One of the changes in OAuth 2.1 addresses attacks with refresh token
replays by recommending the use of one-time use tokens. A refresh token
is thus rotated and invalid after exactly one use, returning a new token
for each successful grant. Any further attempts must thus use the most
recently acquired refresh token. Reusing a refresh token may also
cause the authorization server to invalidate the current active refresh
token, requiring a refresh authorization grant to be reacquired for
further refresh token usage.
The use of locks prevents multiple refresh grant attempts for a given
session from happening across concurrent requests.
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.
We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.
The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
As we already clear any local sessions before redirecting to the
Identity Provider, and the callback always redirects to a pre-configured URL,
there isn't really any need to maintain and verify state in the logout
callback.
In other words, the logout callback handler is simply a redirect handler.
There's a bunch of changes here, but in essence:
- split out openid configuration
- separate openid configuration between client/rp and provider
- consolidate client and provider related code in separate packages
These changes allow for simplification of the Handler, as well as a
bunch of test/mock code as the configuration is now instantiated
seperately from the client/provider code.
