package main import ( "context" "encoding/hex" "flag" "fmt" "log" "net/http" "golang.org/x/oauth2" "github.com/coreos/go-oidc" "github.com/julienschmidt/httprouter" "git.nemunai.re/srs/adlin/libadlin" ) var ( oidcClientID = "" oidcSecret = "" oauth2Config oauth2.Config oidcVerifier *oidc.IDTokenVerifier ) func init() { flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC") flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC") router.GET("/auth/CRI", redirectOIDC_CRI) router.GET("/auth/complete", OIDC_CRI_complete) } func initializeOIDC() { if oidcClientID != "" && oidcSecret != "" { provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr") if err != nil { log.Fatal("Unable to setup oidc:", err) } oauth2Config = oauth2.Config{ ClientID: oidcClientID, ClientSecret: oidcSecret, RedirectURL: "https://adlin.nemunai.re" + baseURL + "/auth/complete", // Discovery returns the OAuth2 endpoints. Endpoint: provider.Endpoint(), // "openid" is a required scope for OpenID Connect flows. Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, } oidcConfig := oidc.Config{ ClientID: oidcClientID, } oidcVerifier = provider.Verifier(&oidcConfig) } } func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { session, err := adlin.NewSession() if err != nil { http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError) } else { http.Redirect(w, r, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)), http.StatusFound) } } func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { idsession, err := hex.DecodeString(r.URL.Query().Get("state")) if err != nil { http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest) return } session, err := adlin.GetSession(idsession) if err != nil { http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest) return } oauth2Token, err := oauth2Config.Exchange(context.Background(), r.URL.Query().Get("code")) if err != nil { http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError) return } rawIDToken, ok := oauth2Token.Extra("id_token").(string) if !ok { http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError) return } idToken, err := oidcVerifier.Verify(context.Background(), rawIDToken) if err != nil { http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError) return } var claims struct { Firstname string `json:"given_name"` Lastname string `json:"family_name"` Nickname string `json:"nickname"` Username string `json:"preferred_username"` Email string `json:"email"` } if err := idToken.Claims(&claims); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } if err := completeAuth(w, claims.Username, session); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } http.Redirect(w, r, "/", http.StatusFound) }