2023-10-01 21:44:49 +01:00
|
|
|
package issuer
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
2023-10-03 23:20:28 +01:00
|
|
|
"github.com/1f349/lavender/utils"
|
2023-10-03 01:14:25 +01:00
|
|
|
"golang.org/x/oauth2"
|
2023-10-01 21:44:49 +01:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"slices"
|
2023-10-03 23:20:28 +01:00
|
|
|
"strings"
|
2023-10-01 21:44:49 +01:00
|
|
|
)
|
|
|
|
|
2023-10-04 14:51:38 +01:00
|
|
|
var httpGet = http.Get
|
|
|
|
|
2023-10-01 21:44:49 +01:00
|
|
|
// SsoConfig is the base URL for an OAUTH/OPENID/SSO login service
|
|
|
|
// The path `/.well-known/openid-configuration` should be available
|
|
|
|
type SsoConfig struct {
|
2023-10-09 00:04:28 +01:00
|
|
|
Addr utils.JsonUrl `json:"addr"` // https://login.example.com
|
|
|
|
Namespace string `json:"namespace"` // example.com
|
|
|
|
Client SsoConfigClient `json:"client"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type SsoConfigClient struct {
|
|
|
|
ID string `json:"id"`
|
|
|
|
Secret string `json:"secret"`
|
|
|
|
Scopes []string `json:"scopes"`
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s SsoConfig) FetchConfig() (*WellKnownOIDC, error) {
|
2023-10-03 23:20:28 +01:00
|
|
|
// generate openid config url
|
|
|
|
u := s.Addr.String()
|
|
|
|
if !strings.HasSuffix(u, "/") {
|
|
|
|
u += "/"
|
|
|
|
}
|
|
|
|
u += ".well-known/openid-configuration"
|
|
|
|
|
|
|
|
// fetch metadata
|
2023-10-04 14:51:38 +01:00
|
|
|
get, err := httpGet(u)
|
2023-10-01 21:44:49 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer get.Body.Close()
|
|
|
|
|
|
|
|
var c WellKnownOIDC
|
|
|
|
err = json.NewDecoder(get.Body).Decode(&c)
|
2023-10-04 14:51:38 +01:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-10-04 21:53:20 +01:00
|
|
|
c.Config = s
|
2023-10-04 14:51:38 +01:00
|
|
|
c.OAuth2Config = oauth2.Config{
|
|
|
|
ClientID: c.Config.Client.ID,
|
|
|
|
ClientSecret: c.Config.Client.Secret,
|
|
|
|
Endpoint: oauth2.Endpoint{
|
|
|
|
AuthURL: c.AuthorizationEndpoint,
|
|
|
|
TokenURL: c.TokenEndpoint,
|
|
|
|
AuthStyle: oauth2.AuthStyleInHeader,
|
|
|
|
},
|
|
|
|
Scopes: c.Config.Client.Scopes,
|
|
|
|
}
|
|
|
|
return &c, nil
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
type WellKnownOIDC struct {
|
2023-10-04 14:51:38 +01:00
|
|
|
Config SsoConfig `json:"-"`
|
|
|
|
Issuer string `json:"issuer"`
|
|
|
|
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
|
|
|
TokenEndpoint string `json:"token_endpoint"`
|
|
|
|
UserInfoEndpoint string `json:"userinfo_endpoint"`
|
|
|
|
ResponseTypesSupported []string `json:"response_types_supported"`
|
|
|
|
ScopesSupported []string `json:"scopes_supported"`
|
|
|
|
ClaimsSupported []string `json:"claims_supported"`
|
|
|
|
GrantTypesSupported []string `json:"grant_types_supported"`
|
|
|
|
OAuth2Config oauth2.Config `json:"-"`
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (o WellKnownOIDC) Validate() error {
|
|
|
|
if o.Issuer == "" {
|
|
|
|
return errors.New("missing issuer")
|
|
|
|
}
|
|
|
|
|
|
|
|
// check URLs are valid
|
|
|
|
if _, err := url.Parse(o.AuthorizationEndpoint); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if _, err := url.Parse(o.TokenEndpoint); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if _, err := url.Parse(o.UserInfoEndpoint); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// check oidc supported values
|
|
|
|
if !slices.Contains(o.ResponseTypesSupported, "code") {
|
|
|
|
return errors.New("missing required response type 'code'")
|
|
|
|
}
|
|
|
|
if !slices.Contains(o.ScopesSupported, "openid") {
|
|
|
|
return errors.New("missing required scope 'openid'")
|
|
|
|
}
|
|
|
|
requiredClaims := []string{"sub", "name", "preferred_username", "email", "email_verified"}
|
|
|
|
for _, i := range requiredClaims {
|
|
|
|
if !slices.Contains(o.ClaimsSupported, i) {
|
|
|
|
return fmt.Errorf("missing required claim '%s'", i)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// oidc valid
|
|
|
|
return nil
|
|
|
|
}
|
2023-10-03 01:14:25 +01:00
|
|
|
|
2023-10-03 23:20:28 +01:00
|
|
|
func (o WellKnownOIDC) ValidReturnUrl(u *url.URL) bool {
|
2023-10-04 14:51:38 +01:00
|
|
|
return o.Config.Addr.Scheme == u.Scheme && o.Config.Addr.Host == u.Host
|
2023-10-03 23:20:28 +01:00
|
|
|
}
|