Add initial code for oidc authentication support

2025-07-23 04:51:39 +02:00 · 2024-03-13 09:37:12 +01:00
parent 5004e44934
commit f761900a3e
4 changed files with 110 additions and 17 deletions
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -27,18 +27,18 @@ type Authenticator interface {
 }

 type Authentication struct {
-	sessionStore  *sessions.CookieStore
-	SessionMaxAge time.Duration
-
-	authenticators []Authenticator
+	sessionStore   *sessions.CookieStore
 	LdapAuth       *LdapAuthenticator
 	JwtAuth        *JWTAuthenticator
 	LocalAuth      *LocalAuthenticator
+	authenticators []Authenticator
+	SessionMaxAge  time.Duration
 }

 func (auth *Authentication) AuthViaSession(
 	rw http.ResponseWriter,
-	r *http.Request) (*schema.User, error) {
+	r *http.Request,
+) (*schema.User, error) {
 	session, err := auth.sessionStore.Get(r, "session")
 	if err != nil {
 		log.Error("Error while getting session store")
@@ -131,8 +131,8 @@ func Init() (*Authentication, error) {

 func (auth *Authentication) Login(
 	onsuccess http.Handler,
-	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error)) http.Handler {
-
+	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error),
+) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		username := r.FormValue("username")
 		var dbUser *schema.User
@@ -193,10 +193,9 @@ func (auth *Authentication) Login(

 func (auth *Authentication) Auth(
 	onsuccess http.Handler,
-	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error)) http.Handler {
-
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-
 		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
 		if err != nil {
 			log.Infof("authentication failed: %s", err.Error())
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -0,0 +1,73 @@
+// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"context"
+	"log"
+	"net/http"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gorilla/mux"
+	"golang.org/x/oauth2"
+)
+
+type OIDC struct {
+	client       *oauth2.Config
+	provider     *oidc.Provider
+	state        string
+	codeVerifier string
+}
+
+func (oa *OIDC) Init(r *mux.Router) error {
+	oa.client = &oauth2.Config{
+		ClientID:     "YOUR_CLIENT_ID",
+		ClientSecret: "YOUR_CLIENT_SECRET",
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://provider.com/o/oauth2/auth",
+			TokenURL: "https://provider.com/o/oauth2/token",
+		},
+	}
+
+	provider, err := oidc.NewProvider(context.Background(), "https://provider")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	oa.provider = provider
+
+	r.HandleFunc("/oidc-login", oa.OAuth2Login)
+	r.HandleFunc("/oidc-callback", oa.OAuth2Callback)
+
+	return nil
+}
+
+func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
+	_ = r.ParseForm()
+	state := r.Form.Get("state")
+	if state != oa.state {
+		http.Error(rw, "State invalid", http.StatusBadRequest)
+		return
+	}
+	code := r.Form.Get("code")
+	if code == "" {
+		http.Error(rw, "Code not found", http.StatusBadRequest)
+		return
+	}
+	token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(oa.codeVerifier))
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusInternalServerError)
+		return
+	}
+}
+
+func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
+	// use PKCE to protect against CSRF attacks
+	oa.codeVerifier = oauth2.GenerateVerifier()
+
+	// Redirect user to consent page to ask for permission
+	url := oa.client.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oa.codeVerifier))
+	http.Redirect(rw, r, url, http.StatusFound)
+}