wn/traefik-forward-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

evaluate role in higher layer

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2023-11-06 22:09:29 +01:00
parent ab2d527dbd
commit f6120640d2
5 changed files with 33 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
internal/provider/oidc.go
View File

@ -3,6 +3,7 @@ package provider
import (
"context"
"errors"
"fmt"
"github.com/coreos/go-oidc"
"golang.org/x/oauth2"
@ -88,14 +89,14 @@ func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {
}
// GetUser uses the given token and returns a complete provider.User object
func (o *OIDC) GetUser(token string) (User, error) {
func (o *OIDC) GetUser(token string) (User, Roles, error) {
var user User
var roles Roles
// Parse & Verify ID Token
idToken, err := o.verifier.Verify(o.ctx, token)
if err != nil {
return user, err
return user, roles, err
}
@ -103,16 +104,18 @@ func (o *OIDC) GetUser(token string) (User, error) {
// Extract custom claims
if err := idToken.Claims(&user); err != nil {
return user, err
return user, roles, err
}
o.log.WithField("user", user).Debug("getUser")
if err := idToken.Claims(&roles); err != nil {
return user, err
return user, roles, err
}
o.log.WithField("roles", roles).Debug("getUser")
for i, r := range roles.Roles {
o.log.Debug(fmt.Sprintf("%d, %s", i, r))
}
return user, errors.New("access denied")
// return user, nil
return user, roles, nil
}