token-validator: add OpenID connect with Epita CRI
This commit is contained in:
parent
3837513270
commit
4ddfe9e5c4
3 changed files with 144 additions and 14 deletions
118
token-validator/auth_oidc.go
Normal file
118
token-validator/auth_oidc.go
Normal file
|
|
@ -0,0 +1,118 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/hex"
|
||||
"flag"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/coreos/go-oidc"
|
||||
"github.com/julienschmidt/httprouter"
|
||||
)
|
||||
|
||||
var (
|
||||
oidcClientID = ""
|
||||
oidcSecret = ""
|
||||
oauth2Config oauth2.Config
|
||||
oidcVerifier *oidc.IDTokenVerifier
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")
|
||||
flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")
|
||||
|
||||
router.GET("/auth/CRI", redirectOIDC_CRI)
|
||||
router.GET("/auth/complete", OIDC_CRI_complete)
|
||||
}
|
||||
|
||||
func initializeOIDC() {
|
||||
if oidcClientID != "" && oidcSecret != "" {
|
||||
provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr/oidc")
|
||||
if err != nil {
|
||||
log.Fatal("Unable to setup oidc:", err)
|
||||
}
|
||||
|
||||
oauth2Config = oauth2.Config{
|
||||
ClientID: oidcClientID,
|
||||
ClientSecret: oidcSecret,
|
||||
RedirectURL: "https://adlin.nemunai.re" + baseURL + "/auth/complete",
|
||||
|
||||
// Discovery returns the OAuth2 endpoints.
|
||||
Endpoint: provider.Endpoint(),
|
||||
|
||||
// "openid" is a required scope for OpenID Connect flows.
|
||||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
||||
}
|
||||
|
||||
oidcConfig := oidc.Config{
|
||||
ClientID: oidcClientID,
|
||||
}
|
||||
oidcVerifier = provider.Verifier(&oidcConfig)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
session, err := NewSession()
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError)
|
||||
} else {
|
||||
http.Redirect(w, r, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)), http.StatusFound)
|
||||
}
|
||||
}
|
||||
|
||||
func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
idsession, err := hex.DecodeString(r.URL.Query().Get("state"))
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
session, err := getSession(idsession)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
oauth2Token, err := oauth2Config.Exchange(context.Background(), r.URL.Query().Get("code"))
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
|
||||
}
|
||||
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
||||
if !ok {
|
||||
http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
|
||||
return
|
||||
|
||||
}
|
||||
idToken, err := oidcVerifier.Verify(context.Background(), rawIDToken)
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
|
||||
}
|
||||
|
||||
var claims struct {
|
||||
Firstname string `json:"given_name"`
|
||||
Lastname string `json:"family_name"`
|
||||
Nickname string `json:"nickname"`
|
||||
Username string `json:"preferred_username"`
|
||||
Email string `json:"email"`
|
||||
}
|
||||
if err := idToken.Claims(&claims); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if err := completeAuth(w, claims.Username, &session); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(w, r, "/", http.StatusFound)
|
||||
}
|
||||
|
|
@ -1,16 +1,26 @@
|
|||
<h2>Accès à votre compte</h2>
|
||||
<div class="row">
|
||||
<form class="col" ng-submit="logmein()">
|
||||
<h2>Accès à votre compte</h2>
|
||||
<div class="form-group">
|
||||
<label for="login">CRI login</label>
|
||||
<input class="form-control" id="login" ng-model="auth.username" placeholder="Entrer votre login" autofocus>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="password">Mot de passe</label>
|
||||
<input type="password" class="form-control" id="password" ng-model="auth.password" placeholder="Mot de passe">
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary">
|
||||
<span class="spinner-border spinner-border-sm" role="status" aria-hidden="true" ng-show="pleaseWait"></span>
|
||||
Me connecter
|
||||
</button>
|
||||
</form>
|
||||
|
||||
<form ng-submit="logmein()">
|
||||
<div class="form-group">
|
||||
<label for="login">CRI login</label>
|
||||
<input class="form-control" id="login" ng-model="auth.username" placeholder="Entrer votre login" autofocus>
|
||||
<div class="col">
|
||||
<h2>OpenId Connect</h2>
|
||||
<div class="text-center">
|
||||
<a href="auth/CRI" class="btn btn-info" target="_self">
|
||||
Me connecter avec mon compte CRI
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="password">Mot de passe</label>
|
||||
<input type="password" class="form-control" id="password" ng-model="auth.password" placeholder="Mot de passe">
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary">
|
||||
<span class="spinner-border spinner-border-sm" role="status" aria-hidden="true" ng-show="pleaseWait"></span>
|
||||
Me connecter
|
||||
</button>
|
||||
</form>
|
||||
</div>
|
||||
|
|
|
|||
|
|
@ -83,6 +83,8 @@ func main() {
|
|||
AuthFunc = dummyAuth
|
||||
}
|
||||
|
||||
initializeOIDC()
|
||||
|
||||
// Initialize contents
|
||||
log.Println("Opening database...")
|
||||
if err := DBInit(*dsn); err != nil {
|
||||
|
|
|
|||
Reference in a new issue