Implement refresh in OIDC connector
This has added the access=offline parameter and prompt=consent parameter to the initial request, this works with google, assuming other providers will ignore the prompt parameter
This commit is contained in:
parent
5c88713177
commit
0857a0fe09
1 changed files with 53 additions and 2 deletions
|
@ -9,6 +9,7 @@ import (
|
||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/coreos/go-oidc"
|
"github.com/coreos/go-oidc"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
|
@ -172,9 +173,9 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
|
||||||
if len(c.hostedDomains) > 1 {
|
if len(c.hostedDomains) > 1 {
|
||||||
preferredDomain = "*"
|
preferredDomain = "*"
|
||||||
}
|
}
|
||||||
return c.oauth2Config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", preferredDomain)), nil
|
return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"), oauth2.SetAuthURLParam("hd", preferredDomain)), nil
|
||||||
}
|
}
|
||||||
return c.oauth2Config.AuthCodeURL(state), nil
|
return c.oauth2Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent")), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type oauth2Error struct {
|
type oauth2Error struct {
|
||||||
|
@ -265,6 +266,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
||||||
Username: name,
|
Username: name,
|
||||||
Email: email,
|
Email: email,
|
||||||
EmailVerified: emailVerified,
|
EmailVerified: emailVerified,
|
||||||
|
ConnectorData: []byte(token.RefreshToken),
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.userIDKey != "" {
|
if c.userIDKey != "" {
|
||||||
|
@ -280,5 +282,54 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
||||||
|
|
||||||
// Refresh is implemented for backwards compatibility, even though it's a no-op.
|
// Refresh is implemented for backwards compatibility, even though it's a no-op.
|
||||||
func (c *oidcConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
|
func (c *oidcConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
|
||||||
|
t := &oauth2.Token{
|
||||||
|
RefreshToken: string(identity.ConnectorData),
|
||||||
|
Expiry: time.Now().Add(-time.Hour),
|
||||||
|
}
|
||||||
|
token, err := c.oauth2Config.TokenSource(ctx, t).Token()
|
||||||
|
if err != nil {
|
||||||
|
return identity, fmt.Errorf("oidc: failed to get token: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
rawIDToken, ok := token.Extra("id_token").(string)
|
||||||
|
if !ok {
|
||||||
|
return identity, errors.New("oidc: no id_token in token response")
|
||||||
|
}
|
||||||
|
idToken, err := c.verifier.Verify(ctx, rawIDToken)
|
||||||
|
if err != nil {
|
||||||
|
return identity, fmt.Errorf("oidc: failed to verify ID Token: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
var claims struct {
|
||||||
|
Username string `json:"name"`
|
||||||
|
Email string `json:"email"`
|
||||||
|
EmailVerified bool `json:"email_verified"`
|
||||||
|
HostedDomain string `json:"hd"`
|
||||||
|
}
|
||||||
|
if err := idToken.Claims(&claims); err != nil {
|
||||||
|
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(c.hostedDomains) > 0 {
|
||||||
|
found := false
|
||||||
|
for _, domain := range c.hostedDomains {
|
||||||
|
if claims.HostedDomain == domain {
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !found {
|
||||||
|
return identity, fmt.Errorf("oidc: unexpected hd claim %v", claims.HostedDomain)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
identity = connector.Identity{
|
||||||
|
UserID: idToken.Subject,
|
||||||
|
Username: claims.Username,
|
||||||
|
Email: claims.Email,
|
||||||
|
EmailVerified: claims.EmailVerified,
|
||||||
|
ConnectorData: []byte(token.RefreshToken),
|
||||||
|
}
|
||||||
return identity, nil
|
return identity, nil
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue