mirror of
https://github.com/casdoor/casdoor.git
synced 2025-05-22 18:25:47 +08:00
201 lines
6.9 KiB
Go
201 lines
6.9 KiB
Go
// Copyright 2022 The Casdoor Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package idp
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
type OktaIdProvider struct {
|
|
Client *http.Client
|
|
Config *oauth2.Config
|
|
Host string
|
|
}
|
|
|
|
func NewOktaIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *OktaIdProvider {
|
|
idp := &OktaIdProvider{}
|
|
|
|
config := idp.getConfig(hostUrl, clientId, clientSecret, redirectUrl)
|
|
config.ClientID = clientId
|
|
config.ClientSecret = clientSecret
|
|
config.RedirectURL = redirectUrl
|
|
idp.Config = config
|
|
idp.Host = hostUrl
|
|
return idp
|
|
}
|
|
|
|
func (idp *OktaIdProvider) SetHttpClient(client *http.Client) {
|
|
idp.Client = client
|
|
}
|
|
|
|
func (idp *OktaIdProvider) getConfig(hostUrl string, clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
|
|
endpoint := oauth2.Endpoint{
|
|
TokenURL: fmt.Sprintf("%s/v1/token", hostUrl),
|
|
AuthURL: fmt.Sprintf("%s/v1/authorize", hostUrl),
|
|
}
|
|
|
|
config := &oauth2.Config{
|
|
// openid is required for authentication requests
|
|
// get more details via: https://developer.okta.com/docs/reference/api/oidc/#reserved-scopes
|
|
Scopes: []string{"openid", "profile", "email"},
|
|
Endpoint: endpoint,
|
|
ClientID: clientId,
|
|
ClientSecret: clientSecret,
|
|
RedirectURL: redirectUrl,
|
|
}
|
|
|
|
return config
|
|
}
|
|
|
|
// get more details via: https://developer.okta.com/docs/reference/api/oidc/#token
|
|
/*
|
|
{
|
|
"access_token" : "eyJhbGciOiJSUzI1NiJ9.eyJ2ZXIiOjEsImlzcyI6Imh0dHA6Ly9yYWluLm9rdGExLmNvbToxODAyIiwiaWF0IjoxNDQ5Nj
|
|
I0MDI2LCJleHAiOjE0NDk2Mjc2MjYsImp0aSI6IlVmU0lURzZCVVNfdHA3N21BTjJxIiwic2NvcGVzIjpbIm9wZW5pZCIsI
|
|
mVtYWlsIl0sImNsaWVudF9pZCI6InVBYXVub2ZXa2FESnh1a0NGZUJ4IiwidXNlcl9pZCI6IjAwdWlkNEJ4WHc2STZUVjRt
|
|
MGczIn0.HaBu5oQxdVCIvea88HPgr2O5evqZlCT4UXH4UKhJnZ5px-ArNRqwhxXWhHJisslswjPpMkx1IgrudQIjzGYbtLF
|
|
jrrg2ueiU5-YfmKuJuD6O2yPWGTsV7X6i7ABT6P-t8PRz_RNbk-U1GXWIEkNnEWbPqYDAm_Ofh7iW0Y8WDA5ez1jbtMvd-o
|
|
XMvJLctRiACrTMLJQ2e5HkbUFxgXQ_rFPNHJbNSUBDLqdi2rg_ND64DLRlXRY7hupNsvWGo0gF4WEUk8IZeaLjKw8UoIs-E
|
|
TEwJlAMcvkhoVVOsN5dPAaEKvbyvPC1hUGXb4uuThlwdD3ECJrtwgKqLqcWonNtiw",
|
|
"token_type" : "Bearer",
|
|
"expires_in" : 3600,
|
|
"scope" : "openid email",
|
|
"refresh_token" : "a9VpZDRCeFh3Nkk2VdY",
|
|
"id_token" : "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHVpZDRCeFh3Nkk2VFY0bTBnMyIsImVtYWlsIjoid2VibWFzdGVyQGNsb3VkaXR1ZG
|
|
UubmV0IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInZlciI6MSwiaXNzIjoiaHR0cDovL3JhaW4ub2t0YTEuY29tOjE4MDIiLCJsb
|
|
2dpbiI6ImFkbWluaXN0cmF0b3IxQGNsb3VkaXR1ZGUubmV0IiwiYXVkIjoidUFhdW5vZldrYURKeHVrQ0ZlQngiLCJpYXQiOjE0
|
|
NDk2MjQwMjYsImV4cCI6MTQ0OTYyNzYyNiwiYW1yIjpbInB3ZCJdLCJqdGkiOiI0ZUFXSk9DTUIzU1g4WGV3RGZWUiIsImF1dGh
|
|
fdGltZSI6MTQ0OTYyNDAyNiwiYXRfaGFzaCI6ImNwcUtmZFFBNWVIODkxRmY1b0pyX1EifQ.Btw6bUbZhRa89DsBb8KmL9rfhku
|
|
--_mbNC2pgC8yu8obJnwO12nFBepui9KzbpJhGM91PqJwi_AylE6rp-ehamfnUAO4JL14PkemF45Pn3u_6KKwxJnxcWxLvMuuis
|
|
nvIs7NScKpOAab6ayZU0VL8W6XAijQmnYTtMWQfSuaaR8rYOaWHrffh3OypvDdrQuYacbkT0csxdrayXfBG3UF5-ZAlhfch1fhF
|
|
T3yZFdWwzkSDc0BGygfiFyNhCezfyT454wbciSZgrA9ROeHkfPCaX7KCFO8GgQEkGRoQntFBNjluFhNLJIUkEFovEDlfuB4tv_M
|
|
8BM75celdy3jkpOurg"
|
|
}
|
|
*/
|
|
|
|
type OktaToken struct {
|
|
AccessToken string `json:"access_token"`
|
|
TokenType string `json:"token_type"`
|
|
ExpiresIn int `json:"expires_in"`
|
|
Scope string `json:"scope"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
IdToken string `json:"id_token"`
|
|
}
|
|
|
|
// GetToken use code to get access_token
|
|
// get more details via: https://developer.okta.com/docs/reference/api/oidc/#token
|
|
func (idp *OktaIdProvider) GetToken(code string) (*oauth2.Token, error) {
|
|
payload := url.Values{}
|
|
payload.Set("code", code)
|
|
payload.Set("grant_type", "authorization_code")
|
|
payload.Set("client_id", idp.Config.ClientID)
|
|
payload.Set("client_secret", idp.Config.ClientSecret)
|
|
payload.Set("redirect_uri", idp.Config.RedirectURL)
|
|
resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
data, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pToken := &OktaToken{}
|
|
err = json.Unmarshal(data, pToken)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
|
|
}
|
|
|
|
token := &oauth2.Token{
|
|
AccessToken: pToken.AccessToken,
|
|
TokenType: "Bearer",
|
|
RefreshToken: pToken.RefreshToken,
|
|
Expiry: time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
|
|
}
|
|
return token, nil
|
|
}
|
|
|
|
// get more details via: https://developer.okta.com/docs/reference/api/oidc/#userinfo
|
|
/*
|
|
{
|
|
"sub": "00uid4BxXw6I6TV4m0g3",
|
|
"name" :"John Doe",
|
|
"nickname":"Jimmy",
|
|
"given_name":"John",
|
|
"middle_name":"James",
|
|
"family_name":"Doe",
|
|
"profile":"https://example.com/john.doe",
|
|
"zoneinfo":"America/Los_Angeles",
|
|
"locale":"en-US",
|
|
"updated_at":1311280970,
|
|
"email":"john.doe@example.com",
|
|
"email_verified":true,
|
|
"address" : { "street_address":"123 Hollywood Blvd.", "locality":"Los Angeles", "region":"CA", "postal_code":"90210", "country":"US" },
|
|
"phone_number":"+1 (425) 555-1212"
|
|
}
|
|
*/
|
|
|
|
type OktaUserInfo struct {
|
|
Email string `json:"email"`
|
|
Name string `json:"name"`
|
|
PreferredUsername string `json:"preferred_username"`
|
|
Picture string `json:"picture"`
|
|
Sub string `json:"sub"`
|
|
}
|
|
|
|
// GetUserInfo use token to get user profile
|
|
// get more details via: https://developer.okta.com/docs/reference/api/oidc/#userinfo
|
|
func (idp *OktaIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
|
|
req, err := http.NewRequest("GET", fmt.Sprintf("%s/v1/userinfo", idp.Host), nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token.AccessToken))
|
|
req.Header.Add("Accept", "application/json")
|
|
resp, err := idp.Client.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var oktaUserInfo OktaUserInfo
|
|
err = json.Unmarshal(body, &oktaUserInfo)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userInfo := UserInfo{
|
|
Id: oktaUserInfo.Sub,
|
|
Username: oktaUserInfo.PreferredUsername,
|
|
DisplayName: oktaUserInfo.Name,
|
|
Email: oktaUserInfo.Email,
|
|
AvatarUrl: oktaUserInfo.Picture,
|
|
}
|
|
return &userInfo, nil
|
|
}
|