package auth
import (
"context"
"fmt"
"log"
"strings"
"time"
"github.com/acidlemon/guardmech/app/config"
"github.com/acidlemon/guardmech/app/logic"
"github.com/acidlemon/guardmech/oidconnect"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/pkg/errors"
"golang.org/x/oauth2"
)
// Query is an empty marker interface; every value satisfies it.
// Nothing in this file references it yet.
type Query interface{}
// Authenticator drives the OpenID Connect authorization-code flow: it builds
// the authorization URL for the browser redirect and, after the code
// exchange, verifies the returned ID token.
type Authenticator struct {
	// oidcConf is the OAuth2 client configuration used for AuthCodeURL and
	// Exchange; its ClientID is also the expected ID token audience.
	oidcConf *oauth2.Config
	// provider supplies the ID token verifier for the issuing IdP.
	provider oidconnect.OIDCProvider
}
// NewAuthenticator returns an Authenticator that uses conf for the OAuth2
// code flow and provider to verify ID tokens. The arguments are stored as-is;
// no validation is performed here.
func NewAuthenticator(conf *oauth2.Config, provider oidconnect.OIDCProvider) *Authenticator {
	a := new(Authenticator)
	a.oidcConf = conf
	a.provider = provider
	return a
}
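// StartAuthentication begins an OpenID Connect authorization-code flow.
//
// It returns the freshly generated state value (the OAuth2 CSRF parameter,
// which the caller must keep and compare against the callback), the
// authorization URL to redirect the browser to, and the time at which the
// pending login expires (now + config.SessionLifeTime).
//
// The full authorization URL is deliberately not logged: it embeds the state
// value, and writing that to the default log would leak the CSRF token into
// log storage. Only the expiry is recorded.
func (a *Authenticator) StartAuthentication() (string, string, time.Time) {
	state := logic.GenerateRandomString(32)
	// AccessTypeOffline asks the IdP for a refresh token alongside the access token.
	authURL := a.oidcConf.AuthCodeURL(state, oauth2.AccessTypeOffline)
	expireAt := time.Now().Add(config.SessionLifeTime)
	log.Printf("started OIDC authentication, expires at %s", expireAt.Format(time.RFC3339))
	return state, authURL, expireAt
}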
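// VerifyAuthentication completes the authorization-code flow: it exchanges
// code for tokens, verifies the ID token against the provider (with the
// configured client ID as the expected audience), and decodes its claims
// into an OpenIDToken.
//
// It returns an error when the exchange fails, when the token response
// carries no id_token, when verification fails, or when the claims cannot
// be decoded. Every error is wrapped with the step that produced it.
//
// NOTE(review): neither this method nor StartAuthentication uses an OIDC
// nonce, so the ID token is not bound to the login attempt beyond the state
// check the caller is expected to perform — confirm that is acceptable.
func (a *Authenticator) VerifyAuthentication(ctx context.Context, code string) (*OpenIDToken, error) {
	verifier := a.provider.Verifier(&oidc.Config{ClientID: a.oidcConf.ClientID})

	oauth2Token, err := a.oidcConf.Exchange(ctx, code)
	if err != nil {
		return nil, errors.Wrap(err, "code exchange failed")
	}

	// The ID token travels as an extra field of the token response.
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		return nil, fmt.Errorf("token response does not contain id_token")
	}

	// Verify signature and standard claims before trusting any of the payload.
	idToken, err := verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, errors.Wrap(err, "id_token verification failed")
	}

	var claims OpenIDToken
	if err := idToken.Claims(&claims); err != nil {
		return nil, errors.Wrap(err, "decoding id_token claims")
	}

	// Strip the scheme from the issuer (the original note says Google returns
	// it with "https://"); callers presumably compare the bare host — confirm.
	claims.Issuer = strings.ReplaceAll(claims.Issuer, "https://", "")

	return &claims, nil
}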