add auth_time to mytoken

dd2070a9 · Gabriel Zachmann · e86db238 · dd2070a9 · dd2070a9 · dd2070a9
Commit dd2070a9 authored 3 years ago by Gabriel Zachmann
--- a/internal/oidc/authcode/authcode.go
+++ b/internal/oidc/authcode/authcode.go
@@ -274,10 +274,9 @@ func CodeExchange(

 func createMytokenEntry(
 	rlog log.Ext1FieldLogger, tx *sqlx.Tx, authFlowInfo *authcodeinforepo.AuthFlowInfoOut, token *oauth2.Token,
-	oidcSub string,
-	networkData api.ClientMetaData,
+	oidcSub string, networkData api.ClientMetaData,
 ) (*mytokenrepo.MytokenEntry, error) {
-	ste := mytokenrepo.NewMytokenEntry(
+	mte := mytokenrepo.NewMytokenEntry(
 		mytoken.NewMytoken(
 			oidcSub,
 			authFlowInfo.Issuer,
@@ -285,16 +284,18 @@ func createMytokenEntry(
 			authFlowInfo.Capabilities,
 			authFlowInfo.SubtokenCapabilities,
 			authFlowInfo.Rotation,
+			unixtime.Now(),
 		),
 		authFlowInfo.Name, networkData,
 	)
-	if err := ste.InitRefreshToken(token.RefreshToken); err != nil {
+	mte.Token.AuthTime = unixtime.Now()
+	if err := mte.InitRefreshToken(token.RefreshToken); err != nil {
 		return nil, err
 	}
-	if err := ste.Store(rlog, tx, "Used grant_type oidc_flow authorization_code"); err != nil {
+	if err := mte.Store(rlog, tx, "Used grant_type oidc_flow authorization_code"); err != nil {
 		return nil, err
 	}
-	return ste, nil
+	return mte, nil
 }

 func getSubjectFromUserinfo(provider *oidc.Provider, token *oauth2.Token) (string, error) {

--- a/shared/mytoken/mytokenHandler.go
+++ b/shared/mytoken/mytokenHandler.go
@@ -271,8 +271,8 @@ func createMytokenEntry(
 		sc = api.TightenCapabilities(capsFromParent, req.SubtokenCapabilities)
 	}
 	ste := mytokenrepo.NewMytokenEntry(
-		mytoken.NewMytoken(parent.OIDCSubject, parent.OIDCIssuer, r, c, sc, req.Rotation),
-		req.Name, networkData,
+		mytoken.NewMytoken(parent.OIDCSubject, parent.OIDCIssuer, r, c, sc, req.Rotation, parent.AuthTime), req.Name,
+		networkData,
 	)
 	encryptionKey, _, err := encryptionkeyrepo.GetEncryptionKey(rlog, nil, parent.ID, req.Mytoken.JWT)
 	if err != nil {

--- a/shared/mytoken/pkg/mytoken.go
+++ b/shared/mytoken/pkg/mytoken.go
@@ -34,6 +34,7 @@ type Mytoken struct {
 	ExpiresAt            unixtime.UnixTime         `json:"exp,omitempty"`
 	NotBefore            unixtime.UnixTime         `json:"nbf"`
 	IssuedAt             unixtime.UnixTime         `json:"iat"`
+	AuthTime             unixtime.UnixTime         `json:"auth_time,omitempty"`
 	ID                   mtid.MTID                 `json:"jti"`
 	SeqNo                uint64                    `json:"seq_no"`
 	Name                 string                    `json:"name,omitempty"`
@@ -90,6 +91,7 @@ func (mt *Mytoken) VerifyCapabilities(required ...api.Capability) bool {
 // NewMytoken creates a new Mytoken
 func NewMytoken(
 	oidcSub, oidcIss string, r restrictions.Restrictions, c, sc api.Capabilities, rot *api.Rotation,
+	authTime unixtime.UnixTime,
 ) *Mytoken {
 	now := unixtime.Now()
 	mt := &Mytoken{
@@ -99,6 +101,7 @@ func NewMytoken(
 		SeqNo:                1,
 		IssuedAt:             now,
 		NotBefore:            now,
+		AuthTime:             authTime,
 		Issuer:               config.Get().IssuerURL,
 		Subject:              utils.CreateMytokenSubject(oidcSub, oidcIss),
 		Audience:             config.Get().IssuerURL,