mirror of
https://github.com/zitadel/zitadel.git
synced 2025-04-16 11:21:33 +00:00
f680dd934d
* chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
165 lines
5.0 KiB
Go
165 lines
5.0 KiB
Go
package login
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/zitadel/logging"
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"golang.org/x/oauth2"
|
|
|
|
http_util "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/idp/providers/jwt"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
type jwtRequest struct {
|
|
AuthRequestID string `schema:"authRequestID"`
|
|
UserAgentID string `schema:"userAgentID"`
|
|
}
|
|
|
|
func (l *Login) handleJWTRequest(w http.ResponseWriter, r *http.Request) {
|
|
data := new(jwtRequest)
|
|
err := l.getParseData(r, data)
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
if data.AuthRequestID == "" || data.UserAgentID == "" {
|
|
l.renderError(w, r, nil, zerrors.ThrowInvalidArgument(nil, "LOGIN-adfzz", "Errors.AuthRequest.MissingParameters"))
|
|
return
|
|
}
|
|
id, err := base64.RawURLEncoding.DecodeString(data.UserAgentID)
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
userAgentID, err := l.idpConfigAlg.DecryptString(id, l.idpConfigAlg.EncryptionKeyID())
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID)
|
|
if err != nil {
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
idpConfig, err := l.getIDPByID(r, authReq.SelectedIDPConfigID)
|
|
if err != nil {
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
if idpConfig.Type != domain.IDPTypeJWT {
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
}
|
|
l.handleJWTExtraction(w, r, authReq, idpConfig)
|
|
}
|
|
|
|
func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, identityProvider *query.IDPTemplate) {
|
|
token, err := getToken(r, identityProvider.JWTIDPTemplate.HeaderName)
|
|
if err != nil {
|
|
if _, _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), nil, authReq, r, nil, err); actionErr != nil {
|
|
logging.WithError(err).Error("both external user authentication and action post authentication failed")
|
|
}
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
provider, err := l.jwtProvider(identityProvider)
|
|
if err != nil {
|
|
if _, _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), nil, authReq, r, nil, err); actionErr != nil {
|
|
logging.WithError(err).Error("both external user authentication and action post authentication failed")
|
|
}
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}}}
|
|
user, err := session.FetchUser(r.Context())
|
|
if err != nil {
|
|
if _, _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), tokens(session), authReq, r, user, err); actionErr != nil {
|
|
logging.WithError(err).Error("both external user authentication and action post authentication failed")
|
|
}
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
l.handleExternalUserAuthenticated(w, r, authReq, identityProvider, session, user, l.jwtCallback)
|
|
}
|
|
|
|
func (l *Login) jwtCallback(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
|
|
redirect, err := l.redirectToJWTCallback(r.Context(), authReq)
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
http.Redirect(w, r, redirect, http.StatusFound)
|
|
}
|
|
|
|
func (l *Login) redirectToJWTCallback(ctx context.Context, authReq *domain.AuthRequest) (string, error) {
|
|
redirect, err := url.Parse(l.baseURL(ctx) + EndpointJWTCallback)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
q := redirect.Query()
|
|
q.Set(QueryAuthRequestID, authReq.ID)
|
|
nonce, err := l.idpConfigAlg.Encrypt([]byte(authReq.AgentID))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
q.Set(queryUserAgentID, base64.RawURLEncoding.EncodeToString(nonce))
|
|
redirect.RawQuery = q.Encode()
|
|
return redirect.String(), nil
|
|
}
|
|
|
|
func (l *Login) handleJWTCallback(w http.ResponseWriter, r *http.Request) {
|
|
data := new(jwtRequest)
|
|
err := l.getParseData(r, data)
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
id, err := base64.RawURLEncoding.DecodeString(data.UserAgentID)
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
userAgentID, err := l.idpConfigAlg.DecryptString(id, l.idpConfigAlg.EncryptionKeyID())
|
|
if err != nil {
|
|
l.renderError(w, r, nil, err)
|
|
return
|
|
}
|
|
authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID)
|
|
if err != nil {
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
idpConfig, err := l.getIDPByID(r, authReq.SelectedIDPConfigID)
|
|
if err != nil {
|
|
l.renderError(w, r, authReq, err)
|
|
return
|
|
}
|
|
if idpConfig.Type != domain.IDPTypeJWT {
|
|
l.renderLogin(w, r, authReq, err)
|
|
return
|
|
}
|
|
l.renderNextStep(w, r, authReq)
|
|
}
|
|
|
|
func getToken(r *http.Request, headerName string) (string, error) {
|
|
if headerName == "" {
|
|
headerName = http_util.Authorization
|
|
}
|
|
auth := r.Header.Get(headerName)
|
|
if auth == "" {
|
|
return "", zerrors.ThrowInvalidArgument(nil, "LOGIN-adh42", "Errors.AuthRequest.TokenNotFound")
|
|
}
|
|
return strings.TrimPrefix(auth, oidc.PrefixBearer), nil
|
|
}
|