-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side.
- Loading branch information
Marc Bärtschi
committed
Jan 28, 2024
1 parent
d70236c
commit bd06a8a
Showing
5 changed files
with
181 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,119 @@ | ||
package oidc | ||
|
||
import ( | ||
"context" | ||
"crypto/rand" | ||
"encoding/base64" | ||
"fmt" | ||
"io" | ||
"net/http" | ||
"net/url" | ||
|
||
"github.com/coreos/go-oidc/v3/oidc" | ||
"github.com/labstack/echo/v4" | ||
"golang.org/x/oauth2" | ||
) | ||
|
||
type Config struct { | ||
ProviderURL string | ||
RedirectURL string | ||
ClientID string | ||
ClientSecret string | ||
} | ||
|
||
func OIDCAuth(config Config) echo.MiddlewareFunc { | ||
provider, err := oidc.NewProvider(context.Background(), config.ProviderURL) | ||
if err != nil { | ||
panic(err) | ||
} | ||
verifier := provider.Verifier(&oidc.Config{ | ||
ClientID: config.ClientID, | ||
}) | ||
|
||
oidcConfig := oauth2.Config{ | ||
ClientID: config.ClientID, | ||
ClientSecret: config.ClientSecret, | ||
Endpoint: provider.Endpoint(), | ||
RedirectURL: config.RedirectURL, | ||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, | ||
} | ||
|
||
pathURL, err := url.Parse(config.RedirectURL) | ||
if err != nil { | ||
panic(err) | ||
} | ||
|
||
return func(next echo.HandlerFunc) echo.HandlerFunc { | ||
return func(c echo.Context) error { | ||
if c.Request().URL.Path == pathURL.Path { | ||
oauth2Token, err := oidcConfig.Exchange(c.Request().Context(), c.Request().URL.Query().Get("code")) | ||
if err != nil { | ||
return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Failed to exchange token: %v", err)) | ||
} | ||
|
||
rawIDToken, ok := oauth2Token.Extra("id_token").(string) | ||
if !ok { | ||
return echo.NewHTTPError(http.StatusUnauthorized, "No id_token field in oauth2 token") | ||
} | ||
|
||
idToken, err := verifier.Verify(c.Request().Context(), rawIDToken) | ||
if err != nil { | ||
return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Failed to verify ID Token: %v", err)) | ||
} | ||
|
||
nonce, err := c.Cookie("nonce") | ||
if err != nil { | ||
return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("nonce cookie not found: %v", err)) | ||
} | ||
|
||
if idToken.Nonce != nonce.Value { | ||
return echo.NewHTTPError(http.StatusUnauthorized, "nonce did not match") | ||
} | ||
|
||
c.SetCookie(&http.Cookie{ | ||
Name: "id_token", | ||
Value: rawIDToken, | ||
Secure: true, | ||
SameSite: http.SameSiteLaxMode, | ||
Path: "/", | ||
}) | ||
|
||
// Login success - redirect back to the intended page | ||
return c.Redirect(302, c.Request().URL.Query().Get("state")) | ||
} | ||
|
||
// check if request is authenticated | ||
rawIDToken, err := c.Cookie("id_token") | ||
if err == nil { // cookie found | ||
_, err = verifier.Verify(c.Request().Context(), rawIDToken.Value) | ||
if err == nil { | ||
return next(c) | ||
} | ||
} else if err != http.ErrNoCookie { | ||
return echo.NewHTTPError(http.StatusInternalServerError, err.Error()) | ||
} | ||
|
||
// Redirect to login | ||
nonce, err := randString(16) | ||
if err != nil { | ||
return echo.NewHTTPError(http.StatusInternalServerError, err.Error()) | ||
} | ||
c.SetCookie(&http.Cookie{ | ||
Name: "nonce", | ||
Value: nonce, | ||
Secure: true, | ||
SameSite: http.SameSiteLaxMode, | ||
Path: "/", | ||
}) | ||
return c.Redirect(302, oidcConfig.AuthCodeURL(c.Request().URL.RequestURI(), oidc.Nonce(nonce))) | ||
} | ||
} | ||
} | ||
|
||
func randString(nByte int) (string, error) { | ||
b := make([]byte, nByte) | ||
if _, err := io.ReadFull(rand.Reader, b); err != nil { | ||
return "", err | ||
} | ||
return base64.RawURLEncoding.EncodeToString(b), nil | ||
} |