From 98f6cc00854478fd5680bf6f41d9842c687c68c2 Mon Sep 17 00:00:00 2001 From: Steve0x2a Date: Wed, 15 Dec 2021 21:42:16 +0800 Subject: [PATCH] feat: add OIDC feature support. (#373) 1. add nonce parameter. 2. add sub in userinfo endpoint. Signed-off-by: 0x2a --- controllers/account.go | 11 +++++++++-- controllers/auth.go | 4 ++-- controllers/token.go | 3 ++- object/token.go | 4 ++-- object/token_jwt.go | 6 ++++-- web/src/auth/AuthBackend.js | 2 +- web/src/auth/Util.js | 2 ++ 7 files changed, 22 insertions(+), 10 deletions(-) diff --git a/controllers/account.go b/controllers/account.go index 0fb51cd4..ea79e9a2 100644 --- a/controllers/account.go +++ b/controllers/account.go @@ -61,6 +61,7 @@ type RequestForm struct { type Response struct { Status string `json:"status"` Msg string `json:"msg"` + Sub string `json:"sub"` Data interface{} `json:"data"` Data2 interface{} `json:"data2"` } @@ -217,8 +218,14 @@ func (c *ApiController) GetAccount() { } organization := object.GetMaskedOrganization(object.GetOrganizationByUser(user)) - - c.ResponseOk(user, organization) + resp := Response{ + Status: "ok", + Sub: userId, + Data: user, + Data2: organization, + } + c.Data["json"] = resp + c.ServeJSON() } // GetHumanCheck ... diff --git a/controllers/auth.go b/controllers/auth.go index 186de111..442c5c59 100644 --- a/controllers/auth.go +++ b/controllers/auth.go @@ -51,8 +51,8 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob redirectUri := c.Input().Get("redirectUri") scope := c.Input().Get("scope") state := c.Input().Get("state") - - code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state) + nonce := c.Input().Get("nonce") + code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce) resp = codeToResponse(code) if application.HasPromptPage() { diff --git a/controllers/token.go b/controllers/token.go index 706406e6..4cc4e17f 100644 --- a/controllers/token.go +++ b/controllers/token.go 
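Review bot: The new `Sub` field on Response carries no `omitempty`, so every response built from this struct — including ones that have no subject at all — now serializes `"sub":""`. Only GetAccount in this commit fills the field, so tag it `json:"sub,omitempty"` to keep an empty string from being read by clients as a real subject identifier. The struct is fully visible in the hunk; its other fields are unchanged.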
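Review bot: The userinfo `sub` is set from `userId` here, while the token claims in object/token_jwt.go in this same patch set `Subject: user.Id`; OpenID Connect requires a client to reject a userinfo response whose `sub` differs from the ID token's, so if `userId` is anything other than `user.Id` (its origin is outside this hunk) conforming clients will fail after login. Use the same value at both sites, `Sub: user.Id,`, or derive both from one place. The hand-built Response also duplicates what `c.ResponseOk(user, organization)` produced, leaving the `"ok"` status string in two places; a small variant of that helper taking the subject would avoid the drift. GetAccount starts before this hunk.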
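Review bot: `nonce` is taken straight from the query and, via `object.GetOAuthCode` and `generateJwtToken` (object/token.go and object/token_jwt.go in this patch), is copied verbatim into the signed token with no length or character check, so the caller controls an unbounded string in every token issued for this code. OpenID Connect treats the nonce as an opaque client-chosen value, so a size bound before it reaches `GetOAuthCode` — e.g. rejecting the request when `len(nonce) > maxNonceLen`, with maxNonceLen a constant of your choosing — is sufficient; the same applies to the matching read in the controllers/token.go GetOAuthCode handler. HandleLoggedIn starts and ends outside this hunk.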
@@ -136,8 +136,9 @@ func (c *ApiController) GetOAuthCode() { redirectUri := c.Input().Get("redirect_uri") scope := c.Input().Get("scope") state := c.Input().Get("state") + nonce := c.Input().Get("nonce") - c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state) + c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce) c.ServeJSON() } diff --git a/object/token.go b/object/token.go index fc68dc9e..2702e595 100644 --- a/object/token.go +++ b/object/token.go @@ -175,7 +175,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s return "", application } -func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string) *Code { +func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string) *Code { user := GetUser(userId) if user == nil { return &Code{ @@ -192,7 +192,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU } } - accessToken, err := generateJwtToken(application, user) + accessToken, err := generateJwtToken(application, user, nonce) if err != nil { panic(err) } diff --git a/object/token_jwt.go b/object/token_jwt.go index d0cdda03..f3c26a9c 100644 --- a/object/token_jwt.go +++ b/object/token_jwt.go @@ -31,17 +31,19 @@ var tokenJwtPrivateKey string type Claims struct { User + Nonce string `json:"nonce,omitempty"` jwt.RegisteredClaims } -func generateJwtToken(application *Application, user *User) (string, error) { +func generateJwtToken(application *Application, user *User, nonce string) (string, error) { nowTime := time.Now() expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour) user.Password = "" claims := Claims{ - User: *user, + User: *user, + Nonce: nonce, RegisteredClaims: jwt.RegisteredClaims{ Issuer: beego.AppConfig.String("origin"), Subject: user.Id, 
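Review bot: The new `Nonce` claim in Claims has no comment saying why an authorization-request value is echoed into the token, and nothing in this patch reads it back, so the next maintainer has no way to tell it is deliberate. Suggested: `// Nonce echoes the nonce from the authorization request unchanged so the client can bind the token to the session that started the flow (OpenID Connect); omitted when the request carried none.` Note that `omitempty` drops the claim only for an empty string, so a request sending `nonce=` and one sending no nonce produce the same token, which is acceptable under the spec but worth stating. generateJwtToken's body continues past the end of the hunk.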
diff --git a/web/src/auth/AuthBackend.js b/web/src/auth/AuthBackend.js index 16c2a54e..708de631 100644 --- a/web/src/auth/AuthBackend.js +++ b/web/src/auth/AuthBackend.js @@ -44,7 +44,7 @@ function oAuthParamsToQuery(oAuthParams) { } // code - return `?clientId=${oAuthParams.clientId}&responseType=${oAuthParams.responseType}&redirectUri=${oAuthParams.redirectUri}&scope=${oAuthParams.scope}&state=${oAuthParams.state}`; + return `?clientId=${oAuthParams.clientId}&responseType=${oAuthParams.responseType}&redirectUri=${oAuthParams.redirectUri}&scope=${oAuthParams.scope}&state=${oAuthParams.state}&nonce=${oAuthParams.nonce}`; } export function getApplicationLogin(oAuthParams) { diff --git a/web/src/auth/Util.js b/web/src/auth/Util.js index 89751c7b..44b7c169 100644 --- a/web/src/auth/Util.js +++ b/web/src/auth/Util.js @@ -82,6 +82,7 @@ export function getOAuthGetParameters(params) { const redirectUri = queries.get("redirect_uri"); const scope = queries.get("scope"); const state = queries.get("state"); + const nonce = queries.get("nonce") if (clientId === undefined || clientId === null) { // login @@ -94,6 +95,7 @@ export function getOAuthGetParameters(params) { redirectUri: redirectUri, scope: scope, state: state, + nonce: nonce, }; } }
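Review bot: `${oAuthParams.nonce}` is interpolated unconditionally, and Util.js in this same patch sets `nonce` from `queries.get("nonce")`, which is `null` when the parameter is absent, so an ordinary login now sends `&nonce=null` and the server embeds the literal string "null" as the token's nonce claim. Append the parameter only when a value is present and URL-encode it: `const nonce = oAuthParams.nonce ? "&nonce=" + encodeURIComponent(oAuthParams.nonce) : "";` and end the template with `...&state=${oAuthParams.state}${nonce}`. The other parameters on this line share the missing encoding, but that predates the change. oAuthParamsToQuery starts before this hunk.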
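Review bot: `const nonce = queries.get("nonce")` is the only declaration in this block without a trailing semicolon; the neighbouring `scope` and `state` lines all end with one, so write `const nonce = queries.get("nonce");` to match. getOAuthGetParameters starts before this hunk and continues after it.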