See the README for usage with Dex or any other OIDC provider. To test run a backend: python3 -m http.server Run dex and modify the example config with the proxy callback: go get github.com/coreos/dex/cmd/dex cd $GOPATH/src/github.com/coreos/dex sed -i.bak \ 's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \ examples/config-dev.yaml make ./bin/dex serve examples/config-dev.yaml Then run the oauth2_proxy oauth2_proxy \ --oidc-issuer-url http://127.0.0.1:5556/dex \ --upstream http://localhost:8000 \ --client-id example-app \ --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \ --cookie-secret foo \ --email-domain '*' \ --http-address http://127.0.0.1:5555 \ --redirect-url http://127.0.0.1:5555/oauth2/callback \ --cookie-secure=false Login with the username/password "admin@example.com:password"
1 parent
ea2540b
commit cb48577
Showing
6 changed files
with
140 additions
and
7 deletions.
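--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,84 @@
+package providers
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"golang.org/x/oauth2"
+
+	oidc "github.com/coreos/go-oidc"
+)
+
+type OIDCProvider struct {
+	*ProviderData
+
+	Verifier *oidc.IDTokenVerifier
+}
+
+func NewOIDCProvider(p *ProviderData) *OIDCProvider {
+	return &OIDCProvider{ProviderData: p}
+}
+
+func (p *OIDCProvider) Redeem(redirectURL, code string) (s *SessionState, err error) {
+	ctx := context.Background()
+	c := oauth2.Config{
+		ClientID:     p.ClientID,
+		ClientSecret: p.ClientSecret,
+		Endpoint: oauth2.Endpoint{
+			TokenURL: p.RedeemURL.String(),
+		},
+		RedirectURL: redirectURL,
+	}
+	token, err := c.Exchange(ctx, code)
+	if err != nil {
+		return nil, fmt.Errorf("token exchange: %v", err)
+	}
+
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, fmt.Errorf("token response did not contain an id_token")
+	}
+
+	// Parse and verify ID Token payload.
+	idToken, err := p.Verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("could not verify id_token: %v", err)
+	}
+
+	// Extract custom claims.
+	var claims struct {
+		Email    string `json:"email"`
+		Verified *bool  `json:"email_verified"`
+	}
+	if err := idToken.Claims(&claims); err != nil {
+		return nil, fmt.Errorf("failed to parse id_token claims: %v", err)
+	}
+
+	if claims.Email == "" {
+		return nil, fmt.Errorf("id_token did not contain an email")
+	}
+	if claims.Verified != nil && !*claims.Verified {
+		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
+	}
+
+	s = &SessionState{
+		AccessToken:  token.AccessToken,
+		RefreshToken: token.RefreshToken,
+		ExpiresOn:    token.Expiry,
+		Email:        claims.Email,
+	}
+
+	return
+}
+
+func (p *OIDCProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
+	if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
+		return false, nil
+	}
+
+	origExpiration := s.ExpiresOn
+	s.ExpiresOn = time.Now().Add(time.Second).Truncate(time.Second)
+	fmt.Printf("refreshed access token %s (expired on %s)\n", s, origExpiration)
+	return false, nil
+}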
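Review bot: RefreshSessionIfNeeded does not refresh anything: it overwrites `s.ExpiresOn` with one second from now and prints "refreshed access token" although the token endpoint is never contacted, so an expired session that still carries a refresh token is handed back to the caller looking valid again on the proxy's own authority (how long that persists depends on the caller, which is outside this file). Until a real refresh is implemented (the stored refresh token through `oauth2.Config.TokenSource`, then `p.Verifier.Verify` on the new id_token before updating `s`), the method should leave `s` unchanged and return `false, nil` without the log line. Any logging that stays should go through the logger rather than `fmt.Printf` to stdout; whether `SessionState`'s `%s` rendering includes token material is not visible here. Separately, Redeem runs the code exchange and `p.Verifier.Verify` under `context.Background()`, so a slow or unresponsive token endpoint holds the callback handler open with no deadline; replacing `ctx := context.Background()` with `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` plus `defer cancel()` bounds both calls.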