goweb-oidc/client.go

package oidc

import (
	"bytes"
	"net/http"
	"net/url"
	"strings"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/dchest/uniuri"
	"github.com/pkg/errors"
	"gitlab.com/wpetit/goweb/middleware/container"
	"gitlab.com/wpetit/goweb/service/session"
	"golang.org/x/oauth2"
)

type Client struct {
	oauth2    *oauth2.Config
	provider  *oidc.Provider
	verifier  *oidc.IDTokenVerifier
	acrValues string
}

func (c *Client) Verifier() *oidc.IDTokenVerifier {
	return c.verifier
}

func (c *Client) Provider() *oidc.Provider {
	return c.provider
}

func (c *Client) Login(w http.ResponseWriter, r *http.Request) {
	ctn := container.Must(r.Context())

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "could not retrieve session"))
	}

	state := uniuri.New()
	nonce := uniuri.New()

	sess.Set(SessionOIDCStateKey, state)
	sess.Set(SessionOIDCNonceKey, nonce)

	if err := sess.Save(w, r); err != nil {
		panic(errors.Wrap(err, "could not save session"))
	}

	authCodeOptions := []oauth2.AuthCodeOption{}
	authCodeOptions = append(authCodeOptions, oidc.Nonce(nonce))
	if c.acrValues != "" {
		authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam("acr_values", c.acrValues))
	}

	authCodeURL := c.oauth2.AuthCodeURL(
		state,
		authCodeOptions...,
	)

	http.Redirect(w, r, authCodeURL, http.StatusFound)
}

func (c *Client) Logout(w http.ResponseWriter, r *http.Request, postLogoutRedirectURL string) {
	rawIDToken, err := RawIDToken(w, r)
	if err != nil {
		panic(errors.Wrap(err, "could not retrieve raw id token"))
	}

	ctn := container.Must(r.Context())

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "could not retrieve session"))
	}

	state := uniuri.New()

	sess.Set(SessionOIDCStateKey, state)
	sess.Unset(SessionIDTokenKey)

	if err := sess.Save(w, r); err != nil {
		panic(errors.Wrap(err, "could not save session"))
	}

	sessionEndURL, err := c.sessionEndURL(rawIDToken, state, postLogoutRedirectURL)
	if err != nil {
		panic(errors.Wrap(err, "could not retrieve session end url"))
	}

	if sessionEndURL != "" {
		http.Redirect(w, r, sessionEndURL, http.StatusFound)
	} else {
		http.Redirect(w, r, postLogoutRedirectURL, http.StatusFound)
	}
}

func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string) (string, error) {
	sessionEndEndpoint := &struct {
		URL string `json:"end_session_endpoint"`
	}{}

	if err := c.provider.Claims(&sessionEndEndpoint); err != nil {
		return "", errors.Wrap(err, "could not unmarshal claims")
	}

	if sessionEndEndpoint.URL == "" {
		return "", nil
	}

	var buf bytes.Buffer
	buf.WriteString(sessionEndEndpoint.URL)

	v := url.Values{}

	if idTokenHint != "" {
		v.Set("id_token_hint", idTokenHint)
	}

	if postLogoutRedirectURL != "" {
		v.Set("post_logout_redirect_uri", postLogoutRedirectURL)
	}

	if state != "" {
		v.Set("state", state)
	}

	if strings.Contains(sessionEndEndpoint.URL, "?") {
		buf.WriteByte('&')
	} else {
		buf.WriteByte('?')
	}

	buf.WriteString(v.Encode())

	return buf.String(), nil
}

func (c *Client) Validate(w http.ResponseWriter, r *http.Request) (*oidc.IDToken, string, error) {
	ctx := r.Context()
	ctn := container.Must(ctx)

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		return nil, "", errors.Wrap(err, "could not retrieve session")
	}

	rawStoredState := sess.Get(SessionOIDCStateKey)
	receivedState := r.URL.Query().Get("state")

	storedState, ok := rawStoredState.(string)
	if !ok {
		return nil, "", errors.New("could not find state in session")
	}

	if receivedState != storedState {
		return nil, "", errors.New("state mismatch")
	}

	code := r.URL.Query().Get("code")

	token, err := c.oauth2.Exchange(ctx, code)
	if err != nil {
		return nil, "", errors.Wrap(err, "could not exchange token")
	}

	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		return nil, "", errors.New("could not find id token")
	}

	idToken, err := c.verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, "", errors.Wrap(err, "could not verify id token")
	}

	return idToken, rawIDToken, nil
}

func NewClient(opts ...OptionFunc) *Client {
	opt := fromDefault(opts...)

	oauth2 := &oauth2.Config{
		ClientID:     opt.ClientID,
		ClientSecret: opt.ClientSecret,
		Endpoint:     opt.Provider.Endpoint(),
		RedirectURL:  opt.RedirectURL,
		Scopes:       opt.Scopes,
	}

	verifier := opt.Provider.Verifier(&oidc.Config{
		ClientID:        opt.ClientID,
		SkipIssuerCheck: opt.SkipIssuerCheck,
	})

	return &Client{oauth2, opt.Provider, verifier, opt.AcrValues}
}
Initial commit 2020-05-20 10:43:12 +02:00			`package oidc`

			`import (`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`"bytes"`
Initial commit 2020-05-20 10:43:12 +02:00			`"net/http"`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`"net/url"`
			`"strings"`
Initial commit 2020-05-20 10:43:12 +02:00
feat: use github.com/coreos/go-oidc/v3 2023-11-02 18:21:54 +01:00			`"github.com/coreos/go-oidc/v3/oidc"`
Initial commit 2020-05-20 10:43:12 +02:00			`"github.com/dchest/uniuri"`
			`"github.com/pkg/errors"`
			`"gitlab.com/wpetit/goweb/middleware/container"`
			`"gitlab.com/wpetit/goweb/service/session"`
			`"golang.org/x/oauth2"`
			`)`

			`type Client struct {`
feat: use github.com/coreos/go-oidc/v3 2023-11-02 18:21:54 +01:00			`oauth2 *oauth2.Config`
			`provider *oidc.Provider`
			`verifier *oidc.IDTokenVerifier`
			`acrValues string`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

			`func (c Client) Verifier() oidc.IDTokenVerifier {`
			`return c.verifier`
			`}`

			`func (c Client) Provider() oidc.Provider {`
			`return c.provider`
			`}`

			`func (c Client) Login(w http.ResponseWriter, r http.Request) {`
			`ctn := container.Must(r.Context())`

			`sess, err := session.Must(ctn).Get(w, r)`
			`if err != nil {`
			`panic(errors.Wrap(err, "could not retrieve session"))`
			`}`

			`state := uniuri.New()`
Ajout du nonce au login 2023-03-02 15:07:02 +01:00			`nonce := uniuri.New()`
Initial commit 2020-05-20 10:43:12 +02:00
			`sess.Set(SessionOIDCStateKey, state)`
Ajout du nonce au login 2023-03-02 15:07:02 +01:00			`sess.Set(SessionOIDCNonceKey, nonce)`
Initial commit 2020-05-20 10:43:12 +02:00
			`if err := sess.Save(w, r); err != nil {`
			`panic(errors.Wrap(err, "could not save session"))`
			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`authCodeOptions := []oauth2.AuthCodeOption{}`
Ajout du nonce au login 2023-03-02 15:07:02 +01:00			`authCodeOptions = append(authCodeOptions, oidc.Nonce(nonce))`
feat: use github.com/coreos/go-oidc/v3 2023-11-02 18:21:54 +01:00			`if c.acrValues != "" {`
			`authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam("acr_values", c.acrValues))`
Ajout paramètre pour définir l'acr_value 2023-03-02 16:21:34 +01:00			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`authCodeURL := c.oauth2.AuthCodeURL(`
			`state,`
			`authCodeOptions...,`
			`)`

			`http.Redirect(w, r, authCodeURL, http.StatusFound)`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`func (c Client) Logout(w http.ResponseWriter, r http.Request, postLogoutRedirectURL string) {`
			`rawIDToken, err := RawIDToken(w, r)`
			`if err != nil {`
			`panic(errors.Wrap(err, "could not retrieve raw id token"))`
			`}`

Initial commit 2020-05-20 10:43:12 +02:00			`ctn := container.Must(r.Context())`

			`sess, err := session.Must(ctn).Get(w, r)`
			`if err != nil {`
			`panic(errors.Wrap(err, "could not retrieve session"))`
			`}`

			`state := uniuri.New()`

			`sess.Set(SessionOIDCStateKey, state)`
Test App: logout flow 2020-05-26 11:17:16 +02:00			`sess.Unset(SessionIDTokenKey)`
Initial commit 2020-05-20 10:43:12 +02:00
			`if err := sess.Save(w, r); err != nil {`
			`panic(errors.Wrap(err, "could not save session"))`
			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`sessionEndURL, err := c.sessionEndURL(rawIDToken, state, postLogoutRedirectURL)`
			`if err != nil {`
			`panic(errors.Wrap(err, "could not retrieve session end url"))`
			`}`

			`if sessionEndURL != "" {`
			`http.Redirect(w, r, sessionEndURL, http.StatusFound)`
			`} else {`
			`http.Redirect(w, r, postLogoutRedirectURL, http.StatusFound)`
			`}`
			`}`

			`func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string) (string, error) {`
			`sessionEndEndpoint := &struct {`
			URL string `json:"end_session_endpoint"`
			`}{}`

			`if err := c.provider.Claims(&sessionEndEndpoint); err != nil {`
			`return "", errors.Wrap(err, "could not unmarshal claims")`
			`}`

			`if sessionEndEndpoint.URL == "" {`
			`return "", nil`
			`}`

			`var buf bytes.Buffer`
			`buf.WriteString(sessionEndEndpoint.URL)`

			`v := url.Values{}`

			`if idTokenHint != "" {`
			`v.Set("id_token_hint", idTokenHint)`
			`}`

			`if postLogoutRedirectURL != "" {`
			`v.Set("post_logout_redirect_uri", postLogoutRedirectURL)`
			`}`

			`if state != "" {`
			`v.Set("state", state)`
			`}`

			`if strings.Contains(sessionEndEndpoint.URL, "?") {`
			`buf.WriteByte('&')`
			`} else {`
			`buf.WriteByte('?')`
			`}`

			`buf.WriteString(v.Encode())`

			`return buf.String(), nil`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`func (c Client) Validate(w http.ResponseWriter, r http.Request) (*oidc.IDToken, string, error) {`
Initial commit 2020-05-20 10:43:12 +02:00			`ctx := r.Context()`
			`ctn := container.Must(ctx)`

			`sess, err := session.Must(ctn).Get(w, r)`
			`if err != nil {`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`return nil, "", errors.Wrap(err, "could not retrieve session")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Basic sentry integration for non panicking error 2020-10-13 10:59:49 +02:00			`rawStoredState := sess.Get(SessionOIDCStateKey)`
			`receivedState := r.URL.Query().Get("state")`

			`storedState, ok := rawStoredState.(string)`
Initial commit 2020-05-20 10:43:12 +02:00			`if !ok {`
Decorates errors and remove sentry dependency 2022-07-19 10:24:49 +02:00			`return nil, "", errors.New("could not find state in session")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Basic sentry integration for non panicking error 2020-10-13 10:59:49 +02:00			`if receivedState != storedState {`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`return nil, "", errors.New("state mismatch")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

			`code := r.URL.Query().Get("code")`

			`token, err := c.oauth2.Exchange(ctx, code)`
			`if err != nil {`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`return nil, "", errors.Wrap(err, "could not exchange token")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

			`rawIDToken, ok := token.Extra("id_token").(string)`
			`if !ok {`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`return nil, "", errors.New("could not find id token")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

			`idToken, err := c.verifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`return nil, "", errors.Wrap(err, "could not verify id token")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Basic logout workflow 2020-05-20 13:06:04 +02:00			`return idToken, rawIDToken, nil`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

			`func NewClient(opts ...OptionFunc) *Client {`
			`opt := fromDefault(opts...)`

			`oauth2 := &oauth2.Config{`
			`ClientID: opt.ClientID,`
			`ClientSecret: opt.ClientSecret,`
			`Endpoint: opt.Provider.Endpoint(),`
			`RedirectURL: opt.RedirectURL,`
			`Scopes: opt.Scopes,`
			`}`

			`verifier := opt.Provider.Verifier(&oidc.Config{`
feat: configurable scopes and issuer check skipping 2023-11-06 15:57:27 +01:00			`ClientID: opt.ClientID,`
			`SkipIssuerCheck: opt.SkipIssuerCheck,`
Initial commit 2020-05-20 10:43:12 +02:00			`})`

feat: use github.com/coreos/go-oidc/v3 2023-11-02 18:21:54 +01:00			`return &Client{oauth2, opt.Provider, verifier, opt.AcrValues}`
Initial commit 2020-05-20 10:43:12 +02:00			`}`