-
-
Notifications
You must be signed in to change notification settings - Fork 936
/
provider_generic_oidc.go
97 lines (79 loc) · 2.06 KB
/
provider_generic_oidc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
package oidc
import (
"context"
"net/url"
"github.com/pkg/errors"
"golang.org/x/oauth2"
"github.com/ory/herodot"
"github.com/ory/x/stringslice"
gooidc "github.com/coreos/go-oidc"
)
var _ Provider = new(ProviderGenericOIDC)
type ProviderGenericOIDC struct {
p *gooidc.Provider
config *Configuration
public *url.URL
}
func NewProviderGenericOIDC(
config *Configuration,
public *url.URL,
) *ProviderGenericOIDC {
return &ProviderGenericOIDC{
config: config,
public: public,
}
}
func (g *ProviderGenericOIDC) Config() *Configuration {
return g.config
}
func (g *ProviderGenericOIDC) provider(ctx context.Context) (*gooidc.Provider, error) {
if g.p == nil {
p, err := gooidc.NewProvider(context.Background(), g.config.IssuerURL)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
}
g.p = p
}
return g.p, nil
}
func (g *ProviderGenericOIDC) OAuth2(ctx context.Context) (*oauth2.Config, error) {
p, err := g.provider(ctx)
if err != nil {
return nil, err
}
endpoint := p.Endpoint()
scope := g.config.Scope
if !stringslice.Has(scope, gooidc.ScopeOpenID) {
scope = append(scope, gooidc.ScopeOpenID)
}
return &oauth2.Config{
ClientID: g.config.ClientID,
ClientSecret: g.config.ClientSecret,
Endpoint: endpoint,
Scopes: scope,
RedirectURL: g.config.Redir(g.public),
}, nil
}
func (g *ProviderGenericOIDC) Claims(ctx context.Context, exchange *oauth2.Token) (*Claims, error) {
raw, ok := exchange.Extra("id_token").(string)
if !ok || len(raw) == 0 {
return nil, errors.WithStack(ErrIDTokenMissing)
}
p, err := g.provider(ctx)
if err != nil {
return nil, err
}
token, err := p.
Verifier(&gooidc.Config{
ClientID: g.config.ClientID,
}).
Verify(ctx, raw)
if err != nil {
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("%s", err))
}
var claims Claims
if err := token.Claims(&claims); err != nil {
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("%s", err))
}
return &claims, nil
}