package services
import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"

	"github.com/lestrrat-go/jwx/jwk"
	log "github.com/sirupsen/logrus"
	"golang.org/x/oauth2"

	"git.cacert.org/oidc_login/common/models"
)
// oidcContextKey is the private key type for the values DiscoverOIDC stores
// in a context; an unexported type keeps these keys from colliding with
// context keys defined by other packages.
type oidcContextKey int

// context keys
const (
	// ctxOidcConfig holds the *models.OpenIDConfiguration decoded from the
	// discovery document (read back by GetOidcConfig).
	ctxOidcConfig oidcContextKey = iota
	// ctxOAuth2Config holds the *oauth2.Config built from the discovery
	// document (read back by GetOAuth2Config).
	ctxOAuth2Config
	// ctxOidcJwks holds the key set fetched from the discovered jwksUri
	// (read back by GetJwkSet as *jwk.Set).
	ctxOidcJwks
)
// OidcParams are the parameters for DiscoverOIDC.
type OidcParams struct {
	// OidcServer is the issuer URL of the OpenID Connect provider; the
	// discovery document is requested from its
	// /.well-known/openid-configuration path.
	OidcServer string
	// OidcClientId is the OAuth 2 client identifier placed into the
	// oauth2.Config that DiscoverOIDC stores in the context.
	OidcClientId string
	// OidcClientSecret is the OAuth 2 client secret placed into the
	// oauth2.Config that DiscoverOIDC stores in the context.
	OidcClientSecret string
	// APIClient performs the discovery request and the JWKS fetch; it should
	// carry the timeout and TLS settings appropriate for talking to the
	// provider.
	APIClient *http.Client
}
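// DiscoverOIDC discovers OpenID Connect parameters from the provider's
// discovery endpoint and the JSON Web Key Set from the discovered jwksUri.
//
// The discovery document is requested from the issuer given in
// params.OidcServer with "/.well-known/openid-configuration" appended to its
// path (OpenID Connect Discovery 1.0, section 4.1), so an issuer served below
// a path prefix keeps that prefix. The request is bound to ctx.
//
// The subset of values specified by models.OpenIDConfiguration is stored in
// the returned context and can be retrieved from it by GetOidcConfig.
//
// OAuth2 specific values are stored in another context object and can be
// retrieved by GetOAuth2Config.
//
// The JSON Web Key Set can be retrieved by GetJwkSet.
//
// params.APIClient is used for both HTTP requests; when it is nil,
// http.DefaultClient is used. Every failure (unparseable OidcServer,
// transport errors, a non-200 discovery response, a malformed or incomplete
// discovery document, a failed JWKS fetch) is returned as an error rather
// than terminating the process; logger only receives a warning when the
// discovery URL does not use https.
func DiscoverOIDC(ctx context.Context, logger *log.Logger, params *OidcParams) (context.Context, error) {
	if params == nil {
		return nil, fmt.Errorf("oidc discovery: params must not be nil")
	}
	if ctx == nil {
		ctx = context.Background()
	}
	client := params.APIClient
	if client == nil {
		client = http.DefaultClient
	}

	discoveryURL, err := buildDiscoveryURL(params.OidcServer)
	if err != nil {
		return nil, err
	}
	if discoveryURL.Scheme != "https" && logger != nil {
		// The discovery document determines where credentials are sent and
		// which keys are trusted for token verification; outside local
		// testing it must come over an authenticated channel.
		logger.Warnf("oidc discovery URL %s does not use https", discoveryURL)
	}

	discoveryResponse, err := fetchDiscoveryDocument(ctx, client, discoveryURL)
	if err != nil {
		return nil, err
	}
	ctx = context.WithValue(ctx, ctxOidcConfig, discoveryResponse)

	oauth2Config := &oauth2.Config{
		ClientID:     params.OidcClientId,
		ClientSecret: params.OidcClientSecret,
		Endpoint: oauth2.Endpoint{
			AuthURL:  discoveryResponse.AuthorizationEndpoint,
			TokenURL: discoveryResponse.TokenEndpoint,
		},
		Scopes: []string{"openid", "offline"},
	}
	ctx = context.WithValue(ctx, ctxOAuth2Config, oauth2Config)

	// The key set is fetched with the same client so that its TLS and timeout
	// configuration also applies to the JWKS endpoint.
	keySet, err := jwk.FetchHTTP(discoveryResponse.JwksUri, jwk.WithHTTPClient(client))
	if err != nil {
		return nil, fmt.Errorf("fetching JWKs from %s: %w", discoveryResponse.JwksUri, err)
	}
	ctx = context.WithValue(ctx, ctxOidcJwks, keySet)

	return ctx, nil
}

// buildDiscoveryURL returns the OpenID Connect discovery URL for issuer by
// appending "/.well-known/openid-configuration" to the issuer's path. A
// trailing slash on the issuer is not duplicated, and query and fragment
// (which an issuer URL must not carry) are dropped. issuer must be an
// absolute URL.
func buildDiscoveryURL(issuer string) (*url.URL, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return nil, fmt.Errorf("parsing oidc.server parameter value %q: %w", issuer, err)
	}
	if u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("oidc.server parameter value %q is not an absolute URL", issuer)
	}
	base := u.Path
	if len(base) > 0 && base[len(base)-1] == '/' {
		base = base[:len(base)-1]
	}
	u.Path = base + "/.well-known/openid-configuration"
	// RawPath only describes the previous Path; clearing it makes String()
	// derive the encoded form from the new Path.
	u.RawPath = ""
	u.RawQuery = ""
	u.Fragment = ""
	return u, nil
}

// fetchDiscoveryDocument performs the GET for the discovery document at
// discoveryURL using client and decodes it into a models.OpenIDConfiguration.
// It requires a 200 response, reads at most 1 MiB of body, and rejects a
// document that lacks any of the three values the caller relies on
// (authorization endpoint, token endpoint, JWKS URI).
func fetchDiscoveryDocument(ctx context.Context, client *http.Client, discoveryURL *url.URL) (*models.OpenIDConfiguration, error) {
	// Bounds the document read from the network so that a misbehaving or
	// hostile endpoint cannot exhaust memory.
	const maxDiscoveryBody = 1 << 20

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, discoveryURL.String(), nil)
	if err != nil {
		return nil, fmt.Errorf("building discovery request for %s: %w", discoveryURL, err)
	}
	req.Header.Set("Accept", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("requesting discovery document %s: %w", discoveryURL, err)
	}
	defer resp.Body.Close()

	// Read one byte more than the limit so an oversized document can be told
	// apart from one that is exactly at the limit.
	var body bytes.Buffer
	if _, err := io.Copy(&body, io.LimitReader(resp.Body, maxDiscoveryBody+1)); err != nil {
		return nil, fmt.Errorf("reading discovery document %s: %w", discoveryURL, err)
	}
	if body.Len() > maxDiscoveryBody {
		return nil, fmt.Errorf("discovery document %s exceeds %d bytes", discoveryURL, maxDiscoveryBody)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery document %s: unexpected HTTP status %s", discoveryURL, resp.Status)
	}

	discoveryResponse := &models.OpenIDConfiguration{}
	if err := json.Unmarshal(body.Bytes(), discoveryResponse); err != nil {
		return nil, fmt.Errorf("decoding discovery document %s: %w", discoveryURL, err)
	}
	// NOTE(review): the document's issuer value is not compared with the
	// configured issuer here; confirm whether models.OpenIDConfiguration
	// exposes it and add that check if so.
	switch {
	case discoveryResponse.AuthorizationEndpoint == "":
		return nil, fmt.Errorf("discovery document %s has no authorization endpoint", discoveryURL)
	case discoveryResponse.TokenEndpoint == "":
		return nil, fmt.Errorf("discovery document %s has no token endpoint", discoveryURL)
	case discoveryResponse.JwksUri == "":
		return nil, fmt.Errorf("discovery document %s has no JWKS URI", discoveryURL)
	}
	return discoveryResponse, nil
}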
// GetOidcConfig returns the OpenID configuration that DiscoverOIDC stored in
// ctx.
//
// DiscoverOIDC needs to be called before this is available; on a context it
// has not populated, the type assertion panics.
func GetOidcConfig(ctx context.Context) *models.OpenIDConfiguration {
	stored := ctx.Value(ctxOidcConfig)
	return stored.(*models.OpenIDConfiguration)
}
// GetOAuth2Config returns the OAuth 2 configuration that DiscoverOIDC stored
// in ctx.
//
// DiscoverOIDC needs to be called before this is available; on a context it
// has not populated, the type assertion panics.
func GetOAuth2Config(ctx context.Context) *oauth2.Config {
	stored := ctx.Value(ctxOAuth2Config)
	return stored.(*oauth2.Config)
}
// GetJwkSet returns the JSON Web Key Set that DiscoverOIDC stored in ctx.
//
// DiscoverOIDC needs to be called before this is available; on a context it
// has not populated, the type assertion panics.
func GetJwkSet(ctx context.Context) *jwk.Set {
	stored := ctx.Value(ctxOidcJwks)
	return stored.(*jwk.Set)
}