examples, static: Add cross-client auth to example

* add trustedPeers to a client in client.json.sample
* add optional cross client auth to example web app
* login page is now templated

examples/app/assets.go

@@ -0,0 +1,237 @@
+// Code generated by go-bindata.
+// sources:
+// data/index.html
+// DO NOT EDIT!
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+func bindataRead(data []byte, name string) ([]byte, error) {
+	gz, err := gzip.NewReader(bytes.NewBuffer(data))
+	if err != nil {
+		return nil, fmt.Errorf("Read %q: %v", name, err)
+	}
+
+	var buf bytes.Buffer
+	_, err = io.Copy(&buf, gz)
+	clErr := gz.Close()
+
+	if err != nil {
+		return nil, fmt.Errorf("Read %q: %v", name, err)
+	}
+	if clErr != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}
+
+type asset struct {
+	bytes []byte
+	info  os.FileInfo
+}
+
+type bindataFileInfo struct {
+	name    string
+	size    int64
+	mode    os.FileMode
+	modTime time.Time
+}
+
+func (fi bindataFileInfo) Name() string {
+	return fi.name
+}
+func (fi bindataFileInfo) Size() int64 {
+	return fi.size
+}
+func (fi bindataFileInfo) Mode() os.FileMode {
+	return fi.mode
+}
+func (fi bindataFileInfo) ModTime() time.Time {
+	return fi.modTime
+}
+func (fi bindataFileInfo) IsDir() bool {
+	return false
+}
+func (fi bindataFileInfo) Sys() interface{} {
+	return nil
+}
+
+var _dataIndexHtml = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\x7c\x91\xbd\x6e\x03\x21\x10\x84\x7b\x3f\xc5\x8a\x2a\x29\x2c\xfa\x08\x9f\x94\x3e\x55\x5e\x20\xe2\xb8\xb5\xbd\x12\x3f\x27\x58\xa2\xf8\xed\xb3\x88\x38\xc7\x45\x91\xbb\x19\xc1\x7e\x03\xb3\xe6\xca\xc1\x4f\x07\x00\x33\xa7\xe5\xd6\x84\xc8\x73\xca\x01\xac\x63\x4a\xf1\xa4\xb4\x4f\x17\x8a\xaa\x1f\xc9\x21\xdb\xd9\xe3\xdd\x35\x9f\x37\xd3\xec\x32\xc1\x6b\xe5\x2b\x46\x26\x67\x19\x41\x60\x2f\xc3\x85\x96\xb4\x9b\x00\x78\x72\x29\x04\x7b\x2c\xb8\xda\x2c\x13\x0b\x78\x2a\x0c\xe9\x0c\xce\x93\x60\x8e\xb4\x94\xe7\x31\x42\x4b\xc6\xdf\x48\x43\x71\xad\x0c\x7c\x5b\xf1\xa4\x18\xbf\x58\x41\xb4\x41\xb4\xcb\xa9\x94\x8f\x4e\x52\xd3\xcf\xf0\x61\x60\xfd\x3e\x46\x74\xff\xda\xdd\x8f\xc8\x52\xe7\x40\x02\xfd\xb4\xbe\x8a\x7d\x1b\x3a\x31\xba\xf5\xf5\x6f\x75\x19\x2f\xf2\x15\xcc\x5b\x7b\x0f\x98\xef\xfb\xcb\x1b\xd6\xe8\xbe\x1b\xa3\xfb\xb2\xbe\x03\x00\x00\xff\xff\x27\x69\xf8\xf2\xb4\x01\x00\x00")
+
+func dataIndexHtmlBytes() ([]byte, error) {
+	return bindataRead(
+		_dataIndexHtml,
+		"data/index.html",
+	)
+}
+
+func dataIndexHtml() (*asset, error) {
+	bytes, err := dataIndexHtmlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "data/index.html", size: 436, mode: os.FileMode(420), modTime: time.Unix(1465417812, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+// Asset loads and returns the asset for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func Asset(name string) ([]byte, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err)
+		}
+		return a.bytes, nil
+	}
+	return nil, fmt.Errorf("Asset %s not found", name)
+}
+
+// MustAsset is like Asset but panics when Asset would return an error.
+// It simplifies safe initialization of global variables.
+func MustAsset(name string) []byte {
+	a, err := Asset(name)
+	if err != nil {
+		panic("asset: Asset(" + name + "): " + err.Error())
+	}
+
+	return a
+}
+
+// AssetInfo loads and returns the asset info for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func AssetInfo(name string) (os.FileInfo, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err)
+		}
+		return a.info, nil
+	}
+	return nil, fmt.Errorf("AssetInfo %s not found", name)
+}
+
+// AssetNames returns the names of the assets.
+func AssetNames() []string {
+	names := make([]string, 0, len(_bindata))
+	for name := range _bindata {
+		names = append(names, name)
+	}
+	return names
+}
+
+// _bindata is a table, holding each asset generator, mapped to its name.
+var _bindata = map[string]func() (*asset, error){
+	"data/index.html": dataIndexHtml,
+}
+
+// AssetDir returns the file names below a certain
+// directory embedded in the file by go-bindata.
+// For example if you run go-bindata on data/... and data contains the
+// following hierarchy:
+//     data/
+//       foo.txt
+//       img/
+//         a.png
+//         b.png
+// then AssetDir("data") would return []string{"foo.txt", "img"}
+// AssetDir("data/img") would return []string{"a.png", "b.png"}
+// AssetDir("foo.txt") and AssetDir("notexist") would return an error
+// AssetDir("") will return []string{"data"}.
+func AssetDir(name string) ([]string, error) {
+	node := _bintree
+	if len(name) != 0 {
+		cannonicalName := strings.Replace(name, "\\", "/", -1)
+		pathList := strings.Split(cannonicalName, "/")
+		for _, p := range pathList {
+			node = node.Children[p]
+			if node == nil {
+				return nil, fmt.Errorf("Asset %s not found", name)
+			}
+		}
+	}
+	if node.Func != nil {
+		return nil, fmt.Errorf("Asset %s not found", name)
+	}
+	rv := make([]string, 0, len(node.Children))
+	for childName := range node.Children {
+		rv = append(rv, childName)
+	}
+	return rv, nil
+}
+
+type bintree struct {
+	Func     func() (*asset, error)
+	Children map[string]*bintree
+}
+
+var _bintree = &bintree{nil, map[string]*bintree{
+	"data": &bintree{nil, map[string]*bintree{
+		"index.html": &bintree{dataIndexHtml, map[string]*bintree{}},
+	}},
+}}
+
+// RestoreAsset restores an asset under the given directory
+func RestoreAsset(dir, name string) error {
+	data, err := Asset(name)
+	if err != nil {
+		return err
+	}
+	info, err := AssetInfo(name)
+	if err != nil {
+		return err
+	}
+	err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
+	if err != nil {
+		return err
+	}
+	err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode())
+	if err != nil {
+		return err
+	}
+	err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// RestoreAssets restores an asset under the given directory recursively
+func RestoreAssets(dir, name string) error {
+	children, err := AssetDir(name)
+	// File
+	if err != nil {
+		return RestoreAsset(dir, name)
+	}
+	// Dir
+	for _, child := range children {
+		err = RestoreAssets(dir, filepath.Join(name, child))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func _filePath(dir, name string) string {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...)
+}

examples/app/data/index.html

@@ -0,0 +1,21 @@
+<html>
+  <body>
+    <form action="/login">
+      <table>
+        <tr>
+          <td> Authenticate for:
+            <br>
+            (comma-separated list of client-ids)
+          </td>
+          <td> <input type="text" name="cross_client"> </td>
+
+        </tr>
+      </table>
+
+      <input type="submit" value="Login">
+    </form>
+    <form action="/register">
+      <input type="submit" value="Register">
+    </form>
+  </body>
+</html>

examples/app/main.go

@@ -1,5 +1,8 @@
 package main
 
+//go:generate go-bindata -pkg main -o assets.go data/
+//go:generate gofmt -w assets.go
+
 import (
 	"bytes"
 	"crypto/tls"
@@ -7,11 +10,13 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"html/template"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc/jose"
@@ -21,8 +26,11 @@ import (
 	pflag "github.com/coreos/dex/pkg/flag"
 	phttp "github.com/coreos/dex/pkg/http"
 	"github.com/coreos/dex/pkg/log"
+	"github.com/coreos/dex/scope"
 )
 
+var indexTemplate *template.Template
+
 func main() {
 	fs := flag.NewFlagSet("oidc-app", flag.ExitOnError)
 	listen := fs.String("listen", "http://127.0.0.1:5555", "")
@@ -136,8 +144,14 @@ func main() {
 		Handler: hdlr,
 	}
 
-	log.Infof("Binding to %s...", httpsrv.Addr)
+	indexBytes, err := Asset("data/index.html")
+	if err != nil {
+		log.Fatalf("could not load template: %q", err)
+	}
 
+	indexTemplate = template.Must(template.New("root").Parse(string(indexBytes)))
+
+	log.Infof("Binding to %s...", httpsrv.Addr)
 	if useTLS {
 		log.Info("Key and cert file provided. Using TLS")
 		log.Fatal(httpsrv.ListenAndServeTLS(*certFile, *keyFile))
@@ -167,13 +181,22 @@ func NewClientHandler(c *oidc.Client, issuer string, cbURL url.URL) http.Handler
 }
 
 func handleIndex(w http.ResponseWriter, r *http.Request) {
-	w.Write([]byte("<a href='/login'>login</a>"))
+	err := indexTemplate.Execute(w, nil)
-	w.Write([]byte("<br>"))
+	if err != nil {
-	w.Write([]byte("<a href='/register'>register</a>"))
+		phttp.WriteError(w, http.StatusInternalServerError,
+			fmt.Sprintf("unable to execute template: %v", err))
+
+	}
 }
 
 func handleLoginFunc(c *oidc.Client) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		err := r.ParseForm()
+		if err != nil {
+			phttp.WriteError(w, http.StatusBadRequest,
+				fmt.Sprintf("Could not parse request: %v", err))
+		}
+
 		oac, err := c.OAuthClient()
 		if err != nil {
 			panic("unable to proceed")
@@ -183,6 +206,22 @@ func handleLoginFunc(c *oidc.Client) http.HandlerFunc {
 		if err != nil {
 			panic("unable to proceed")
 		}
+
+		xClient := r.Form.Get("cross_client")
+		if xClient != "" {
+			xClients := strings.Split(xClient, ",")
+			for i, x := range xClients {
+				xClients[i] = scope.ScopeGoogleCrossClient + x
+			}
+			q := u.Query()
+			scope := q.Get("scope")
+			scopes := strings.Split(scope, " ")
+			scopes = append(scopes, xClients...)
+			scope = strings.Join(scopes, " ")
+			q.Set("scope", scope)
+			u.RawQuery = q.Encode()
+		}
+
 		http.Redirect(w, r, u.String(), http.StatusFound)
 	}
 }

static/fixtures/clients.json.sample

@@ -2,7 +2,8 @@
   {
     "id": "XXX",
     "secret": "c2VjcmV0ZQ==",
-    "redirectURLs": ["http://127.0.0.1:5555/callback"]
+    "redirectURLs": ["http://127.0.0.1:5555/callback"],
+    "trustedPeers": ["example-app"]
   },
   {
     "id": "example-app",