Implement consent workflow
This commit is contained in:
parent
7a2174ea41
commit
e4f17ca315
12 changed files with 382 additions and 140 deletions
|
@ -5,6 +5,9 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/lestrrat-go/jwx/jwk"
|
||||
"github.com/lestrrat-go/jwx/jwt"
|
||||
"github.com/lestrrat-go/jwx/jwt/openid"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"git.cacert.org/oidc_login/app/services"
|
||||
|
@ -21,7 +24,7 @@ func Authenticate(oauth2Config *oauth2.Config, clientId string) func(http.Handle
|
|||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if _, ok := session.Values[sessionKeyUserId]; ok {
|
||||
if _, ok := session.Values[sessionKeyIdToken]; ok {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
@ -47,3 +50,12 @@ func Authenticate(oauth2Config *oauth2.Config, clientId string) func(http.Handle
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func ParseIdToken(token string, keySet *jwk.Set) (openid.Token, error) {
|
||||
if parsedIdToken, err := jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithOpenIDClaims()); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
return parsedIdToken.(openid.Token), nil
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -6,12 +6,15 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/lestrrat-go/jwx/jwk"
|
||||
|
||||
"git.cacert.org/oidc_login/app/services"
|
||||
)
|
||||
|
||||
type indexHandler struct {
|
||||
logoutUrl string
|
||||
serverAddr string
|
||||
keySet *jwk.Set
|
||||
}
|
||||
|
||||
func (h *indexHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
|
||||
|
@ -51,21 +54,26 @@ func (h *indexHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reque
|
|||
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
var user string
|
||||
var idToken string
|
||||
var ok bool
|
||||
if user, ok = session.Values[sessionKeyUsername].(string); ok {
|
||||
|
||||
}
|
||||
if idToken, ok := session.Values[sessionKeyIdToken].(string); ok {
|
||||
if idToken, ok = session.Values[sessionKeyIdToken].(string); ok {
|
||||
logoutUrl.RawQuery = url.Values{
|
||||
"id_token_hint": []string{idToken},
|
||||
"post_logout_redirect_uri": []string{fmt.Sprintf("https://%s/after-logout", h.serverAddr)},
|
||||
}.Encode()
|
||||
} else {
|
||||
return
|
||||
}
|
||||
|
||||
oidcToken, err := ParseIdToken(idToken, h.keySet)
|
||||
if err != nil {
|
||||
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
writer.Header().Add("Content-Type", "text/html")
|
||||
err = page.Execute(writer, map[string]interface{}{
|
||||
"User": user,
|
||||
"User": oidcToken.Name(),
|
||||
"LogoutURL": logoutUrl.String(),
|
||||
})
|
||||
if err != nil {
|
||||
|
@ -74,6 +82,6 @@ func (h *indexHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reque
|
|||
}
|
||||
}
|
||||
|
||||
func NewIndexHandler(logoutUrl string, serverAddr string) *indexHandler {
|
||||
return &indexHandler{logoutUrl: logoutUrl, serverAddr: serverAddr}
|
||||
func NewIndexHandler(logoutUrl string, serverAddr string, keySet *jwk.Set) *indexHandler {
|
||||
return &indexHandler{logoutUrl: logoutUrl, serverAddr: serverAddr, keySet: keySet}
|
||||
}
|
||||
|
|
|
@ -6,8 +6,7 @@ import (
|
|||
|
||||
"github.com/go-openapi/runtime/client"
|
||||
"github.com/lestrrat-go/jwx/jwk"
|
||||
"github.com/lestrrat-go/jwx/jwt"
|
||||
"github.com/sirupsen/logrus"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"git.cacert.org/oidc_login/app/services"
|
||||
|
@ -17,10 +16,6 @@ const (
|
|||
sessionKeyAccessToken = iota
|
||||
sessionKeyRefreshToken
|
||||
sessionKeyIdToken
|
||||
sessionKeyUserId
|
||||
sessionKeyRoles
|
||||
sessionKeyEmail
|
||||
sessionKeyUsername
|
||||
sessionRedirectTarget
|
||||
)
|
||||
|
||||
|
@ -29,17 +24,24 @@ type oidcCallbackHandler struct {
|
|||
oauth2Config *oauth2.Config
|
||||
}
|
||||
|
||||
func (c *oidcCallbackHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
|
||||
if request.Method != http.MethodGet {
|
||||
http.Error(writer, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
||||
func (c *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodGet {
|
||||
http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
if request.URL.Path != "/callback" {
|
||||
http.NotFound(writer, request)
|
||||
if r.URL.Path != "/callback" {
|
||||
http.NotFound(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
code := request.URL.Query().Get("code")
|
||||
errorText := r.URL.Query().Get("error")
|
||||
errorDescription := r.URL.Query().Get("error_description")
|
||||
if errorText != "" {
|
||||
c.RenderErrorTemplate(w, r, errorText, errorDescription)
|
||||
return
|
||||
}
|
||||
|
||||
code := r.URL.Query().Get("code")
|
||||
|
||||
ctx := context.Background()
|
||||
httpClient, err := client.TLSClient(client.TLSClientOptions{InsecureSkipVerify: true})
|
||||
|
@ -47,28 +49,29 @@ func (c *oidcCallbackHandler) ServeHTTP(writer http.ResponseWriter, request *htt
|
|||
|
||||
tok, err := c.oauth2Config.Exchange(ctx, code)
|
||||
if err != nil {
|
||||
logrus.Error(err)
|
||||
http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
log.Error(err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
session, err := services.GetSessionStore().Get(request, "resource_session")
|
||||
session, err := services.GetSessionStore().Get(r, "resource_session")
|
||||
if err != nil {
|
||||
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
session.Values[sessionKeyAccessToken] = tok.AccessToken
|
||||
session.Values[sessionKeyRefreshToken] = tok.RefreshToken
|
||||
session.Values[sessionKeyIdToken] = tok.Extra("id_token").(string)
|
||||
|
||||
idToken := tok.Extra("id_token")
|
||||
if parsedIdToken, err := jwt.ParseString(idToken.(string), jwt.WithKeySet(c.keySet), jwt.WithOpenIDClaims()); err != nil {
|
||||
logrus.Error(err)
|
||||
http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
idToken := tok.Extra("id_token").(string)
|
||||
session.Values[sessionKeyIdToken] = idToken
|
||||
|
||||
if oidcToken, err := ParseIdToken(idToken, c.keySet); err != nil {
|
||||
log.Error(err)
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
} else {
|
||||
logrus.Infof(`
|
||||
log.Infof(`
|
||||
ID Token
|
||||
========
|
||||
|
||||
|
@ -80,36 +83,33 @@ Not valid before: %s
|
|||
Not valid after: %s
|
||||
|
||||
`,
|
||||
parsedIdToken.Subject(),
|
||||
parsedIdToken.Audience(),
|
||||
parsedIdToken.IssuedAt(),
|
||||
parsedIdToken.Issuer(),
|
||||
parsedIdToken.NotBefore(),
|
||||
parsedIdToken.Expiration(),
|
||||
oidcToken.Subject(),
|
||||
oidcToken.Audience(),
|
||||
oidcToken.IssuedAt(),
|
||||
oidcToken.Issuer(),
|
||||
oidcToken.NotBefore(),
|
||||
oidcToken.Expiration(),
|
||||
)
|
||||
|
||||
session.Values[sessionKeyUserId] = parsedIdToken.Subject()
|
||||
|
||||
if roles, ok := parsedIdToken.Get("Groups"); ok {
|
||||
session.Values[sessionKeyRoles] = roles
|
||||
}
|
||||
if username, ok := parsedIdToken.Get("Username"); ok {
|
||||
session.Values[sessionKeyUsername] = username
|
||||
}
|
||||
if email, ok := parsedIdToken.Get("Email"); ok {
|
||||
session.Values[sessionKeyEmail] = email
|
||||
}
|
||||
}
|
||||
if err = session.Save(request, writer); err != nil {
|
||||
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
||||
|
||||
if err = session.Save(r, w); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
}
|
||||
if redirectTarget, ok := session.Values[sessionRedirectTarget]; ok {
|
||||
writer.Header().Set("Location", redirectTarget.(string))
|
||||
w.Header().Set("Location", redirectTarget.(string))
|
||||
} else {
|
||||
writer.Header().Set("Location", "/")
|
||||
w.Header().Set("Location", "/")
|
||||
}
|
||||
|
||||
writer.WriteHeader(http.StatusFound)
|
||||
w.WriteHeader(http.StatusFound)
|
||||
}
|
||||
|
||||
func (c *oidcCallbackHandler) RenderErrorTemplate(w http.ResponseWriter, r *http.Request, errorText string, errorDescription string) {
|
||||
if errorDescription != "" {
|
||||
http.Error(w, errorDescription, http.StatusForbidden)
|
||||
} else {
|
||||
http.Error(w, errorText, http.StatusForbidden)
|
||||
}
|
||||
}
|
||||
|
||||
func NewCallbackHandler(keySet *jwk.Set, oauth2Config *oauth2.Config) *oidcCallbackHandler {
|
||||
|
|
|
@ -133,7 +133,7 @@ func main() {
|
|||
authMiddleware := handlers.Authenticate(oauth2Config, config.MustString("oidc.client-id"))
|
||||
|
||||
serverAddr := fmt.Sprintf("%s:%d", config.String("server.name"), config.Int("server.port"))
|
||||
indexHandler := handlers.NewIndexHandler(discoveryResponse.EndSessionEndpoint, serverAddr)
|
||||
indexHandler := handlers.NewIndexHandler(discoveryResponse.EndSessionEndpoint, serverAddr, keySet)
|
||||
callbackHandler := handlers.NewCallbackHandler(keySet, oauth2Config)
|
||||
afterLogoutHandler := handlers.NewAfterLogoutHandler(logger)
|
||||
|
||||
|
|
|
@ -86,7 +86,10 @@ func main() {
|
|||
if err != nil {
|
||||
logger.Fatalf("error initializing login handler: %v", err)
|
||||
}
|
||||
consentHandler := handlers.NewConsentHandler(logger, handlerContext)
|
||||
consentHandler, err := handlers.NewConsentHandler(logger, handlerContext)
|
||||
if err != nil {
|
||||
logger.Fatalf("error initializing consent handler: %v", err)
|
||||
}
|
||||
logoutHandler := handlers.NewLogoutHandler(logger, handlerContext)
|
||||
logoutSuccessHandler := handlers.NewLogoutSuccessHandler()
|
||||
errorHandler := handlers.NewErrorHandler()
|
||||
|
|
|
@ -2,40 +2,166 @@ package handlers
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/go-playground/form/v4"
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/lestrrat-go/jwx/jwt/openid"
|
||||
"github.com/nicksnyder/go-i18n/v2/i18n"
|
||||
"github.com/ory/hydra-client-go/client/admin"
|
||||
"github.com/ory/hydra-client-go/models"
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
"git.cacert.org/oidc_login/idp/services"
|
||||
)
|
||||
|
||||
type consentHandler struct {
|
||||
adminClient *admin.Client
|
||||
logger *log.Logger
|
||||
adminClient *admin.Client
|
||||
bundle *i18n.Bundle
|
||||
consentTemplate *template.Template
|
||||
logger *log.Logger
|
||||
messageCatalog *services.MessageCatalog
|
||||
}
|
||||
|
||||
type ConsentInformation struct {
|
||||
ConsentChecked bool `form:"consent"`
|
||||
}
|
||||
|
||||
func (h *consentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
consentChallenge := r.URL.Query().Get("consent_challenge")
|
||||
consentRequest, err := h.adminClient.AcceptConsentRequest(
|
||||
admin.NewAcceptConsentRequestParams().WithConsentChallenge(consentChallenge).WithBody(
|
||||
&models.AcceptConsentRequest{
|
||||
GrantAccessTokenAudience: nil,
|
||||
GrantScope: []string{"openid", "offline"},
|
||||
HandledAt: models.NullTime(time.Now()),
|
||||
Remember: true,
|
||||
RememberFor: 86400,
|
||||
}).WithTimeout(time.Second * 10))
|
||||
challenge := r.URL.Query().Get("consent_challenge")
|
||||
h.logger.Debugf("received consent challenge %s", challenge)
|
||||
accept := r.Header.Get("Accept-Language")
|
||||
localizer := i18n.NewLocalizer(h.bundle, accept)
|
||||
|
||||
// retrieve consent information
|
||||
consentData, err := h.adminClient.GetConsentRequest(
|
||||
admin.NewGetConsentRequestParams().WithConsentChallenge(challenge))
|
||||
if err != nil {
|
||||
h.logger.Panic(err)
|
||||
h.logger.Error("error getting consent information: %v", err)
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
trans := h.messageCatalog.LookupMessage
|
||||
|
||||
// render consent form
|
||||
client := consentData.GetPayload().Client
|
||||
err = h.consentTemplate.Lookup("base").Execute(w, map[string]interface{}{
|
||||
"Title": trans("TitleRequestConsent", nil, localizer),
|
||||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
"errors": map[string]string{},
|
||||
"client": client,
|
||||
"requestedScope": h.mapRequestedScope(consentData.GetPayload().RequestedScope, localizer),
|
||||
"LabelSubmit": trans("LabelSubmit", nil, localizer),
|
||||
"LabelConsent": trans("LabelConsent", nil, localizer),
|
||||
"IntroMoreInformation": template.HTML(trans("IntroConsentMoreInformation", map[string]interface{}{
|
||||
"client": client.ClientName,
|
||||
"clientLink": client.ClientURI,
|
||||
}, localizer)),
|
||||
"IntroConsentRequested": template.HTML(trans("IntroConsentRequested", map[string]interface{}{
|
||||
"client": client.ClientName,
|
||||
}, localizer)),
|
||||
})
|
||||
break
|
||||
case http.MethodPost:
|
||||
var consentInfo ConsentInformation
|
||||
|
||||
// validate input
|
||||
decoder := form.NewDecoder()
|
||||
if err := decoder.Decode(&consentInfo, r.Form); err != nil {
|
||||
h.logger.Error(err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if consentInfo.ConsentChecked {
|
||||
idTokenData := make(map[string]interface{}, 0)
|
||||
|
||||
for _, scope := range consentData.GetPayload().RequestedScope {
|
||||
switch scope {
|
||||
case "email":
|
||||
idTokenData[openid.EmailKey] = "john@theripper.mil"
|
||||
idTokenData[openid.EmailVerifiedKey] = true
|
||||
break
|
||||
case "profile":
|
||||
idTokenData[openid.GivenNameKey] = "John"
|
||||
idTokenData[openid.FamilyNameKey] = "The ripper"
|
||||
idTokenData[openid.MiddleNameKey] = ""
|
||||
idTokenData[openid.NameKey] = "John the Ripper"
|
||||
idTokenData[openid.BirthdateKey] = "1970-01-01"
|
||||
idTokenData[openid.ZoneinfoKey] = "Europe/London"
|
||||
idTokenData[openid.LocaleKey] = "en_UK"
|
||||
idTokenData["https://cacert.localhost/groups"] = []string{"admin", "user"}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
sessionData := &models.ConsentRequestSession{
|
||||
AccessToken: nil,
|
||||
IDToken: idTokenData,
|
||||
}
|
||||
consentRequest, err := h.adminClient.AcceptConsentRequest(
|
||||
admin.NewAcceptConsentRequestParams().WithConsentChallenge(challenge).WithBody(
|
||||
&models.AcceptConsentRequest{
|
||||
GrantAccessTokenAudience: nil,
|
||||
GrantScope: consentData.GetPayload().RequestedScope,
|
||||
HandledAt: models.NullTime(time.Now()),
|
||||
Remember: true,
|
||||
RememberFor: 86400,
|
||||
Session: sessionData,
|
||||
}).WithTimeout(time.Second * 10))
|
||||
if err != nil {
|
||||
h.logger.Error(err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Add("Location", *consentRequest.GetPayload().RedirectTo)
|
||||
w.WriteHeader(http.StatusFound)
|
||||
} else {
|
||||
consentRequest, err := h.adminClient.RejectConsentRequest(
|
||||
admin.NewRejectConsentRequestParams().WithConsentChallenge(challenge).WithBody(
|
||||
&models.RejectRequest{}))
|
||||
if err != nil {
|
||||
h.logger.Error(err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
w.Header().Add("Location", *consentRequest.GetPayload().RedirectTo)
|
||||
w.WriteHeader(http.StatusFound)
|
||||
}
|
||||
}
|
||||
w.Header().Add("Location", *consentRequest.GetPayload().RedirectTo)
|
||||
w.WriteHeader(http.StatusFound)
|
||||
}
|
||||
|
||||
func NewConsentHandler(logger *log.Logger, ctx context.Context) *consentHandler {
|
||||
return &consentHandler{
|
||||
logger: logger,
|
||||
adminClient: ctx.Value(CtxAdminClient).(*admin.Client),
|
||||
}
|
||||
type scopeWithLabel struct {
|
||||
Name string
|
||||
Label string
|
||||
}
|
||||
|
||||
func (h *consentHandler) mapRequestedScope(scope models.StringSlicePipeDelimiter, localizer *i18n.Localizer) []*scopeWithLabel {
|
||||
result := make([]*scopeWithLabel, 0)
|
||||
for _, scopeName := range scope {
|
||||
result = append(result, &scopeWithLabel{Name: scopeName, Label: h.messageCatalog.LookupMessage(
|
||||
fmt.Sprintf("Scope-%s-Description", scopeName), nil, localizer)})
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
func NewConsentHandler(logger *log.Logger, ctx context.Context) (*consentHandler, error) {
|
||||
consentTemplate, err := template.ParseFiles("templates/base.gohtml", "templates/consent.gohtml")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &consentHandler{
|
||||
adminClient: ctx.Value(CtxAdminClient).(*admin.Client),
|
||||
bundle: ctx.Value(services.CtxI18nBundle).(*i18n.Bundle),
|
||||
consentTemplate: consentTemplate,
|
||||
logger: logger,
|
||||
messageCatalog: ctx.Value(services.CtxI18nCatalog).(*services.MessageCatalog),
|
||||
}, nil
|
||||
}
|
||||
|
|
|
@ -2,11 +2,11 @@ package handlers
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/go-openapi/runtime"
|
||||
"github.com/go-playground/form/v4"
|
||||
"github.com/go-playground/validator/v10"
|
||||
"github.com/gorilla/csrf"
|
||||
|
@ -19,13 +19,25 @@ import (
|
|||
)
|
||||
|
||||
type loginHandler struct {
|
||||
loginTemplate *template.Template
|
||||
bundle *i18n.Bundle
|
||||
messageCatalog map[string]*i18n.Message
|
||||
adminClient *admin.Client
|
||||
bundle *i18n.Bundle
|
||||
logger *log.Logger
|
||||
loginTemplate *template.Template
|
||||
messageCatalog *services.MessageCatalog
|
||||
}
|
||||
|
||||
type acrType string
|
||||
|
||||
const (
|
||||
NoCredentials acrType = "none"
|
||||
ClientCertificate acrType = "cert"
|
||||
ClientCertificateOTP acrType = "cert+otp"
|
||||
ClientCertificateToken acrType = "cert+token"
|
||||
Password acrType = "password"
|
||||
PasswordOTP acrType = "password+otp"
|
||||
PasswordToken acrType = "password+token"
|
||||
)
|
||||
|
||||
type LoginInformation struct {
|
||||
Email string `form:"email" validate:"required,email"`
|
||||
Password string `form:"password" validate:"required"`
|
||||
|
@ -34,13 +46,12 @@ type LoginInformation struct {
|
|||
func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
var err error
|
||||
challenge := r.URL.Query().Get("login_challenge")
|
||||
h.logger.Debugf("received challenge %s\n", challenge)
|
||||
h.logger.Debugf("received login challenge %s\n", challenge)
|
||||
validate := validator.New()
|
||||
|
||||
switch r.Method {
|
||||
case http.MethodGet:
|
||||
// GET should render login form
|
||||
|
||||
// render login form
|
||||
err = h.loginTemplate.Lookup("base").Execute(w, map[string]interface{}{
|
||||
"Title": "Title",
|
||||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
|
@ -56,7 +67,6 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
break
|
||||
case http.MethodPost:
|
||||
// POST should perform the action
|
||||
var loginInfo LoginInformation
|
||||
|
||||
// validate input
|
||||
|
@ -72,7 +82,7 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
errors := make(map[string]string)
|
||||
for _, err := range err.(validator.ValidationErrors) {
|
||||
accept := r.Header.Get("Accept-Language")
|
||||
errors[err.Field()] = h.lookupErrorMessage(err.Tag(), err.Field(), err.Value(), i18n.NewLocalizer(h.bundle, accept))
|
||||
errors[err.Field()] = h.messageCatalog.LookupErrorMessage(err.Tag(), err.Field(), err.Value(), i18n.NewLocalizer(h.bundle, accept))
|
||||
}
|
||||
|
||||
err = h.loginTemplate.Lookup("base").Execute(w, map[string]interface{}{
|
||||
|
@ -98,14 +108,15 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
subject := "a-user-with-an-id"
|
||||
loginRequest, err := h.adminClient.AcceptLoginRequest(
|
||||
admin.NewAcceptLoginRequestParams().WithLoginChallenge(challenge).WithBody(&models.AcceptLoginRequest{
|
||||
Acr: "no-creds",
|
||||
Acr: string(NoCredentials),
|
||||
Remember: true,
|
||||
RememberFor: 0,
|
||||
Subject: &subject,
|
||||
}).WithTimeout(time.Second * 10))
|
||||
if err != nil {
|
||||
h.logger.Errorf("error getting logout requests: %v", err)
|
||||
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
||||
h.logger.Errorf("error getting login request: %#v", err)
|
||||
http.Error(w, err.Error(), err.(*runtime.APIError).Code)
|
||||
return
|
||||
}
|
||||
w.Header().Add("Location", *loginRequest.GetPayload().RedirectTo)
|
||||
w.WriteHeader(http.StatusFound)
|
||||
|
@ -116,45 +127,16 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
|
||||
func (h *loginHandler) lookupErrorMessage(tag string, field string, value interface{}, l *i18n.Localizer) string {
|
||||
var message *i18n.Message
|
||||
message, ok := h.messageCatalog[fmt.Sprintf("%s-%s", field, tag)]
|
||||
if !ok {
|
||||
h.logger.Infof("no specific error message %s-%s", field, tag)
|
||||
message, ok = h.messageCatalog[tag]
|
||||
if !ok {
|
||||
h.logger.Infof("no specific error message %s", tag)
|
||||
message, ok = h.messageCatalog["unknown"]
|
||||
if !ok {
|
||||
h.logger.Error("no default translation found")
|
||||
return tag
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
translation, err := l.Localize(&i18n.LocalizeConfig{
|
||||
DefaultMessage: message,
|
||||
TemplateData: map[string]interface{}{
|
||||
"Value": value,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
h.logger.Error(err)
|
||||
return tag
|
||||
}
|
||||
return translation
|
||||
}
|
||||
|
||||
func NewLoginHandler(logger *log.Logger, ctx context.Context) (*loginHandler, error) {
|
||||
loginTemplate, err := template.ParseFiles("templates/base.html", "templates/login.html")
|
||||
loginTemplate, err := template.ParseFiles("templates/base.gohtml", "templates/login.gohtml")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &loginHandler{
|
||||
adminClient: ctx.Value(CtxAdminClient).(*admin.Client),
|
||||
bundle: ctx.Value(services.CtxI18nBundle).(*i18n.Bundle),
|
||||
logger: logger,
|
||||
loginTemplate: loginTemplate,
|
||||
bundle: ctx.Value(services.CtxI18nBundle).(*i18n.Bundle),
|
||||
messageCatalog: ctx.Value(services.CtxI18nCatalog).(map[string]*i18n.Message),
|
||||
adminClient: ctx.Value(CtxAdminClient).(*admin.Client),
|
||||
messageCatalog: ctx.Value(services.CtxI18nCatalog).(*services.MessageCatalog),
|
||||
}, nil
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@ package services
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/BurntSushi/toml"
|
||||
"github.com/nicksnyder/go-i18n/v2/i18n"
|
||||
|
@ -16,6 +17,56 @@ const (
|
|||
CtxI18nCatalog
|
||||
)
|
||||
|
||||
type MessageCatalog struct {
|
||||
messages map[string]*i18n.Message
|
||||
logger *log.Logger
|
||||
}
|
||||
|
||||
func (m *MessageCatalog) LookupErrorMessage(tag string, field string, value interface{}, localizer *i18n.Localizer) string {
|
||||
var message *i18n.Message
|
||||
message, ok := m.messages[fmt.Sprintf("%s-%s", field, tag)]
|
||||
if !ok {
|
||||
m.logger.Infof("no specific error message %s-%s", field, tag)
|
||||
message, ok = m.messages[tag]
|
||||
if !ok {
|
||||
m.logger.Infof("no specific error message %s", tag)
|
||||
message, ok = m.messages["unknown"]
|
||||
if !ok {
|
||||
m.logger.Error("no default translation found")
|
||||
return tag
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
translation, err := localizer.Localize(&i18n.LocalizeConfig{
|
||||
DefaultMessage: message,
|
||||
TemplateData: map[string]interface{}{
|
||||
"Value": value,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
m.logger.Error(err)
|
||||
return tag
|
||||
}
|
||||
return translation
|
||||
}
|
||||
|
||||
func (m *MessageCatalog) LookupMessage(id string, templateData map[string]interface{}, localizer *i18n.Localizer) string {
|
||||
if message, ok := m.messages[id]; ok {
|
||||
translation, err := localizer.Localize(&i18n.LocalizeConfig{
|
||||
DefaultMessage: message,
|
||||
TemplateData: templateData,
|
||||
})
|
||||
if err != nil {
|
||||
m.logger.Error(err)
|
||||
return id
|
||||
}
|
||||
return translation
|
||||
} else {
|
||||
return id
|
||||
}
|
||||
}
|
||||
|
||||
func InitI18n(ctx context.Context, logger *log.Logger) context.Context {
|
||||
bundle := i18n.NewBundle(language.English)
|
||||
bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
|
||||
|
@ -23,33 +74,69 @@ func InitI18n(ctx context.Context, logger *log.Logger) context.Context {
|
|||
if err != nil {
|
||||
logger.Warnln("message bundle de.toml not found")
|
||||
}
|
||||
catalog := initMessageCatalog()
|
||||
catalog := initMessageCatalog(logger)
|
||||
ctx = context.WithValue(ctx, CtxI18nBundle, bundle)
|
||||
ctx = context.WithValue(ctx, CtxI18nCatalog, catalog)
|
||||
return ctx
|
||||
}
|
||||
|
||||
func initMessageCatalog() map[string]*i18n.Message {
|
||||
messageCatalog := make(map[string]*i18n.Message)
|
||||
messageCatalog["unknown"] = &i18n.Message{
|
||||
func initMessageCatalog(logger *log.Logger) *MessageCatalog {
|
||||
messages := make(map[string]*i18n.Message)
|
||||
messages["unknown"] = &i18n.Message{
|
||||
ID: "ErrorUnknown",
|
||||
Other: "Unknown error",
|
||||
}
|
||||
messageCatalog["email"] = &i18n.Message{
|
||||
messages["email"] = &i18n.Message{
|
||||
ID: "ErrorEmail",
|
||||
Other: "Please enter a valid email address.",
|
||||
}
|
||||
messageCatalog["Email-required"] = &i18n.Message{
|
||||
messages["Email-required"] = &i18n.Message{
|
||||
ID: "ErrorEmailRequired",
|
||||
Other: "Please enter an email address.",
|
||||
}
|
||||
messageCatalog["required"] = &i18n.Message{
|
||||
messages["required"] = &i18n.Message{
|
||||
ID: "ErrorRequired",
|
||||
Other: "Please enter a value",
|
||||
}
|
||||
messageCatalog["Password-required"] = &i18n.Message{
|
||||
messages["Password-required"] = &i18n.Message{
|
||||
ID: "ErrorPasswordRequired",
|
||||
Other: "Please enter a password.",
|
||||
}
|
||||
return messageCatalog
|
||||
messages["TitleRequestConsent"] = &i18n.Message{
|
||||
ID: "TitleRequestConsent",
|
||||
Other: "Application requests your consent",
|
||||
}
|
||||
messages["LabelSubmit"] = &i18n.Message{
|
||||
ID: "LabelSubmit",
|
||||
Other: "Submit",
|
||||
}
|
||||
messages["LabelConsent"] = &i18n.Message{
|
||||
ID: "LabelConsent",
|
||||
Other: "I hereby agree that the application may get the requested permissions.",
|
||||
}
|
||||
messages["IntroConsentRequested"] = &i18n.Message{
|
||||
ID: "IntroConsentRequested",
|
||||
Other: "The <strong>{{ .client }}</strong> application wants your consent for the requested set of permissions.",
|
||||
}
|
||||
messages["IntroConsentMoreInformation"] = &i18n.Message{
|
||||
ID: "IntroConsentMoreInformation",
|
||||
Other: "You can find more information about <strong>{{ .client }}</strong> at <a href=\"{{ .clientLink }}\">its description page</a>.",
|
||||
}
|
||||
messages["Scope-openid-Description"] = &i18n.Message{
|
||||
ID: "Scope-openid-Description",
|
||||
Other: "Request information about your identity.",
|
||||
}
|
||||
messages["Scope-offline_access-Description"] = &i18n.Message{
|
||||
ID: "Scope-offline_access-Description",
|
||||
Other: "Keep access to your information until you revoke the permission.",
|
||||
}
|
||||
messages["Scope-profile-Description"] = &i18n.Message{
|
||||
ID: "Scope-profile-Description",
|
||||
Other: "Access your user profile information including your name, birth date and locale.",
|
||||
}
|
||||
messages["Scope-email-Description"] = &i18n.Message{
|
||||
ID: "Scope-email-Description",
|
||||
Other: "Access your primary email address.",
|
||||
}
|
||||
return &MessageCatalog{messages: messages, logger: logger}
|
||||
}
|
||||
|
|
10
templates/base.gohtml
Normal file
10
templates/base.gohtml
Normal file
|
@ -0,0 +1,10 @@
|
|||
{{ define "base" }}
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head><title>{{ .Title }}</title></head>
|
||||
<body>
|
||||
<h1>{{ .Title }}</h1>
|
||||
{{ template "content" . }}
|
||||
</body>
|
||||
</html>
|
||||
{{ end }}
|
|
@ -1,10 +0,0 @@
|
|||
{{ define "base" }}
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head><title>{{ .Title }}</title></head>
|
||||
<body>
|
||||
<h1>{{ .Title }}</h1>
|
||||
{{ template "content" . }}
|
||||
</body>
|
||||
</html>
|
||||
{{ end }}
|
24
templates/consent.gohtml
Normal file
24
templates/consent.gohtml
Normal file
|
@ -0,0 +1,24 @@
|
|||
{{ define "content" }}
|
||||
<p>{{ .IntroConsentRequested }}</p>
|
||||
{{ if .client.LogoURI }}
|
||||
<p>
|
||||
<img src="{{ .client.LogoURI }}" alt="{{ .client.ClientName }}"/>
|
||||
</p>
|
||||
{{ end }}
|
||||
<p>{{ .IntroMoreInformation }}</p>
|
||||
<form method="post">
|
||||
{{ .csrfField }}
|
||||
<ul>
|
||||
{{ range .requestedScope }}
|
||||
<li>{{ .Label }}</li>
|
||||
{{ end }}
|
||||
</ul>
|
||||
|
||||
<p>
|
||||
<input type="checkbox" name="consent" id="consent" value="true"/> <label
|
||||
for="consent">{{ .LabelConsent }}</label>
|
||||
</p>
|
||||
|
||||
<button type="submit">{{ .LabelSubmit }}</button>
|
||||
</form>
|
||||
{{ end }}
|
Reference in a new issue