This repository has been archived by the owner on Sep 24, 2020. It is now read-only.
/
oidc.go
100 lines (80 loc) · 2.59 KB
/
oidc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package oidc
import (
"context"
"golang.org/x/crypto/bcrypt"
"net/http"
"github.com/coreos/go-oidc"
"github.com/modoki-paas/modoki-k8s/internal/tokenutil"
"golang.org/x/oauth2"
"golang.org/x/xerrors"
)
// Authenticator is a helper to sign in with OpenID Connect
type Authenticator struct {
Provider *oidc.Provider
Config oauth2.Config
}
// AuthResult represents results of OpenID Connect authentication flow
type AuthResult struct {
Token *oauth2.Token
IDToken *oidc.IDToken
Profile map[string]interface{}
}
// NewAuthenticator initializes an Authenticator
func NewAuthenticator(ctx context.Context, clientID, clientSecret, redirectURL, providerURL string, scopes []string) (*Authenticator, error) {
provider, err := oidc.NewProvider(ctx, providerURL)
if err != nil {
return nil, xerrors.Errorf("failed to initialize oidc provider: %w", err)
}
conf := oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: redirectURL,
Endpoint: provider.Endpoint(),
Scopes: scopes,
}
return &Authenticator{
Provider: provider,
Config: conf,
}, nil
}
// Callback handles callback requests from IdP
func (author *Authenticator) Callback(ctx context.Context, expectedState, actualState, code string) (*AuthResult, error) {
token, err := author.Config.Exchange(ctx, code)
if err != nil {
return nil, xerrors.Errorf("failed to exchange code: %w", err)
}
rawIDToken, ok := token.Extra("id_token").(string)
if !ok {
return nil, xerrors.Errorf("No id_token field in oauth2 token: %w", http.StatusInternalServerError)
}
oidcConfig := &oidc.Config{
ClientID: author.Config.ClientID,
}
idToken, err := author.Provider.Verifier(oidcConfig).Verify(ctx, rawIDToken)
if err != nil {
return nil, xerrors.Errorf("Failed to verify ID Token: %w", err)
}
// Getting now the userInfo
var profile map[string]interface{}
if err := idToken.Claims(&profile); err != nil {
return nil, xerrors.Errorf("failed to get userinfo: %w", err)
}
return &AuthResult{
Token: token,
IDToken: idToken,
Profile: profile,
}, nil
}
// Login generates state and redirect url to IdP
func (author *Authenticator) Login(ctx context.Context) (redirectURL, state string, err error) {
state, err = tokenutil.GenerateRandomToken()
if err != nil {
return "", "", xerrors.Errorf("failed to generate a random token: %w", err)
}
hashedState, err := bcrypt.GenerateFromPassword([]byte(state), bcrypt.DefaultCost)
if err != nil {
return "", "", xerrors.Errorf("failed to hash the state string: %w", err)
}
redirectURL = author.Config.AuthCodeURL(string(hashedState))
return
}