atsebay.t/auth_oidc.go

package main

import (
	"context"
	"encoding/hex"
	"flag"
	"fmt"
	"log"
	"net/http"

	"golang.org/x/oauth2"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/julienschmidt/httprouter"
)

var (
	oidcClientID    = ""
	oidcSecret      = ""
	oidcRedirectURL = "https://srs.nemunai.re"
	oauth2Config    oauth2.Config
	oidcVerifier    *oidc.IDTokenVerifier
	nextSessionMap  = map[string]string{}
)

func init() {
	flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")
	flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")
	flag.StringVar(&oidcRedirectURL, "oidc-redirect", oidcRedirectURL, "Base URL for the redirect after connection")

	router.GET("/auth/CRI", redirectOIDC_CRI)
	router.GET("/auth/complete", OIDC_CRI_complete)
}

func initializeOIDC() {
	if oidcClientID != "" && oidcSecret != "" {
		provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")
		if err != nil {
			log.Fatal("Unable to setup oidc:", err)
		}

		oauth2Config = oauth2.Config{
			ClientID:     oidcClientID,
			ClientSecret: oidcSecret,
			RedirectURL:  oidcRedirectURL + baseURL + "/auth/complete",

			// Discovery returns the OAuth2 endpoints.
			Endpoint: provider.Endpoint(),

			// "openid" is a required scope for OpenID Connect flows.
			Scopes: []string{oidc.ScopeOpenID, "profile", "email", "epita"},
		}

		oidcConfig := oidc.Config{
			ClientID: oidcClientID,
		}
		oidcVerifier = provider.Verifier(&oidcConfig)
	}

}

func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
	session, err := NewSession()

	// Save next parameter
	if len(r.URL.Query().Get("next")) > 0 {
		nextSessionMap[fmt.Sprintf("%x", session.Id)] = r.URL.Query().Get("next")
	}

	if err != nil {
		http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError)
	} else {
		http.Redirect(w, r, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)), http.StatusFound)
	}
}

func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
	idsession, err := hex.DecodeString(r.URL.Query().Get("state"))
	if err != nil {
		http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
		return
	}

	session, err := getSession(idsession)
	if err != nil {
		http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)
		return
	}

	oauth2Token, err := oauth2Config.Exchange(context.Background(), r.URL.Query().Get("code"))
	if err != nil {
		http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
		return
	}
	idToken, err := oidcVerifier.Verify(context.Background(), rawIDToken)
	if err != nil {
		http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
		return
	}

	var claims struct {
		Firstname string                   `json:"given_name"`
		Lastname  string                   `json:"family_name"`
		Nickname  string                   `json:"nickname"`
		Username  string                   `json:"preferred_username"`
		Email     string                   `json:"email"`
		Groups    []map[string]interface{} `json:"groups"`
	}
	if err := idToken.Claims(&claims); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	groups := ","
	for _, g := range claims.Groups {
		if slug, ok := g["slug"]; ok {
			groups += slug.(string) + ","
		}
	}

	if _, err := completeAuth(w, claims.Username, claims.Email, claims.Firstname, claims.Lastname, groups, &session); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// Retrieve next URL associated with session
	if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {
		http.Redirect(w, r, next, http.StatusFound)
		delete(nextSessionMap, fmt.Sprintf("%x", session.Id))
	} else {
		http.Redirect(w, r, "/", http.StatusFound)
	}

}
Initial commit 2020-03-04 11:07:12 +00:00			`package main`

			`import (`
			`"context"`
			`"encoding/hex"`
			`"flag"`
			`"fmt"`
			`"log"`
			`"net/http"`

			`"golang.org/x/oauth2"`

chore(deps): update module github.com/coreos/go-oidc to v3 2022-05-01 12:07:35 +00:00			`"github.com/coreos/go-oidc/v3/oidc"`
Initial commit 2020-03-04 11:07:12 +00:00			`"github.com/julienschmidt/httprouter"`
			`)`

			`var (`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`oidcClientID = ""`
			`oidcSecret = ""`
v1 done 2020-03-08 00:06:44 +00:00			`oidcRedirectURL = "https://srs.nemunai.re"`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`oauth2Config oauth2.Config`
			`oidcVerifier *oidc.IDTokenVerifier`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`nextSessionMap = map[string]string{}`
Initial commit 2020-03-04 11:07:12 +00:00			`)`

			`func init() {`
			`flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")`
			`flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")`
v1 done 2020-03-08 00:06:44 +00:00			`flag.StringVar(&oidcRedirectURL, "oidc-redirect", oidcRedirectURL, "Base URL for the redirect after connection")`
Initial commit 2020-03-04 11:07:12 +00:00
			`router.GET("/auth/CRI", redirectOIDC_CRI)`
			`router.GET("/auth/complete", OIDC_CRI_complete)`
			`}`

			`func initializeOIDC() {`
			`if oidcClientID != "" && oidcSecret != "" {`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")`
Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
			`log.Fatal("Unable to setup oidc:", err)`
			`}`

			`oauth2Config = oauth2.Config{`
			`ClientID: oidcClientID,`
			`ClientSecret: oidcSecret,`
v1 done 2020-03-08 00:06:44 +00:00			`RedirectURL: oidcRedirectURL + baseURL + "/auth/complete",`
Initial commit 2020-03-04 11:07:12 +00:00
			`// Discovery returns the OAuth2 endpoints.`
			`Endpoint: provider.Endpoint(),`

			`// "openid" is a required scope for OpenID Connect flows.`
Ask for epita scope too 2020-11-24 13:06:29 +00:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email", "epita"},`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

			`oidcConfig := oidc.Config{`
OIDC CRI: change provider location 2020-09-14 08:23:44 +00:00			`ClientID: oidcClientID,`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
			`oidcVerifier = provider.Verifier(&oidcConfig)`
			`}`

			`}`

			`func redirectOIDC_CRI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {`
			`session, err := NewSession()`
Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00
			`// Save next parameter`
			`if len(r.URL.Query().Get("next")) > 0 {`
			`nextSessionMap[fmt.Sprintf("%x", session.Id)] = r.URL.Query().Get("next")`
			`}`

Initial commit 2020-03-04 11:07:12 +00:00			`if err != nil {`
			`http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusInternalServerError)`
			`} else {`
			`http.Redirect(w, r, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)), http.StatusFound)`
			`}`
			`}`

			`func OIDC_CRI_complete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {`
			`idsession, err := hex.DecodeString(r.URL.Query().Get("state"))`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)`
			`return`
			`}`

			`session, err := getSession(idsession)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("{'errmsg':%q}", err.Error()), http.StatusBadRequest)`
			`return`
			`}`

			`oauth2Token, err := oauth2Config.Exchange(context.Background(), r.URL.Query().Get("code"))`
			`if err != nil {`
			`http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`rawIDToken, ok := oauth2Token.Extra("id_token").(string)`
			`if !ok {`
			`http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)`
			`return`
			`}`
			`idToken, err := oidcVerifier.Verify(context.Background(), rawIDToken)`
			`if err != nil {`
			`http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`var claims struct {`
Handle student groups 2021-09-15 22:26:09 +00:00			Firstname string `json:"given_name"`
			Lastname string `json:"family_name"`
			Nickname string `json:"nickname"`
			Username string `json:"preferred_username"`
			Email string `json:"email"`
			Groups []map[string]interface{} `json:"groups"`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
			`if err := idToken.Claims(&claims); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

Handle student groups 2021-09-15 22:26:09 +00:00			`groups := ","`
			`for _, g := range claims.Groups {`
			`if slug, ok := g["slug"]; ok {`
			`groups += slug.(string) + ","`
			`}`
			`}`
Groups are objects, try to debug it 2021-01-09 14:06:26 +00:00
WIP Svelte 2021-11-18 11:12:28 +00:00			`if _, err := completeAuth(w, claims.Username, claims.Email, claims.Firstname, claims.Lastname, groups, &session); err != nil {`
Initial commit 2020-03-04 11:07:12 +00:00			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

Handle next parameters even through OIDC 2022-05-15 10:36:17 +00:00			`// Retrieve next URL associated with session`
			`if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {`
			`http.Redirect(w, r, next, http.StatusFound)`
			`delete(nextSessionMap, fmt.Sprintf("%x", session.Id))`
			`} else {`
			`http.Redirect(w, r, "/", http.StatusFound)`
			`}`

Initial commit 2020-03-04 11:07:12 +00:00			`}`