| 836 | } |
| 837 | |
// ValidDynamicAuth authenticates a dynamic client registration management
// request for the client named by id and returns that client on success.
//
// The caller must present the client's registration access token as the
// request's bearer token. Two independent checks are applied: the token
// must carry a valid HMAC from this server's OAuth2 strategy (proving it was
// minted here), and its signature part must equal the signature recorded on
// the client when the token was issued (proving it was minted for *this*
// client). Without the second check any valid access token would be
// accepted, so both are required.
//
// Every failure is reported as herodot.ErrUnauthorized with one and the same
// Reason text, so the public error does not distinguish "no such client"
// from "wrong token". The WithDebug texts do differ; whether they are ever
// surfaced to the caller depends on the server's error-reporting
// configuration, which is not visible here.
func (h *Handler) ValidDynamicAuth(r *http.Request, id string) (fosite.Client, error) {
	const unauthorizedReason = "The requested OAuth 2.0 client does not exist or you provided incorrect credentials."
	ctx := r.Context()

	// id comes from the request path and is untrusted. Resolve it first so a
	// client that cannot be managed over this endpoint at all is rejected
	// before the presented token is looked at.
	client, err := h.r.ClientManager().GetConcreteClient(ctx, id)
	if err != nil {
		return nil, herodot.ErrUnauthorized.
			WithTrace(err).
			WithReason(unauthorizedReason).
			WithDebug(err.Error())
	}

	// A client with no stored registration access token signature (never
	// issued one, or cleared since) can never authenticate here. Checking
	// this explicitly also rules out ever comparing an empty stored signature
	// against an empty presented one further down.
	if len(client.RegistrationAccessTokenSignature) == 0 {
		return nil, errors.WithStack(herodot.ErrUnauthorized.
			WithReason(unauthorizedReason).
			WithDebug("The OAuth2 Client does not have a registration access token."))
	}

	// The strategy works on the bare token, so drop the "ory_at_" prefix that
	// issued access tokens carry; a token without the prefix is passed
	// through unchanged.
	bearer := strings.TrimPrefix(fosite.AccessTokenFromRequest(r), "ory_at_")

	// The HMAC strategy insists on checking an expiry, but registration
	// access tokens have none of their own. Hand it a throwaway session whose
	// access token "expires" an hour from now purely to satisfy that check.
	// This does not extend anything: the token's real validity is decided by
	// the stored-signature comparison below.
	probe := &fosite.Request{
		Session: &fosite.DefaultSession{
			ExpiresAt: map[fosite.TokenType]time.Time{
				fosite.AccessToken: time.Now().Add(time.Hour),
			},
		},
		RequestedAt: time.Now(),
	}
	if err := h.r.OAuth2HMACStrategy().ValidateAccessToken(ctx, probe, bearer); err != nil {
		return nil, herodot.ErrUnauthorized.
			WithTrace(err).
			WithReason(unauthorizedReason).
			WithDebug(err.Error())
	}

	// The HMAC check above proves the token came from this server; the
	// signature comparison binds it to this particular client. Compare in
	// constant time so response timing does not reveal how much of the
	// stored signature matched. (A length mismatch returns immediately,
	// which is acceptable: the signature length follows from the token
	// format, not from any secret.)
	presentedSig := h.r.OAuth2EnigmaStrategy().Signature(bearer)
	if subtle.ConstantTimeCompare([]byte(client.RegistrationAccessTokenSignature), []byte(presentedSig)) == 0 {
		return nil, errors.WithStack(herodot.ErrUnauthorized.
			WithReason(unauthorizedReason).
			WithDebug("Registration access tokens do not match."))
	}

	return client, nil
}
| 879 | |
| 880 | func (h *Handler) requireDynamicAuth(r *http.Request) *herodot.DefaultError { |
| 881 | if !h.r.Config().PublicAllowDynamicRegistration(r.Context()) { |