pomerium/authenticate/grpc.go

package authenticate // import "github.com/pomerium/pomerium/authenticate"
import (
	"context"
	"fmt"

	"github.com/golang/protobuf/ptypes"

	"github.com/pomerium/pomerium/internal/log"
	"github.com/pomerium/pomerium/internal/sessions"
	pb "github.com/pomerium/pomerium/proto/authenticate"
)

// Authenticate takes an encrypted code, and returns the authentication result.
func (p *Authenticate) Authenticate(ctx context.Context, in *pb.AuthenticateRequest) (*pb.AuthenticateReply, error) {
	session, err := sessions.UnmarshalSession(in.Code, p.cipher)
	if err != nil {
		return nil, fmt.Errorf("authenticate/grpc: %v", err)
	}
	expiryTimestamp, err := ptypes.TimestampProto(session.RefreshDeadline)
	if err != nil {
		return nil, err
	}

	return &pb.AuthenticateReply{
		AccessToken:  session.AccessToken,
		RefreshToken: session.RefreshToken,
		IdToken:      session.IDToken,
		User:         session.User,
		Email:        session.Email,
		Expiry:       expiryTimestamp,
	}, nil
}

// Validate locally validates a JWT id token; does NOT do nonce or revokation validation.
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
func (p *Authenticate) Validate(ctx context.Context, in *pb.ValidateRequest) (*pb.ValidateReply, error) {
	isValid, err := p.provider.Validate(in.IdToken)
	if err != nil {
		return &pb.ValidateReply{IsValid: false}, err
	}
	return &pb.ValidateReply{IsValid: isValid}, nil
}

// Refresh renews a user's session checks if the session has been revoked using an access token
// without reprompting the user.
func (p *Authenticate) Refresh(ctx context.Context, in *pb.RefreshRequest) (*pb.RefreshReply, error) {
	newToken, err := p.provider.Refresh(in.RefreshToken)
	if err != nil {
		return nil, err
	}
	expiryTimestamp, err := ptypes.TimestampProto(newToken.Expiry)
	if err != nil {
		return nil, err
	}
	log.Info().
		Str("session.AccessToken", newToken.AccessToken).
		Msg("authenticate: grpc: refresh: ok")

	return &pb.RefreshReply{
		AccessToken: newToken.AccessToken,
		Expiry:      expiryTimestamp,
	}, nil

}