hub / github.com/ory/hydra / ValidDynamicAuth

Method ValidDynamicAuth

client/handler.go:838–878  ·  view source on GitHub ↗
(r *http.Request, id string)


836}
837
// ValidDynamicAuth checks that the request carries the registration access
// token belonging to the OAuth 2.0 client identified by id, and returns that
// client on success.
//
// The token is read from the request with fosite.AccessTokenFromRequest. Its
// signature must equal the RegistrationAccessTokenSignature stored on the
// client. Any failure yields a herodot.ErrUnauthorized carrying one shared
// reason string; the cause is attached only through WithDebug / WithTrace.
func (h *Handler) ValidDynamicAuth(r *http.Request, id string) (fosite.Client, error) {
	// One reason for every rejection: an unknown client id, a client without
	// a registration token, and a wrong token all read the same to the caller,
	// so the response text does not confirm whether a client id exists.
	const reason = "The requested OAuth 2.0 client does not exist or you provided incorrect credentials."

	ctx := r.Context()

	client, err := h.r.ClientManager().GetConcreteClient(ctx, id)
	if err != nil {
		return nil, herodot.ErrUnauthorized.WithTrace(err).WithReason(reason).WithDebug(err.Error())
	}

	// A client with no stored signature can never be authenticated this way.
	// Rejecting it here also keeps an empty stored value out of the comparison
	// at the end of the function.
	storedSignature := client.RegistrationAccessTokenSignature
	if len(storedSignature) == 0 {
		return nil, errors.WithStack(herodot.ErrUnauthorized.
			WithReason(reason).
			WithDebug("The OAuth2 Client does not have a registration access token."))
	}

	// Strip the "ory_at_" prefix when present; validation and signature
	// extraction below both operate on the bare token.
	presented := fosite.AccessTokenFromRequest(r)
	token := strings.TrimPrefix(presented, "ory_at_")

	// The strategy checks the expiry time of the token. Registration tokens
	// don't expire (there is no way of rotating them), so the request handed
	// to the strategy claims an expiry one hour in the future.
	// NOTE(review): a leaked registration token therefore stays usable until
	// the stored signature itself is replaced. Confirm how callers rotate it.
	neverExpired := &fosite.Request{
		Session: &fosite.DefaultSession{
			ExpiresAt: map[fosite.TokenType]time.Time{
				fosite.AccessToken: time.Now().Add(time.Hour),
			},
		},
		RequestedAt: time.Now(),
	}
	if verr := h.r.OAuth2HMACStrategy().ValidateAccessToken(ctx, neverExpired, token); verr != nil {
		return nil, herodot.ErrUnauthorized.WithTrace(verr).WithReason(reason).WithDebug(verr.Error())
	}

	// A token that validates is not enough: it must be this client's token.
	// subtle.ConstantTimeCompare takes time independent of the contents, so
	// response timing does not reveal how much of a guessed signature matched.
	// It returns 1 only when both slices are equal.
	presentedSignature := h.r.OAuth2EnigmaStrategy().Signature(token)
	if subtle.ConstantTimeCompare([]byte(storedSignature), []byte(presentedSignature)) != 1 {
		return nil, errors.WithStack(herodot.ErrUnauthorized.
			WithReason(reason).
			WithDebug("Registration access tokens do not match."))
	}

	return client, nil
}
879
880func (h *Handler) requireDynamicAuth(r *http.Request) *herodot.DefaultError {
881 if !h.r.Config().PublicAllowDynamicRegistration(r.Context()) {

Callers 4

setOidcDynamicClientMethod · 0.95
getOidcDynamicClientMethod · 0.95
TestHandlerFunction · 0.95

Calls 12

AccessTokenFromRequestFunction · 0.92
WithDebugMethod · 0.80
WithTraceMethod · 0.80
SignatureMethod · 0.80
GetConcreteClientMethod · 0.65
ClientManagerMethod · 0.65
ValidateAccessTokenMethod · 0.65
OAuth2HMACStrategyMethod · 0.65
AddMethod · 0.65
NowMethod · 0.65
OAuth2EnigmaStrategyMethod · 0.65
ErrorMethod · 0.45

Tested by 1

TestHandlerFunction · 0.76