ory · aeneasr · Jan 27, 2016 · Jan 27, 2016
@@ -7,6 +7,7 @@ import (
 	"github.com/ory-am/hydra/oauth/provider"
 	"github.com/ory-am/hydra/oauth/provider/dropbox"
 	"github.com/ory-am/hydra/oauth/provider/google"
+	"github.com/ory-am/hydra/oauth/provider/microsoft"
 	"github.com/ory-am/hydra/oauth/provider/signin"
 	"os"
 	"path"
@@ -42,6 +43,12 @@ func getEnv() {
 			env.Getenv("GOOGLE_SECRET", ""),
 			pkg.JoinURL(hostURL, "/oauth2/auth"),
 		),
+		microsoft.New(
+			"microsoft",
+			env.Getenv("MICROSOFT_CLIENT", ""),
+			env.Getenv("MICROSOFT_SECRET", ""),
+			pkg.JoinURL(hostURL, "/oauth2/auth"),
+		),
 		signin.New(
 			"login",
 			env.Getenv("SIGNIN_URL", ""),

@@ -313,7 +313,7 @@ func (h *Handler) AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
 
 		provider, err := h.Providers.Find(providerName)
 		if err != nil {
-			http.Error(w, fmt.Sprintf(`Provider "%s" not known and no sign in location provided.`, providerName), http.StatusBadRequest)
+			http.Error(w, fmt.Sprintf(`Unknown provider "%s".`, providerName), http.StatusBadRequest)
 			return
 		}
 

@@ -16,21 +16,6 @@ type dropbox struct {
 	api   string
 }
 
-type Account struct {
-	ID          string                 `json:"account_id"`
-	Email       string                 `json:"email"`
-	Locale      string                 `json:"locale"`
-	ReferralURL string                 `json:"referral_link"`
-	IsPaired    bool                   `json:"is_paired"`
-	Type        map[string]interface{} `json:"account_type"`
-	Name        struct {
-		Given        string `json:"given_name,omitempty"`
-		Surname      string `json:"surname,omitempty"`
-		FamiliarName string `json:"familiar_name,omitempty"`
-		DisplayName  string `json:"display_name,omitempty"`
-	} `json:"name"`
-}
-
 func New(id, client, secret, redirectURL string) *dropbox {
 	return &dropbox{
 		id:  id,
@@ -70,27 +55,18 @@ func (d *dropbox) FetchSession(code string) (Session, error) {
 	}
 	defer response.Body.Close()
 
-	var acc Account
+	if response.StatusCode != http.StatusOK {
+		return nil, errors.Errorf("Could not fetch account data because %s", err)
+	}
+
+	var acc map[string]interface{}
 	if err = json.NewDecoder(response.Body).Decode(&acc); err != nil {
 		return nil, err
 	}
 
 	return &DefaultSession{
-		RemoteSubject: acc.ID,
-		Extra: map[string]interface{}{
-			"account_id":    acc.ID,
-			"email":         acc.Email,
-			"locale":        acc.Locale,
-			"referral_link": acc.ReferralURL,
-			"is_paired":     acc.IsPaired,
-			"account_type":  acc.Type,
-			"name": map[string]interface{}{
-				"given_name":    acc.Name.Given,
-				"surname":       acc.Name.Surname,
-				"familiar_name": acc.Name.FamiliarName,
-				"display_name":  acc.Name.DisplayName,
-			},
-		},
+		RemoteSubject: fmt.Sprintf("%s", acc["account_id"]),
+		Extra:         acc,
 	}, nil
 }
 

@@ -48,17 +48,29 @@ func TestExchangeCode(t *testing.T) {
 	})
 	router.HandleFunc("/users/get_current_account", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		fmt.Fprintln(w, `{"account_id": "dbid:2qrw3etsdtr","name": {"given_name": "Peter","surname": "Peter","familiar_name": "Peter","display_name": "Peter"},"email": "peter@gmail.com","country": "DE","locale": "de","referral_link": "https://db.tt/w34setrdgxf","is_paired": false,"account_type": {".tag": "pro"}}`)
+		fmt.Fprintln(w, `{
+	"account_id": "dbid:foobar",
+	"name": {
+		"given_name": "foobar",
+		"surname": "foobar",
+		"familiar_name": "foobar",
+		"display_name": "foobar"
+	},
+	"email": "peter@gmail.com",
+	"country": "DE",
+	"locale": "de",
+	"referral_link": "https://db.tt/foobar",
+	"is_paired": false,
+	"account_type": {".tag": "pro"}
+}`)
 	})
 	ts := httptest.NewServer(router)
 
 	mock.api = ts.URL
 	mock.conf.Endpoint.TokenURL = ts.URL + mock.conf.Endpoint.TokenURL
 
-	t.Logf("Token URL: %s", mock.conf.Endpoint.TokenURL)
-	t.Logf("API URL: %s", mock.api)
 	code := "testcode"
 	ses, err := mock.FetchSession(code)
 	require.Nil(t, err)
-	assert.Equal(t, "dbid:2qrw3etsdtr", ses.GetRemoteSubject())
+	assert.Equal(t, "dbid:foobar", ses.GetRemoteSubject())
 }
@@ -16,27 +16,21 @@ type google struct {
 	conf *oauth2.Config
 }
 
-type claims struct {
-	Issuer     string `json:"iss"`
-	Subject    string `json:"sub"`
-	Email      string `json:"email"`
-	Name       string `json:"name"`
-	Picture    string `json:"picture"`
-	GivenName  string `json:"givenName"`
-	FamilyName string `json:"familyName"`
-	Locale     string `json:"locale"`
-}
-
 func New(id, client, secret, redirectURL string) *google {
 	return &google{
 		id:  id,
 		api: "https://www.googleapis.com",
 		conf: &oauth2.Config{
 			ClientID:     client,
 			ClientSecret: secret,
-			Scopes:       []string{"openid", "email", "profile"},
-			RedirectURL:  redirectURL,
-			Endpoint:     gauth.Endpoint,
+			Scopes: []string{
+				"email",
+				"profile",
+				"https://www.googleapis.com/auth/plus.login",
+				"https://www.googleapis.com/auth/plus.me",
+			},
+			RedirectURL: redirectURL,
+			Endpoint:    gauth.Endpoint,
 		},
 	}
 }
@@ -56,34 +50,26 @@ func (d *google) FetchSession(code string) (Session, error) {
 		return nil, errors.Errorf("Token is not valid: %v", token)
 	}
 
-	idToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, errors.Errorf("Token is not valid: %v", idToken)
-	}
-
-	resp, err := http.Get(fmt.Sprintf("%s/%s", d.api, "oauth2/v3/tokeninfo?id_token="+idToken))
+	c := conf.Client(oauth2.NoContext, token)
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/%s", d.api, "plus/v1/people/me"), nil)
+	resp, err := c.Do(req)
 	if err != nil {
-		return nil, errors.Errorf("Could not validate id token because %s", err)
+		return nil, err
 	}
 	defer resp.Body.Close()
 
-	var profile claims
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.Errorf("Could not fetch account data because %s", err)
+	}
+
+	var profile map[string]interface{}
 	if err := json.NewDecoder(resp.Body).Decode(&profile); err != nil {
 		return nil, errors.Errorf("Could not validate id token because %s", err)
 	}
 
 	return &DefaultSession{
-		RemoteSubject: profile.Subject,
-		Extra: map[string]interface{}{
-			"iss":         profile.Issuer,
-			"sub":         profile.Subject,
-			"email":       profile.Email,
-			"picture":     profile.Picture,
-			"locale":      profile.Locale,
-			"given_name":  profile.GivenName,
-			"name":        profile.Name,
-			"family_name": profile.FamilyName,
-		},
+		RemoteSubject: fmt.Sprintf("%s", profile["id"]),
+		Extra:         profile,
 	}, nil
 }
 

@@ -40,40 +40,51 @@ func TestGetAuthCodeURL(t *testing.T) {
 }
 
 func TestExchangeCode(t *testing.T) {
-
 	router := mux.NewRouter()
 	router.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		fmt.Fprintln(w, `{"access_token": "ABCDEFG", "token_type": "bearer", "uid": "12345", "id_token": "foobar"}`)
 	})
-	router.HandleFunc("/oauth2/v3/tokeninfo", func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, r.URL.Query().Get("id_token"), "foobar")
+	router.HandleFunc("/plus/v1/people/me", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		fmt.Fprintln(w, `{
- "iss": "https://accounts.google.com",
- "sub": "110169484474386276334",
- "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
- "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
- "iat": "1433978353",
- "exp": "1433981953",
- "email": "testuser@gmail.com",
- "email_verified": "true",
- "name" : "Test User",
- "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
- "given_name": "Test",
- "family_name": "User",
- "locale": "en"
+	"kind": "plus#person",
+	"etag": "\"foobar\"",
+	"gender": "male",
+	"emails": [
+		{
+		"value": "foobar@gmail.com",
+		"type": "account"
+		}
+	],
+	"objectType": "person",
+	"id": "foobarid",
+	"displayName": "foobar",
+	"name": {
+		"familyName": "foobar",
+		"givenName": "foobar"
+	},
+	"url": "https://plus.google.com/foobar",
+	"image": {
+		"url": "https://lh3.googleusercontent.com/foobar/photo.jpg?sz=50",
+		"isDefault": true
+	},
+	"isPlusUser": true,
+	"language": "de",
+	"ageRange": {
+		"min": 21
+	},
+	"circledByCount": 6,
+	"verified": false
 }`)
 	})
 	ts := httptest.NewServer(router)
 
 	mock.api = ts.URL
 	mock.conf.Endpoint.TokenURL = ts.URL + mock.conf.Endpoint.TokenURL
 
-	t.Logf("Token URL: %s", mock.conf.Endpoint.TokenURL)
-	t.Logf("API URL: %s", mock.api)
 	code := "testcode"
 	ses, err := mock.FetchSession(code)
 	require.Nil(t, err, "%s", err)
-	assert.Equal(t, "110169484474386276334", ses.GetRemoteSubject())
+	assert.Equal(t, "foobarid", ses.GetRemoteSubject())
 }
@@ -0,0 +1,78 @@
+package microsoft
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/go-errors/errors"
+	. "github.com/ory-am/hydra/oauth/provider"
+	"golang.org/x/oauth2"
+	"net/http"
+)
+
+// Read up on: https://dev.onedrive.com/auth/msa_oauth.htm
+
+type microsoft struct {
+	id    string
+	conf  *oauth2.Config
+	token *oauth2.Token
+	api   string
+}
+
+func New(id, client, secret, redirectURL string) *microsoft {
+	return &microsoft{
+		id:  id,
+		api: "https://apis.live.net",
+		conf: &oauth2.Config{
+			ClientID:     client,
+			ClientSecret: secret,
+			RedirectURL:  redirectURL,
+			Scopes:       []string{"wl.signin", "wl.emails"},
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  "https://login.live.com/oauth20_authorize.srf",
+				TokenURL: "https://login.live.com/oauth20_token.srf",
+			},
+		},
+	}
+}
+
+func (d *microsoft) GetAuthenticationURL(state string) string {
+	return d.conf.AuthCodeURL(state)
+}
+
+func (d *microsoft) FetchSession(code string) (Session, error) {
+	conf := *d.conf
+	token, err := conf.Exchange(oauth2.NoContext, code)
+	if err != nil {
+		return nil, err
+	}
+
+	if !token.Valid() {
+		return nil, errors.Errorf("Token is not valid: %v", token)
+	}
+
+	c := conf.Client(oauth2.NoContext, token)
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/%s", d.api, "v5.0/me"), nil)
+	response, err := c.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, errors.Errorf("Could not fetch account data because %s", err)
+	}
+
+	var acc map[string]interface{}
+	if err = json.NewDecoder(response.Body).Decode(&acc); err != nil {
+		return nil, err
+	}
+
+	return &DefaultSession{
+		RemoteSubject: fmt.Sprintf("%s", acc["id"]),
+		Extra:         acc,
+	}, nil
+}
+
+func (d *microsoft) GetID() string {
+	return d.id
+}