package oidcauth
import (
	"errors"
	"fmt"
	"log"
	"net/url"
	"os"

	"github.com/coreos/go-oidc/v3/oidc"
)
// Config represents available options for oidcauth.
//
// DefaultConfig fills the credential and URL fields from environment
// variables and gives the remaining fields fixed defaults; Validate reports
// the first required field that is missing.
type Config struct {
	// ClientID is the OAUTH2 Client ID
	// Default value is: (read from OS ENV: OIDC_CLIENT_ID)
	ClientID string
	// ClientSecret is the OAUTH2 Client Secret. It is a credential: source it
	// from the environment or a secret store rather than committing it.
	// Default value is: (read from OS ENV: OIDC_CLIENT_SECRET)
	ClientSecret string
	// IssuerURL is the root URL to the Identity Provider
	// Default value is: (read from OS ENV: OIDC_ISSUER_URL)
	IssuerURL string
	// RedirectURL is the path that the Identity Provider will redirect clients to
	// Default value is: (read from OS ENV: OIDC_REDIRECT_URL)
	RedirectURL string
	// Scopes is a list of OIDC Scopes to request.
	// Default value is: []string{oidc.ScopeOpenID, "profile", "email"}
	Scopes []string
	// LoginClaim is the OIDC claim to map to the user's login (username)
	// Default value is: "email"
	LoginClaim string
	// SessionClaims is the list of OIDC claims to add to the user's session (in addition to LoginClaim)
	// Example []string{"email", "givenName", "name"}
	// NOTE: This can be set to ["*"] to load *all* claims. (nonce will be excluded)
	// Default value is: ["*"]
	SessionClaims []string
	// SessionPrefix is an optional prefix string to prefix to the claims (i.e. google: or corp:) to prevent
	// clashes in the session namespace
	// Default value is: ""
	SessionPrefix string
	// DefaultAuthenticatedURL is the URL to redirect a user to after successful authentication. By default, we will
	// try to determine where they were when they requested to login and send them back there.
	// Default value is: "/"
	DefaultAuthenticatedURL string
	// LogoutURL is the URL to redirect a user to after logging out.
	// NOTE: If you require / to be authenticated, setting this to / will start the login process immediately, which may not be desirable.
	// Default value is: "/"
	LogoutURL string
}
// DefaultConfig will create a new config object with defaults
// NOTE: This matches the examples on https://github.com/coreos/go-oidc/tree/v3/example
//
// ClientID, ClientSecret, IssuerURL and RedirectURL come from the
// OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_ISSUER_URL and OIDC_REDIRECT_URL
// environment variables; an unset variable leaves the field empty, which
// Validate rejects. Every other field gets a fixed default.
func DefaultConfig() (c *Config) {
	cfg := Config{
		LoginClaim:              "email",
		SessionClaims:           []string{"*"},
		DefaultAuthenticatedURL: "/",
		LogoutURL:               "/",
	}
	cfg.ClientID = os.Getenv("OIDC_CLIENT_ID")
	cfg.ClientSecret = os.Getenv("OIDC_CLIENT_SECRET")
	cfg.IssuerURL = os.Getenv("OIDC_ISSUER_URL")
	cfg.RedirectURL = os.Getenv("OIDC_REDIRECT_URL")
	// A fresh slice per call, so a caller that appends scopes never shares
	// backing storage with another config.
	cfg.Scopes = []string{oidc.ScopeOpenID, "profile", "email"}
	return &cfg
}
// ExampleConfigDex will return the config for a default DEX IdP example-app
// DEX: https://github.com/dexidp/dex
//
// The client ID, client secret and loopback URLs are the fixed values of
// dex's example-app, so this config only works against a local dex instance
// and is meant for development and demos, not for a real deployment.
func ExampleConfigDex() (c *Config) {
	const (
		dexClientID     = "example-app"
		dexClientSecret = "ZXhhbXBsZS1hcHAtc2VjcmV0"
		dexIssuerURL    = "http://127.0.0.1:5556/dex"
		dexRedirectURL  = "http://127.0.0.1:5555/callback"
	)
	c = DefaultConfig()
	c.ClientID, c.ClientSecret = dexClientID, dexClientSecret
	c.IssuerURL, c.RedirectURL = dexIssuerURL, dexRedirectURL
	return c
}
// ExampleConfigGoogle will return the config for the Google Accounts IdP like the go-oidc examples
// go-oidc google example: https://github.com/coreos/go-oidc/tree/v3/example
//
// Unlike ExampleConfigDex, the client credentials are not hard-coded: they
// are read from GOOGLE_OAUTH2_CLIENT_ID and GOOGLE_OAUTH2_CLIENT_SECRET.
// The issuer is Google's, and the redirect URL is the loopback address the
// go-oidc example listens on.
func ExampleConfigGoogle() (c *Config) {
	const (
		googleIssuerURL   = "https://accounts.google.com"
		googleRedirectURL = "http://127.0.0.1:5556/auth/google/callback"
	)
	c = DefaultConfig()
	c.ClientID, c.ClientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID"), os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET")
	c.IssuerURL, c.RedirectURL = googleIssuerURL, googleRedirectURL
	return c
}
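// Validate will validate the Config
//
// It checks, in order, that ClientID, ClientSecret, IssuerURL and
// RedirectURL are set, and that the two URLs are well formed: IssuerURL must
// parse as an absolute URL with a scheme and host, and RedirectURL must be
// either an absolute URL or an absolute path (url.ParseRequestURI). The
// returned error names the offending field; nil means the config is usable.
func (c Config) Validate() (err error) {
	if c.ClientID == "" {
		return errors.New("ClientID is required")
	}
	if c.ClientSecret == "" {
		return errors.New("ClientSecret is required")
	}
	if c.IssuerURL == "" {
		return errors.New("IssuerURL is required")
	}
	issuer, perr := url.Parse(c.IssuerURL)
	if perr != nil {
		return fmt.Errorf("IssuerURL is not a valid URL: %w", perr)
	}
	// A bare path or a host without a scheme cannot identify an issuer.
	if issuer.Scheme == "" || issuer.Host == "" {
		return errors.New("IssuerURL must be an absolute URL with scheme and host")
	}
	if c.RedirectURL == "" {
		return errors.New("RedirectURL is required")
	}
	// ParseRequestURI accepts absolute URLs and absolute paths but rejects
	// relative paths and fragments, which are not usable as a redirect target.
	if _, perr := url.ParseRequestURI(c.RedirectURL); perr != nil {
		return fmt.Errorf("RedirectURL is not a valid URL: %w", perr)
	}
	return nil
}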
// GetOidcAuth returns the configured OIDC authentication controller
//
// This is the package-level form of (*Config).GetOidcAuth and delegates to
// it unchanged, including its result and error.
func GetOidcAuth(c *Config) (o *OidcAuth, err error) {
	o, err = c.GetOidcAuth()
	return o, err
}
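// GetOidcAuth returns the configured OIDC authentication controller
//
// The config is validated first. A validation failure is logged and then
// returned as err, instead of terminating the process from inside the
// library, so the caller decides how a missing or malformed setting is
// handled. On success the result is whatever newOidcAuth produces.
func (c *Config) GetOidcAuth() (o *OidcAuth, err error) {
	if err = c.Validate(); err != nil {
		// A misconfigured auth controller is worth a log line even when the
		// caller discards err, since it disables authentication entirely.
		log.Printf("[oidcauth] invalid config: %v", err)
		return nil, err
	}
	return newOidcAuth(c)
}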
// The methods below can be used to return the middleware, but currently do
// not handle the routes. They are of limited use, for now.
//
// // Default returns the location middleware with default configuration.
// func Default() gin.HandlerFunc {
// config := DefaultConfig()
// return New(config)
// }
// // New returns the location middleware with user-defined custom configuration.
// func New(c *Config) gin.HandlerFunc {
// auth, err := c.GetOidcAuth()
// if err != nil {
// log.Fatal("[oidcauth] Error getting auth handler")
// }
// return auth.AuthRequired()
// }