mirror of
				https://github.com/go-gitea/gitea
				synced 2025-10-26 08:58:24 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			475 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
		
			Vendored
		
	
	
	
			
		
		
	
	
			475 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			Go
		
	
	
	
		
			Vendored
		
	
	
	
| package openidConnect
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"encoding/base64"
 | |
| 	"encoding/json"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"io/ioutil"
 | |
| 	"net/http"
 | |
| 	"net/url"
 | |
| 	"strings"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/markbates/goth"
 | |
| 	"golang.org/x/oauth2"
 | |
| )
 | |
| 
 | |
| const (
 | |
| 	// Standard Claims http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
 | |
| 	// fixed, cannot be changed
 | |
| 	subjectClaim  = "sub"
 | |
| 	expiryClaim   = "exp"
 | |
| 	audienceClaim = "aud"
 | |
| 	issuerClaim   = "iss"
 | |
| 
 | |
| 	PreferredUsernameClaim = "preferred_username"
 | |
| 	EmailClaim             = "email"
 | |
| 	NameClaim              = "name"
 | |
| 	NicknameClaim          = "nickname"
 | |
| 	PictureClaim           = "picture"
 | |
| 	GivenNameClaim         = "given_name"
 | |
| 	FamilyNameClaim        = "family_name"
 | |
| 	AddressClaim           = "address"
 | |
| 
 | |
| 	// Unused but available to set in Provider claims
 | |
| 	MiddleNameClaim          = "middle_name"
 | |
| 	ProfileClaim             = "profile"
 | |
| 	WebsiteClaim             = "website"
 | |
| 	EmailVerifiedClaim       = "email_verified"
 | |
| 	GenderClaim              = "gender"
 | |
| 	BirthdateClaim           = "birthdate"
 | |
| 	ZoneinfoClaim            = "zoneinfo"
 | |
| 	LocaleClaim              = "locale"
 | |
| 	PhoneNumberClaim         = "phone_number"
 | |
| 	PhoneNumberVerifiedClaim = "phone_number_verified"
 | |
| 	UpdatedAtClaim           = "updated_at"
 | |
| 
 | |
| 	clockSkew = 10 * time.Second
 | |
| )
 | |
| 
 | |
| // Provider is the implementation of `goth.Provider` for accessing OpenID Connect provider
 | |
| type Provider struct {
 | |
| 	ClientKey    string
 | |
| 	Secret       string
 | |
| 	CallbackURL  string
 | |
| 	HTTPClient   *http.Client
 | |
| 	OpenIDConfig *OpenIDConfig
 | |
| 	config       *oauth2.Config
 | |
| 	providerName string
 | |
| 
 | |
| 	UserIdClaims    []string
 | |
| 	NameClaims      []string
 | |
| 	NickNameClaims  []string
 | |
| 	EmailClaims     []string
 | |
| 	AvatarURLClaims []string
 | |
| 	FirstNameClaims []string
 | |
| 	LastNameClaims  []string
 | |
| 	LocationClaims  []string
 | |
| 
 | |
| 	SkipUserInfoRequest bool
 | |
| }
 | |
| 
 | |
| type OpenIDConfig struct {
 | |
| 	AuthEndpoint     string `json:"authorization_endpoint"`
 | |
| 	TokenEndpoint    string `json:"token_endpoint"`
 | |
| 	UserInfoEndpoint string `json:"userinfo_endpoint"`
 | |
| 
 | |
| 	// If OpenID discovery is enabled, the end_session_endpoint field can optionally be provided
 | |
| 	// in the discovery endpoint response according to OpenID spec. See:
 | |
| 	// https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata
 | |
| 	EndSessionEndpoint string `json:"end_session_endpoint, omitempty"`
 | |
| 	Issuer             string `json:"issuer"`
 | |
| }
 | |
| 
 | |
| type RefreshTokenResponse struct {
 | |
| 	AccessToken string `json:"access_token"`
 | |
| 
 | |
| 	// The OpenID spec defines the ID token as an optional response field in the
 | |
| 	// refresh token flow. As a result, a new ID token may not be returned in a successful
 | |
| 	// response.
 | |
| 	// See more: https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
 | |
| 	IdToken string `json:"id_token, omitempty"`
 | |
| 
 | |
| 	// The OAuth spec defines the refresh token as an optional response field in the
 | |
| 	// refresh token flow. As a result, a new refresh token may not be returned in a successful
 | |
| 	// response.
 | |
| 	//See more: https://www.oauth.com/oauth2-servers/making-authenticated-requests/refreshing-an-access-token/
 | |
| 	RefreshToken string `json:"refresh_token,omitempty"`
 | |
| }
 | |
| 
 | |
| // New creates a new OpenID Connect provider, and sets up important connection details.
 | |
| // You should always call `openidConnect.New` to get a new Provider. Never try to create
 | |
| // one manually.
 | |
| // New returns an implementation of an OpenID Connect Authorization Code Flow
 | |
| // See http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
 | |
| // ID Token decryption is not (yet) supported
 | |
| // UserInfo decryption is not (yet) supported
 | |
| func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) {
 | |
| 	p := &Provider{
 | |
| 		ClientKey:   clientKey,
 | |
| 		Secret:      secret,
 | |
| 		CallbackURL: callbackURL,
 | |
| 
 | |
| 		UserIdClaims:    []string{subjectClaim},
 | |
| 		NameClaims:      []string{NameClaim},
 | |
| 		NickNameClaims:  []string{NicknameClaim, PreferredUsernameClaim},
 | |
| 		EmailClaims:     []string{EmailClaim},
 | |
| 		AvatarURLClaims: []string{PictureClaim},
 | |
| 		FirstNameClaims: []string{GivenNameClaim},
 | |
| 		LastNameClaims:  []string{FamilyNameClaim},
 | |
| 		LocationClaims:  []string{AddressClaim},
 | |
| 
 | |
| 		providerName: "openid-connect",
 | |
| 	}
 | |
| 
 | |
| 	openIDConfig, err := getOpenIDConfig(p, openIDAutoDiscoveryURL)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	p.OpenIDConfig = openIDConfig
 | |
| 
 | |
| 	p.config = newConfig(p, scopes, openIDConfig)
 | |
| 	return p, nil
 | |
| }
 | |
| 
 | |
| // Name is the name used to retrieve this provider later.
 | |
| func (p *Provider) Name() string {
 | |
| 	return p.providerName
 | |
| }
 | |
| 
 | |
| // SetName is to update the name of the provider (needed in case of multiple providers of 1 type)
 | |
| func (p *Provider) SetName(name string) {
 | |
| 	p.providerName = name
 | |
| }
 | |
| 
 | |
| func (p *Provider) Client() *http.Client {
 | |
| 	return goth.HTTPClientWithFallBack(p.HTTPClient)
 | |
| }
 | |
| 
 | |
| // Debug is a no-op for the openidConnect package.
 | |
| func (p *Provider) Debug(debug bool) {}
 | |
| 
 | |
| // BeginAuth asks the OpenID Connect provider for an authentication end-point.
 | |
| func (p *Provider) BeginAuth(state string) (goth.Session, error) {
 | |
| 	url := p.config.AuthCodeURL(state)
 | |
| 	session := &Session{
 | |
| 		AuthURL: url,
 | |
| 	}
 | |
| 	return session, nil
 | |
| }
 | |
| 
 | |
| // FetchUser will use the the id_token and access requested information about the user.
 | |
| func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 | |
| 	sess := session.(*Session)
 | |
| 
 | |
| 	expiresAt := sess.ExpiresAt
 | |
| 
 | |
| 	if sess.IDToken == "" {
 | |
| 		return goth.User{}, fmt.Errorf("%s cannot get user information without id_token", p.providerName)
 | |
| 	}
 | |
| 
 | |
| 	// decode returned id token to get expiry
 | |
| 	claims, err := decodeJWT(sess.IDToken)
 | |
| 
 | |
| 	if err != nil {
 | |
| 		return goth.User{}, fmt.Errorf("oauth2: error decoding JWT token: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	expiry, err := p.validateClaims(claims)
 | |
| 	if err != nil {
 | |
| 		return goth.User{}, fmt.Errorf("oauth2: error validating JWT token: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	if expiry.Before(expiresAt) {
 | |
| 		expiresAt = expiry
 | |
| 	}
 | |
| 
 | |
| 	if err := p.getUserInfo(sess.AccessToken, claims); err != nil {
 | |
| 		return goth.User{}, err
 | |
| 	}
 | |
| 
 | |
| 	user := goth.User{
 | |
| 		AccessToken:  sess.AccessToken,
 | |
| 		Provider:     p.Name(),
 | |
| 		RefreshToken: sess.RefreshToken,
 | |
| 		ExpiresAt:    expiresAt,
 | |
| 		RawData:      claims,
 | |
| 		IDToken:      sess.IDToken,
 | |
| 	}
 | |
| 
 | |
| 	p.userFromClaims(claims, &user)
 | |
| 	return user, err
 | |
| }
 | |
| 
 | |
| //RefreshTokenAvailable refresh token is provided by auth provider or not
 | |
| func (p *Provider) RefreshTokenAvailable() bool {
 | |
| 	return true
 | |
| }
 | |
| 
 | |
| //RefreshToken get new access token based on the refresh token
 | |
| func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 | |
| 	token := &oauth2.Token{RefreshToken: refreshToken}
 | |
| 	ts := p.config.TokenSource(oauth2.NoContext, token)
 | |
| 	newToken, err := ts.Token()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return newToken, err
 | |
| }
 | |
| 
 | |
| // The ID token is a fundamental part of the OpenID connect refresh token flow but is not part of the OAuth flow.
 | |
| // The existing RefreshToken function leverages the OAuth library's refresh token mechanism, ignoring the refreshed
 | |
| // ID token. As a result, a new function needs to be exposed (rather than changing the existing function, for backwards
 | |
| // compatibility purposes) that also returns the id_token in the OpenID refresh token flow API response
 | |
| // Learn more about ID tokens: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
 | |
| func (p *Provider) RefreshTokenWithIDToken(refreshToken string) (*RefreshTokenResponse, error) {
 | |
| 	urlValues := url.Values{
 | |
| 		"grant_type":    {"refresh_token"},
 | |
| 		"refresh_token": {refreshToken},
 | |
| 		"client_id":     {p.ClientKey},
 | |
| 		"client_secret": {p.Secret},
 | |
| 	}
 | |
| 	req, err := http.NewRequest("POST", p.OpenIDConfig.TokenEndpoint, strings.NewReader(urlValues.Encode()))
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 | |
| 
 | |
| 	resp, err := p.Client().Do(req)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	if resp.StatusCode != http.StatusOK {
 | |
| 		return nil, fmt.Errorf("Non-200 response from RefreshToken: %d, WWW-Authenticate=%s", resp.StatusCode, resp.Header.Get("WWW-Authenticate"))
 | |
| 	}
 | |
| 
 | |
| 	body, err := ioutil.ReadAll(resp.Body)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	resp.Body.Close()
 | |
| 
 | |
| 	refreshTokenResponse := &RefreshTokenResponse{}
 | |
| 
 | |
| 	err = json.Unmarshal(body, refreshTokenResponse)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	return refreshTokenResponse, nil
 | |
| }
 | |
| 
 | |
| // validate according to standard, returns expiry
 | |
| // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 | |
| func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
 | |
| 	audience := getClaimValue(claims, []string{audienceClaim})
 | |
| 	if audience != p.ClientKey {
 | |
| 		found := false
 | |
| 		audiences := getClaimValues(claims, []string{audienceClaim})
 | |
| 		for _, aud := range audiences {
 | |
| 			if aud == p.ClientKey {
 | |
| 				found = true
 | |
| 				break
 | |
| 			}
 | |
| 		}
 | |
| 		if !found {
 | |
| 			return time.Time{}, errors.New("audience in token does not match client key")
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	issuer := getClaimValue(claims, []string{issuerClaim})
 | |
| 	if issuer != p.OpenIDConfig.Issuer {
 | |
| 		return time.Time{}, errors.New("issuer in token does not match issuer in OpenIDConfig discovery")
 | |
| 	}
 | |
| 
 | |
| 	// expiry is required for JWT, not for UserInfoResponse
 | |
| 	// is actually a int64, so force it in to that type
 | |
| 	expiryClaim := int64(claims[expiryClaim].(float64))
 | |
| 	expiry := time.Unix(expiryClaim, 0)
 | |
| 	if expiry.Add(clockSkew).Before(time.Now()) {
 | |
| 		return time.Time{}, errors.New("user info JWT token is expired")
 | |
| 	}
 | |
| 	return expiry, nil
 | |
| }
 | |
| 
 | |
| func (p *Provider) userFromClaims(claims map[string]interface{}, user *goth.User) {
 | |
| 	// required
 | |
| 	user.UserID = getClaimValue(claims, p.UserIdClaims)
 | |
| 
 | |
| 	user.Name = getClaimValue(claims, p.NameClaims)
 | |
| 	user.NickName = getClaimValue(claims, p.NickNameClaims)
 | |
| 	user.Email = getClaimValue(claims, p.EmailClaims)
 | |
| 	user.AvatarURL = getClaimValue(claims, p.AvatarURLClaims)
 | |
| 	user.FirstName = getClaimValue(claims, p.FirstNameClaims)
 | |
| 	user.LastName = getClaimValue(claims, p.LastNameClaims)
 | |
| 	user.Location = getClaimValue(claims, p.LocationClaims)
 | |
| }
 | |
| 
 | |
| func (p *Provider) getUserInfo(accessToken string, claims map[string]interface{}) error {
 | |
| 	// skip if there is no UserInfoEndpoint or is explicitly disabled
 | |
| 	if p.OpenIDConfig.UserInfoEndpoint == "" || p.SkipUserInfoRequest {
 | |
| 		return nil
 | |
| 	}
 | |
| 
 | |
| 	userInfoClaims, err := p.fetchUserInfo(p.OpenIDConfig.UserInfoEndpoint, accessToken)
 | |
| 	if err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	// The sub (subject) Claim MUST always be returned in the UserInfo Response.
 | |
| 	// http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
 | |
| 	userInfoSubject := getClaimValue(userInfoClaims, []string{subjectClaim})
 | |
| 	if userInfoSubject == "" {
 | |
| 		return fmt.Errorf("userinfo response did not contain a 'sub' claim: %#v", userInfoClaims)
 | |
| 	}
 | |
| 
 | |
| 	// The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token;
 | |
| 	// if they do not match, the UserInfo Response values MUST NOT be used.
 | |
| 	// http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
 | |
| 	subject := getClaimValue(claims, []string{subjectClaim})
 | |
| 	if userInfoSubject != subject {
 | |
| 		return fmt.Errorf("userinfo 'sub' claim (%s) did not match id_token 'sub' claim (%s)", userInfoSubject, subject)
 | |
| 	}
 | |
| 
 | |
| 	// Merge in userinfo claims in case id_token claims contained some that userinfo did not
 | |
| 	for k, v := range userInfoClaims {
 | |
| 		claims[k] = v
 | |
| 	}
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // fetch and decode JSON from the given UserInfo URL
 | |
| func (p *Provider) fetchUserInfo(url, accessToken string) (map[string]interface{}, error) {
 | |
| 	req, _ := http.NewRequest("GET", url, nil)
 | |
| 	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
 | |
| 
 | |
| 	resp, err := p.Client().Do(req)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	defer resp.Body.Close()
 | |
| 
 | |
| 	if resp.StatusCode != http.StatusOK {
 | |
| 		return nil, fmt.Errorf("Non-200 response from UserInfo: %d, WWW-Authenticate=%s", resp.StatusCode, resp.Header.Get("WWW-Authenticate"))
 | |
| 	}
 | |
| 
 | |
| 	// The UserInfo Claims MUST be returned as the members of a JSON object
 | |
| 	// http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
 | |
| 	data, err := ioutil.ReadAll(resp.Body)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	return unMarshal(data)
 | |
| }
 | |
| 
 | |
| func getOpenIDConfig(p *Provider, openIDAutoDiscoveryURL string) (*OpenIDConfig, error) {
 | |
| 	res, err := p.Client().Get(openIDAutoDiscoveryURL)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	defer res.Body.Close()
 | |
| 
 | |
| 	body, err := ioutil.ReadAll(res.Body)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	openIDConfig := &OpenIDConfig{}
 | |
| 	err = json.Unmarshal(body, openIDConfig)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	return openIDConfig, nil
 | |
| }
 | |
| 
 | |
| func newConfig(provider *Provider, scopes []string, openIDConfig *OpenIDConfig) *oauth2.Config {
 | |
| 	c := &oauth2.Config{
 | |
| 		ClientID:     provider.ClientKey,
 | |
| 		ClientSecret: provider.Secret,
 | |
| 		RedirectURL:  provider.CallbackURL,
 | |
| 		Endpoint: oauth2.Endpoint{
 | |
| 			AuthURL:  openIDConfig.AuthEndpoint,
 | |
| 			TokenURL: openIDConfig.TokenEndpoint,
 | |
| 		},
 | |
| 		Scopes: []string{},
 | |
| 	}
 | |
| 
 | |
| 	if len(scopes) > 0 {
 | |
| 		foundOpenIDScope := false
 | |
| 
 | |
| 		for _, scope := range scopes {
 | |
| 			if scope == "openid" {
 | |
| 				foundOpenIDScope = true
 | |
| 			}
 | |
| 			c.Scopes = append(c.Scopes, scope)
 | |
| 		}
 | |
| 
 | |
| 		if !foundOpenIDScope {
 | |
| 			c.Scopes = append(c.Scopes, "openid")
 | |
| 		}
 | |
| 	} else {
 | |
| 		c.Scopes = []string{"openid"}
 | |
| 	}
 | |
| 
 | |
| 	return c
 | |
| }
 | |
| 
 | |
| func getClaimValue(data map[string]interface{}, claims []string) string {
 | |
| 	for _, claim := range claims {
 | |
| 		if value, ok := data[claim]; ok {
 | |
| 			if stringValue, ok := value.(string); ok && len(stringValue) > 0 {
 | |
| 				return stringValue
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return ""
 | |
| }
 | |
| 
 | |
| func getClaimValues(data map[string]interface{}, claims []string) []string {
 | |
| 	var result []string
 | |
| 
 | |
| 	for _, claim := range claims {
 | |
| 		if value, ok := data[claim]; ok {
 | |
| 			if stringValues, ok := value.([]interface{}); ok {
 | |
| 				for _, stringValue := range stringValues {
 | |
| 					if s, ok := stringValue.(string); ok && len(s) > 0 {
 | |
| 						result = append(result, s)
 | |
| 					}
 | |
| 				}
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return result
 | |
| }
 | |
| 
 | |
| // decodeJWT decodes a JSON Web Token into a simple map
 | |
| // http://openid.net/specs/draft-jones-json-web-token-07.html
 | |
| func decodeJWT(jwt string) (map[string]interface{}, error) {
 | |
| 	jwtParts := strings.Split(jwt, ".")
 | |
| 	if len(jwtParts) != 3 {
 | |
| 		return nil, errors.New("jws: invalid token received, not all parts available")
 | |
| 	}
 | |
| 
 | |
| 	decodedPayload, err := base64.URLEncoding.WithPadding(base64.NoPadding).DecodeString(jwtParts[1])
 | |
| 
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	return unMarshal(decodedPayload)
 | |
| }
 | |
| 
 | |
| func unMarshal(payload []byte) (map[string]interface{}, error) {
 | |
| 	data := make(map[string]interface{})
 | |
| 
 | |
| 	return data, json.NewDecoder(bytes.NewBuffer(payload)).Decode(&data)
 | |
| }
 |