Extend oidc auth provider

This commit is contained in:
Jan Eitzinger 2024-03-13 17:09:36 +01:00
parent f761900a3e
commit e92e727279
2 changed files with 69 additions and 26 deletions

View File

@ -74,8 +74,8 @@ func (la *LdapAuthenticator) CanLogin(
user *schema.User, user *schema.User,
username string, username string,
rw http.ResponseWriter, rw http.ResponseWriter,
r *http.Request) (*schema.User, bool) { r *http.Request,
) (*schema.User, bool) {
lc := config.Keys.LdapConfig lc := config.Keys.LdapConfig
if user != nil { if user != nil {
@ -138,8 +138,8 @@ func (la *LdapAuthenticator) CanLogin(
func (la *LdapAuthenticator) Login( func (la *LdapAuthenticator) Login(
user *schema.User, user *schema.User,
rw http.ResponseWriter, rw http.ResponseWriter,
r *http.Request) (*schema.User, error) { r *http.Request,
) (*schema.User, error) {
l, err := la.getLdapConnection(false) l, err := la.getLdapConnection(false)
if err != nil { if err != nil {
log.Warn("Error while getting ldap connection") log.Warn("Error while getting ldap connection")
@ -238,7 +238,6 @@ func (la *LdapAuthenticator) Sync() error {
} }
func (la *LdapAuthenticator) getLdapConnection(admin bool) (*ldap.Conn, error) { func (la *LdapAuthenticator) getLdapConnection(admin bool) (*ldap.Conn, error) {
lc := config.Keys.LdapConfig lc := config.Keys.LdapConfig
conn, err := ldap.DialURL(lc.Url) conn, err := ldap.DialURL(lc.Url)
if err != nil { if err != nil {

View File

@ -6,9 +6,15 @@ package auth
import ( import (
"context" "context"
"crypto/rand"
"encoding/base64"
"io"
"log" "log"
"net/http" "net/http"
"strings"
"time"
"github.com/ClusterCockpit/cc-backend/internal/config"
"github.com/coreos/go-oidc/v3/oidc" "github.com/coreos/go-oidc/v3/oidc"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"golang.org/x/oauth2" "golang.org/x/oauth2"
@ -17,27 +23,42 @@ import (
type OIDC struct { type OIDC struct {
client *oauth2.Config client *oauth2.Config
provider *oidc.Provider provider *oidc.Provider
state string }
codeVerifier string
func randString(nByte int) (string, error) {
b := make([]byte, nByte)
if _, err := io.ReadFull(rand.Reader, b); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b), nil
}
func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
c := &http.Cookie{
Name: name,
Value: value,
MaxAge: int(time.Hour.Seconds()),
Secure: r.TLS != nil,
HttpOnly: true,
}
http.SetCookie(w, c)
} }
func (oa *OIDC) Init(r *mux.Router) error { func (oa *OIDC) Init(r *mux.Router) error {
oa.client = &oauth2.Config{
ClientID: "YOUR_CLIENT_ID",
ClientSecret: "YOUR_CLIENT_SECRET",
Endpoint: oauth2.Endpoint{
AuthURL: "https://provider.com/o/oauth2/auth",
TokenURL: "https://provider.com/o/oauth2/token",
},
}
provider, err := oidc.NewProvider(context.Background(), "https://provider") provider, err := oidc.NewProvider(context.Background(), "https://provider")
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
oa.provider = provider oa.provider = provider
oa.client = &oauth2.Config{
ClientID: "YOUR_CLIENT_ID",
ClientSecret: "YOUR_CLIENT_SECRET",
Endpoint: provider.Endpoint(),
RedirectURL: "https://" + config.Keys.Addr + "/oidc-callback",
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
r.HandleFunc("/oidc-login", oa.OAuth2Login) r.HandleFunc("/oidc-login", oa.OAuth2Login)
r.HandleFunc("/oidc-callback", oa.OAuth2Callback) r.HandleFunc("/oidc-callback", oa.OAuth2Callback)
@ -45,9 +66,18 @@ func (oa *OIDC) Init(r *mux.Router) error {
} }
func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) { func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
c, err := r.Cookie("state")
if err != nil {
http.Error(rw, "state not found", http.StatusBadRequest)
return
}
str := strings.Split(c.Value, " ")
state := str[0]
codeVerifier := str[1]
_ = r.ParseForm() _ = r.ParseForm()
state := r.Form.Get("state") if r.Form.Get("state") != state {
if state != oa.state {
http.Error(rw, "State invalid", http.StatusBadRequest) http.Error(rw, "State invalid", http.StatusBadRequest)
return return
} }
@ -56,18 +86,32 @@ func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
http.Error(rw, "Code not found", http.StatusBadRequest) http.Error(rw, "Code not found", http.StatusBadRequest)
return return
} }
token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(oa.codeVerifier)) token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(codeVerifier))
if err != nil { if err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError) http.Error(rw, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
return
}
userInfo, err := oa.provider.UserInfo(context.Background(), oauth2.StaticTokenSource(token))
if err != nil {
http.Error(rw, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
return return
} }
} }
func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) { func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
state, err := randString(16)
if err != nil {
http.Error(rw, "Internal error", http.StatusInternalServerError)
return
}
// use PKCE to protect against CSRF attacks // use PKCE to protect against CSRF attacks
oa.codeVerifier = oauth2.GenerateVerifier() codeVerifier := oauth2.GenerateVerifier()
setCallbackCookie(rw, r, "state", strings.Join([]string{state, codeVerifier}, " "))
// Redirect user to consent page to ask for permission // Redirect user to consent page to ask for permission
url := oa.client.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oa.codeVerifier)) url := oa.client.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(codeVerifier))
http.Redirect(rw, r, url, http.StatusFound) http.Redirect(rw, r, url, http.StatusFound)
} }