0879c88399
* feat(op): user slog for logging integrate with golang.org/x/exp/slog for logging. provide a middleware for request scoped logging. BREAKING CHANGES: 1. OpenIDProvider and sub-interfaces get a Logger() method to return the configured logger; 2. AuthRequestError now takes the complete Authorizer, instead of only the encoder. So that it may use its Logger() method. 3. RequestError now takes a Logger as argument. * use zitadel/logging * finish op and testing without middleware for now * minimum go version 1.19 * update go mod * log value testing only on go 1.20 or later * finish the RP and example * ping logging release
63 lines
2.1 KiB
Go
63 lines
2.1 KiB
Go
package rp
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/client"
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
)
|
|
|
|
func newDeviceClientCredentialsRequest(scopes []string, rp RelyingParty) (*oidc.ClientCredentialsRequest, error) {
|
|
confg := rp.OAuthConfig()
|
|
req := &oidc.ClientCredentialsRequest{
|
|
Scope: scopes,
|
|
ClientID: confg.ClientID,
|
|
ClientSecret: confg.ClientSecret,
|
|
}
|
|
|
|
if signer := rp.Signer(); signer != nil {
|
|
assertion, err := client.SignedJWTProfileAssertion(rp.OAuthConfig().ClientID, []string{rp.Issuer()}, time.Hour, signer)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to build assertion: %w", err)
|
|
}
|
|
req.ClientAssertion = assertion
|
|
req.ClientAssertionType = oidc.ClientAssertionTypeJWTAssertion
|
|
}
|
|
|
|
return req, nil
|
|
}
|
|
|
|
// DeviceAuthorization starts a new Device Authorization flow as defined
|
|
// in RFC 8628, section 3.1 and 3.2:
|
|
// https://www.rfc-editor.org/rfc/rfc8628#section-3.1
|
|
func DeviceAuthorization(ctx context.Context, scopes []string, rp RelyingParty, authFn any) (*oidc.DeviceAuthorizationResponse, error) {
|
|
ctx = logCtxWithRPData(ctx, rp, "function", "DeviceAuthorization")
|
|
req, err := newDeviceClientCredentialsRequest(scopes, rp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return client.CallDeviceAuthorizationEndpoint(ctx, req, rp, authFn)
|
|
}
|
|
|
|
// DeviceAccessToken attempts to obtain tokens from a Device Authorization,
|
|
// by means of polling as defined in RFC, section 3.3 and 3.4:
|
|
// https://www.rfc-editor.org/rfc/rfc8628#section-3.4
|
|
func DeviceAccessToken(ctx context.Context, deviceCode string, interval time.Duration, rp RelyingParty) (resp *oidc.AccessTokenResponse, err error) {
|
|
ctx = logCtxWithRPData(ctx, rp, "function", "DeviceAccessToken")
|
|
req := &client.DeviceAccessTokenRequest{
|
|
DeviceAccessTokenRequest: oidc.DeviceAccessTokenRequest{
|
|
GrantType: oidc.GrantTypeDeviceCode,
|
|
DeviceCode: deviceCode,
|
|
},
|
|
}
|
|
|
|
req.ClientCredentialsRequest, err = newDeviceClientCredentialsRequest(nil, rp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return client.PollDeviceAccessTokenEndpoint(ctx, interval, req, tokenEndpointCaller{rp})
|
|
}
|