traefik-forward-auth/internal/provider/oidc.go

package provider

import (
	"context"
	"errors"

	"github.com/coreos/go-oidc"
	"golang.org/x/oauth2"

	"github.com/sirupsen/logrus"
)

// OIDC provider
type OIDC struct {
	IssuerURL    string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
	ClientID     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`

	OAuthProvider

	provider *oidc.Provider
	verifier *oidc.IDTokenVerifier

  log          *logrus.Logger
}

// Name returns the name of the provider
func (o *OIDC) Name() string {
	return "oidc"
}

// Setup performs validation and setup
func (o *OIDC) Setup(log *logrus.Logger) error {
  o.log = log

	// Check parms
	if o.IssuerURL == "" || o.ClientID == "" || o.ClientSecret == "" {
		return errors.New("providers.oidc.issuer-url, providers.oidc.client-id, providers.oidc.client-secret must be set")
	}

	var err error
	o.ctx = context.Background()

	// Try to initiate provider
	o.provider, err = oidc.NewProvider(o.ctx, o.IssuerURL)
	if err != nil {
		return err
	}

	// Create oauth2 config
	o.Config = &oauth2.Config{
		ClientID:     o.ClientID,
		ClientSecret: o.ClientSecret,
		Endpoint:     o.provider.Endpoint(),

		// "openid" is a required scope for OpenID Connect flows.
		Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
	}

	// Create OIDC verifier
	o.verifier = o.provider.Verifier(&oidc.Config{
		ClientID: o.ClientID,
	})

	return nil
}

// GetLoginURL provides the login url for the given redirect uri and state
func (o *OIDC) GetLoginURL(redirectURI, state string) string {
	return o.OAuthGetLoginURL(redirectURI, state)
}

// ExchangeCode exchanges the given redirect uri and code for a token
func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {
	token, err := o.OAuthExchangeCode(redirectURI, code)
	if err != nil {
		return "", err
	}
	o.log.WithField("accessToken", token.AccessToken).Debug("getUser")

	// Extract ID token
	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		return "", errors.New("Missing id_token")
	}

	return rawIDToken, nil
}

// GetUser uses the given token and returns a complete provider.User object
func (o *OIDC) GetUser(token string) (User, Roles, error) {
	var user User
  var roles Roles

	// Parse & Verify ID Token
	idToken, err := o.verifier.Verify(o.ctx, token)
	if err != nil {
		return user, roles, err
	}

	// Extract custom claims
	if err := idToken.Claims(&user); err != nil {
		return user, roles, err
	}
	o.log.WithField("user", user).Debug("getUser")

	if err := idToken.Claims(&roles); err != nil {
		return user, roles, err
	}
	o.log.WithField("roles", roles).Debug("getUser")

	return user, roles, nil
}
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`package provider`

			`import (`
			`"context"`
			`"errors"`

			`"github.com/coreos/go-oidc"`
			`"golang.org/x/oauth2"`
debugging for analyzing token 2023-11-06 18:15:03 +01:00
			`"github.com/sirupsen/logrus"`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`)`

			`// OIDC provider`
			`type OIDC struct {`
			IssuerURL string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
			ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
			ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`

Add support for resource indicator to OIDC provider (#131) 2020-06-11 12:24:51 +01:00			`OAuthProvider`

Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`provider *oidc.Provider`
			`verifier *oidc.IDTokenVerifier`
debugging for analyzing token 2023-11-06 18:15:03 +01:00
			`log *logrus.Logger`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`}`

			`// Name returns the name of the provider`
			`func (o *OIDC) Name() string {`
			`return "oidc"`
			`}`

			`// Setup performs validation and setup`
debugging for analyzing token 2023-11-06 18:15:03 +01:00			`func (o OIDC) Setup(log logrus.Logger) error {`
			`o.log = log`

Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`// Check parms`
			`if o.IssuerURL == "" \|\| o.ClientID == "" \|\| o.ClientSecret == "" {`
			`return errors.New("providers.oidc.issuer-url, providers.oidc.client-id, providers.oidc.client-secret must be set")`
			`}`

			`var err error`
			`o.ctx = context.Background()`

			`// Try to initiate provider`
			`o.provider, err = oidc.NewProvider(o.ctx, o.IssuerURL)`
			`if err != nil {`
			`return err`
			`}`

			`// Create oauth2 config`
			`o.Config = &oauth2.Config{`
			`ClientID: o.ClientID,`
			`ClientSecret: o.ClientSecret,`
			`Endpoint: o.provider.Endpoint(),`

			`// "openid" is a required scope for OpenID Connect flows.`
			`Scopes: []string{oidc.ScopeOpenID, "profile", "email"},`
			`}`

			`// Create OIDC verifier`
			`o.verifier = o.provider.Verifier(&oidc.Config{`
			`ClientID: o.ClientID,`
			`})`

			`return nil`
			`}`

			`// GetLoginURL provides the login url for the given redirect uri and state`
			`func (o *OIDC) GetLoginURL(redirectURI, state string) string {`
			`return o.OAuthGetLoginURL(redirectURI, state)`
			`}`

			`// ExchangeCode exchanges the given redirect uri and code for a token`
			`func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {`
			`token, err := o.OAuthExchangeCode(redirectURI, code)`
			`if err != nil {`
			`return "", err`
			`}`
debugging for analyzing token 2023-11-06 18:15:03 +01:00			`o.log.WithField("accessToken", token.AccessToken).Debug("getUser")`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00
			`// Extract ID token`
			`rawIDToken, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`return "", errors.New("Missing id_token")`
			`}`

			`return rawIDToken, nil`
			`}`

			`// GetUser uses the given token and returns a complete provider.User object`
evaluate role in higher layer 2023-11-06 22:09:29 +01:00			`func (o *OIDC) GetUser(token string) (User, Roles, error) {`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`var user User`
we get closer 2023-11-06 19:59:31 +01:00			`var roles Roles`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00
			`// Parse & Verify ID Token`
			`idToken, err := o.verifier.Verify(o.ctx, token)`
			`if err != nil {`
evaluate role in higher layer 2023-11-06 22:09:29 +01:00			`return user, roles, err`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`}`

			`// Extract custom claims`
Remove unused user fields (#141) These aren't actually used anywhere and can result in a parse error if the ID field isn't a string 2020-06-29 21:01:59 +01:00			`if err := idToken.Claims(&user); err != nil {`
evaluate role in higher layer 2023-11-06 22:09:29 +01:00			`return user, roles, err`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`}`
debugging for analyzing token 2023-11-06 18:15:03 +01:00			`o.log.WithField("user", user).Debug("getUser")`

we get closer 2023-11-06 19:59:31 +01:00			`if err := idToken.Claims(&roles); err != nil {`
evaluate role in higher layer 2023-11-06 22:09:29 +01:00			`return user, roles, err`
we get closer 2023-11-06 19:59:31 +01:00			`}`
			`o.log.WithField("roles", roles).Debug("getUser")`

evaluate role in higher layer 2023-11-06 22:09:29 +01:00			`return user, roles, nil`
Multiple provider support + OIDC provider 2019-09-18 17:55:52 +01:00			`}`