2020-11-03 20:06:07 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package provider
|
|
|
|
|
|
|
|
import (
|
2020-11-18 21:38:13 +00:00
|
|
|
"context"
|
2020-11-03 20:06:07 +00:00
|
|
|
"net/url"
|
|
|
|
"sync"
|
2020-11-18 21:38:13 +00:00
|
|
|
|
2020-11-30 23:08:27 +00:00
|
|
|
"golang.org/x/oauth2"
|
|
|
|
|
2020-11-20 23:13:25 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/nonce"
|
2020-11-30 23:02:03 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/oidctypes"
|
2020-11-20 23:13:25 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/pkce"
|
2020-11-03 20:06:07 +00:00
|
|
|
)
|
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
type UpstreamOIDCIdentityProviderI interface {
|
2020-11-03 20:06:07 +00:00
|
|
|
// A name for this upstream provider, which will be used as a component of the path for the callback endpoint
|
|
|
|
// hosted by the Supervisor.
|
2020-11-18 21:38:13 +00:00
|
|
|
GetName() string
|
2020-11-03 20:06:07 +00:00
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
// The Oauth client ID registered with the upstream provider to be used in the authorization code flow.
|
|
|
|
GetClientID() string
|
2020-11-03 20:06:07 +00:00
|
|
|
|
|
|
|
// The Authorization Endpoint fetched from discovery.
|
2020-11-18 21:38:13 +00:00
|
|
|
GetAuthorizationURL() *url.URL
|
2020-11-03 20:06:07 +00:00
|
|
|
|
|
|
|
// Scopes to request in authorization flow.
|
2020-11-18 21:38:13 +00:00
|
|
|
GetScopes() []string
|
|
|
|
|
|
|
|
// ID Token username claim name. May return empty string, in which case we will use some reasonable defaults.
|
|
|
|
GetUsernameClaim() string
|
|
|
|
|
|
|
|
// ID Token groups claim name. May return empty string, in which case we won't try to read groups from the upstream provider.
|
|
|
|
GetGroupsClaim() string
|
|
|
|
|
2020-11-30 20:54:11 +00:00
|
|
|
// Performs upstream OIDC authorization code exchange and token validation.
|
|
|
|
// Returns the validated raw tokens as well as the parsed claims of the ID token.
|
2020-11-18 21:38:13 +00:00
|
|
|
ExchangeAuthcodeAndValidateTokens(
|
|
|
|
ctx context.Context,
|
|
|
|
authcode string,
|
|
|
|
pkceCodeVerifier pkce.Code,
|
|
|
|
expectedIDTokenNonce nonce.Nonce,
|
2020-12-02 16:36:07 +00:00
|
|
|
redirectURI string,
|
2020-11-30 23:02:03 +00:00
|
|
|
) (tokens oidctypes.Token, parsedIDTokenClaims map[string]interface{}, err error)
|
2020-11-30 23:08:27 +00:00
|
|
|
|
|
|
|
ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, map[string]interface{}, error)
|
2020-11-18 21:38:13 +00:00
|
|
|
}
|
|
|
|
|
2020-11-03 20:06:07 +00:00
|
|
|
type DynamicUpstreamIDPProvider interface {
|
2020-11-18 21:38:13 +00:00
|
|
|
SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI)
|
|
|
|
GetIDPList() []UpstreamOIDCIdentityProviderI
|
2020-11-03 20:06:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type dynamicUpstreamIDPProvider struct {
|
2020-11-18 21:38:13 +00:00
|
|
|
oidcProviders []UpstreamOIDCIdentityProviderI
|
2020-11-03 20:06:07 +00:00
|
|
|
mutex sync.RWMutex
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {
|
|
|
|
return &dynamicUpstreamIDPProvider{
|
2020-11-18 21:38:13 +00:00
|
|
|
oidcProviders: []UpstreamOIDCIdentityProviderI{},
|
2020-11-03 20:06:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
func (p *dynamicUpstreamIDPProvider) SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI) {
|
2020-11-03 20:06:07 +00:00
|
|
|
p.mutex.Lock() // acquire a write lock
|
|
|
|
defer p.mutex.Unlock()
|
|
|
|
p.oidcProviders = oidcIDPs
|
|
|
|
}
|
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
func (p *dynamicUpstreamIDPProvider) GetIDPList() []UpstreamOIDCIdentityProviderI {
|
2020-11-03 20:06:07 +00:00
|
|
|
p.mutex.RLock() // acquire a read lock
|
|
|
|
defer p.mutex.RUnlock()
|
|
|
|
return p.oidcProviders
|
|
|
|
}
|