forked from AzureAD/microsoft-authentication-library-for-go
-
Notifications
You must be signed in to change notification settings - Fork 0
/
confidential_auth_code_sample.go
109 lines (100 loc) · 3.44 KB
/
confidential_auth_code_sample.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
package main
/*
var (
accessToken string
confidentialConfig = CreateConfig("confidential_config.json")
app confidential.Client
)
// TODO(msal): I'm not sure what to do here with the CodeChallenge and State. authCodeURLParams
// is no more. CodeChallenge is only used now in a confidential.AcquireTokenByAuthCode(), which
// this is not using. Maybe now this is a two step process????
func redirectToURLConfidential(w http.ResponseWriter, r *http.Request) {
// Getting the URL to redirect to acquire the authorization code
authCodeURLParams.CodeChallenge = confidentialConfig.CodeChallenge
authCodeURLParams.State = confidentialConfig.State
authURL, err := app.CreateAuthCodeURL(context.Background(), confidentialConfig.ClientID, confidentialConfig.RedirectURI, confidentialConfig.Scopes)
if err != nil {
http.Error(w, err.Error(), http.StatusUnauthorized)
return
}
// Redirecting to the URL we have received
log.Println("redirecting to auth: ", authURL)
http.Redirect(w, r, authURL, http.StatusSeeOther)
}
func getTokenConfidential(w http.ResponseWriter, r *http.Request) {
// Getting the authorization code from the URL's query
states, ok := r.URL.Query()["state"]
if !ok || len(states[0]) < 1 {
log.Fatal(errors.New("State parameter missing, can't verify authorization code"))
}
codes, ok := r.URL.Query()["code"]
if !ok || len(codes[0]) < 1 {
log.Fatal(errors.New("Authorization code missing"))
}
if states[0] != config.State {
log.Fatal(errors.New("State parameter is incorrect"))
}
code := codes[0]
// Getting the access token using the authorization code
result, err := app.AcquireTokenByAuthCode(
context.Background(),
confidentialConfig.Scopes,
confidential.CodeChallenge(code, confidentialConfig.CodeChallenge),
)
if err != nil {
log.Fatal(err)
}
// Prints the access token on the webpage
fmt.Fprintf(w, "Access token is "+result.GetAccessToken())
accessToken = result.GetAccessToken()
}
// TODO(msal): Needs to use an x509 certificate like the other now that we are not using a
// thumbprint directly.
/*
func acquireByAuthorizationCodeConfidential() {
file, err := os.Open(confidentialConfig.KeyFile)
if err != nil {
log.Fatal(err)
}
defer file.Close()
key, err := ioutil.ReadAll(file)
if err != nil {
log.Fatal(err)
}
certificate, err := msal.CreateClientCredentialFromCertificate(confidentialConfig.Thumbprint, key)
if err != nil {
log.Fatal(err)
}
options := msal.DefaultConfidentialClientApplicationOptions()
options.Accessor = cacheAccessor
options.Authority = confidentialConfig.Authority
app, err := msal.NewConfidentialClientApplication(confidentialConfig.ClientID, certificate, &options)
if err != nil {
log.Fatal(err)
}
var userAccount shared.Account
for _, account := range app.Accounts() {
if account.PreferredUsername == confidentialConfig.Username {
userAccount = account
}
}
result, err := app.AcquireTokenSilent(
context.Background(),
confidentialConfig.Scopes,
&msal.AcquireTokenSilentOptions{
Account: userAccount,
},
)
if err != nil {
panic(err)
}
fmt.Printf("Access token is " + result.GetAccessToken())
accessToken = result.GetAccessToken()
http.HandleFunc("/", redirectToURLConfidential)
// The redirect uri set in our app's registration is http://localhost:port/redirect
http.HandleFunc("/redirect", getTokenConfidential)
log.Fatal(http.ListenAndServe(":"+port, nil))
}
*/