Jan Dittberner
7ec9e393e0
This commit adds a separate protected resource page to demonstrate how to selectively require logins. Add code to improve client performance by providing modification timestamps and Cache-Control headers for embedded static files.
100 lines
2.6 KiB
Go
100 lines
2.6 KiB
Go
/*
|
|
Copyright 2023 CAcert Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
https://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package services
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/gorilla/sessions"
|
|
"github.com/lestrrat-go/jwx/jwk"
|
|
"github.com/lestrrat-go/jwx/jwt"
|
|
"github.com/lestrrat-go/jwx/jwt/openid"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type OIDCTokenInfo struct {
|
|
AccessToken string
|
|
IDToken string
|
|
RefreshToken string
|
|
Expires time.Time
|
|
Name string
|
|
Email string
|
|
}
|
|
|
|
type TokenInfoService struct {
|
|
logger *log.Logger
|
|
keySet jwk.Set
|
|
}
|
|
|
|
func (s *TokenInfoService) GetTokenInfo(session *sessions.Session) (*OIDCTokenInfo, error) {
|
|
tokenInfo := &OIDCTokenInfo{}
|
|
|
|
var ok bool
|
|
|
|
if tokenInfo.AccessToken, ok = session.Values[SessionAccessToken].(string); ok {
|
|
s.logger.WithField("access_token", tokenInfo.AccessToken).Debug("found access token in session")
|
|
}
|
|
|
|
if tokenInfo.RefreshToken, ok = session.Values[SessionRefreshToken].(string); ok {
|
|
s.logger.WithField("refresh_token", tokenInfo.RefreshToken).Debug("found refresh token in session")
|
|
}
|
|
|
|
if tokenInfo.IDToken, ok = session.Values[SessionIDToken].(string); ok {
|
|
s.logger.WithField("id_token", tokenInfo.IDToken).Debug("found ID token in session")
|
|
}
|
|
|
|
if tokenInfo.IDToken == "" {
|
|
return tokenInfo, nil
|
|
}
|
|
|
|
oidcToken, err := ParseIDToken(tokenInfo.IDToken, s.keySet)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not parse ID token: %w", err)
|
|
}
|
|
|
|
tokenInfo.Expires = oidcToken.Expiration()
|
|
|
|
tokenInfo.Name = oidcToken.Name()
|
|
|
|
tokenInfo.Email = oidcToken.Email()
|
|
|
|
return tokenInfo, nil
|
|
}
|
|
|
|
func InitTokenInfoService(logger *log.Logger, oidcInfo *OIDCInformation) (*TokenInfoService, error) {
|
|
return &TokenInfoService{logger: logger, keySet: oidcInfo.KeySet}, nil
|
|
}
|
|
|
|
func ParseIDToken(token string, keySet jwk.Set) (openid.Token, error) {
|
|
var (
|
|
parsedIDToken jwt.Token
|
|
err error
|
|
)
|
|
|
|
if parsedIDToken, err = jwt.ParseString(token, jwt.WithKeySet(keySet), jwt.WithToken(openid.New())); err != nil {
|
|
return nil, fmt.Errorf("could not parse ID token: %w", err)
|
|
}
|
|
|
|
if v, ok := parsedIDToken.(openid.Token); ok {
|
|
return v, nil
|
|
}
|
|
|
|
return nil, errors.New("ID token is no OpenID Connect Identity Token")
|
|
}
|