ThetaDev/oidc-forward-auth
1
0
Fork 0
Code Issues Pull requests Projects Releases Activity
oidc-forward-auth/pkg/forwardauth/auth.go
Stefan Kürzeder 140cbf807d Improved claims handling
2020-06-04 15:29:18 +02:00

100 lines
2.5 KiB
Go
Raw Permalink Blame History

/*
Copyright (c) 2020 Stefan Kürzeder <info@stivik.de>
This code is licensed under MIT license (see LICENSE for details)
*/
package forwardauth
import (
"context"
"errors"
"net/http"
"strings"
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
"github.com/sirupsen/logrus"
)
type AuthenticatationResult struct {
IDToken string
RefreshToken string
IDTokenClaims *Claims
}
func (fw *ForwardAuth) HandleAuthentication(ctx context.Context, logger *logrus.Entry, state string, code string) (*AuthenticatationResult, error) {
var result AuthenticatationResult
logger = logger.WithField("FunctionSource", "HandleAuthentication")
oauth2Token, err := fw.OAuth2Config.Exchange(ctx, code)
if err != nil {
logger.Error(err.Error())
return &result, err
}
result, err = fw.VerifyToken(ctx, oauth2Token)
if err != nil {
logger.Error(err.Error())
return &result, err
}
logger.Info("Authentication was succesfully.")
return &result, nil
}
func (fw *ForwardAuth) IsAuthenticated(context context.Context, logger *logrus.Entry, w http.ResponseWriter, r *http.Request, options *options.Options) (*Claims, error) {
var claims Claims
logger = logger.WithField("FunctionSource", "IsAuthenticated")
// Check if we have an Auth cookie
cookie, err := fw.GetAuthCookie(r)
if err != nil {
logger.Error(err.Error())
return &claims, err
}
// check if the token is valid
idToken, err := fw.OidcVefifier.Verify(context, cookie.Value)
switch {
case err == nil: // Token is valid
logger.Info("Received valid token.")
claims = Claims{}
if err := idToken.Claims(&claims); err != nil {
logger.Error(err.Error())
return &claims, err
}
return &claims, nil
// Todo: Updating the cookies does sadly not work here
case strings.Contains(err.Error(), "expired"): // Token is expired
logger.Info("Received expired token, trying to refesh it.")
refreshCookie, err := fw.GetRefreshAuthCookie(r)
if err != nil {
logger.Error(err.Error())
return &claims, err
}
result, err := fw.RefreshToken(context, refreshCookie.Value)
if err != nil {
logger.Error(err.Error())
return &claims, err
}
http.SetCookie(w, fw.MakeAuthCookie(options, result))
if len(result.RefreshToken) > 0 { // Do we have an refresh token?
http.SetCookie(w, fw.MakeRefreshAuthCookie(options, result))
}
return result.IDTokenClaims, nil
case err != nil: // Other error
logger.Error(err.Error())
return &claims, err
default:
logger.Error("default case, should not happen")
return &claims, errors.New("default case")
}
}
Reference in a new issue View git blame Copy permalink