This repository has been archived on 2024-03-28. You can view files and clone it, but cannot push or open issues or pull requests.
atsebay.t/auth_oidc.go

152 lines
4.4 KiB
Go

package main
import (
"context"
"encoding/hex"
"flag"
"fmt"
"log"
"net/http"
"golang.org/x/oauth2"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gin-gonic/gin"
)
var (
oidcClientID = ""
oidcSecret = ""
oidcRedirectURL = "https://srs.nemunai.re"
oauth2Config oauth2.Config
oidcVerifier *oidc.IDTokenVerifier
nextSessionMap = map[string]string{}
)
func init() {
flag.StringVar(&oidcClientID, "oidc-clientid", oidcClientID, "ClientID for OIDC")
flag.StringVar(&oidcSecret, "oidc-secret", oidcSecret, "Secret for OIDC")
flag.StringVar(&oidcRedirectURL, "oidc-redirect", oidcRedirectURL, "Base URL for the redirect after connection")
}
func initializeOIDC(router *gin.Engine) {
router.GET("/auth/CRI", redirectOIDC_CRI)
router.GET("/auth/complete", OIDC_CRI_complete)
if oidcClientID != "" && oidcSecret != "" {
provider, err := oidc.NewProvider(context.Background(), "https://cri.epita.fr")
if err != nil {
log.Fatal("Unable to setup oidc:", err)
}
oauth2Config = oauth2.Config{
ClientID: oidcClientID,
ClientSecret: oidcSecret,
RedirectURL: oidcRedirectURL + baseURL + "/auth/complete",
// Discovery returns the OAuth2 endpoints.
Endpoint: provider.Endpoint(),
// "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID, "profile", "email", "epita"},
}
oidcConfig := oidc.Config{
ClientID: oidcClientID,
}
oidcVerifier = provider.Verifier(&oidcConfig)
}
}
func redirectOIDC_CRI(c *gin.Context) {
session, err := NewSession()
// Save next parameter
if len(c.Request.URL.Query().Get("next")) > 0 {
nextSessionMap[fmt.Sprintf("%x", session.Id)] = c.Request.URL.Query().Get("next")
}
if err != nil {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
return
}
c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL(hex.EncodeToString(session.Id)))
}
func OIDC_CRI_complete(c *gin.Context) {
idsession, err := hex.DecodeString(c.Request.URL.Query().Get("state"))
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
return
}
session, err := getSession(idsession)
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
return
}
oauth2Token, err := oauth2Config.Exchange(c.Request.Context(), c.Request.URL.Query().Get("code"))
if err != nil {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to exchange token: " + err.Error()})
return
}
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "No id_token field in oauth2 token."})
return
}
idToken, err := oidcVerifier.Verify(c.Request.Context(), rawIDToken)
if err != nil {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Failed to verify ID Token: " + err.Error()})
return
}
var claims struct {
Firstname string `json:"given_name"`
Lastname string `json:"family_name"`
Username string `json:"preferred_username"`
Email string `json:"email"`
Groups []map[string]interface{} `json:"groups"`
Campuses []string `json:"campuses"`
GraduationYears []uint `json:"graduation_years"`
}
if err := idToken.Claims(&claims); err != nil {
log.Println("Unable to extract claims to Claims:", err.Error())
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Something goes wrong when analyzing your claims. Contact administrator to fix the issue."})
return
}
groups := ","
for _, g := range claims.Groups {
if slug, ok := g["slug"]; ok {
groups += slug.(string) + ","
}
}
var promo uint
if len(claims.GraduationYears) > 0 {
for _, gy := range claims.GraduationYears {
if gy > promo {
promo = gy
}
}
}
if _, err := completeAuth(c, claims.Username, claims.Email, claims.Firstname, claims.Lastname, promo, groups, session); err != nil {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": err.Error()})
return
}
// Retrieve next URL associated with session
if next, ok := nextSessionMap[fmt.Sprintf("%x", session.Id)]; ok {
c.Redirect(http.StatusFound, next)
delete(nextSessionMap, fmt.Sprintf("%x", session.Id))
} else {
c.Redirect(http.StatusFound, "/")
}
}