feat: enhance access token management with options for resource and organization (#167)

xiaoyijun · web-flow · commit ab059675d253 · 2025-05-30T17:49:55.000+08:00
diff --git a/client/client.go b/client/client.go
@@ -15,6 +15,22 @@ type AccessToken struct {
 	ExpiresAt int64  `json:"expiresAt"`
 }
 
+// GetAccessTokenOptions contains parameters for retrieving an access token.
+// Use Resource to specify the API resource, and OrganizationId to specify the organization context.
+// Both fields are optional; leave them empty if not needed.
+type GetAccessTokenOptions struct {
+	Resource       string
+	OrganizationId string
+}
+
+// GetOrganizationTokenClaimsOptions contains parameters for retrieving organization access token claims.
+// Use Resource to specify the API resource, and OrganizationId to specify the organization whose claims you want to retrieve.
+// OrganizationId is required.
+type GetOrganizationTokenClaimsOptions struct {
+	Resource       string
+	OrganizationId string
+}
+
 type LogtoClient struct {
 	httpClient     *http.Client
 	logtoConfig    *LogtoConfig
@@ -63,46 +79,32 @@ func (logtoClient *LogtoClient) GetIdTokenClaims() (core.IdTokenClaims, error) {
 	return core.DecodeIdToken(logtoClient.GetIdToken())
 }
 
-func (logtoClient *LogtoClient) GetOrganizationTokenClaims(organizationId string) (core.OrganizationAccessTokenClaims, error) {
-	token, getTokenErr := logtoClient.GetOrganizationToken(organizationId)
-
-	if getTokenErr != nil {
-		return core.OrganizationAccessTokenClaims{}, getTokenErr
-	}
-
-	jwtObject, parseTokenErr := core.ParseSignedJwt(token.Token)
-
-	if parseTokenErr != nil {
-		return core.OrganizationAccessTokenClaims{}, parseTokenErr
-	}
-
-	var claims core.OrganizationAccessTokenClaims
-	claimsErr := jwtObject.UnsafeClaimsWithoutVerification(&claims)
-
-	if claimsErr != nil {
-		return core.OrganizationAccessTokenClaims{}, claimsErr
-	}
-
-	return claims, claimsErr
-}
-
 func (logtoClient *LogtoClient) SaveAccessToken(key string, accessToken AccessToken) {
 	logtoClient.accessTokenMap[key] = accessToken
 	logtoClient.persistAccessTokenMap()
 }
 
-func (logtoClient *LogtoClient) getAccessToken(resource string, organizationId string) (AccessToken, error) {
+// GetAccessTokenWithOptions retrieves an access token for the specified resource and/or organization.
+// Use GetAccessToken for resource-only tokens, or GetOrganizationToken for organization-only tokens.
+// This method provides the most flexibility and is recommended for advanced scenarios.
+func (logtoClient *LogtoClient) GetAccessTokenWithOptions(options GetAccessTokenOptions) (AccessToken, error) {
 	if !logtoClient.IsAuthenticated() {
 		return AccessToken{}, ErrNotAuthenticated
 	}
 
-	if resource != "" {
-		if !slices.Contains(logtoClient.logtoConfig.Resources, resource) {
+	if options.Resource != "" {
+		if !slices.Contains(logtoClient.logtoConfig.Resources, options.Resource) {
 			return AccessToken{}, ErrUnacknowledgedResourceFound
 		}
 	}
 
-	accessTokenKey := buildAccessTokenKey([]string{}, resource, organizationId)
+	if options.OrganizationId != "" {
+		if !slices.Contains(logtoClient.logtoConfig.Scopes, core.UserScopeOrganizations) {
+			return AccessToken{}, ErrMissingScopeOrganizations
+		}
+	}
+
+	accessTokenKey := buildAccessTokenKey([]string{}, options.Resource, options.OrganizationId)
 	if accessToken, ok := logtoClient.accessTokenMap[accessTokenKey]; ok {
 		if accessToken.ExpiresAt > time.Now().Unix() {
 			return accessToken, nil
@@ -126,9 +128,9 @@ func (logtoClient *LogtoClient) getAccessToken(resource string, organizationId s
 		ClientId:       logtoClient.logtoConfig.AppId,
 		ClientSecret:   logtoClient.logtoConfig.AppSecret,
 		RefreshToken:   refreshToken,
-		Resource:       resource,
+		Resource:       options.Resource,
 		Scopes:         []string{},
-		OrganizationId: organizationId,
+		OrganizationId: options.OrganizationId,
 	})
 
 	if refreshTokenErr != nil {
@@ -156,16 +158,65 @@ func (logtoClient *LogtoClient) getAccessToken(resource string, organizationId s
 	return refreshedAccessToken, nil
 }
 
+// GetOrganizationTokenClaimsWithOptions retrieves the claims from an organization access token
+// for the specified resource and organization. OrganizationId is required.
+// Use GetOrganizationTokenClaims for organization-only claims.
+// This method is recommended for advanced scenarios where both resource and organization context are needed.
+func (logtoClient *LogtoClient) GetOrganizationTokenClaimsWithOptions(options GetOrganizationTokenClaimsOptions) (core.OrganizationAccessTokenClaims, error) {
+	if options.OrganizationId == "" {
+		return core.OrganizationAccessTokenClaims{}, ErrMissingOrganizationId
+	}
+
+	token, getTokenErr := logtoClient.GetAccessTokenWithOptions(GetAccessTokenOptions{
+		Resource:       options.Resource,
+		OrganizationId: options.OrganizationId,
+	})
+
+	if getTokenErr != nil {
+		return core.OrganizationAccessTokenClaims{}, getTokenErr
+	}
+
+	jwtObject, parseTokenErr := core.ParseSignedJwt(token.Token)
+
+	if parseTokenErr != nil {
+		return core.OrganizationAccessTokenClaims{}, parseTokenErr
+	}
+
+	var claims core.OrganizationAccessTokenClaims
+	claimsErr := jwtObject.UnsafeClaimsWithoutVerification(&claims)
+
+	if claimsErr != nil {
+		return core.OrganizationAccessTokenClaims{}, claimsErr
+	}
+
+	return claims, claimsErr
+}
+
+// GetAccessToken retrieves an access token for the specified resource only.
+// This method does not support organization-based access.
+// If you need to specify an organization, use GetAccessTokenWithOptions instead.
 func (logtoClient *LogtoClient) GetAccessToken(resource string) (AccessToken, error) {
-	return logtoClient.getAccessToken(resource, "")
+	return logtoClient.GetAccessTokenWithOptions(GetAccessTokenOptions{
+		Resource: resource,
+	})
 }
 
+// GetOrganizationToken retrieves an access token for the specified organization only.
+// This method does not support resource-based access.
+// If you need to specify a resource, use GetAccessTokenWithOptions instead.
 func (logtoClient *LogtoClient) GetOrganizationToken(organizationId string) (AccessToken, error) {
-	if !slices.Contains(logtoClient.logtoConfig.Scopes, core.UserScopeOrganizations) {
-		return AccessToken{}, ErrMissingScopeOrganizations
-	}
+	return logtoClient.GetAccessTokenWithOptions(GetAccessTokenOptions{
+		OrganizationId: organizationId,
+	})
+}
 
-	return logtoClient.getAccessToken("", organizationId)
+// GetOrganizationTokenClaims retrieves the claims from an organization access token for the specified organization only.
+// This method does not support resource-based claims retrieval.
+// If you need to specify a resource, use GetOrganizationTokenClaimsWithOptions instead.
+func (logtoClient *LogtoClient) GetOrganizationTokenClaims(organizationId string) (core.OrganizationAccessTokenClaims, error) {
+	return logtoClient.GetOrganizationTokenClaimsWithOptions(GetOrganizationTokenClaimsOptions{
+		OrganizationId: organizationId,
+	})
 }
 
 func (logtoClient *LogtoClient) FetchUserInfo() (core.UserInfoResponse, error) {
diff --git a/client/errors.go b/client/errors.go
@@ -6,4 +6,5 @@ var (
 	ErrNotAuthenticated            = errors.New("not authenticated")
 	ErrUnacknowledgedResourceFound = errors.New("unacknowledged resource found")
 	ErrMissingScopeOrganizations   = errors.New("missing 'urn:logto:scope:organizations' scope")
+	ErrMissingOrganizationId       = errors.New("missing organization id")
 )

Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,5 @@ var (`
`6`	`6`	`ErrNotAuthenticated = errors.New("not authenticated")`
`7`	`7`	`ErrUnacknowledgedResourceFound = errors.New("unacknowledged resource found")`
`8`	`8`	`ErrMissingScopeOrganizations = errors.New("missing 'urn:logto:scope:organizations' scope")`
	`9`	`+ ErrMissingOrganizationId = errors.New("missing organization id")`
`9`	`10`	`)`