/
provider_microsoft.go
129 lines (102 loc) · 3.63 KB
/
provider_microsoft.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package oidc
import (
"context"
"encoding/json"
"net/url"
"strings"
"github.com/hashicorp/go-retryablehttp"
"github.com/ory/x/httpx"
"github.com/gofrs/uuid"
"github.com/golang-jwt/jwt/v4"
gooidc "github.com/coreos/go-oidc/v3/oidc"
"github.com/pkg/errors"
"golang.org/x/oauth2"
"github.com/ory/herodot"
)
type ProviderMicrosoft struct {
*ProviderGenericOIDC
}
func NewProviderMicrosoft(
config *Configuration,
reg Dependencies,
) Provider {
return &ProviderMicrosoft{
ProviderGenericOIDC: &ProviderGenericOIDC{
config: config,
reg: reg,
},
}
}
func (m *ProviderMicrosoft) OAuth2(ctx context.Context) (*oauth2.Config, error) {
if len(strings.TrimSpace(m.config.Tenant)) == 0 {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No Tenant specified for the `microsoft` oidc provider %s", m.config.ID))
}
endpointPrefix := "https://login.microsoftonline.com/" + m.config.Tenant
endpoint := oauth2.Endpoint{
AuthURL: endpointPrefix + "/oauth2/v2.0/authorize",
TokenURL: endpointPrefix + "/oauth2/v2.0/token",
}
return m.oauth2ConfigFromEndpoint(ctx, endpoint), nil
}
func (m *ProviderMicrosoft) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {
raw, ok := exchange.Extra("id_token").(string)
if !ok || len(raw) == 0 {
return nil, errors.WithStack(ErrIDTokenMissing)
}
parser := new(jwt.Parser)
unverifiedClaims := microsoftUnverifiedClaims{}
if _, _, err := parser.ParseUnverified(raw, &unverifiedClaims); err != nil {
return nil, err
}
if _, err := uuid.FromString(unverifiedClaims.TenantID); err != nil {
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("TenantID claim is not a valid UUID: %s", err))
}
issuer := "https://login.microsoftonline.com/" + unverifiedClaims.TenantID + "/v2.0"
ctx = context.WithValue(ctx, oauth2.HTTPClient, m.reg.HTTPClient(ctx).HTTPClient)
p, err := gooidc.NewProvider(ctx, issuer)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to initialize OpenID Connect Provider: %s", err))
}
claims, err := m.verifyAndDecodeClaimsWithProvider(ctx, p, raw)
if err != nil {
return nil, err
}
return m.updateSubject(ctx, claims, exchange)
}
func (m *ProviderMicrosoft) updateSubject(ctx context.Context, claims *Claims, exchange *oauth2.Token) (*Claims, error) {
if m.config.SubjectSource == "me" {
o, err := m.OAuth2(ctx)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("%s", err))
}
ctx, client := httpx.SetOAuth2(ctx, m.reg.HTTPClient(ctx), o, exchange)
req, err := retryablehttp.NewRequestWithContext(ctx, "GET", "https://graph.microsoft.com/v1.0/me", nil)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("%s", err))
}
resp, err := client.Do(req)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to fetch from `https://graph.microsoft.com/v1.0/me`: %s", err))
}
defer resp.Body.Close()
if err := logUpstreamError(m.reg.Logger(), resp); err != nil {
return nil, err
}
var user struct {
ID string `json:"id"`
}
if err := json.NewDecoder(resp.Body).Decode(&user); err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to decode JSON from `https://graph.microsoft.com/v1.0/me`: %s", err))
}
claims.Subject = user.ID
}
return claims, nil
}
type microsoftUnverifiedClaims struct {
TenantID string `json:"tid,omitempty"`
}
func (c *microsoftUnverifiedClaims) Valid() error {
return nil
}