-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsub_scoper.go
40 lines (33 loc) · 1.19 KB
/
sub_scoper.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
package niso
import (
"strings"
)
// AccessTokenSubScoper checks if the requested scopes of AT are a subset of already granted scopes.
type AccessTokenSubScoper interface {
CheckSubScopes(accessTokenScopes string, refreshTokenScopes string) (string, error)
}
// DefaultAccessTokenSubScoper checks if the given scopes of AT request are a string subset of already granted scopes.
type DefaultAccessTokenSubScoper struct {
}
// CheckSubScopes checks the given access token scopes to see if they are granted by the refresh token's scope,
// and returns the resulting subset of scopes.
func (a *DefaultAccessTokenSubScoper) CheckSubScopes(accessTokenScopes string, refreshTokenScopes string) (string, error) {
refreshScopesLists := strings.Split(refreshTokenScopes, ",")
accessScopeLists := strings.Split(accessTokenScopes, ",")
refreshMaps := make(map[string]int)
for _, scope := range refreshScopesLists {
if scope == "" {
continue
}
refreshMaps[scope] = 1
}
for _, scope := range accessScopeLists {
if scope == "" {
continue
}
if _, ok := refreshMaps[scope]; !ok {
return "", NewError(EInvalidScope, "scope %v is not in original grant", scope)
}
}
return accessTokenScopes, nil
}