@ -110,6 +110,8 @@ func (h *LoginHandler) handleGet(
return
}
usableEmails := certEmails
defer func ( ) { _ = response . Body . Close ( ) } ( )
h . logger . Debug (
@ -117,7 +119,28 @@ func (h *LoginHandler) handleGet(
"response" , response . Status , "login_request" , oAuth2LoginRequest ,
)
h . renderRequestForClientCert ( w , r , certEmails , localizer , oAuth2LoginRequest )
if subject , ok := oAuth2LoginRequest . GetSubjectOk ( ) ; ok && * subject != "" {
h . logger . Info ( "oauth2LoginRequest expects subject" , "subject" , * subject )
subjectInCert := false
for _ , email := range certEmails {
if * subject == email {
subjectInCert = true
break
}
}
if ! subjectInCert {
h . rejectLoginMissingSubject ( w , r , challenge , localizer , * subject )
return
}
usableEmails = [ ] string { * subject }
}
h . renderRequestForClientCert ( w , r , usableEmails , localizer , oAuth2LoginRequest )
}
type FlashMessage struct {
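Review bot: The subject-to-certificate gate added here compares with `if * subject == email`, a byte-exact match, so if the subject attached to the login request was normalized (for example lowercased) while the certificate e-mail keeps its original case, a legitimate user is rejected; I can't tell from this hunk how subjects are normalized, so confirm the canonical form on both sides before settling on exact match or `strings.EqualFold` (exact match is the safer default if both are already canonical). The loop itself can be reduced to `subjectInCert := slices.Contains(certEmails, *subject)` if the module targets Go 1.21 or later. For consistency with the `DebugContext(r.Context(), …)` calls this commit introduces in rejectLogin and rejectLoginMissingSubject, the new log line should be `h.logger.InfoContext(r.Context(), "oauth2LoginRequest expects subject", "subject", *subject)`, and the plain `h.logger.Error` calls in those two functions would become `ErrorContext` for the same reason; since the subject is an e-mail address, Debug level would also keep personal data out of the default log stream. handleGet starts before this hunk.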
@ -234,7 +257,7 @@ func (h *LoginHandler) rejectLogin(
r . Context ( ) ,
) . LoginChallenge ( challenge ) . RejectOAuth2Request ( * rejectRequest ) . Execute ( )
if err != nil {
h . logger . Error ( "error gett ing reject login request", "error" , err )
h . logger . Error ( "error send ing reject login request", "error" , err )
http . Error ( w , http . StatusText ( http . StatusInternalServerError ) , http . StatusInternalServerError )
return
@ -242,8 +265,35 @@ func (h *LoginHandler) rejectLogin(
defer func ( ) { _ = response . Body . Close ( ) } ( )
h . logger . Debug (
"go response for RejectOAuth2LoginRequest" ,
h . logger . DebugContext (
r . Context ( ) ,
"got response for RejectOAuth2LoginRequest" ,
"response" , response . Status , "reject_login_request" , rejectLoginRequest ,
)
w . Header ( ) . Set ( "Location" , rejectLoginRequest . GetRedirectTo ( ) )
w . WriteHeader ( http . StatusFound )
}
func ( h * LoginHandler ) rejectLoginMissingSubject ( w http . ResponseWriter , r * http . Request , challenge string , localizer * i18n . Localizer , subject string ) {
rejectRequest := client . NewRejectOAuth2RequestWithDefaults ( )
rejectRequest . SetErrorDescription ( h . trans . LookupMessage ( "LoginDeniedSubjectMissing" , map [ string ] interface { } { "Subject" : subject } , localizer ) )
rejectRequest . SetErrorHint ( h . trans . LookupMessage ( "HintChooseDifferentClientCertificate" , nil , localizer ) )
rejectRequest . SetStatusCode ( http . StatusForbidden )
rejectLoginRequest , response , err := h . adminClient . RejectOAuth2LoginRequest ( r . Context ( ) ) . LoginChallenge ( challenge ) . RejectOAuth2Request ( * rejectRequest ) . Execute ( )
if err != nil {
h . logger . Error ( "error sending reject login request" , "error" , err )
http . Error ( w , http . StatusText ( http . StatusInternalServerError ) , http . StatusInternalServerError )
return
}
defer func ( ) { _ = response . Body . Close ( ) } ( )
h . logger . DebugContext (
r . Context ( ) ,
"got response for RejectOAuth2LoginRequest" ,
"response" , response . Status , "reject_login_request" , rejectLoginRequest ,
)