Start implementation of individual claim handling
This commit is contained in:
parent
e9c34a2337
commit
744440ee54
6 changed files with 243 additions and 12 deletions
|
|
@ -1,22 +1,26 @@
|
|||
package handlers
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/lestrrat-go/jwx/jwk"
|
||||
"github.com/lestrrat-go/jwx/jwt"
|
||||
"github.com/lestrrat-go/jwx/jwt/openid"
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
"git.cacert.org/oidc_login/app/services"
|
||||
"git.cacert.org/oidc_login/common/models"
|
||||
commonServices "git.cacert.org/oidc_login/common/services"
|
||||
)
|
||||
|
||||
const sessionName = "resource_session"
|
||||
|
||||
func Authenticate(ctx context.Context, clientId string) func(http.Handler) http.Handler {
|
||||
func Authenticate(ctx context.Context, logger *log.Logger, clientId string) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
session, err := services.GetSessionStore().Get(r, sessionName)
|
||||
|
|
@ -43,6 +47,7 @@ func Authenticate(ctx context.Context, clientId string) func(http.Handler) http.
|
|||
queryValues.Set("response_type", "code")
|
||||
queryValues.Set("scope", "openid offline_access profile email")
|
||||
queryValues.Set("state", base64.URLEncoding.EncodeToString(commonServices.GenerateKey(8)))
|
||||
queryValues.Set("claims", getRequestedClaims(logger))
|
||||
authUrl.RawQuery = queryValues.Encode()
|
||||
|
||||
w.Header().Set("Location", authUrl.String())
|
||||
|
|
@ -51,6 +56,22 @@ func Authenticate(ctx context.Context, clientId string) func(http.Handler) http.
|
|||
}
|
||||
}
|
||||
|
||||
func getRequestedClaims(logger *log.Logger) string {
|
||||
claims := make(models.OIDCClaimsRequest)
|
||||
claims["userinfo"] = make(models.ClaimElement)
|
||||
essentialItem := make(models.IndividualClaimRequest)
|
||||
essentialItem["essential"] = true
|
||||
claims["userinfo"]["https://cacert.localhost/groups"] = &essentialItem
|
||||
|
||||
target := make([]byte, 0)
|
||||
buf := bytes.NewBuffer(target)
|
||||
enc := json.NewEncoder(buf)
|
||||
if err := enc.Encode(claims); err != nil {
|
||||
logger.Warnf("could not encode claims request parameter: %v", err)
|
||||
}
|
||||
return buf.String()
|
||||
}
|
||||
|
||||
func ParseIdToken(token string, keySet *jwk.Set) (openid.Token, error) {
|
||||
if parsedIdToken, err := jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithOpenIDClaims()); err != nil {
|
||||
return nil, err
|
||||
|
|
|
|||
Reference in a new issue