package oidc import ( "bytes" "net/http" "net/url" "strings" "github.com/coreos/go-oidc/v3/oidc" "github.com/dchest/uniuri" "github.com/pkg/errors" "gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/service/session" "golang.org/x/oauth2" ) type Client struct { oauth2 *oauth2.Config provider *oidc.Provider verifier *oidc.IDTokenVerifier acrValues string } func (c *Client) Verifier() *oidc.IDTokenVerifier { return c.verifier } func (c *Client) Provider() *oidc.Provider { return c.provider } func (c *Client) Login(w http.ResponseWriter, r *http.Request) { ctn := container.Must(r.Context()) sess, err := session.Must(ctn).Get(w, r) if err != nil { panic(errors.Wrap(err, "could not retrieve session")) } state := uniuri.New() nonce := uniuri.New() sess.Set(SessionOIDCStateKey, state) sess.Set(SessionOIDCNonceKey, nonce) if err := sess.Save(w, r); err != nil { panic(errors.Wrap(err, "could not save session")) } authCodeOptions := []oauth2.AuthCodeOption{} authCodeOptions = append(authCodeOptions, oidc.Nonce(nonce)) if c.acrValues != "" { authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam("acr_values", c.acrValues)) } authCodeURL := c.oauth2.AuthCodeURL( state, authCodeOptions..., ) http.Redirect(w, r, authCodeURL, http.StatusFound) } func (c *Client) Logout(w http.ResponseWriter, r *http.Request, postLogoutRedirectURL string) { rawIDToken, err := RawIDToken(w, r) if err != nil { panic(errors.Wrap(err, "could not retrieve raw id token")) } ctn := container.Must(r.Context()) sess, err := session.Must(ctn).Get(w, r) if err != nil { panic(errors.Wrap(err, "could not retrieve session")) } state := uniuri.New() sess.Set(SessionOIDCStateKey, state) sess.Unset(SessionIDTokenKey) if err := sess.Save(w, r); err != nil { panic(errors.Wrap(err, "could not save session")) } sessionEndURL, err := c.sessionEndURL(rawIDToken, state, postLogoutRedirectURL) if err != nil { panic(errors.Wrap(err, "could not retrieve session end url")) } if sessionEndURL != "" { http.Redirect(w, r, sessionEndURL, http.StatusFound) } else { http.Redirect(w, r, postLogoutRedirectURL, http.StatusFound) } } func (c *Client) sessionEndURL(idTokenHint, state, postLogoutRedirectURL string) (string, error) { sessionEndEndpoint := &struct { URL string `json:"end_session_endpoint"` }{} if err := c.provider.Claims(&sessionEndEndpoint); err != nil { return "", errors.Wrap(err, "could not unmarshal claims") } if sessionEndEndpoint.URL == "" { return "", nil } var buf bytes.Buffer buf.WriteString(sessionEndEndpoint.URL) v := url.Values{} if idTokenHint != "" { v.Set("id_token_hint", idTokenHint) } if postLogoutRedirectURL != "" { v.Set("post_logout_redirect_uri", postLogoutRedirectURL) } if state != "" { v.Set("state", state) } if strings.Contains(sessionEndEndpoint.URL, "?") { buf.WriteByte('&') } else { buf.WriteByte('?') } buf.WriteString(v.Encode()) return buf.String(), nil } func (c *Client) Validate(w http.ResponseWriter, r *http.Request) (*oidc.IDToken, string, error) { ctx := r.Context() ctn := container.Must(ctx) sess, err := session.Must(ctn).Get(w, r) if err != nil { return nil, "", errors.Wrap(err, "could not retrieve session") } rawStoredState := sess.Get(SessionOIDCStateKey) receivedState := r.URL.Query().Get("state") storedState, ok := rawStoredState.(string) if !ok { return nil, "", errors.New("could not find state in session") } if receivedState != storedState { return nil, "", errors.New("state mismatch") } code := r.URL.Query().Get("code") token, err := c.oauth2.Exchange(ctx, code) if err != nil { return nil, "", errors.Wrap(err, "could not exchange token") } rawIDToken, ok := token.Extra("id_token").(string) if !ok { return nil, "", errors.New("could not find id token") } idToken, err := c.verifier.Verify(ctx, rawIDToken) if err != nil { return nil, "", errors.Wrap(err, "could not verify id token") } return idToken, rawIDToken, nil } func NewClient(opts ...OptionFunc) *Client { opt := fromDefault(opts...) oauth2 := &oauth2.Config{ ClientID: opt.ClientID, ClientSecret: opt.ClientSecret, Endpoint: opt.Provider.Endpoint(), RedirectURL: opt.RedirectURL, Scopes: opt.Scopes, } verifier := opt.Provider.Verifier(&oidc.Config{ ClientID: opt.ClientID, SkipIssuerCheck: opt.SkipIssuerCheck, }) return &Client{oauth2, opt.Provider, verifier, opt.AcrValues} }