This repository has been archived by the owner on Feb 13, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
202 lines (180 loc) · 6.38 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
package ibmoidc
import (
"context"
"crypto/rsa"
"errors"
"fmt"
"github.com/dgrijalva/jwt-go"
"net/http"
"github.com/lpar/blammo/log"
"golang.org/x/oauth2"
)
type key int
const userIdentity key = 0
// Authenticator is an object for processing IBM authentication responses.
type Authenticator struct {
OAuth2 *oauth2.Config
PubKey *rsa.PublicKey
}
// NewIntranetAuthenticator creates an Authenticator object for processing
// IBMid authentication server responses.
func NewIBMidAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator {
oa2 := &oauth2.Config{
ClientID: clientid,
ClientSecret: clientsecret,
RedirectURL: redirecturl,
Endpoint: IBMidEndpoint,
Scopes: []string{"openid"},
}
auth := &Authenticator{
OAuth2: oa2,
PubKey: IBMidPublicKey,
}
return auth
}
// NewIntranetAuthenticator creates an Authenticator object for processing
// intranet w3ID authentication server responses.
func NewIntranetAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator {
oa2 := &oauth2.Config{
ClientID: clientid,
ClientSecret: clientsecret,
RedirectURL: redirecturl,
Endpoint: IBMw3idEndpoint,
Scopes: []string{"openid"},
}
auth := &Authenticator{
OAuth2: oa2,
PubKey: IBMw3idPublicKey,
}
return auth
}
// NewIntranetStagingAuthenticator creates an Authenticator object for processing
// intranet w3ID authentication server responses from the staging server.
func NewIntranetStagingAuthenticator(clientid, clientsecret, redirecturl string) *Authenticator {
oa2 := &oauth2.Config{
ClientID: clientid,
ClientSecret: clientsecret,
RedirectURL: redirecturl,
Endpoint: IBMw3idStagingEndpoint,
Scopes: []string{"openid"},
}
auth := &Authenticator{
OAuth2: oa2,
PubKey: IBMw3idStagingPublicKey,
}
return auth
}
// BeginLogin redirects the browser to the federated authentication provider
// in order to begin the login process.
func (auth *Authenticator) BeginLogin() http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
csrftok, err := MakeCSRFtoken()
if err != nil {
log.Error().Err(err).Msg("unable to make CSRF token")
http.Error(w, "unable to make CSRF token", http.StatusInternalServerError)
return
}
// We write our CSRF token into a cookie and into the OIDC request
http.SetCookie(w, MakeCSRFcookie(csrftok))
url := auth.OAuth2.AuthCodeURL(csrftok, oauth2.AccessTypeOnline)
log.Debug().Str("url", url).Msg("redirecting user to log in")
http.Redirect(w, r, url, http.StatusTemporaryRedirect)
})
}
func (auth *Authenticator) FetchToken(code string) (*jwt.Token, error) {
var jsonwt *jwt.Token
token, err := auth.OAuth2.Exchange(context.Background(), code)
if err != nil {
return jsonwt, err
}
if !token.Valid() {
return jsonwt, errors.New("endpoint oauth2.Exchange returned invalid token")
}
log.Debug().Msg("exchanged code for token")
// Next, extract the encoded id_token from the access token response
encidtoken := token.Extra("id_token").(string)
if len(encidtoken) == 0 {
return jsonwt, errors.New("endpoint oauth2.Exchange() response missing id_token")
}
log.Debug().Msg("got id_token from token")
log.Debug().Str("token", encidtoken).Msg("encoded token")
jsonwt, err = jwt.Parse(encidtoken, func(token *jwt.Token) (interface{}, error) {
algo := token.Header["alg"].(string)
if algo == "RS256" {
return auth.PubKey, nil
} else {
log.Error().Str("alg", algo).Msg("bad JWT signature algorithm")
return nil, nil
}
})
if err != nil {
return jsonwt, fmt.Errorf("endpoint oauth2.Exchange() id_token invalid: %v", err)
}
log.Debug().Msg("verified signature on id_token")
return jsonwt, nil
}
// CompleteLoginFunc is the http.HandlerFunc version of CompleteLogin.
// It accepts the HTTP GET response from the federated
// authentication provider and completes the login process by fetching
// identity information from the provider. The verified identity is then
// added to the request context, so that it can be accessed by the next
// handler in the chain using TokenFromRequest.
func (auth *Authenticator) CompleteLoginFunc(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
nr := auth.decodeTokenToRequest(w, r)
next(w, nr)
}
}
// decodeTokenToRequest checks the CSRF cookie and fetches the token.
// If everything worked, it adds the token to the request and returns the new request.
// If not, it returns the same request it was passed.
func (auth *Authenticator) decodeTokenToRequest(w http.ResponseWriter, r *http.Request) *http.Request {
log.Debug().Msg("loginCallback started")
// First verify the state value to protect against CSRF attack
cstate := ReadCSRFcookie(r)
state := r.FormValue("state")
if state != cstate {
log.Debug().Str("expected", cstate).Str("got", state).Msg("invalid CSRF state")
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
return r
}
log.Debug().Msg("passed CSRF check")
// Then use the code we were given to fetch an access token via TLS
code := r.FormValue("code")
tok, err := auth.FetchToken(code)
if err != nil {
log.Error().Err(err).Msg("login failed")
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
return r
}
nr := RequestWithToken(r, tok)
return nr
}
// CompleteLogin accepts the HTTP GET response from the federated
// authentication provider and completes the login process by fetching
// identity information from the provider. The verified identity is then
// added to the request context, so that it can be accessed by the next
// handler in the chain using TokenFromRequest.
func (auth *Authenticator) CompleteLogin(next http.Handler) http.Handler {
return http.HandlerFunc( func(w http.ResponseWriter, r *http.Request) {
nr := auth.decodeTokenToRequest(w, r)
next.ServeHTTP(w, nr)
})
}
// RequestWithToken adds a token to the http request, using a private
// context key.
func RequestWithToken(r *http.Request, cs *jwt.Token) *http.Request {
ctx := r.Context()
nctx := context.WithValue(ctx, userIdentity, cs)
nr := r.WithContext(nctx)
return nr
}
// TokenFromRequest obtains the authenticated token from the request's
// context, where it was stored earlier by RequestWithToken.
// The boolean indicates whether an authenticated token was actually found
// in the request.
func TokenFromRequest(r *http.Request) (*jwt.Token, bool) {
ctx := r.Context()
cs, ok := ctx.Value(userIdentity).(*jwt.Token)
return cs, ok
}