oauth2_proxy/providers/provider_default.go

134 lines
3.7 KiB
Go
Raw Permalink Normal View History

2015-05-21 03:23:48 +00:00
package providers
import (
"bytes"
"encoding/json"
"errors"
2015-06-06 18:15:43 +00:00
"fmt"
2015-05-21 03:23:48 +00:00
"io/ioutil"
"net/http"
"net/url"
2019-05-07 14:32:46 +00:00
"time"
2019-05-05 12:33:13 +00:00
"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
2019-05-24 16:06:48 +00:00
"github.com/pusher/oauth2_proxy/pkg/encryption"
2015-05-21 03:23:48 +00:00
)
// Redeem provides a default implementation of the OAuth2 token redemption process
2019-05-05 12:33:13 +00:00
func (p *ProviderData) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
2015-05-21 03:23:48 +00:00
if code == "" {
err = errors.New("missing code")
return
}
params := url.Values{}
params.Add("redirect_uri", redirectURL)
2015-05-21 03:23:48 +00:00
params.Add("client_id", p.ClientID)
params.Add("client_secret", p.ClientSecret)
params.Add("code", code)
params.Add("grant_type", "authorization_code")
2015-11-09 08:28:34 +00:00
if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
params.Add("resource", p.ProtectedResource.String())
}
var req *http.Request
req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
2015-05-21 03:23:48 +00:00
if err != nil {
return
2015-05-21 03:23:48 +00:00
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
var resp *http.Response
resp, err = http.DefaultClient.Do(req)
2015-05-21 03:23:48 +00:00
if err != nil {
return nil, err
2015-05-21 03:23:48 +00:00
}
var body []byte
2015-05-21 03:23:48 +00:00
body, err = ioutil.ReadAll(resp.Body)
resp.Body.Close()
if err != nil {
return
2015-05-21 03:23:48 +00:00
}
2015-06-06 18:15:43 +00:00
if resp.StatusCode != 200 {
err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
return
2015-06-06 18:15:43 +00:00
}
2015-05-21 03:23:48 +00:00
// blindly try json and x-www-form-urlencoded
var jsonResponse struct {
AccessToken string `json:"access_token"`
}
err = json.Unmarshal(body, &jsonResponse)
if err == nil {
2019-05-05 12:33:13 +00:00
s = &sessions.SessionState{
AccessToken: jsonResponse.AccessToken,
}
return
2015-05-21 03:23:48 +00:00
}
var v url.Values
v, err = url.ParseQuery(string(body))
if err != nil {
return
}
if a := v.Get("access_token"); a != "" {
2019-05-07 14:32:46 +00:00
s = &sessions.SessionState{AccessToken: a, CreatedAt: time.Now()}
} else {
err = fmt.Errorf("no access token found %s", body)
}
return
2015-05-21 03:23:48 +00:00
}
2015-06-06 18:15:43 +00:00
// GetLoginURL with typical oauth parameters
2017-03-28 01:14:38 +00:00
func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
var a url.URL
a = *p.LoginURL
params, _ := url.ParseQuery(a.RawQuery)
params.Set("redirect_uri", redirectURI)
params.Set("approval_prompt", p.ApprovalPrompt)
2015-06-06 18:15:43 +00:00
params.Add("scope", p.Scope)
params.Set("client_id", p.ClientID)
params.Set("response_type", "code")
2017-03-28 01:14:38 +00:00
params.Add("state", state)
a.RawQuery = params.Encode()
return a.String()
2015-06-06 18:15:43 +00:00
}
// CookieForSession serializes a session state for storage in a cookie
2019-05-24 16:06:48 +00:00
func (p *ProviderData) CookieForSession(s *sessions.SessionState, c *encryption.Cipher) (string, error) {
return s.EncodeSessionState(c)
}
// SessionFromCookie deserializes a session from a cookie value
2019-05-24 16:06:48 +00:00
func (p *ProviderData) SessionFromCookie(v string, c *encryption.Cipher) (s *sessions.SessionState, err error) {
2019-05-05 12:33:13 +00:00
return sessions.DecodeSessionState(v, c)
}
// GetEmailAddress returns the Account email address
2019-05-05 12:33:13 +00:00
func (p *ProviderData) GetEmailAddress(s *sessions.SessionState) (string, error) {
return "", errors.New("not implemented")
}
// GetUserName returns the Account username
2019-05-05 12:33:13 +00:00
func (p *ProviderData) GetUserName(s *sessions.SessionState) (string, error) {
return "", errors.New("not implemented")
}
// ValidateGroup validates that the provided email exists in the configured provider
// email group(s).
func (p *ProviderData) ValidateGroup(email string) bool {
return true
}
// ValidateSessionState validates the AccessToken
2019-05-05 12:33:13 +00:00
func (p *ProviderData) ValidateSessionState(s *sessions.SessionState) bool {
return validateToken(p, s.AccessToken, nil)
}
2018-11-29 14:26:41 +00:00
// RefreshSessionIfNeeded should refresh the user's session if required and
// do nothing if a refresh is not required
2019-05-05 12:33:13 +00:00
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
return false, nil
}