baisc structure and server begin server impl

2019-11-18 15:37:48 +01:00 · 2019-11-18 15:37:48 +01:00 · f6ba7ab75e
commit f6ba7ab75e
parent 26bd873f4e
17 changed files with 575 additions and 0 deletions
--- a/pkg/oidc/authorization.go
+++ b/pkg/oidc/authorization.go
@ -0,0 +1,50 @@
+package oidc
+
+import (
+	"golang.org/x/text/language"
+)
+
+const (
+	ResponseTypeCode        = "code"
+	ResponseTypeIDToken     = "id_token token"
+	ResponseTypeIDTokenOnly = "id_token"
+
+	DisplayPage  = "page"
+	DisplayPopup = "popup"
+	DisplayTouch = "touch"
+	DisplayWAP   = "wap"
+
+	PromptNone          = "none"
+	PromptLogin         = "login"
+	PromptConsent       = "consent"
+	PromptSelectAccount = "select_account"
+)
+
+//AuthRequest according to:
+//https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+//
+type AuthRequest struct {
+	Scopes       []string     `schema:"scope"`
+	ResponseType ResponseType `schema:"response_type"`
+	ClientID     string
+	RedirectURI  string //TODO: type
+
+	State string
+
+	// ResponseMode TODO: ?
+
+	Nonce       string
+	Display     Display
+	Prompt      Prompt
+	MaxAge      uint32
+	UILocales   []language.Tag
+	IDTokenHint string
+	LoginHint   string
+	ACRValues   []string
+}
+
+type ResponseType string
+
+type Display string
+
+type Prompt string
--- a/pkg/oidc/client_credentials.go
+++ b/pkg/oidc/client_credentials.go
@ -0,0 +1,33 @@
+package oidc
+
+import "strings"
+
+type clientCredentialsGrantBasic struct {
+	grantType string `schema:"grant_type"`
+	scope     string `schema:"scope"`
+}
+
+type clientCredentialsGrant struct {
+	*clientCredentialsGrantBasic
+	clientID     string `schema:"client_id"`
+	clientSecret string `schema:"client_secret"`
+}
+
+//ClientCredentialsGrantBasic creates an oauth2 `Client Credentials` Grant
+//sneding client_id and client_secret as basic auth header
+func ClientCredentialsGrantBasic(scopes ...string) *clientCredentialsGrantBasic {
+	return &clientCredentialsGrantBasic{
+		grantType: "client_credentials",
+		scope:     strings.Join(scopes, " "),
+	}
+}
+
+//ClientCredentialsGrantValues creates an oauth2 `Client Credentials` Grant
+//sneding client_id and client_secret as form values
+func ClientCredentialsGrantValues(clientID, clientSecret string, scopes ...string) *clientCredentialsGrant {
+	return &clientCredentialsGrant{
+		clientCredentialsGrantBasic: ClientCredentialsGrantBasic(scopes...),
+		clientID:                    clientID,
+		clientSecret:                clientSecret,
+	}
+}
--- a/pkg/oidc/discovery.go
+++ b/pkg/oidc/discovery.go
@ -0,0 +1,24 @@
+package oidc
+
+const (
+	DiscoveryEndpoint = "/.well-known/openid-configuration"
+)
+
+type DiscoveryConfiguration struct {
+	Issuer                            string   `json:"issuer,omitempty"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint                     string   `json:"token_endpoint,omitempty"`
+	IntrospectionEndpoint             string   `json:"introspection_endpoint,omitempty"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint,omitempty"`
+	EndSessionEndpoint                string   `json:"end_session_endpoint,omitempty"`
+	CheckSessionIframe                string   `json:"check_session_iframe,omitempty"`
+	JwksURI                           string   `json:"jwks_uri,omitempty"`
+	ScopesSupported                   []string `json:"scopes_supported,omitempty"`
+	ResponseTypesSupported            []string `json:"response_types_supported,omitempty"`
+	ResponseModesSupported            []string `json:"response_modes_supported,omitempty"`
+	GrantTypesSupported               []string `json:"grant_types_supported,omitempty"`
+	SubjectTypesSupported             []string `json:"subject_types_supported,omitempty"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported,omitempty"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+	ClaimsSupported                   []string `json:"claims_supported,omitempty"`
+}
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -0,0 +1,84 @@
+package oidc
+
+import (
+	"encoding/json"
+	"time"
+
+	"golang.org/x/oauth2"
+	"gopkg.in/square/go-jose.v2"
+)
+
+type IDTokenClaims struct {
+	Issuer                              string    `json:"iss,omitempty"`
+	Subject                             string    `json:"sub,omitempty"`
+	Audiences                           []string  `json:"aud,omitempty"`
+	Expiration                          time.Time `json:"exp,omitempty"`
+	IssuedAt                            time.Time `json:"iat,omitempty"`
+	AuthTime                            time.Time `json:"auth_time,omitempty"`
+	Nonce                               string    `json:"nonce,omitempty"`
+	AuthenticationContextClassReference string    `json:"acr,omitempty"`
+	AuthenticationMethodsReferences     []string  `json:"amr,omitempty"`
+	AuthorizedParty                     string    `json:"azp,omitempty"`
+	AccessTokenHash                     string    `json:"at_hash,omitempty"`
+
+	Signature jose.SignatureAlgorithm //TODO: ???
+}
+
+func (t *IDTokenClaims) UnmarshalJSON(b []byte) error {
+	var i jsonIDToken
+	if err := json.Unmarshal(b, &i); err != nil {
+		return err
+	}
+	t.Issuer = i.Issuer
+	t.Subject = i.Subject
+	// t.Audiences = strings.Split(i.Audiences, " ")
+	t.Audiences = i.Audiences
+	t.Expiration = time.Unix(i.Expiration, 0).UTC()
+	t.IssuedAt = time.Unix(i.IssuedAt, 0).UTC()
+	t.AuthTime = time.Unix(i.AuthTime, 0).UTC()
+	t.Nonce = i.Nonce
+	t.AuthenticationContextClassReference = i.AuthenticationContextClassReference
+	t.AuthenticationMethodsReferences = i.AuthenticationMethodsReferences
+	t.AuthorizedParty = i.AuthorizedParty
+	t.AccessTokenHash = i.AccessTokenHash
+	return nil
+}
+
+func (t *IDTokenClaims) MarshalJSON() ([]byte, error) {
+	j := jsonIDToken{
+		Issuer:  t.Issuer,
+		Subject: t.Subject,
+		// Audiences:                           strings.Join(t.Audiences, " "),
+		Audiences:                           t.Audiences,
+		Expiration:                          t.Expiration.Unix(),
+		IssuedAt:                            t.IssuedAt.Unix(),
+		AuthTime:                            t.AuthTime.Unix(),
+		Nonce:                               t.Nonce,
+		AuthenticationContextClassReference: t.AuthenticationContextClassReference,
+		AuthenticationMethodsReferences:     t.AuthenticationMethodsReferences,
+		AuthorizedParty:                     t.AuthorizedParty,
+		AccessTokenHash:                     t.AccessTokenHash,
+	}
+	return json.Marshal(j)
+}
+
+// type jsonTime time.Time
+
+type jsonIDToken struct {
+	Issuer                              string   `json:"iss,omitempty"`
+	Subject                             string   `json:"sub,omitempty"`
+	Audiences                           []string `json:"aud,omitempty"`
+	Expiration                          int64    `json:"exp,omitempty"`
+	IssuedAt                            int64    `json:"iat,omitempty"`
+	AuthTime                            int64    `json:"auth_time,omitempty"`
+	Nonce                               string   `json:"nonce,omitempty"`
+	AuthenticationContextClassReference string   `json:"acr,omitempty"`
+	AuthenticationMethodsReferences     []string `json:"amr,omitempty"`
+	AuthorizedParty                     string   `json:"azp,omitempty"`
+	AccessTokenHash                     string   `json:"at_hash,omitempty"`
+}
+
+type Tokens struct {
+	*oauth2.Token
+	IDTokenClaims *IDTokenClaims
+}