hydra_oidc_poc/app/handlers/common.go

package handlers

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"net/url"

	"github.com/lestrrat-go/jwx/jwk"
	"github.com/lestrrat-go/jwx/jwt"
	"github.com/lestrrat-go/jwx/jwt/openid"
	log "github.com/sirupsen/logrus"

	"git.cacert.org/oidc_login/app/services"
	"git.cacert.org/oidc_login/common/models"
	commonServices "git.cacert.org/oidc_login/common/services"
)

const sessionName = "resource_session"

func Authenticate(ctx context.Context, logger *log.Logger, clientId string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			session, err := services.GetSessionStore().Get(r, sessionName)
			if err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
			if _, ok := session.Values[sessionKeyIdToken]; ok {
				next.ServeHTTP(w, r)
				return
			}
			session.Values[sessionRedirectTarget] = r.URL.String()
			if err = session.Save(r, w); err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
			var authUrl *url.URL
			if authUrl, err = url.Parse(commonServices.GetOAuth2Config(ctx).Endpoint.AuthURL); err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
			queryValues := authUrl.Query()
			queryValues.Set("client_id", clientId)
			queryValues.Set("response_type", "code")
			queryValues.Set("scope", "openid offline_access profile email")
			queryValues.Set("state", base64.URLEncoding.EncodeToString(commonServices.GenerateKey(8)))
			queryValues.Set("claims", getRequestedClaims(logger))
			authUrl.RawQuery = queryValues.Encode()

			w.Header().Set("Location", authUrl.String())
			w.WriteHeader(http.StatusFound)
		})
	}
}

func getRequestedClaims(logger *log.Logger) string {
	claims := make(models.OIDCClaimsRequest)
	claims["userinfo"] = make(models.ClaimElement)
	essentialItem := make(models.IndividualClaimRequest)
	essentialItem["essential"] = true
	claims["userinfo"]["https://cacert.localhost/groups"] = &essentialItem

	target := make([]byte, 0)
	buf := bytes.NewBuffer(target)
	enc := json.NewEncoder(buf)
	if err := enc.Encode(claims); err != nil {
		logger.Warnf("could not encode claims request parameter: %v", err)
	}
	return buf.String()
}

func ParseIdToken(token string, keySet *jwk.Set) (openid.Token, error) {
	if parsedIdToken, err := jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithOpenIDClaims()); err != nil {
		return nil, err
	} else {
		return parsedIdToken.(openid.Token), nil
	}

}
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`package handlers`

			`import (`
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`"bytes"`
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`"context"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"encoding/base64"`
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`"encoding/json"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`"net/http"`
			`"net/url"`

Implement consent workflow 2020-12-31 19:11:06 +01:00			`"github.com/lestrrat-go/jwx/jwk"`
			`"github.com/lestrrat-go/jwx/jwt"`
			`"github.com/lestrrat-go/jwx/jwt/openid"`
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`log "github.com/sirupsen/logrus"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00
			`"git.cacert.org/oidc_login/app/services"`
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`"git.cacert.org/oidc_login/common/models"`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`commonServices "git.cacert.org/oidc_login/common/services"`
			`)`

			`const sessionName = "resource_session"`

Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`func Authenticate(ctx context.Context, logger *log.Logger, clientId string) func(http.Handler) http.Handler {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`session, err := services.GetSessionStore().Get(r, sessionName)`
			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
Implement consent workflow 2020-12-31 19:11:06 +01:00			`if _, ok := session.Values[sessionKeyIdToken]; ok {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`session.Values[sessionRedirectTarget] = r.URL.String()`
			`if err = session.Save(r, w); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`var authUrl *url.URL`
Refactor i18n, add templating for resource app 2021-01-01 09:20:49 +01:00			`if authUrl, err = url.Parse(commonServices.GetOAuth2Config(ctx).Endpoint.AuthURL); err != nil {`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`queryValues := authUrl.Query()`
			`queryValues.Set("client_id", clientId)`
			`queryValues.Set("response_type", "code")`
			`queryValues.Set("scope", "openid offline_access profile email")`
			`queryValues.Set("state", base64.URLEncoding.EncodeToString(commonServices.GenerateKey(8)))`
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`queryValues.Set("claims", getRequestedClaims(logger))`
Refactor app, implement logout 2020-12-31 13:19:21 +01:00			`authUrl.RawQuery = queryValues.Encode()`

			`w.Header().Set("Location", authUrl.String())`
			`w.WriteHeader(http.StatusFound)`
			`})`
			`}`
			`}`
Implement consent workflow 2020-12-31 19:11:06 +01:00
Start implementation of individual claim handling 2021-01-03 11:43:41 +01:00			`func getRequestedClaims(logger *log.Logger) string {`
			`claims := make(models.OIDCClaimsRequest)`
			`claims["userinfo"] = make(models.ClaimElement)`
			`essentialItem := make(models.IndividualClaimRequest)`
			`essentialItem["essential"] = true`
			`claims["userinfo"]["https://cacert.localhost/groups"] = &essentialItem`

			`target := make([]byte, 0)`
			`buf := bytes.NewBuffer(target)`
			`enc := json.NewEncoder(buf)`
			`if err := enc.Encode(claims); err != nil {`
			`logger.Warnf("could not encode claims request parameter: %v", err)`
			`}`
			`return buf.String()`
			`}`

Implement consent workflow 2020-12-31 19:11:06 +01:00			`func ParseIdToken(token string, keySet *jwk.Set) (openid.Token, error) {`
			`if parsedIdToken, err := jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithOpenIDClaims()); err != nil {`
			`return nil, err`
			`} else {`
			`return parsedIdToken.(openid.Token), nil`
			`}`

			`}`