2023-01-23 07:11:40 +00:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
|
2023-10-17 15:19:51 +00:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/client/rp"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
2023-11-13 08:25:26 +00:00
|
|
|
"golang.org/x/oauth2"
|
2023-01-23 07:11:40 +00:00
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/idp"
|
|
|
|
)
|
|
|
|
|
|
|
|
var _ idp.Provider = (*Provider)(nil)
|
|
|
|
|
|
|
|
// Provider is the [idp.Provider] implementation for a generic OIDC provider
|
|
|
|
type Provider struct {
|
|
|
|
rp.RelyingParty
|
|
|
|
options []rp.Option
|
|
|
|
name string
|
|
|
|
isLinkingAllowed bool
|
|
|
|
isCreationAllowed bool
|
|
|
|
isAutoCreation bool
|
|
|
|
isAutoUpdate bool
|
2023-03-16 15:47:22 +00:00
|
|
|
useIDToken bool
|
2023-03-28 11:28:56 +00:00
|
|
|
userInfoMapper func(info *oidc.UserInfo) idp.User
|
2023-11-13 08:25:26 +00:00
|
|
|
authOptions []func(bool) rp.AuthURLOpt
|
2023-01-23 07:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type ProviderOpts func(provider *Provider)
|
|
|
|
|
|
|
|
// WithLinkingAllowed allows end users to link the federated user to an existing one.
|
|
|
|
func WithLinkingAllowed() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.isLinkingAllowed = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// WithCreationAllowed allows end users to create a new user using the federated information.
|
|
|
|
func WithCreationAllowed() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.isCreationAllowed = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// WithAutoCreation enables that federated users are automatically created if not already existing.
|
|
|
|
func WithAutoCreation() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.isAutoCreation = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// WithAutoUpdate enables that information retrieved from the provider is automatically used to update
|
|
|
|
// the existing user on each authentication.
|
|
|
|
func WithAutoUpdate() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.isAutoUpdate = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-16 15:47:22 +00:00
|
|
|
// WithIDTokenMapping enables that information to map the user is retrieved from the id_token and not the userinfo endpoint.
|
|
|
|
func WithIDTokenMapping() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.useIDToken = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-23 07:11:40 +00:00
|
|
|
// WithRelyingPartyOption allows to set an additional [rp.Option] like [rp.WithPKCE].
|
|
|
|
func WithRelyingPartyOption(option rp.Option) ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
p.options = append(p.options, option)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-11-13 08:25:26 +00:00
|
|
|
// WithSelectAccount adds the select_account prompt to the auth request (if no login_hint is set)
|
2023-03-13 16:34:29 +00:00
|
|
|
func WithSelectAccount() ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
2023-11-13 08:25:26 +00:00
|
|
|
p.authOptions = append(p.authOptions, func(loginHintSet bool) rp.AuthURLOpt {
|
|
|
|
if loginHintSet {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return rp.WithPrompt(oidc.PromptSelectAccount)
|
|
|
|
})
|
2023-03-13 16:34:29 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-08-31 06:39:16 +00:00
|
|
|
// WithResponseMode sets the `response_mode` params in the auth request
|
|
|
|
func WithResponseMode(mode oidc.ResponseMode) ProviderOpts {
|
|
|
|
return func(p *Provider) {
|
|
|
|
paramOpt := rp.WithResponseModeURLParam(mode)
|
2023-11-13 08:25:26 +00:00
|
|
|
p.authOptions = append(p.authOptions, func(_ bool) rp.AuthURLOpt {
|
|
|
|
return rp.AuthURLOpt(paramOpt)
|
|
|
|
})
|
2023-08-31 06:39:16 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-28 11:28:56 +00:00
|
|
|
type UserInfoMapper func(info *oidc.UserInfo) idp.User
|
2023-01-23 07:11:40 +00:00
|
|
|
|
2023-03-28 11:28:56 +00:00
|
|
|
var DefaultMapper UserInfoMapper = func(info *oidc.UserInfo) idp.User {
|
2023-01-23 07:11:40 +00:00
|
|
|
return NewUser(info)
|
|
|
|
}
|
|
|
|
|
|
|
|
// New creates a generic OIDC provider
|
2023-02-28 20:20:58 +00:00
|
|
|
func New(name, issuer, clientID, clientSecret, redirectURI string, scopes []string, userInfoMapper UserInfoMapper, options ...ProviderOpts) (provider *Provider, err error) {
|
2023-01-23 07:11:40 +00:00
|
|
|
provider = &Provider{
|
|
|
|
name: name,
|
|
|
|
userInfoMapper: userInfoMapper,
|
|
|
|
}
|
|
|
|
for _, option := range options {
|
|
|
|
option(provider)
|
|
|
|
}
|
2023-10-17 15:19:51 +00:00
|
|
|
provider.RelyingParty, err = rp.NewRelyingPartyOIDC(context.TODO(), issuer, clientID, clientSecret, redirectURI, setDefaultScope(scopes), provider.options...)
|
2023-01-23 07:11:40 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return provider, nil
|
|
|
|
}
|
|
|
|
|
2023-02-28 20:20:58 +00:00
|
|
|
// setDefaultScope ensures that at least openid ist set
|
|
|
|
// if none is provided it will request `openid profile email phone`
|
|
|
|
func setDefaultScope(scopes []string) []string {
|
|
|
|
if len(scopes) == 0 {
|
|
|
|
return []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone}
|
|
|
|
}
|
|
|
|
for _, scope := range scopes {
|
|
|
|
if scope == oidc.ScopeOpenID {
|
|
|
|
return scopes
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return append(scopes, oidc.ScopeOpenID)
|
|
|
|
}
|
|
|
|
|
2023-01-23 07:11:40 +00:00
|
|
|
// Name implements the [idp.Provider] interface
|
|
|
|
func (p *Provider) Name() string {
|
|
|
|
return p.name
|
|
|
|
}
|
|
|
|
|
|
|
|
// BeginAuth implements the [idp.Provider] interface.
|
|
|
|
// It will create a [Session] with an OIDC authorization request as AuthURL.
|
2023-11-13 08:25:26 +00:00
|
|
|
func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Parameter) (idp.Session, error) {
|
|
|
|
opts := make([]rp.AuthURLOpt, 0)
|
|
|
|
var loginHintSet bool
|
2023-03-14 15:42:29 +00:00
|
|
|
for _, param := range params {
|
2023-11-13 08:25:26 +00:00
|
|
|
if username, ok := param.(idp.LoginHintParam); ok {
|
|
|
|
loginHintSet = true
|
|
|
|
opts = append(opts, loginHint(string(username)))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, option := range p.authOptions {
|
|
|
|
if opt := option(loginHintSet); opt != nil {
|
|
|
|
opts = append(opts, opt)
|
2023-03-14 15:42:29 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
url := rp.AuthURL(state, p.RelyingParty, opts...)
|
2023-01-23 07:11:40 +00:00
|
|
|
return &Session{AuthURL: url, Provider: p}, nil
|
|
|
|
}
|
|
|
|
|
2023-11-13 08:25:26 +00:00
|
|
|
func loginHint(hint string) rp.AuthURLOpt {
|
|
|
|
return func() []oauth2.AuthCodeOption {
|
|
|
|
return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("login_hint", hint)}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-23 07:11:40 +00:00
|
|
|
// IsLinkingAllowed implements the [idp.Provider] interface.
|
|
|
|
func (p *Provider) IsLinkingAllowed() bool {
|
|
|
|
return p.isLinkingAllowed
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsCreationAllowed implements the [idp.Provider] interface.
|
|
|
|
func (p *Provider) IsCreationAllowed() bool {
|
|
|
|
return p.isCreationAllowed
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsAutoCreation implements the [idp.Provider] interface.
|
|
|
|
func (p *Provider) IsAutoCreation() bool {
|
|
|
|
return p.isAutoCreation
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsAutoUpdate implements the [idp.Provider] interface.
|
|
|
|
func (p *Provider) IsAutoUpdate() bool {
|
|
|
|
return p.isAutoUpdate
|
|
|
|
}
|