Use oauth2.AuthCodeURL to simplify Authenticate

9 months ago · 815c8e792a
parent 7ec9e393e0
commit 815c8e792a
3 changed files with 9 additions and 24 deletions
--- a/cmd/app/main.go
+++ b/cmd/app/main.go
@ -140,7 +140,7 @@ func main() {
 	sessionPath, sessionAuthKey, sessionEncKey := configureSessionParameters(config)
 	services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey)

-	authMiddleware := handlers.Authenticate(logger, oidcInfo.OAuth2Config, oidcClientID)
+	authMiddleware := handlers.Authenticate(oidcInfo.OAuth2Config)

 	publicURL := buildPublicURL(config.MustString("server.name"), config.MustInt("server.port"))

--- a/internal/handlers/common.go
+++ b/internal/handlers/common.go
@ -18,19 +18,14 @@ limitations under the License.
 package handlers

 import (
-	"bytes"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/url"

 	"github.com/gorilla/sessions"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
-	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"

-	"code.cacert.org/cacert/oidc-demo-app/internal/models"
 	"code.cacert.org/cacert/oidc-demo-app/internal/services"
 )

@ -39,7 +34,7 @@ const (
 	sessionName               = "resource_app"
 )

-func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID string) func(http.Handler) http.Handler {
+func Authenticate(oauth2Config *oauth2.Config) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			session, err := GetSession(r)
@ -63,28 +58,17 @@ func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID stri
 				return
 			}

-			var authURL *url.URL
+			authURL := oauth2Config.AuthCodeURL(
+				base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength)),
+			)

-			if authURL, err = url.Parse(oauth2Config.Endpoint.AuthURL); err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-
-				return
-			}
-
-			queryValues := authURL.Query()
-			queryValues.Set("client_id", clientID)
-			queryValues.Set("response_type", "code")
-			queryValues.Set("scope", "openid profile email cacert_groups")
-			queryValues.Set("state", base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength)))
-			queryValues.Set("claims", getRequestedClaims(logger))
-			authURL.RawQuery = queryValues.Encode()
-
-			w.Header().Set("Location", authURL.String())
+			w.Header().Set("Location", authURL)
 			w.WriteHeader(http.StatusFound)
 		})
 	}
 }

+/*
 func getRequestedClaims(logger *log.Logger) string {
 	claims := make(models.OIDCClaimsRequest)
 	claims["userinfo"] = make(models.ClaimElement)
@ -102,6 +86,7 @@ func getRequestedClaims(logger *log.Logger) string {

 	return buf.String()
 }
+*/

 func GetSession(r *http.Request) (*sessions.Session, error) {
 	session, err := services.GetSessionStore().Get(r, sessionName)
--- a/internal/services/oidc.go
+++ b/internal/services/oidc.go
@ -104,7 +104,7 @@ func DiscoverOIDC(logger *log.Logger, params *OidcParams) (*OIDCInformation, err
 			AuthURL:  discoveryResponse.AuthorizationEndpoint,
 			TokenURL: discoveryResponse.TokenEndpoint,
 		},
-		Scopes: []string{"openid", "offline"},
+		Scopes: []string{"openid", "email", "profile"},
 	}

 	const jwkFetchTimeout = 10 * time.Second