2020-09-18 13:26:28 +02:00
|
|
|
package handler
|
|
|
|
|
|
|
|
|
|
import (
|
2021-02-08 11:30:30 +01:00
|
|
|
"github.com/caos/zitadel/internal/v2/domain"
|
2020-10-16 07:49:38 +02:00
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2020-09-18 13:26:28 +02:00
|
|
|
"github.com/caos/oidc/pkg/oidc"
|
|
|
|
|
"github.com/caos/oidc/pkg/rp"
|
|
|
|
|
http_mw "github.com/caos/zitadel/internal/api/http/middleware"
|
|
|
|
|
caos_errors "github.com/caos/zitadel/internal/errors"
|
|
|
|
|
iam_model "github.com/caos/zitadel/internal/iam/model"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (l *Login) handleExternalRegister(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
data := new(externalIDPData)
|
|
|
|
|
authReq, err := l.getAuthRequestAndParseData(r, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if authReq == nil {
|
|
|
|
|
http.Redirect(w, r, l.zitadelURL, http.StatusFound)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
idpConfig, err := l.getIDPConfigByID(r, data.IDPConfigID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
|
|
|
|
err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderLogin(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !idpConfig.IsOIDC {
|
|
|
|
|
l.renderError(w, r, authReq, caos_errors.ThrowInternal(nil, "LOGIN-Rio9s", "Errors.User.ExternalIDP.IDPTypeNotImplemented"))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
l.handleOIDCAuthorize(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
data := new(externalIDPCallbackData)
|
|
|
|
|
err := l.getParseData(r, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderError(w, r, nil, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
|
|
|
|
authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
provider := l.getRPConfig(w, r, authReq, idpConfig, EndpointExternalRegisterCallback)
|
|
|
|
|
tokens, err := rp.CodeExchange(r.Context(), data.Code, provider)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderRegisterOption(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
l.handleExternalUserRegister(w, r, authReq, idpConfig, userAgentID, tokens)
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-08 11:30:30 +01:00
|
|
|
func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
|
2020-09-18 13:26:28 +02:00
|
|
|
iam, err := l.authRepo.GetIAM(r.Context())
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderRegisterOption(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
resourceOwner := iam.GlobalOrgID
|
2021-02-08 11:30:30 +01:00
|
|
|
memberRoles := []string{domain.RoleOrgProjectCreator}
|
2020-09-18 13:26:28 +02:00
|
|
|
|
2020-12-14 10:54:29 +01:00
|
|
|
if authReq.RequestedOrgID != "" && authReq.RequestedOrgID != iam.GlobalOrgID {
|
2021-02-08 11:30:30 +01:00
|
|
|
memberRoles = nil
|
2020-12-14 10:54:29 +01:00
|
|
|
resourceOwner = authReq.RequestedOrgID
|
2020-09-28 09:29:41 +02:00
|
|
|
}
|
|
|
|
|
orgIamPolicy, err := l.getOrgIamPolicy(r, resourceOwner)
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderRegisterOption(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
user, externalIDP := l.mapTokenToLoginHumanAndExternalIDP(orgIamPolicy, tokens, idpConfig)
|
|
|
|
|
_, err = l.command.RegisterHuman(setContext(r.Context(), resourceOwner), resourceOwner, user, externalIDP, memberRoles)
|
2020-09-18 13:26:28 +02:00
|
|
|
if err != nil {
|
|
|
|
|
l.renderRegisterOption(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
l.renderNextStep(w, r, authReq)
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-08 11:30:30 +01:00
|
|
|
func (l *Login) mapTokenToLoginHumanAndExternalIDP(orgIamPolicy *iam_model.OrgIAMPolicyView, tokens *oidc.Tokens, idpConfig *iam_model.IDPConfigView) (*domain.Human, *domain.ExternalIDP) {
|
2020-10-16 07:49:38 +02:00
|
|
|
username := tokens.IDTokenClaims.GetPreferredUsername()
|
2020-09-18 13:26:28 +02:00
|
|
|
switch idpConfig.OIDCUsernameMapping {
|
|
|
|
|
case iam_model.OIDCMappingFieldEmail:
|
2020-10-16 07:49:38 +02:00
|
|
|
if tokens.IDTokenClaims.IsEmailVerified() && tokens.IDTokenClaims.GetEmail() != "" {
|
|
|
|
|
username = tokens.IDTokenClaims.GetEmail()
|
2020-09-18 13:26:28 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if orgIamPolicy.UserLoginMustBeDomain {
|
|
|
|
|
splittedUsername := strings.Split(username, "@")
|
|
|
|
|
if len(splittedUsername) > 1 {
|
|
|
|
|
username = splittedUsername[0]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-08 11:30:30 +01:00
|
|
|
human := &domain.Human{
|
|
|
|
|
Username: username,
|
|
|
|
|
Profile: &domain.Profile{
|
|
|
|
|
FirstName: tokens.IDTokenClaims.GetGivenName(),
|
|
|
|
|
LastName: tokens.IDTokenClaims.GetFamilyName(),
|
|
|
|
|
PreferredLanguage: tokens.IDTokenClaims.GetLocale(),
|
|
|
|
|
NickName: tokens.IDTokenClaims.GetNickname(),
|
|
|
|
|
},
|
|
|
|
|
Email: &domain.Email{
|
|
|
|
|
EmailAddress: tokens.IDTokenClaims.GetEmail(),
|
|
|
|
|
IsEmailVerified: tokens.IDTokenClaims.IsEmailVerified(),
|
2020-09-18 13:26:28 +02:00
|
|
|
},
|
|
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
|
2020-10-16 07:49:38 +02:00
|
|
|
if tokens.IDTokenClaims.GetPhoneNumber() != "" {
|
2021-02-08 11:30:30 +01:00
|
|
|
human.Phone = &domain.Phone{
|
2020-10-16 07:49:38 +02:00
|
|
|
PhoneNumber: tokens.IDTokenClaims.GetPhoneNumber(),
|
|
|
|
|
IsPhoneVerified: tokens.IDTokenClaims.IsPhoneNumberVerified(),
|
2020-09-18 13:26:28 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-16 07:49:38 +02:00
|
|
|
displayName := tokens.IDTokenClaims.GetPreferredUsername()
|
2020-09-18 13:26:28 +02:00
|
|
|
switch idpConfig.OIDCIDPDisplayNameMapping {
|
|
|
|
|
case iam_model.OIDCMappingFieldEmail:
|
2020-10-16 07:49:38 +02:00
|
|
|
if tokens.IDTokenClaims.IsEmailVerified() && tokens.IDTokenClaims.GetEmail() != "" {
|
|
|
|
|
displayName = tokens.IDTokenClaims.GetEmail()
|
2020-09-18 13:26:28 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-08 11:30:30 +01:00
|
|
|
externalIDP := &domain.ExternalIDP{
|
|
|
|
|
IDPConfigID: idpConfig.IDPConfigID,
|
|
|
|
|
ExternalUserID: tokens.IDTokenClaims.GetSubject(),
|
|
|
|
|
DisplayName: displayName,
|
2020-09-18 13:26:28 +02:00
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
return human, externalIDP
|
2020-09-18 13:26:28 +02:00
|
|
|
}
|
