"
//     },
//     {
//         "client_metadata": {
//             "client_id": "acc8fd35-327d-4486-a02f-9a8fdc25a609",
//             "client_name" : "example client",
//             "grant_types" : [ "authorization_code", "client_credentials","refresh_token" ],
//             "jwks_uri" : "https://example_client/jwks",
//             "redirect_uris" : [ "https://example_client/callback" ],
//             "registration_access_token" : "eyJhbGci....",
//             "registration_client_uri" : "https://example.com/openid-connect/acc8fd35-327d-4486-a02f-9a8fdc25a609",
//             "response_types" : [ "code" ],
//             "scope" : "registration",
//             "subject_type" : "public",
//             "tls_client_certificate_bound_access_tokens" : false,
//             "token_endpoint_auth_method" : "private_key_jwt"
//         }
//     }
// ]
using load_authorization_clients_handler = std::function<web::json::value()>;

// callback after an authorization client has registered
// callbacks from this function are called with the model locked, and may read or write directly to the model
// this callback should not throw exceptions
// example JSON passed as client_metadata
// NB(review): the outer braces below are reproduced as originally documented and do not form a valid JSON object;
// the value presumably mirrors one authorization_server_uri/client_metadata pair of the list above - confirm against the implementation
// {
//     {
//         "authorization_server_uri": "https://example.com"
//     },
//     {
//         "client_metadata": {
//             "client_id": "acc8fd35-327d-4486-a02f-9a8fdc25a609",
//             "client_name" : "example client",
//             "grant_types" : [ "authorization_code", "client_credentials","refresh_token" ],
//             "issuer" : "https://example.com",
//             "jwks_uri" : "https://example_client/jwks",
//             "redirect_uris" : [ "https://example_client/callback" ],
//             "registration_access_token" : "eyJhbGci....",
//             "registration_client_uri" : "https://example.com/openid-connect/acc8fd35-327d-4486-a02f-9a8fdc25a609",
//             "response_types" : [ "code" ],
//             "scope" : "registration",
//             "subject_type" : "public",
//             "tls_client_certificate_bound_access_tokens" : false,
//             "token_endpoint_auth_method" : "private_key_jwt"
//         }
//     }
// }
using save_authorization_client_handler = std::function<void(const web::json::value& client_metadata)>;

// callback on requesting to start the authorization code grant flow
// callbacks from this function are called with the model locked, and may read or write directly to the model
// this callback should not throw exceptions
// authorization_code_uri: the authorization endpoint uri (with request parameters) the user agent should be sent to
using request_authorization_code_handler = std::function<void(const web::uri& authorization_code_uri)>;
// helper function to load the authorization clients from file
// filename: the authorization clients file; gate: logging gate
web::json::value load_authorization_clients_file(const utility::string_t& filename, slog::base_gate& gate);
// helper function to update the authorization clients file with the given authorization client entry
// NB: the persisted client metadata includes credentials such as registration_access_token (see the example above),
// so the file should be protected from other users of the host - confirm how the implementation creates it
void update_authorization_clients_file(const utility::string_t& filename, const web::json::value& authorization_client, slog::base_gate& gate);
// construct callback to load a table of authorization server uri vs authorization clients metadata from file based on settings seed_id
load_authorization_clients_handler make_load_authorization_clients_handler(const nmos::settings& settings, slog::base_gate& gate);
// construct callback to save authorization client metadata to file based on seed_id from settings
save_authorization_client_handler make_save_authorization_client_handler(const nmos::settings& settings, slog::base_gate& gate);
// construct callback to start the authorization code flow request on a browser
request_authorization_code_handler make_request_authorization_code_handler(slog::base_gate& gate);
// callback to validate an OAuth 2.0 access token
// this callback should not throw exceptions
// the returned authorization_error converts to true only when the status is succeeded;
// a default-constructed authorization_error is without_authentication, i.e. not authorised
using validate_authorization_token_handler = std::function<authorization_error(const utility::string_t& access_token)>;

// construct callback to validate OAuth 2.0 access tokens using the given authorization_state
validate_authorization_token_handler make_validate_authorization_token_handler(authorization_state& authorization_state, slog::base_gate& gate);

// callback to return the OAuth 2.0 validation route handler for the given scope
// this callback is executed at the beginning while walking the supported API routes
using validate_authorization_handler = std::function<web::http::experimental::listener::route_handler(const nmos::experimental::scope& scope)>;

// construct callback to validate OAuth 2.0 authorization
// access_token_validation: the token validation callback (see make_validate_authorization_token_handler) that the
// returned route handlers are expected to use
validate_authorization_handler make_validate_authorization_handler(nmos::base_model& model, authorization_state& authorization_state, validate_authorization_token_handler access_token_validation, slog::base_gate& gate);

// callback to return the OAuth 2.0 bearer token
// this callback is executed while creating the http_client
// this callback should not throw exceptions
using get_authorization_bearer_token_handler = std::function<web::http::oauth2::experimental::oauth2_token()>;

// construct callback to retrieve the OAuth 2.0 bearer token from the given authorization_state
get_authorization_bearer_token_handler make_get_authorization_bearer_token_handler(authorization_state& authorization_state, slog::base_gate& gate);
}
}
#endif