forked from mystiq/dex
Update comments
This commit is contained in:
parent
c03c98b951
commit
6a9bc889b5
1 changed files with 8 additions and 4 deletions
@ -22,7 +22,7 @@ const (
issuerURL = "https://accounts.google.com"
issuerURL = "https://accounts.google.com"
)
)
|
// Config holds configuration options for OpenID Connect logins.
// Config holds configuration options for Google logins.
type Config struct {
type Config struct {
ClientID string `json:"clientID"`
ClientID string `json:"clientID"`
ClientSecret string `json:"clientSecret"`
ClientSecret string `json:"clientSecret"`
@ -45,8 +45,7 @@ type Config struct {
AdminEmail string
AdminEmail string
}
}
|
// Open returns a connector which can be used to login users through an upstream
// Open returns a connector which can be used to login users through Google.
// OpenID Connect provider.
|
func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
ctx, cancel := context.WithCancel(context.Background())
ctx, cancel := context.WithCancel(context.Background())
|
@ -151,7 +150,6 @@ func (c *googleConnector) HandleCallback(s connector.Scopes, r *http.Request) (i
return c.createIdentity(r.Context(), identity, s, token)
return c.createIdentity(r.Context(), identity, s, token)
}
}
|
// Refresh is implemented for backwards compatibility, even though it's a no-op.
|
func (c *googleConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
func (c *googleConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
t := &oauth2.Token{
t := &oauth2.Token{
RefreshToken: string(identity.ConnectorData),
RefreshToken: string(identity.ConnectorData),
@ -218,6 +216,8 @@ func (c *googleConnector) createIdentity(ctx context.Context, identity connector
return identity, nil
return identity, nil
}
}
|
|
// getGroups creates a connection to the admin directory service and lists
|
// all groups the user is a member of
func (c *googleConnector) getGroups(email string) ([]string, error) {
func (c *googleConnector) getGroups(email string) ([]string, error) {
srv, err := createDirectoryService(c.serviceAccountFilePath, c.adminEmail)
srv, err := createDirectoryService(c.serviceAccountFilePath, c.adminEmail)
if err != nil {
if err != nil {
@ -237,6 +237,9 @@ func (c *googleConnector) getGroups(email string) ([]string, error) {
return userGroups, nil
return userGroups, nil
}
}
|
|
// createDirectoryService loads a google service account credentials file,
|
// sets up super user impersonation and creates an admin client for calling
|
// the google admin api
func createDirectoryService(serviceAccountFilePath string, email string) (*admin.Service, error) {
func createDirectoryService(serviceAccountFilePath string, email string) (*admin.Service, error) {
jsonCredentials, err := ioutil.ReadFile(serviceAccountFilePath)
jsonCredentials, err := ioutil.ReadFile(serviceAccountFilePath)
if err != nil {
if err != nil {
@ -248,6 +251,7 @@ func createDirectoryService(serviceAccountFilePath string, email string) (*admin
return nil, fmt.Errorf("unable to parse client secret file to config: %v", err)
return nil, fmt.Errorf("unable to parse client secret file to config: %v", err)
}
}
|
|
// Impersonate an admin. This is mandatory for the admin APIs.
config.Subject = email
config.Subject = email
|
ctx := context.Background()
ctx := context.Background()
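Review bot: The new header comment on createDirectoryService describes the input as a "google service account credentials file", but the error path still visible just above the added line, `return nil, fmt.Errorf("unable to parse client secret file to config: %v", err)`, calls it a "client secret file"; operators grep logs for this wording, so align it with the comment, e.g. `return nil, fmt.Errorf("unable to parse service account credentials file to config: %v", err)`. The same comment would earn its place if it also said what the file is: with `config.Subject = email` it is a key that lets this process act as the configured admin against the Directory API, and because getGroups calls createDirectoryService, which does `ioutil.ReadFile(serviceAccountFilePath)`, it is re-read from disk on every group lookup, so the file's on-disk permissions are part of the connector's security boundary, not just its path — something like `// NOTE: this key, combined with adminEmail impersonation, is an admin-level credential; restrict file permissions and keep it out of images and logs.`. Separately, `ctx := context.Background()` means the admin-API call cannot be cancelled by the login request that triggered it, which is presumably why getGroups takes no ctx; worth plumbing a context through in a follow-up. createDirectoryService's body continues past the end of the hunk.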
|
|