2024-04-12 16:41:11 +02:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
|
|
"github.com/dchest/uniuri"
|
|
|
|
"github.com/gorilla/sessions"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"gitlab.com/wpetit/goweb/logger"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
sessionKeyAccessToken = "access-token"
|
|
|
|
sessionKeyRefreshToken = "refresh-token"
|
|
|
|
sessionKeyTokenExpiry = "token-expiry"
|
|
|
|
sessionKeyIDToken = "id-token"
|
|
|
|
sessionKeyPostLoginRedirectURL = "post-login-redirect-url"
|
|
|
|
sessionKeyLoginState = "login-state"
|
|
|
|
sessionKeyLoginNonce = "login-nonce"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
ErrLoginRequired = errors.New("login required")
|
|
|
|
)
|
|
|
|
|
|
|
|
type Client struct {
|
2024-05-23 15:17:05 +02:00
|
|
|
httpClient *http.Client
|
2024-04-12 16:41:11 +02:00
|
|
|
oauth2 *oauth2.Config
|
|
|
|
provider *oidc.Provider
|
|
|
|
verifier *oidc.IDTokenVerifier
|
|
|
|
authParams map[string]string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) Verifier() *oidc.IDTokenVerifier {
|
|
|
|
return c.verifier
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) Provider() *oidc.Provider {
|
|
|
|
return c.provider
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) Authenticate(w http.ResponseWriter, r *http.Request, sess *sessions.Session) (*oidc.IDToken, error) {
|
|
|
|
idToken, err := c.getIDToken(r, sess)
|
|
|
|
if err != nil {
|
|
|
|
logger.Error(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))
|
|
|
|
|
|
|
|
c.login(w, r, sess)
|
|
|
|
|
|
|
|
return nil, errors.WithStack(ErrLoginRequired)
|
|
|
|
}
|
|
|
|
|
|
|
|
return idToken, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Session) {
|
|
|
|
ctx := r.Context()
|
|
|
|
|
|
|
|
state := uniuri.New()
|
|
|
|
nonce := uniuri.New()
|
|
|
|
|
|
|
|
originalURL, err := director.OriginalURL(ctx)
|
|
|
|
if err != nil {
|
|
|
|
logger.Error(ctx, "could not retrieve original url", logger.E(errors.WithStack(err)))
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
sess.Values[sessionKeyLoginState] = state
|
|
|
|
sess.Values[sessionKeyLoginNonce] = nonce
|
|
|
|
sess.Values[sessionKeyPostLoginRedirectURL] = originalURL.String()
|
|
|
|
|
|
|
|
if err := sess.Save(r, w); err != nil {
|
|
|
|
logger.Error(ctx, "could not save session", logger.E(errors.WithStack(err)))
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
authCodeOptions := []oauth2.AuthCodeOption{}
|
|
|
|
authCodeOptions = append(authCodeOptions, oidc.Nonce(nonce))
|
|
|
|
|
|
|
|
for key, val := range c.authParams {
|
|
|
|
authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam(key, val))
|
|
|
|
}
|
|
|
|
|
|
|
|
authCodeURL := c.oauth2.AuthCodeURL(
|
|
|
|
state,
|
|
|
|
authCodeOptions...,
|
|
|
|
)
|
|
|
|
|
|
|
|
http.Redirect(w, r, authCodeURL, http.StatusFound)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) HandleCallback(w http.ResponseWriter, r *http.Request, sess *sessions.Session) error {
|
|
|
|
token, _, rawIDToken, err := c.validate(r, sess)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "could not validate oidc token")
|
|
|
|
}
|
|
|
|
|
|
|
|
sess.Values[sessionKeyIDToken] = rawIDToken
|
|
|
|
sess.Values[sessionKeyAccessToken] = token.AccessToken
|
|
|
|
sess.Values[sessionKeyRefreshToken] = token.RefreshToken
|
|
|
|
sess.Values[sessionKeyTokenExpiry] = token.Expiry.UTC().Unix()
|
|
|
|
|
|
|
|
if err := sess.Save(r, w); err != nil {
|
|
|
|
return errors.WithStack(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
rawPostLoginRedirectURL, exists := sess.Values[sessionKeyPostLoginRedirectURL]
|
|
|
|
if !exists {
|
|
|
|
return errors.Wrap(err, "could not find post login redirect url")
|
|
|
|
}
|
|
|
|
|
|
|
|
postLoginRedirectURL, ok := rawPostLoginRedirectURL.(string)
|
|
|
|
if !ok {
|
|
|
|
return errors.Wrapf(err, "unexpected value '%v' for post login redirect url", rawPostLoginRedirectURL)
|
|
|
|
}
|
|
|
|
|
|
|
|
http.Redirect(w, r, postLoginRedirectURL, http.StatusTemporaryRedirect)
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) HandleLogout(w http.ResponseWriter, r *http.Request, sess *sessions.Session, postLogoutRedirectURL string) error {
|
|
|
|
state := uniuri.New()
|
|
|
|
sess.Values[sessionKeyLoginState] = state
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
|
|
|
|
rawIDToken, err := c.getRawIDToken(sess)
|
|
|
|
if err != nil {
|
|
|
|
logger.Error(ctx, "could not retrieve raw id token", logger.E(errors.WithStack(err)))
|
|
|
|
}
|
|
|
|
|
|
|
|
sess.Values[sessionKeyIDToken] = nil
|
|
|
|
sess.Values[sessionKeyAccessToken] = nil
|
|
|
|
sess.Values[sessionKeyRefreshToken] = nil
|
|
|
|
sess.Values[sessionKeyTokenExpiry] = nil
|
|
|
|
sess.Options.MaxAge = -1
|
|
|
|
|
|
|
|
if err := sess.Save(r, w); err != nil {
|
|
|
|
return errors.Wrap(err, "could not save session")
|
|
|
|
}
|
|
|
|
|
|
|
|
if rawIDToken == "" {
|
|
|
|
http.Redirect(w, r, postLogoutRedirectURL, http.StatusFound)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
sessionEndURL, err := c.sessionEndURL(rawIDToken, state, postLogoutRedirectURL)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "could not retrieve session end url")
|
|
|
|
}
|
|
|
|
|
|
|
|
if sessionEndURL != "" {
|
|
|
|
http.Redirect(w, r, sessionEndURL, http.StatusFound)
|
|
|
|
} else {
|
|
|
|
http.Redirect(w, r, postLogoutRedirectURL, http.StatusFound)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string) (string, error) {
|
|
|
|
sessionEndEndpoint := &struct {
|
|
|
|
URL string `json:"end_session_endpoint"`
|
|
|
|
}{}
|
|
|
|
|
|
|
|
if err := c.provider.Claims(&sessionEndEndpoint); err != nil {
|
|
|
|
return "", errors.Wrap(err, "could not unmarshal claims")
|
|
|
|
}
|
|
|
|
|
|
|
|
if sessionEndEndpoint.URL == "" {
|
|
|
|
return "", nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
buf.WriteString(sessionEndEndpoint.URL)
|
|
|
|
|
|
|
|
v := url.Values{}
|
|
|
|
|
|
|
|
if idTokenHint != "" {
|
|
|
|
v.Set("id_token_hint", idTokenHint)
|
|
|
|
}
|
|
|
|
|
|
|
|
if postLogoutRedirectURL != "" {
|
|
|
|
v.Set("post_logout_redirect_uri", postLogoutRedirectURL)
|
|
|
|
}
|
|
|
|
|
|
|
|
if state != "" {
|
|
|
|
v.Set("state", state)
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.Contains(sessionEndEndpoint.URL, "?") {
|
|
|
|
buf.WriteByte('&')
|
|
|
|
} else {
|
|
|
|
buf.WriteByte('?')
|
|
|
|
}
|
|
|
|
|
|
|
|
buf.WriteString(v.Encode())
|
|
|
|
|
|
|
|
return buf.String(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) validate(r *http.Request, sess *sessions.Session) (*oauth2.Token, *oidc.IDToken, string, error) {
|
|
|
|
ctx := r.Context()
|
2024-05-23 15:17:05 +02:00
|
|
|
ctx = oidc.ClientContext(ctx, c.httpClient)
|
2024-04-12 16:41:11 +02:00
|
|
|
|
|
|
|
rawStoredState := sess.Values[sessionKeyLoginState]
|
|
|
|
receivedState := r.URL.Query().Get("state")
|
|
|
|
|
|
|
|
storedState, ok := rawStoredState.(string)
|
|
|
|
if !ok {
|
|
|
|
return nil, nil, "", errors.New("could not find state in session")
|
|
|
|
}
|
|
|
|
|
|
|
|
if receivedState != storedState {
|
|
|
|
return nil, nil, "", errors.New("state mismatch")
|
|
|
|
}
|
|
|
|
|
|
|
|
code := r.URL.Query().Get("code")
|
|
|
|
|
|
|
|
token, err := c.oauth2.Exchange(ctx, code)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, "", errors.Wrap(err, "could not exchange token")
|
|
|
|
}
|
|
|
|
|
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
|
|
if !ok {
|
|
|
|
return nil, nil, "", errors.New("could not find id token")
|
|
|
|
}
|
|
|
|
|
|
|
|
idToken, err := c.verifier.Verify(ctx, rawIDToken)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, "", errors.Wrap(err, "could not verify id token")
|
|
|
|
}
|
|
|
|
|
|
|
|
return token, idToken, rawIDToken, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) getRawIDToken(sess *sessions.Session) (string, error) {
|
|
|
|
rawIDToken, ok := sess.Values[sessionKeyIDToken].(string)
|
|
|
|
if !ok || rawIDToken == "" {
|
|
|
|
return "", errors.New("invalid id token")
|
|
|
|
}
|
|
|
|
|
|
|
|
return rawIDToken, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Client) getIDToken(r *http.Request, sess *sessions.Session) (*oidc.IDToken, error) {
|
|
|
|
rawIDToken, err := c.getRawIDToken(sess)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "could not retrieve raw idtoken")
|
|
|
|
}
|
|
|
|
|
|
|
|
idToken, err := c.verifier.Verify(r.Context(), rawIDToken)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "could not verify id token")
|
|
|
|
}
|
|
|
|
|
|
|
|
return idToken, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewClient(funcs ...ClientOptionFunc) *Client {
|
|
|
|
opts := NewClientOptions(funcs...)
|
|
|
|
|
|
|
|
oauth2 := &oauth2.Config{
|
|
|
|
ClientID: opts.ClientID,
|
|
|
|
ClientSecret: opts.ClientSecret,
|
|
|
|
Endpoint: opts.Provider.Endpoint(),
|
|
|
|
RedirectURL: opts.RedirectURL,
|
|
|
|
Scopes: opts.Scopes,
|
|
|
|
}
|
|
|
|
|
|
|
|
verifier := opts.Provider.Verifier(&oidc.Config{
|
|
|
|
ClientID: opts.ClientID,
|
|
|
|
SkipIssuerCheck: opts.SkipIssuerCheck,
|
|
|
|
})
|
|
|
|
|
|
|
|
return &Client{
|
|
|
|
oauth2: oauth2,
|
|
|
|
provider: opts.Provider,
|
|
|
|
verifier: verifier,
|
|
|
|
authParams: opts.AuthParams,
|
2024-05-23 15:17:05 +02:00
|
|
|
httpClient: opts.HTTPClient,
|
2024-04-12 16:41:11 +02:00
|
|
|
}
|
|
|
|
}
|