ory · mattslocum · Jan 4, 2023
@@ -805,7 +805,8 @@ func (h *Handler) ValidDynamicAuth(r *http.Request, ps httprouter.Params) (fosit
 			WithReason("The requested OAuth 2.0 client does not exist or you provided incorrect credentials.").WithDebug("The OAuth2 Client does not have a registration access token."))
 	}
 
-	token := strings.TrimPrefix(fosite.AccessTokenFromRequest(r), "ory_at_")
+	prefix := h.r.Config().GetTokenPrefix(r.Context()) + "_at_"
+	token := strings.TrimPrefix(fosite.AccessTokenFromRequest(r), prefix)
 	if err := h.r.OAuth2HMACStrategy().Enigma.Validate(r.Context(), token); err != nil {
 		return nil, herodot.ErrUnauthorized.
 			WithTrace(err).

@@ -92,6 +92,7 @@ const (
 	KeyOAuth2GrantJWTIDOptional                  = "oauth2.grant.jwt.jti_optional"
 	KeyOAuth2GrantJWTIssuedDateOptional          = "oauth2.grant.jwt.iat_optional"
 	KeyOAuth2GrantJWTMaxDuration                 = "oauth2.grant.jwt.max_ttl"
+	KeyOAuth2TokenPrefix                         = "oauth2.token_prefix"
 	KeyRefreshTokenHookURL                       = "oauth2.refresh_token_hook" // #nosec G101
 	KeyDevelopmentMode                           = "dev"
 )
@@ -515,6 +516,10 @@ func (p *DefaultProvider) GetJWTMaxDuration(ctx context.Context) time.Duration {
 	return p.getProvider(ctx).DurationF(KeyOAuth2GrantJWTMaxDuration, time.Hour*24*30)
 }
 
+func (p *DefaultProvider) GetTokenPrefix(ctx context.Context) string {
+	return p.getProvider(ctx).StringF(KeyOAuth2TokenPrefix, "ory")
+}
+
 func (p *DefaultProvider) CookieDomain(ctx context.Context) string {
 	return p.getProvider(ctx).String(KeyCookieDomain)
 }

@@ -89,6 +89,10 @@ func (p *DefaultProvider) GetScopeStrategy(ctx context.Context) fosite.ScopeStra
 	return fosite.ExactScopeStrategy
 }
 
+func (p *DefaultProvider) GetTokenPrefixProvider(ctx context.Context) string {
+	return p.getProvider(ctx).StringF(KeyOAuth2TokenPrefix, "ory")
+}
+
 func (p *DefaultProvider) GetUseLegacyErrorFormat(context.Context) bool {
 	return false
 }
@@ -406,6 +406,17 @@ func TestCookieSecure(t *testing.T) {
 	assert.True(t, c.CookieSecure(ctx))
 }
 
+func TestTokenPrefix(t *testing.T) {
+	ctx := context.Background()
+	l := logrusx.New("", "")
+	l.Logrus().SetOutput(io.Discard)
+	c := MustNew(context.Background(), l, configx.SkipValidation())
+
+	assert.EqualValues(t, "ory", c.GetTokenPrefix(ctx)) // default when not set
+	c.MustSet(ctx, KeyOAuth2TokenPrefix, "sabre")
+	assert.EqualValues(t, "sabre", c.GetTokenPrefix(ctx))
+}
+
 func TestTokenRefreshHookURL(t *testing.T) {
 	ctx := context.Background()
 	l := logrusx.New("", "")

@@ -9,6 +9,7 @@ replace (
 	github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
 	github.com/mattn/go-sqlite3 => github.com/mattn/go-sqlite3 v1.14.13
 	github.com/oleiade/reflections => github.com/oleiade/reflections v1.0.1
+	github.com/ory/fosite => github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d
 )
 
 replace github.com/ory/hydra-client-go/v2 => ./internal/httpclient

@@ -766,6 +766,8 @@ github.com/mattn/go-sqlite3 v1.14.13 h1:1tj15ngiFfcZzii7yd82foL+ks+ouQcj8j/TPq3f
 github.com/mattn/go-sqlite3 v1.14.13/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/mattn/goveralls v0.0.11 h1:eJXea6R6IFlL1QMKNMzDvvHv/hwGrnvyig4N+0+XiMM=
 github.com/mattn/goveralls v0.0.11/go.mod h1:gU8SyhNswsJKchEV93xRQxX6X3Ei4PJdQk/6ZHvrvRk=
+github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d h1:0yn96ItzZRMyrYXNLjqFZFoJvv57ZJSI2Nd6e2OkOl0=
+github.com/mattslocum/fosite v0.0.0-20230104213057-70d11837908d/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -856,8 +858,6 @@ github.com/ory/analytics-go/v4 v4.0.3 h1:2zNBQLlm3UiD8U7DdUGLLUBm62ZA5GtbEJ3S5U+
 github.com/ory/analytics-go/v4 v4.0.3/go.mod h1:A3Chm/3TmM8jw4nqRss+gFhAYHRI5j/HFYH3C1FRahU=
 github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1kY=
 github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
-github.com/ory/fosite v0.44.0 h1:Z3UjyO11/wlIoa3BotOqcTkfm7kUNA8F7dd8mOMfx0o=
-github.com/ory/fosite v0.44.0/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw=
 github.com/ory/go-acc v0.2.8 h1:rOHHAPQjf0u7eHFGWpiXK+gIu/e0GRSJNr9pDukdNC4=
 github.com/ory/go-acc v0.2.8/go.mod h1:iCRZUdGb/7nqvSn8xWZkhfVrtXRZ9Wru2E5rabCjFPI=

@@ -970,6 +970,12 @@
             }
           }
         },
+        "token_prefix": {
+          "type": "string",
+          "description": "Sets the prefix for access, refresh, and code tokens. This allows detection of tokens in source code and databases. An additional '_at_', '_rt_', '_ac_' is added after the token_prefix, respectively.",
+          "examples": ["sabre"],
+          "default": "ory"
+        },
         "refresh_token_hook": {
           "type": "string",
           "description": "Sets the refresh token hook endpoint. If set it will be called during token refresh to receive updated token claims.",