..
This commit is contained in:
24
oauth2.go
24
oauth2.go
@@ -13,15 +13,19 @@ import (
|
||||
type OidcClams struct {
|
||||
Email string `json:"email"`
|
||||
Profile string `json:"profile"`
|
||||
Username string `json:"preferred_username"`
|
||||
}
|
||||
|
||||
|
||||
type OAuth2 struct {
|
||||
LogoutUrl string `json:"end_session_endpoint"`
|
||||
|
||||
_ctx context.Context
|
||||
_oauth2Config *oauth2.Config
|
||||
_oidcVerifier *oidc.IDTokenVerifier
|
||||
_oidcProvider *oidc.Provider
|
||||
_nonces map[string]string
|
||||
|
||||
}
|
||||
|
||||
func (o *OAuth2) GetClaims(w http.ResponseWriter, token *oidc.IDToken) (*OidcClams, error) {
|
||||
@@ -42,6 +46,7 @@ func (o *OAuth2) checkOAuth(w http.ResponseWriter, r *http.Request, allowRedirec
|
||||
if err == nil {
|
||||
log.Info("got id_token cookie")
|
||||
token, err := o._oidcVerifier.Verify(o._ctx, cookie.Value)
|
||||
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
|
||||
return nil, false
|
||||
@@ -60,7 +65,6 @@ func (o *OAuth2) checkOAuth(w http.ResponseWriter, r *http.Request, allowRedirec
|
||||
return nil, false
|
||||
}
|
||||
delete(o._nonces, state)
|
||||
|
||||
oauth2Token, err := o._oauth2Config.Exchange(o._ctx, code)
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
|
||||
@@ -72,7 +76,7 @@ func (o *OAuth2) checkOAuth(w http.ResponseWriter, r *http.Request, allowRedirec
|
||||
http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
|
||||
return nil, false
|
||||
}
|
||||
log.Info(rawIDToken)
|
||||
|
||||
token, err2 := o._oidcVerifier.Verify(o._ctx, rawIDToken)
|
||||
if err2 != nil {
|
||||
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
|
||||
@@ -99,9 +103,10 @@ func (o *OAuth2) checkOAuth(w http.ResponseWriter, r *http.Request, allowRedirec
|
||||
} else {
|
||||
//no auth code and no bearer -> redirect
|
||||
if allowRedirect {
|
||||
nonce := generateToken()
|
||||
o._nonces[nonce] = nonce
|
||||
http.Redirect(w, r, o._oauth2Config.AuthCodeURL(nonce), http.StatusFound)
|
||||
pw, _ , _ := generateToken();
|
||||
o._nonces[pw] = pw
|
||||
|
||||
http.Redirect(w, r, o._oauth2Config.AuthCodeURL(pw), http.StatusFound)
|
||||
}
|
||||
|
||||
return nil, false
|
||||
@@ -123,7 +128,6 @@ func CreateOAuth2(config *Config) (*OAuth2, error) {
|
||||
|
||||
// Configure an OpenID Connect aware OAuth2 client.
|
||||
verifier := provider.Verifier(oidcConfig)
|
||||
|
||||
oauthConfig := oauth2.Config{
|
||||
ClientID: config.OAuth2ClientID,
|
||||
ClientSecret: config.OAuth2ClientSecret,
|
||||
@@ -132,11 +136,15 @@ func CreateOAuth2(config *Config) (*OAuth2, error) {
|
||||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
||||
}
|
||||
|
||||
return &OAuth2{
|
||||
ret := OAuth2{
|
||||
_ctx: ctx,
|
||||
_oauth2Config: &oauthConfig,
|
||||
_oidcVerifier: verifier,
|
||||
_oidcProvider: provider,
|
||||
_nonces: make(map[string]string),
|
||||
}, nil
|
||||
}
|
||||
|
||||
err = provider.Claims(&ret)
|
||||
|
||||
return &ret, nil
|
||||
}
|
||||
Reference in New Issue
Block a user