ClusterCockpit/cc-backend
1
0
Fork 0
mirror of https://github.com/ClusterCockpit/cc-backend synced 2025-07-23 12:51:40 +02:00
Code Issues Packages Releases Activity

Add initial code for oidc authentication support

Browse Source
This commit is contained in:
Jan Eitzinger
2024-03-13 09:37:12 +01:00
parent 5004e44934
commit f761900a3e
4 changed files with 110 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
internal/auth/oidc.go Normal file
View File

@@ -0,0 +1,73 @@
// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
// All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package auth
import (
"context"
"log"
"net/http"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gorilla/mux"
"golang.org/x/oauth2"
)
type OIDC struct {
client *oauth2.Config
provider *oidc.Provider
state string
codeVerifier string
}
func (oa *OIDC) Init(r *mux.Router) error {
oa.client = &oauth2.Config{
ClientID: "YOUR_CLIENT_ID",
ClientSecret: "YOUR_CLIENT_SECRET",
Endpoint: oauth2.Endpoint{
AuthURL: "https://provider.com/o/oauth2/auth",
TokenURL: "https://provider.com/o/oauth2/token",
},
}
provider, err := oidc.NewProvider(context.Background(), "https://provider")
if err != nil {
log.Fatal(err)
}
oa.provider = provider
r.HandleFunc("/oidc-login", oa.OAuth2Login)
r.HandleFunc("/oidc-callback", oa.OAuth2Callback)
return nil
}
func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
_ = r.ParseForm()
state := r.Form.Get("state")
if state != oa.state {
http.Error(rw, "State invalid", http.StatusBadRequest)
return
}
code := r.Form.Get("code")
if code == "" {
http.Error(rw, "Code not found", http.StatusBadRequest)
return
}
token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(oa.codeVerifier))
if err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
return
}
}
func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
// use PKCE to protect against CSRF attacks
oa.codeVerifier = oauth2.GenerateVerifier()
// Redirect user to consent page to ask for permission
url := oa.client.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oa.codeVerifier))
http.Redirect(rw, r, url, http.StatusFound)
}