package oidc
import (
"time"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/pkg/errors"
)
// defaultCookieName is the cookie name used when the layer configuration
// does not set cookie.name (see the defaults in fromStoreOptions).
const defaultCookieName = "_bouncer_authn_oidc"
// LayerOptions is the complete configuration of the OIDC authentication
// layer: the generic authn layer options, plus the OpenID Connect client
// settings and the attributes of the cookie the layer issues. Values are
// decoded from the store using the mapstructure tags below.
type LayerOptions struct {
	authn.LayerOptions

	// OIDC holds the provider and client settings (configuration key "oidc").
	OIDC OIDCOptions `mapstructure:"oidc"`

	// Cookie describes the cookie set by this layer (configuration key
	// "cookie"); presumably it carries the authenticated session.
	Cookie CookieOptions `mapstructure:"cookie"`
}
// OIDCOptions holds the OpenID Connect client configuration of the layer.
// Each mapstructure tag is the configuration key the field is decoded from.
// How the values are used is not visible in this file; the comments below
// describe the intent suggested by the names and should be confirmed
// against the layer implementation.
type OIDCOptions struct {
	ClientID string `mapstructure:"clientId"`

	// ClientSecret is a credential: it must not be logged or echoed back
	// in error messages or diagnostics.
	ClientSecret string `mapstructure:"clientSecret"`

	// PublicBaseURL is presumably the externally visible base URL used to
	// build absolute callback/logout URLs; empty by default.
	PublicBaseURL string `mapstructure:"publicBaseURL"`

	// LoginCallbackPath is the path the provider redirects back to after
	// authentication (default templated on proxy and layer names).
	LoginCallbackPath string `mapstructure:"loginCallbackPath"`

	// MatchLoginCallbackPath is the pattern used to recognise callback
	// requests; defaults to "*" followed by LoginCallbackPath.
	MatchLoginCallbackPath string `mapstructure:"matchLoginCallbackPath"`

	// LogoutPath is the path that triggers a logout
	// (default templated on proxy and layer names).
	LogoutPath string `mapstructure:"logoutPath"`

	// MatchLogoutPath is the pattern used to recognise logout requests;
	// defaults to "*" followed by LogoutPath.
	MatchLogoutPath string `mapstructure:"matchLogoutPath"`

	// IssuerURL identifies the OpenID provider.
	IssuerURL string `mapstructure:"issuerURL"`

	// SkipIssuerVerification presumably disables the check that the
	// provider's advertised issuer matches IssuerURL. Relaxing that check
	// weakens token validation; treat enabling it as a reviewed exception.
	SkipIssuerVerification bool `mapstructure:"skipIssuerVerification"`

	// PostLogoutRedirectURLs is presumably the set of redirect targets
	// accepted after logout — an allowlist, which keeps the logout endpoint
	// from becoming an open redirect. Confirm against the layer code.
	PostLogoutRedirectURLs []string `mapstructure:"postLogoutRedirectURLs"`

	// TLSInsecureSkipVerify presumably maps to tls.Config.InsecureSkipVerify
	// for connections to the provider. With it set, the provider's
	// certificate is not validated, so the OIDC exchange is exposed to
	// interception; it is only appropriate for test environments.
	TLSInsecureSkipVerify bool `mapstructure:"tlsInsecureSkipVerify"`

	// Scopes requested at authorization time (default: "openid" only).
	Scopes []string `mapstructure:"scopes"`

	// AuthParams are extra parameters added to the authorization request;
	// their exact use is not visible here.
	AuthParams map[string]string `mapstructure:"authParams"`
}
// CookieOptions controls the attributes of the cookie issued by the layer.
// Defaults applied by fromStoreOptions: Name is defaultCookieName, Path is
// "/", HTTPOnly is true and MaxAge is one hour. Domain, SameSite and Secure
// keep their zero values unless the configuration sets them.
type CookieOptions struct {
	Name   string `mapstructure:"name"`
	Domain string `mapstructure:"domain"`
	Path   string `mapstructure:"path"`

	// SameSite is kept as a string here; its mapping to an http.SameSite
	// value is not visible in this file.
	SameSite string `mapstructure:"sameSite"`

	// Secure presumably sets the cookie's Secure attribute (HTTPS only).
	// It is not enabled by default, so deployments served over TLS should
	// set cookie.secure explicitly.
	Secure bool `mapstructure:"secure"`

	// HTTPOnly presumably sets the HttpOnly attribute, hiding the cookie
	// from client-side scripts (default true).
	HTTPOnly bool `mapstructure:"httpOnly"`

	// MaxAge is the cookie lifetime (default one hour).
	MaxAge time.Duration `mapstructure:"maxAge"`
}
// fromStoreOptions builds the OIDC layer options from the generic
// store.LayerOptions: the package defaults are filled in first, then the
// stored configuration is decoded over them by authn.FromStoreOptions.
//
// Defaults applied before decoding:
//   - LoginCallbackPath and LogoutPath are templated on the proxy and layer
//     names; their Match* counterparts are the same path prefixed with "*".
//   - Scopes is []string{"openid"}.
//   - The cookie is named defaultCookieName, scoped to "/", HttpOnly, and
//     expires after one hour. Secure is not set here, so it stays false
//     unless the stored configuration enables it.
//
// Returns a pointer to the merged options, or the decoding error wrapped
// with a stack trace.
func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
	const (
		callbackPath = ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
		logoutPath   = ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout"
	)

	oidcDefaults := OIDCOptions{
		PublicBaseURL:          "",
		LoginCallbackPath:      callbackPath,
		MatchLoginCallbackPath: "*" + callbackPath,
		LogoutPath:             logoutPath,
		MatchLogoutPath:        "*" + logoutPath,
		Scopes:                 []string{"openid"},
	}

	cookieDefaults := CookieOptions{
		Name:     defaultCookieName,
		Path:     "/",
		HTTPOnly: true,
		MaxAge:   time.Hour,
	}

	merged := &LayerOptions{
		LayerOptions: authn.DefaultLayerOptions(),
		OIDC:         oidcDefaults,
		Cookie:       cookieDefaults,
	}

	// The stored configuration overrides the defaults field by field.
	if err := authn.FromStoreOptions(storeOptions, merged); err != nil {
		return nil, errors.WithStack(err)
	}

	return merged, nil
}