dex/session/session.go

package session

import (
	"net/url"
	"time"

	"github.com/coreos/go-oidc/jose"
	"github.com/coreos/go-oidc/oidc"

	"github.com/coreos/dex/scope"
)

const (
	sessionKeyValidityWindow = 10 * time.Minute //RFC6749

	// The default token expiration time.
	// This is exported, so it can be used to set the expiration
	// time in refresh token flow.
	DefaultSessionValidityWindow = 12 * time.Hour
)

type SessionState string

const (
	SessionStateNew            = SessionState("NEW")
	SessionStateRemoteAttached = SessionState("REMOTE_ATTACHED")
	SessionStateIdentified     = SessionState("IDENTIFIED")
	SessionStateDead           = SessionState("EXCHANGED")
)

type SessionKey struct {
	Key       string
	SessionID string
}

type Session struct {
	ConnectorID string
	ID          string
	State       SessionState
	CreatedAt   time.Time
	ExpiresAt   time.Time
	ClientID    string
	ClientState string
	RedirectURL url.URL
	Identity    oidc.Identity
	UserID      string

	// Regsiter indicates that this session is a registration flow.
	Register bool

	// Nonce is optionally provided in the initial authorization request, and
	// propogated in such cases to the generated claims.
	Nonce string

	// Scope is the 'scope' field in the authentication request. Example scopes
	// are 'openid', 'email', 'offline', etc.
	Scope scope.Scopes

	// Groups the user belongs to.
	Groups []string
}

// Claims returns a new set of Claims for the current session.
// The "sub" of the returned Claims is that of the dex User, not whatever
// remote Identity was used to authenticate.
func (s *Session) Claims(issuerURL string) jose.Claims {
	claims := oidc.NewClaims(issuerURL, s.UserID, s.ClientID, s.CreatedAt, s.ExpiresAt)
	if s.Nonce != "" {
		claims["nonce"] = s.Nonce
	}
	if s.Scope.HasScope(scope.ScopeGroups) {
		claims["groups"] = s.Groups
	}
	return claims
}