cc-backend/internal/auth/oidc.go

// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
// All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package auth

import (
	"context"
	"log"
	"net/http"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/gorilla/mux"
	"golang.org/x/oauth2"
)

type OIDC struct {
	client       *oauth2.Config
	provider     *oidc.Provider
	state        string
	codeVerifier string
}

func (oa *OIDC) Init(r *mux.Router) error {
	oa.client = &oauth2.Config{
		ClientID:     "YOUR_CLIENT_ID",
		ClientSecret: "YOUR_CLIENT_SECRET",
		Endpoint: oauth2.Endpoint{
			AuthURL:  "https://provider.com/o/oauth2/auth",
			TokenURL: "https://provider.com/o/oauth2/token",
		},
	}

	provider, err := oidc.NewProvider(context.Background(), "https://provider")
	if err != nil {
		log.Fatal(err)
	}

	oa.provider = provider

	r.HandleFunc("/oidc-login", oa.OAuth2Login)
	r.HandleFunc("/oidc-callback", oa.OAuth2Callback)

	return nil
}

func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
	_ = r.ParseForm()
	state := r.Form.Get("state")
	if state != oa.state {
		http.Error(rw, "State invalid", http.StatusBadRequest)
		return
	}
	code := r.Form.Get("code")
	if code == "" {
		http.Error(rw, "Code not found", http.StatusBadRequest)
		return
	}
	token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(oa.codeVerifier))
	if err != nil {
		http.Error(rw, err.Error(), http.StatusInternalServerError)
		return
	}
}

func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
	// use PKCE to protect against CSRF attacks
	oa.codeVerifier = oauth2.GenerateVerifier()

	// Redirect user to consent page to ask for permission
	url := oa.client.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oa.codeVerifier))
	http.Redirect(rw, r, url, http.StatusFound)
}
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.`
			`// All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`
			`package auth`

			`import (`
			`"context"`
			`"log"`
			`"net/http"`

			`"github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/gorilla/mux"`
			`"golang.org/x/oauth2"`
			`)`

			`type OIDC struct {`
			`client *oauth2.Config`
			`provider *oidc.Provider`
			`state string`
			`codeVerifier string`
			`}`

			`func (oa OIDC) Init(r mux.Router) error {`
			`oa.client = &oauth2.Config{`
			`ClientID: "YOUR_CLIENT_ID",`
			`ClientSecret: "YOUR_CLIENT_SECRET",`
			`Endpoint: oauth2.Endpoint{`
			`AuthURL: "https://provider.com/o/oauth2/auth",`
			`TokenURL: "https://provider.com/o/oauth2/token",`
			`},`
			`}`

			`provider, err := oidc.NewProvider(context.Background(), "https://provider")`
			`if err != nil {`
			`log.Fatal(err)`
			`}`

			`oa.provider = provider`

			`r.HandleFunc("/oidc-login", oa.OAuth2Login)`
			`r.HandleFunc("/oidc-callback", oa.OAuth2Callback)`

			`return nil`
			`}`

			`func (oa OIDC) OAuth2Callback(rw http.ResponseWriter, r http.Request) {`
			`_ = r.ParseForm()`
			`state := r.Form.Get("state")`
			`if state != oa.state {`
			`http.Error(rw, "State invalid", http.StatusBadRequest)`
			`return`
			`}`
			`code := r.Form.Get("code")`
			`if code == "" {`
			`http.Error(rw, "Code not found", http.StatusBadRequest)`
			`return`
			`}`
			`token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(oa.codeVerifier))`
			`if err != nil {`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`}`

			`func (oa OIDC) OAuth2Login(rw http.ResponseWriter, r http.Request) {`
			`// use PKCE to protect against CSRF attacks`
			`oa.codeVerifier = oauth2.GenerateVerifier()`

			`// Redirect user to consent page to ask for permission`
			`url := oa.client.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oa.codeVerifier))`
			`http.Redirect(rw, r, url, http.StatusFound)`
			`}`