mirror of
https://github.com/casdoor/casdoor.git
synced 2025-05-23 02:35:49 +08:00
d1f88ca9b8
* feat: add google one tap support * feat: gofumpt * feat: add google provider rule conf * feat: update i18n
179 lines
5.3 KiB
Go
179 lines
5.3 KiB
Go
// Copyright 2021 The Casdoor Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package idp
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/casdoor/casdoor/util"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
const GoogleIdTokenKey = "GoogleIdToken"
|
|
|
|
type GoogleIdProvider struct {
|
|
Client *http.Client
|
|
Config *oauth2.Config
|
|
}
|
|
|
|
// https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint
|
|
type GoogleIdToken struct {
|
|
// These six fields are included in all Google ID Tokens.
|
|
Iss string `json:"iss"` // The issuer, or signer, of the token. For Google-signed ID tokens, this value is https://accounts.google.com.
|
|
Sub string `json:"sub"` // The subject: the ID that represents the principal making the request.
|
|
Azp string `json:"azp"` // Optional. Who the token was issued to. Here is the ClientID
|
|
Aud string `json:"aud"` // The audience of the token. Here is the ClientID
|
|
Iat string `json:"iat"` // Unix epoch time when the token was issued.
|
|
Exp string `json:"exp"` // Unix epoch time when the token expires.
|
|
// These seven fields are only included when the user has granted the "profile" and "email" OAuth scopes to the application.
|
|
Email string `json:"email"`
|
|
EmailVerified string `json:"email_verified"`
|
|
Name string `json:"name"`
|
|
Picture string `json:"picture"`
|
|
GivenName string `json:"given_name"`
|
|
FamilyName string `json:"family_name"`
|
|
Locale string `json:"locale"`
|
|
}
|
|
|
|
func NewGoogleIdProvider(clientId string, clientSecret string, redirectUrl string) *GoogleIdProvider {
|
|
idp := &GoogleIdProvider{}
|
|
|
|
config := idp.getConfig()
|
|
config.ClientID = clientId
|
|
config.ClientSecret = clientSecret
|
|
config.RedirectURL = redirectUrl
|
|
idp.Config = config
|
|
|
|
return idp
|
|
}
|
|
|
|
func (idp *GoogleIdProvider) SetHttpClient(client *http.Client) {
|
|
idp.Client = client
|
|
}
|
|
|
|
func (idp *GoogleIdProvider) getConfig() *oauth2.Config {
|
|
endpoint := oauth2.Endpoint{
|
|
AuthURL: "https://accounts.google.com/o/oauth2/auth",
|
|
TokenURL: "https://accounts.google.com/o/oauth2/token",
|
|
}
|
|
|
|
config := &oauth2.Config{
|
|
Scopes: []string{"profile", "email"},
|
|
Endpoint: endpoint,
|
|
}
|
|
|
|
return config
|
|
}
|
|
|
|
func (idp *GoogleIdProvider) GetToken(code string) (*oauth2.Token, error) {
|
|
// Obtained the GoogleIdToken through Google OneTap authorization.
|
|
if strings.HasPrefix(code, GoogleIdTokenKey) {
|
|
code = strings.TrimPrefix(code, GoogleIdTokenKey+"-")
|
|
var googleIdToken GoogleIdToken
|
|
if err := json.Unmarshal([]byte(code), &googleIdToken); err != nil {
|
|
return nil, err
|
|
}
|
|
expiry := int64(util.ParseInt(googleIdToken.Exp))
|
|
token := &oauth2.Token{
|
|
AccessToken: fmt.Sprintf("%v-%v", GoogleIdTokenKey, googleIdToken.Sub),
|
|
TokenType: "Bearer",
|
|
Expiry: time.Unix(expiry, 0),
|
|
}
|
|
token = token.WithExtra(map[string]interface{}{
|
|
GoogleIdTokenKey: googleIdToken,
|
|
})
|
|
return token, nil
|
|
}
|
|
|
|
ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
|
|
return idp.Config.Exchange(ctx, code)
|
|
}
|
|
|
|
//{
|
|
// "id": "110613473084924141234",
|
|
// "email": "jimgreen@gmail.com",
|
|
// "verified_email": true,
|
|
// "name": "Jim Green",
|
|
// "given_name": "Jim",
|
|
// "family_name": "Green",
|
|
// "picture": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
|
|
// "locale": "en"
|
|
//}
|
|
|
|
type GoogleUserInfo struct {
|
|
Id string `json:"id"`
|
|
Email string `json:"email"`
|
|
VerifiedEmail bool `json:"verified_email"`
|
|
Name string `json:"name"`
|
|
GivenName string `json:"given_name"`
|
|
FamilyName string `json:"family_name"`
|
|
Picture string `json:"picture"`
|
|
Locale string `json:"locale"`
|
|
}
|
|
|
|
func (idp *GoogleIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
|
|
if strings.HasPrefix(token.AccessToken, GoogleIdTokenKey) {
|
|
googleIdToken, ok := token.Extra(GoogleIdTokenKey).(GoogleIdToken)
|
|
if !ok {
|
|
return nil, errors.New("invalid googleIdToken")
|
|
}
|
|
userInfo := UserInfo{
|
|
Id: googleIdToken.Sub,
|
|
Username: googleIdToken.Email,
|
|
DisplayName: googleIdToken.Name,
|
|
Email: googleIdToken.Email,
|
|
AvatarUrl: googleIdToken.Picture,
|
|
}
|
|
return &userInfo, nil
|
|
}
|
|
url := fmt.Sprintf("https://www.googleapis.com/oauth2/v2/userinfo?alt=json&access_token=%s", token.AccessToken)
|
|
resp, err := idp.Client.Get(url)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var googleUserInfo GoogleUserInfo
|
|
err = json.Unmarshal(body, &googleUserInfo)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if googleUserInfo.Email == "" {
|
|
return nil, errors.New("google email is empty")
|
|
}
|
|
|
|
userInfo := UserInfo{
|
|
Id: googleUserInfo.Id,
|
|
Username: googleUserInfo.Email,
|
|
DisplayName: googleUserInfo.Name,
|
|
Email: googleUserInfo.Email,
|
|
AvatarUrl: googleUserInfo.Picture,
|
|
}
|
|
return &userInfo, nil
|
|
}
|