wg-portal/internal/app/auth/auth_oidc.go

package auth

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/h44z/wg-portal/internal/config"
	"github.com/h44z/wg-portal/internal/domain"
	"github.com/sirupsen/logrus"
	"golang.org/x/oauth2"
)

type OidcAuthenticator struct {
	name                string
	provider            *oidc.Provider
	verifier            *oidc.IDTokenVerifier
	cfg                 *oauth2.Config
	userInfoMapping     config.OauthFields
	userAdminMapping    *config.OauthAdminMapping
	registrationEnabled bool
	userInfoLogging     bool
}

func newOidcAuthenticator(
	_ context.Context,
	callbackUrl string,
	cfg *config.OpenIDConnectProvider,
) (*OidcAuthenticator, error) {
	var err error
	var provider = &OidcAuthenticator{}

	provider.name = cfg.ProviderName
	provider.provider, err = oidc.NewProvider(context.Background(),
		cfg.BaseUrl) // use new context here, see https://github.com/coreos/go-oidc/issues/339
	if err != nil {
		return nil, fmt.Errorf("failed to create new oidc provider: %w", err)
	}
	provider.verifier = provider.provider.Verifier(&oidc.Config{
		ClientID: cfg.ClientID,
	})

	scopes := []string{oidc.ScopeOpenID}
	scopes = append(scopes, cfg.ExtraScopes...)
	provider.cfg = &oauth2.Config{
		ClientID:     cfg.ClientID,
		ClientSecret: cfg.ClientSecret,
		Endpoint:     provider.provider.Endpoint(),
		RedirectURL:  callbackUrl,
		Scopes:       scopes,
	}
	provider.userInfoMapping = getOauthFieldMapping(cfg.FieldMap)
	provider.userAdminMapping = &cfg.AdminMapping
	provider.registrationEnabled = cfg.RegistrationEnabled
	provider.userInfoLogging = cfg.LogUserInfo

	return provider, nil
}

func (o OidcAuthenticator) GetName() string {
	return o.name
}

func (o OidcAuthenticator) RegistrationEnabled() bool {
	return o.registrationEnabled
}

func (o OidcAuthenticator) GetType() domain.AuthenticatorType {
	return domain.AuthenticatorTypeOidc
}

func (o OidcAuthenticator) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
	return o.cfg.AuthCodeURL(state, opts...)
}

func (o OidcAuthenticator) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (
	*oauth2.Token,
	error,
) {
	return o.cfg.Exchange(ctx, code, opts...)
}

func (o OidcAuthenticator) GetUserInfo(ctx context.Context, token *oauth2.Token, nonce string) (
	map[string]interface{},
	error,
) {
	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		return nil, errors.New("token does not contain id_token")
	}
	idToken, err := o.verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, fmt.Errorf("failed to validate id_token: %w", err)
	}
	if idToken.Nonce != nonce {
		return nil, errors.New("nonce mismatch")
	}

	var tokenFields map[string]interface{}
	if err = idToken.Claims(&tokenFields); err != nil {
		return nil, fmt.Errorf("failed to parse extra claims: %w", err)
	}

	if o.userInfoLogging {
		contents, _ := json.Marshal(tokenFields)
		logrus.Tracef("User info from OIDC source %s: %v", o.name, string(contents))
	}

	return tokenFields, nil
}

func (o OidcAuthenticator) ParseUserInfo(raw map[string]interface{}) (*domain.AuthenticatorUserInfo, error) {
	return parseOauthUserInfo(o.userInfoMapping, o.userAdminMapping, raw)
}
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`package auth`

			`import (`
			`"context"`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`"encoding/json"`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`"errors"`
			`"fmt"`

			`"github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/h44z/wg-portal/internal/config"`
			`"github.com/h44z/wg-portal/internal/domain"`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`"github.com/sirupsen/logrus"`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`"golang.org/x/oauth2"`
			`)`

			`type OidcAuthenticator struct {`
			`name string`
			`provider *oidc.Provider`
			`verifier *oidc.IDTokenVerifier`
			`cfg *oauth2.Config`
			`userInfoMapping config.OauthFields`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`userAdminMapping *config.OauthAdminMapping`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`registrationEnabled bool`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`userInfoLogging bool`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`}`

Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`func newOidcAuthenticator(`
			`_ context.Context,`
			`callbackUrl string,`
			`cfg *config.OpenIDConnectProvider,`
			`) (*OidcAuthenticator, error) {`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`var err error`
			`var provider = &OidcAuthenticator{}`

			`provider.name = cfg.ProviderName`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`provider.provider, err = oidc.NewProvider(context.Background(),`
			`cfg.BaseUrl) // use new context here, see https://github.com/coreos/go-oidc/issues/339`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("failed to create new oidc provider: %w", err)`
			`}`
			`provider.verifier = provider.provider.Verifier(&oidc.Config{`
			`ClientID: cfg.ClientID,`
			`})`

			`scopes := []string{oidc.ScopeOpenID}`
			`scopes = append(scopes, cfg.ExtraScopes...)`
			`provider.cfg = &oauth2.Config{`
			`ClientID: cfg.ClientID,`
			`ClientSecret: cfg.ClientSecret,`
			`Endpoint: provider.provider.Endpoint(),`
			`RedirectURL: callbackUrl,`
			`Scopes: scopes,`
			`}`
			`provider.userInfoMapping = getOauthFieldMapping(cfg.FieldMap)`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`provider.userAdminMapping = &cfg.AdminMapping`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`provider.registrationEnabled = cfg.RegistrationEnabled`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`provider.userInfoLogging = cfg.LogUserInfo`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00
			`return provider, nil`
			`}`

			`func (o OidcAuthenticator) GetName() string {`
			`return o.name`
			`}`

			`func (o OidcAuthenticator) RegistrationEnabled() bool {`
			`return o.registrationEnabled`
			`}`

			`func (o OidcAuthenticator) GetType() domain.AuthenticatorType {`
			`return domain.AuthenticatorTypeOidc`
			`}`

			`func (o OidcAuthenticator) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {`
			`return o.cfg.AuthCodeURL(state, opts...)`
			`}`

Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`func (o OidcAuthenticator) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (`
			`*oauth2.Token,`
			`error,`
			`) {`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`return o.cfg.Exchange(ctx, code, opts...)`
			`}`

Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`func (o OidcAuthenticator) GetUserInfo(ctx context.Context, token *oauth2.Token, nonce string) (`
			`map[string]interface{},`
			`error,`
			`) {`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`rawIDToken, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`return nil, errors.New("token does not contain id_token")`
			`}`
			`idToken, err := o.verifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to validate id_token: %w", err)`
			`}`
			`if idToken.Nonce != nonce {`
			`return nil, errors.New("nonce mismatch")`
			`}`

			`var tokenFields map[string]interface{}`
			`if err = idToken.Claims(&tokenFields); err != nil {`
			`return nil, fmt.Errorf("failed to parse extra claims: %w", err)`
			`}`

Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`if o.userInfoLogging {`
			`contents, _ := json.Marshal(tokenFields)`
			`logrus.Tracef("User info from OIDC source %s: %v", o.name, string(contents))`
			`}`

V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`return tokenFields, nil`
			`}`

			`func (o OidcAuthenticator) ParseUserInfo(raw map[string]interface{}) (*domain.AuthenticatorUserInfo, error) {`
Improve admin privilege handling for OAuth. Update documentation. 2025-01-18 10:55:56 +00:00			`return parseOauthUserInfo(o.userInfoMapping, o.userAdminMapping, raw)`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`}`