2019-09-18 17:55:52 +01:00
|
|
|
package provider
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"errors"
|
|
|
|
|
|
|
|
"github.com/coreos/go-oidc"
|
|
|
|
"golang.org/x/oauth2"
|
2023-11-06 18:15:03 +01:00
|
|
|
|
|
|
|
"github.com/sirupsen/logrus"
|
2019-09-18 17:55:52 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// OIDC provider
|
|
|
|
type OIDC struct {
|
|
|
|
IssuerURL string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
|
|
|
|
ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
|
|
|
|
ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
|
|
|
|
|
2020-06-11 12:24:51 +01:00
|
|
|
OAuthProvider
|
|
|
|
|
2019-09-18 17:55:52 +01:00
|
|
|
provider *oidc.Provider
|
|
|
|
verifier *oidc.IDTokenVerifier
|
2023-11-06 18:15:03 +01:00
|
|
|
|
|
|
|
log *logrus.Logger
|
2019-09-18 17:55:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Name returns the name of the provider
|
|
|
|
func (o *OIDC) Name() string {
|
|
|
|
return "oidc"
|
|
|
|
}
|
|
|
|
|
|
|
|
// Setup performs validation and setup
|
2023-11-06 18:15:03 +01:00
|
|
|
func (o *OIDC) Setup(log *logrus.Logger) error {
|
|
|
|
o.log = log
|
|
|
|
|
2019-09-18 17:55:52 +01:00
|
|
|
// Check parms
|
|
|
|
if o.IssuerURL == "" || o.ClientID == "" || o.ClientSecret == "" {
|
|
|
|
return errors.New("providers.oidc.issuer-url, providers.oidc.client-id, providers.oidc.client-secret must be set")
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
o.ctx = context.Background()
|
|
|
|
|
|
|
|
// Try to initiate provider
|
|
|
|
o.provider, err = oidc.NewProvider(o.ctx, o.IssuerURL)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create oauth2 config
|
|
|
|
o.Config = &oauth2.Config{
|
|
|
|
ClientID: o.ClientID,
|
|
|
|
ClientSecret: o.ClientSecret,
|
|
|
|
Endpoint: o.provider.Endpoint(),
|
|
|
|
|
|
|
|
// "openid" is a required scope for OpenID Connect flows.
|
|
|
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create OIDC verifier
|
|
|
|
o.verifier = o.provider.Verifier(&oidc.Config{
|
|
|
|
ClientID: o.ClientID,
|
|
|
|
})
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetLoginURL provides the login url for the given redirect uri and state
|
|
|
|
func (o *OIDC) GetLoginURL(redirectURI, state string) string {
|
|
|
|
return o.OAuthGetLoginURL(redirectURI, state)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ExchangeCode exchanges the given redirect uri and code for a token
|
|
|
|
func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {
|
|
|
|
token, err := o.OAuthExchangeCode(redirectURI, code)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2023-11-06 18:15:03 +01:00
|
|
|
o.log.WithField("accessToken", token.AccessToken).Debug("getUser")
|
2019-09-18 17:55:52 +01:00
|
|
|
|
|
|
|
// Extract ID token
|
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
|
|
if !ok {
|
|
|
|
return "", errors.New("Missing id_token")
|
|
|
|
}
|
|
|
|
|
|
|
|
return rawIDToken, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetUser uses the given token and returns a complete provider.User object
|
2023-11-06 22:09:29 +01:00
|
|
|
func (o *OIDC) GetUser(token string) (User, Roles, error) {
|
2019-09-18 17:55:52 +01:00
|
|
|
var user User
|
2023-11-06 19:59:31 +01:00
|
|
|
var roles Roles
|
2019-09-18 17:55:52 +01:00
|
|
|
|
|
|
|
// Parse & Verify ID Token
|
|
|
|
idToken, err := o.verifier.Verify(o.ctx, token)
|
|
|
|
if err != nil {
|
2023-11-06 22:09:29 +01:00
|
|
|
return user, roles, err
|
2019-09-18 17:55:52 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Extract custom claims
|
2020-06-29 21:01:59 +01:00
|
|
|
if err := idToken.Claims(&user); err != nil {
|
2023-11-06 22:09:29 +01:00
|
|
|
return user, roles, err
|
2019-09-18 17:55:52 +01:00
|
|
|
}
|
2023-11-06 18:15:03 +01:00
|
|
|
o.log.WithField("user", user).Debug("getUser")
|
|
|
|
|
2023-11-06 19:59:31 +01:00
|
|
|
if err := idToken.Claims(&roles); err != nil {
|
2023-11-06 22:09:29 +01:00
|
|
|
return user, roles, err
|
2023-11-06 19:59:31 +01:00
|
|
|
}
|
|
|
|
o.log.WithField("roles", roles).Debug("getUser")
|
|
|
|
|
2023-11-06 22:09:29 +01:00
|
|
|
return user, roles, nil
|
2019-09-18 17:55:52 +01:00
|
|
|
}
|