From 815c8e792a5be21c0d4bb71526153b4cd4fea9cb Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Thu, 3 Aug 2023 23:54:03 +0200 Subject: [PATCH] Use oauth2.AuthCodeURL to simplify Authenticate --- cmd/app/main.go | 2 +- internal/handlers/common.go | 29 +++++++---------------------- internal/services/oidc.go | 2 +- 3 files changed, 9 insertions(+), 24 deletions(-) diff --git a/cmd/app/main.go b/cmd/app/main.go index 6b01b17..6a3e7b6 100644 --- a/cmd/app/main.go +++ b/cmd/app/main.go @@ -140,7 +140,7 @@ func main() { sessionPath, sessionAuthKey, sessionEncKey := configureSessionParameters(config) services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey) - authMiddleware := handlers.Authenticate(logger, oidcInfo.OAuth2Config, oidcClientID) + authMiddleware := handlers.Authenticate(oidcInfo.OAuth2Config) publicURL := buildPublicURL(config.MustString("server.name"), config.MustInt("server.port")) diff --git a/internal/handlers/common.go b/internal/handlers/common.go index 49a751e..01924e9 100644 --- a/internal/handlers/common.go +++ b/internal/handlers/common.go @@ -18,19 +18,14 @@ limitations under the License. package handlers import ( - "bytes" "encoding/base64" - "encoding/json" "fmt" "net/http" - "net/url" "github.com/gorilla/sessions" "github.com/nicksnyder/go-i18n/v2/i18n" - log "github.com/sirupsen/logrus" "golang.org/x/oauth2" - "code.cacert.org/cacert/oidc-demo-app/internal/models" "code.cacert.org/cacert/oidc-demo-app/internal/services" ) @@ -39,7 +34,7 @@ const ( sessionName = "resource_app" ) -func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID string) func(http.Handler) http.Handler { +func Authenticate(oauth2Config *oauth2.Config) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { session, err := GetSession(r) @@ -63,28 +58,17 @@ func Authenticate(logger *log.Logger, oauth2Config *oauth2.Config, clientID stri return } - var authURL *url.URL + authURL := oauth2Config.AuthCodeURL( + base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength)), + ) - if authURL, err = url.Parse(oauth2Config.Endpoint.AuthURL); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - - return - } - - queryValues := authURL.Query() - queryValues.Set("client_id", clientID) - queryValues.Set("response_type", "code") - queryValues.Set("scope", "openid profile email cacert_groups") - queryValues.Set("state", base64.URLEncoding.EncodeToString(services.GenerateKey(oauth2RedirectStateLength))) - queryValues.Set("claims", getRequestedClaims(logger)) - authURL.RawQuery = queryValues.Encode() - - w.Header().Set("Location", authURL.String()) + w.Header().Set("Location", authURL) w.WriteHeader(http.StatusFound) }) } } +/* func getRequestedClaims(logger *log.Logger) string { claims := make(models.OIDCClaimsRequest) claims["userinfo"] = make(models.ClaimElement) @@ -102,6 +86,7 @@ func getRequestedClaims(logger *log.Logger) string { return buf.String() } +*/ func GetSession(r *http.Request) (*sessions.Session, error) { session, err := services.GetSessionStore().Get(r, sessionName) diff --git a/internal/services/oidc.go b/internal/services/oidc.go index 40e918d..6f72d89 100644 --- a/internal/services/oidc.go +++ b/internal/services/oidc.go @@ -104,7 +104,7 @@ func DiscoverOIDC(logger *log.Logger, params *OidcParams) (*OIDCInformation, err AuthURL: discoveryResponse.AuthorizationEndpoint, TokenURL: discoveryResponse.TokenEndpoint, }, - Scopes: []string{"openid", "offline"}, + Scopes: []string{"openid", "email", "profile"}, } const jwkFetchTimeout = 10 * time.Second