


     1  package oauth2
     2  
import (
	"fmt"
	"net/url"

	"edge-infra.dev/pkg/edge/iam/barcode"
	"edge-infra.dev/pkg/edge/iam/client"
	"edge-infra.dev/pkg/edge/iam/config"
	"edge-infra.dev/pkg/edge/iam/profile"
	"edge-infra.dev/pkg/edge/iam/session"
	"edge-infra.dev/pkg/edge/iam/util"

	"github.com/gin-gonic/gin"
	"github.com/gorilla/sessions"
	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
)
    18  
// OAuth2 holds the fosite provider together with the storages and session
// store it was built from. Its HTTP endpoints are registered by NewOAuth2.
type OAuth2 struct {
	// fosite is the provider assembled by newFosite from the storage value
	// handed to NewOAuth2.
	fosite              fosite.OAuth2Provider
	// LoginSessionStorage and ProfileStorage are that same storage value,
	// narrowed to the two interfaces NewOAuth2 asserts on it.
	LoginSessionStorage session.LoginSessionStorage
	ProfileStorage      profile.Storage
	// store is the gorilla sessions.Store passed to NewOAuth2.
	store               sessions.Store
}
    25  
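// NewOAuth2 builds the OAuth2 server and registers its HTTP endpoints on router.
//
// storage is shared between the fosite provider and the two exported storage
// fields, so it must implement session.LoginSessionStorage and
// profile.Storage in addition to whatever fosite requires of it. store is the
// gorilla sessions.Store kept on the returned value.
//
// NewOAuth2 panics, naming the missing interface, when storage does not
// satisfy the required interfaces: this is a wiring error that should surface
// at startup rather than on the first request.
func NewOAuth2(router *gin.Engine, store sessions.Store, storage interface{}) *OAuth2 {
	// Checked assertions instead of bare ones so a misconfigured storage fails
	// with an actionable message rather than a generic interface-conversion panic.
	loginStorage, ok := storage.(session.LoginSessionStorage)
	if !ok {
		panic(fmt.Sprintf("oauth2: storage of type %T does not implement session.LoginSessionStorage", storage))
	}
	profileStorage, ok := storage.(profile.Storage)
	if !ok {
		panic(fmt.Sprintf("oauth2: storage of type %T does not implement profile.Storage", storage))
	}

	oauth2 := &OAuth2{
		fosite:              newFosite(storage),
		LoginSessionStorage: loginStorage,
		ProfileStorage:      profileStorage,
		store:               store,
	}

	// Register endpoints. The OAuth2/OIDC protocol handlers go through
	// util.MakeHandlerFunc; the discovery, JWKS and setup-auth handlers are
	// mounted as plain gin handlers. NOTE(review): confirm the wrapper adds
	// nothing those three endpoints also need (e.g. shared error handling).
	router.GET("/oauth2/auth", util.MakeHandlerFunc(oauth2.auth))
	router.POST("/oauth2/token", util.MakeHandlerFunc(oauth2.token))
	router.GET("/userinfo", util.MakeHandlerFunc(oauth2.userInfo))
	router.POST("/userinfo", util.MakeHandlerFunc(oauth2.userInfo))
	router.GET("/.well-known/openid-configuration", oauth2.wellknown)
	router.GET("/.well-known/jwks.json", oauth2.jwks)
	router.POST("/oauth2/setup-auth", oauth2.loginOptions)

	return oauth2
}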
    44  
// newFosite assembles the fosite OAuth2/OIDC provider backed by storage.
//
// Access tokens and ID tokens are signed with config.PrivateKey(); the HMAC
// strategy keyed with config.Secret() is the inner strategy handed to the JWT
// strategy, which fosite presumably uses for the opaque authorize codes and
// refresh tokens (confirm against the fosite version in use).
func newFosite(storage interface{}) fosite.OAuth2Provider {
	conf := &compose.Config{
		RefreshTokenScopes:  []string{"offline", "offline_access"},
		AccessTokenLifespan: config.AccessTokenLifespan(),
		// Every redirect URI is reported as secure, which switches off fosite's
		// default scheme check (https, or http on loopback) in all
		// environments; unlike SendDebugMessagesToClients below it is not
		// gated on config.IsProduction(). NOTE(review): a plain-http redirect
		// URI carries the authorization code in clear text; confirm which
		// deployments rely on this before limiting it to non-production or to
		// an explicit host allow-list.
		RedirectSecureChecker: func(_ *url.URL) bool {
			return true // override to allow insecure redirect URL
		},
		AuthorizeCodeLifespan: config.GetAuthCodeLifeSpan(),
		// Detailed error descriptions reach clients only outside production.
		SendDebugMessagesToClients: !config.IsProduction(),
	}

	// The nil third argument configures no rotated secrets; presumably
	// rotating config.Secret() then invalidates every outstanding HMAC-based
	// token — confirm against the deployment's key-rotation procedure.
	hmacStrategy := compose.NewOAuth2HMACStrategy(conf, config.Secret(), nil)
	strategy := &compose.CommonStrategy{
		CoreStrategy:               compose.NewOAuth2JWTStrategy(config.PrivateKey(), hmacStrategy),
		OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(conf, config.PrivateKey()),
		JWTStrategy:                config.GetJWTStrategy(),
	}

	// Client secrets are hashed/compared with bcrypt at the configured cost.
	hasher := &fosite.BCrypt{WorkFactor: config.FositeBcryptCost()}

	// Handler factories in registration order: core OAuth2 grants and token
	// management first, then OpenID Connect, then the project's barcode flow.
	factories := []compose.Factory{
		compose.OAuth2AuthorizeExplicitFactory,
		compose.OAuth2RefreshTokenGrantFactory,
		RefreshTokenVerifyFactory,
		client.RolesFactory,
		compose.OAuth2ClientCredentialsGrantFactory,
		compose.OAuth2TokenIntrospectionFactory,
		compose.OAuth2TokenRevocationFactory,
		compose.OAuth2PKCEFactory,

		compose.OpenIDConnectExplicitFactory,
		compose.OpenIDConnectRefreshFactory,

		barcode.ScopeFactory,
		barcode.CodeGrantFactory,
		barcode.GrantFactory,
	}

	return compose.Compose(conf, storage, strategy, hasher, factories...)
}
    90  
