This repository has been archived on 2024-03-03. You can view files and clone it, but cannot push or open issues or pull requests.
adlin/token-validator/auth_oidc.go

121 lines
3.1 KiB
Go

package main
import (
"context"
"encoding/hex"
"flag"
"fmt"
"log"
"net/http"
"golang.org/x/oauth2"
"github.com/coreos/go-oidc"
"github.com/julienschmidt/httprouter"
"git.nemunai.re/srs/adlin/libadlin"
)
var (
oidcClientID = ""
oidcSecret = ""
oauth2Config oauth2.Config
oidcVerifier *oidc.IDTokenVerifier
)
func init() {
flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")
flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")
router.GET("/auth/CRI", redirectOIDC_CRI)
router.GET("/auth/complete", OIDC_CRI_complete)
}
func initializeOIDC() {
if oidcClientID != "" && oidcSecret != "" {
provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")
if err != nil {
log.Fatal("Unable to setup oidc:", err)
}
oauth2Config = oauth2.Config{
ClientID: oidcClientID,
ClientSecret: oidcSecret,
RedirectURL: "https://adlin.nemunai.re" + baseURL + "/auth/complete",
// Discovery returns the OAuth2 endpoints.
Endpoint: provider.Endpoint(),
// "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
oidcConfig := oidc.Config{
ClientID: oidcClientID,
}
oidcVerifier = provider.Verifier(&oidcConfig)
}
}
func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
session, err := adlin.NewSession()
if err != nil {
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError)
} else {
http.Redirect(w, r, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)), http.StatusFound)
}
}
func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
idsession, err := hex.DecodeString(r.URL.Query().Get("state"))
if err != nil {
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
return
}
session, err := adlin.GetSession(idsession)
if err != nil {
http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
return
}
oauth2Token, err := oauth2Config.Exchange(context.Background(), r.URL.Query().Get("code"))
if err != nil {
http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
return
}
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
return
}
idToken, err := oidcVerifier.Verify(context.Background(), rawIDToken)
if err != nil {
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
return
}
var claims struct {
Firstname string `json:"given_name"`
Lastname string `json:"family_name"`
Nickname string `json:"nickname"`
Username string `json:"preferred_username"`
Email string `json:"email"`
}
if err := idToken.Claims(&claims); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
if err := completeAuth(w, claims.Username, session); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
http.Redirect(w, r, "/", http.StatusFound)
}