atsebay.t/auth_oidc.go

package main

import (
	"context"
	"encoding/hex"
	"flag"
	"fmt"
	"log"
	"net/http"

	"golang.org/x/oauth2"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/gin-gonic/gin"
)

var (
	oidcClientID    = ""
	oidcSecret      = ""
	oidcRedirectURL = "https://srs.nemunai.re"
	oauth2Config    oauth2.Config
	oidcVerifier    *oidc.IDTokenVerifier
	nextSessionMap  = map[string]string{}
)

func init() {
	flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")
	flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")
	flag.StringVar(&oidcRedirectURL, "oidc-redirect", oidcRedirectURL, "Base URL for the redirect after connection")
}

func initializeOIDC(router *gin.Engine) {
	router.GET("/auth/CRI", redirectOIDC_CRI)
	router.GET("/auth/complete", OIDC_CRI_complete)

	if oidcClientID != "" && oidcSecret != "" {
		provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")
		if err != nil {
			log.Fatal("Unable to setup oidc:", err)
		}

		oauth2Config = oauth2.Config{
			ClientID:     oidcClientID,
			ClientSecret: oidcSecret,
			RedirectURL:  oidcRedirectURL + baseURL + "/auth/complete",

			// Discovery returns the OAuth2 endpoints.
			Endpoint: provider.Endpoint(),

			// "openid" is a required scope for OpenID Connect flows.
			Scopes: []string{oidc.ScopeOpenID, "profile", "email", "epita"},
		}

		oidcConfig := oidc.Config{
			ClientID: oidcClientID,
		}
		oidcVerifier = provider.Verifier(&oidcConfig)
	}

}

func redirectOIDC_CRI(c *gin.Context) {
	session, err := NewSession()

	// Save next parameter
	if len(c.Request.URL.Query().Get("next")) > 0 {
		nextSessionMap[fmt.Sprintf("%x", session.Id)] = c.Request.URL.Query().Get("next")
	}

	if err != nil {
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
		return
	}

	c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)))
}

func OIDC_CRI_complete(c *gin.Context) {
	idsession, err := hex.DecodeString(c.Request.URL.Query().Get("state"))
	if err != nil {
		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
		return
	}

	session, err := getSession(idsession)
	if err != nil {
		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
		return
	}

	oauth2Token, err := oauth2Config.Exchange(c.Request.Context(), c.Request.URL.Query().Get("code"))
	if err != nil {
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to exchange token: " + err.Error()})
		return
	}
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "No id_token field in oauth2 token."})
		return
	}
	idToken, err := oidcVerifier.Verify(c.Request.Context(), rawIDToken)
	if err != nil {
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to verify ID Token: " + err.Error()})
		return
	}

	var claims struct {
		Firstname       string                   `json:"given_name"`
		Lastname        string                   `json:"family_name"`
		Username        string                   `json:"preferred_username"`
		Email           string                   `json:"email"`
		Groups          []map[string]interface{} `json:"groups"`
		Campuses        []string                 `json:"campuses"`
		GraduationYears []uint                   `json:"graduation_years"`
	}
	if err := idToken.Claims(&claims); err != nil {
		log.Println("Unable to extract claims to Claims:", err.Error())
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Something goes wrong when analyzing your claims. Contact administrator to fix the issue."})
		return
	}

	groups := ","
	for _, g := range claims.Groups {
		if slug, ok := g["slug"]; ok {
			groups += slug.(string) + ","
		}
	}

	var promo uint
	if len(claims.GraduationYears) > 0 {
		for _, gy := range claims.GraduationYears {
			if gy > promo {
				promo = gy
			}
		}
	}

	if _, err := completeAuth(c, claims.Username, claims.Email, claims.Firstname, claims.Lastname, promo, groups, session); err != nil {
		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
		return
	}

	// Retrieve next URL associated with session
	if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {
		c.Redirect(http.StatusFound, next)
		delete(nextSessionMap, fmt.Sprintf("%x", session.Id))
	} else {
		c.Redirect(http.StatusFound, "/")
	}

}
Initial commit 2020-03-04 11:07:12 +00:00			`package main`

			`import (`
			`"context"`
			`"encoding/hex"`
			`"flag"`
			`"fmt"`
			`"log"`
			`"net/http"`

			`"golang.org/x/oauth2"`

chore(deps): update module github.com/coreos/go-oidc to v3 2022-05-01 12:07:35 +00:00			`"github.com/coreos/go-oidc/v3/oidc"`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`"github.com/gin-gonic/gin"`
Initial commit 2020-03-04 11:07:12 +00:00			`)`

			`var (`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`oidcClientID = ""`
			`oidcSecret = ""`
v1 done 2020-03-08 00:06:44 +00:00			`oidcRedirectURL = "https://srs.nemunai.re"`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`oauth2Config oauth2.Config`
			`oidcVerifier *oidc.IDTokenVerifier`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`nextSessionMap = map[string]string{}`
Initial commit 2020-03-04 11:07:12 +00:00			`)`

			`func init() {`
			`flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")`
			`flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")`
v1 done 2020-03-08 00:06:44 +00:00			`flag.StringVar(&oidcRedirectURL, "oidc-redirect", oidcRedirectURL, "Base URL for the redirect after connection")`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`}`
Initial commit 2020-03-04 11:07:12 +00:00
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func initializeOIDC(router *gin.Engine) {`
Initial commit 2020-03-04 11:07:12 +00:00			`router.GET("/auth/CRI", redirectOIDC_CRI)`
			`router.GET("/auth/complete", OIDC_CRI_complete)`

			`if oidcClientID != "" && oidcSecret != "" {`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")`
Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
			`log.Fatal("Unable to setup oidc:", err)`
			`}`

			`oauth2Config = oauth2.Config{`
			`ClientID: oidcClientID,`
			`ClientSecret: oidcSecret,`
v1 done 2020-03-08 00:06:44 +00:00			`RedirectURL: oidcRedirectURL + baseURL + "/auth/complete",`
Initial commit 2020-03-04 11:07:12 +00:00
			`// Discovery returns the OAuth2 endpoints.`
			`Endpoint: provider.Endpoint(),`

			`// "openid" is a required scope for OpenID Connect flows.`
Ask for epita scope too 2020-11-24 13:06:29 +00:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email", "epita"},`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

			`oidcConfig := oidc.Config{`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`ClientID: oidcClientID,`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
			`oidcVerifier = provider.Verifier(&oidcConfig)`
			`}`

			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func redirectOIDC_CRI(c *gin.Context) {`
Initial commit 2020-03-04 11:07:12 +00:00			`session, err := NewSession()`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00
			`// Save next parameter`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`if len(c.Request.URL.Query().Get("next")) > 0 {`
			`nextSessionMap[fmt.Sprintf("%x", session.Id)] = c.Request.URL.Query().Get("next")`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`}`

Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})`
			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00
			`c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)))`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func OIDC_CRI_complete(c *gin.Context) {`
			`idsession, err := hex.DecodeString(c.Request.URL.Query().Get("state"))`
Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`

			`session, err := getSession(idsession)`
			`if err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`

auth: Use context from request 2022-09-04 11:23:11 +00:00			`oauth2Token, err := oauth2Config.Exchange(c.Request.Context(), c.Request.URL.Query().Get("code"))`
Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to exchange token: " + err.Error()})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`
			`rawIDToken, ok := oauth2Token.Extra("id_token").(string)`
			`if !ok {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "No id_token field in oauth2 token."})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`
auth: Use context from request 2022-09-04 11:23:11 +00:00			`idToken, err := oidcVerifier.Verify(c.Request.Context(), rawIDToken)`
Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to verify ID Token: " + err.Error()})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`

			`var claims struct {`
OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			Firstname string `json:"given_name"`
			Lastname string `json:"family_name"`
			Username string `json:"preferred_username"`
			Email string `json:"email"`
			Groups []map[string]interface{} `json:"groups"`
			Campuses []string `json:"campuses"`
			GraduationYears []uint `json:"graduation_years"`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
			`if err := idToken.Claims(&claims); err != nil {`
OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`log.Println("Unable to extract claims to Claims:", err.Error())`
			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Something goes wrong when analyzing your claims. Contact administrator to fix the issue."})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`

Handle student groups 2021-09-15 22:26:09 +00:00			`groups := ","`
			`for _, g := range claims.Groups {`
			`if slug, ok := g["slug"]; ok {`
			`groups += slug.(string) + ","`
			`}`
			`}`
Groups are objects, try to debug it 2021-01-09 14:06:26 +00:00
OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`var promo uint`
			`if len(claims.GraduationYears) > 0 {`
			`for _, gy := range claims.GraduationYears {`
			`if gy > promo {`
			`promo = gy`
			`}`
			`}`
			`}`

			`if _, err := completeAuth(c, claims.Username, claims.Email, claims.Firstname, claims.Lastname, promo, groups, session); err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})`
Initial commit 2020-03-04 11:07:12 +00:00			`return`
			`}`

Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`// Retrieve next URL associated with session`
			`if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.Redirect(http.StatusFound, next)`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`delete(nextSessionMap, fmt.Sprintf("%x", session.Id))`
			`} else {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.Redirect(http.StatusFound, "/")`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`}`

Initial commit 2020-03-04 11:07:12 +00:00			`}`