2023-06-19 17:42:47 -04:00
|
|
|
// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2020-03-07 21:45:19 -05:00
|
|
|
|
2023-08-10 22:46:45 -04:00
|
|
|
package oauth2 // import "miniflux.app/v2/internal/oauth2"
|
2020-03-07 21:45:19 -05:00
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2023-09-08 21:01:17 -04:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2020-12-22 00:14:10 -05:00
|
|
|
|
2023-08-10 22:46:45 -04:00
|
|
|
"miniflux.app/v2/internal/model"
|
2020-12-22 00:14:10 -05:00
|
|
|
|
2023-06-27 23:21:51 -04:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2020-03-07 21:45:19 -05:00
|
|
|
"golang.org/x/oauth2"
|
|
|
|
)
|
|
|
|
|
2023-09-08 21:01:17 -04:00
|
|
|
var (
|
|
|
|
ErrEmptyUsername = errors.New("oidc: username is empty")
|
|
|
|
)
|
|
|
|
|
2020-03-07 21:45:19 -05:00
|
|
|
type oidcProvider struct {
|
|
|
|
clientID string
|
|
|
|
clientSecret string
|
|
|
|
redirectURL string
|
|
|
|
provider *oidc.Provider
|
|
|
|
}
|
|
|
|
|
2023-09-03 00:35:10 -04:00
|
|
|
func NewOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {
|
|
|
|
provider, err := oidc.NewProvider(ctx, discoveryEndpoint)
|
|
|
|
if err != nil {
|
2023-09-08 22:52:28 -04:00
|
|
|
return nil, fmt.Errorf(`oidc: failed to initialize provider %q: %w`, discoveryEndpoint, err)
|
2023-09-03 00:35:10 -04:00
|
|
|
}
|
|
|
|
|
2023-09-08 22:52:28 -04:00
|
|
|
return &oidcProvider{
|
|
|
|
clientID: clientID,
|
|
|
|
clientSecret: clientSecret,
|
|
|
|
redirectURL: redirectURL,
|
|
|
|
provider: provider,
|
|
|
|
}, nil
|
2023-09-03 00:35:10 -04:00
|
|
|
}
|
|
|
|
|
2020-12-22 00:14:10 -05:00
|
|
|
func (o *oidcProvider) GetUserExtraKey() string {
|
|
|
|
return "openid_connect_id"
|
2020-03-07 21:45:19 -05:00
|
|
|
}
|
|
|
|
|
2023-09-03 00:35:10 -04:00
|
|
|
func (o *oidcProvider) GetConfig() *oauth2.Config {
|
|
|
|
return &oauth2.Config{
|
|
|
|
RedirectURL: o.redirectURL,
|
|
|
|
ClientID: o.clientID,
|
|
|
|
ClientSecret: o.clientSecret,
|
2023-09-08 22:52:28 -04:00
|
|
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
2023-09-03 00:35:10 -04:00
|
|
|
Endpoint: o.provider.Endpoint(),
|
|
|
|
}
|
2020-03-07 21:45:19 -05:00
|
|
|
}
|
|
|
|
|
2023-09-03 00:35:10 -04:00
|
|
|
func (o *oidcProvider) GetProfile(ctx context.Context, code, codeVerifier string) (*Profile, error) {
|
|
|
|
conf := o.GetConfig()
|
|
|
|
token, err := conf.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", codeVerifier))
|
2020-03-07 21:45:19 -05:00
|
|
|
if err != nil {
|
2023-09-08 21:01:17 -04:00
|
|
|
return nil, fmt.Errorf(`oidc: failed to exchange token: %w`, err)
|
2020-03-07 21:45:19 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
userInfo, err := o.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
|
|
|
|
if err != nil {
|
2023-09-08 21:01:17 -04:00
|
|
|
return nil, fmt.Errorf(`oidc: failed to get user info: %w`, err)
|
2020-03-07 21:45:19 -05:00
|
|
|
}
|
|
|
|
|
2023-09-08 22:52:28 -04:00
|
|
|
profile := &Profile{
|
|
|
|
Key: o.GetUserExtraKey(),
|
|
|
|
ID: userInfo.Subject,
|
|
|
|
}
|
|
|
|
|
|
|
|
var userClaims userClaims
|
|
|
|
if err := userInfo.Claims(&userClaims); err != nil {
|
|
|
|
return nil, fmt.Errorf(`oidc: failed to parse user claims: %w`, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, value := range []string{userClaims.Email, userClaims.PreferredUsername, userClaims.Name, userClaims.Profile} {
|
|
|
|
if value != "" {
|
|
|
|
profile.Username = value
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2023-09-08 21:01:17 -04:00
|
|
|
|
|
|
|
if profile.Username == "" {
|
|
|
|
return nil, ErrEmptyUsername
|
|
|
|
}
|
|
|
|
|
2020-03-07 21:45:19 -05:00
|
|
|
return profile, nil
|
|
|
|
}
|
|
|
|
|
2021-01-04 00:20:21 -05:00
|
|
|
func (o *oidcProvider) PopulateUserCreationWithProfileID(user *model.UserCreationRequest, profile *Profile) {
|
|
|
|
user.OpenIDConnectID = profile.ID
|
|
|
|
}
|
|
|
|
|
2020-12-22 00:14:10 -05:00
|
|
|
func (o *oidcProvider) PopulateUserWithProfileID(user *model.User, profile *Profile) {
|
|
|
|
user.OpenIDConnectID = profile.ID
|
|
|
|
}
|
|
|
|
|
|
|
|
func (o *oidcProvider) UnsetUserProfileID(user *model.User) {
|
|
|
|
user.OpenIDConnectID = ""
|
|
|
|
}
|
2023-09-08 22:52:28 -04:00
|
|
|
|
|
|
|
type userClaims struct {
|
|
|
|
Email string `json:"email"`
|
|
|
|
Profile string `json:"profile"`
|
|
|
|
Name string `json:"name"`
|
|
|
|
PreferredUsername string `json:"preferred_username"`
|
|
|
|
}
|