miniflux/internal/oauth2/oidc.go

// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package oauth2 // import "miniflux.app/v2/internal/oauth2"

import (
	"context"
	"errors"
	"fmt"

	"miniflux.app/v2/internal/model"

	"github.com/coreos/go-oidc/v3/oidc"
	"golang.org/x/oauth2"
)

var (
	ErrEmptyUsername = errors.New("oidc: username is empty")
)

type oidcProvider struct {
	clientID     string
	clientSecret string
	redirectURL  string
	provider     *oidc.Provider
}

func NewOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {
	provider, err := oidc.NewProvider(ctx, discoveryEndpoint)
	if err != nil {
		return nil, fmt.Errorf(`oidc: failed to initialize provider %q: %w`, discoveryEndpoint, err)
	}

	return &oidcProvider{
		clientID:     clientID,
		clientSecret: clientSecret,
		redirectURL:  redirectURL,
		provider:     provider,
	}, nil
}

func (o *oidcProvider) GetUserExtraKey() string {
	return "openid_connect_id"
}

func (o *oidcProvider) GetConfig() *oauth2.Config {
	return &oauth2.Config{
		RedirectURL:  o.redirectURL,
		ClientID:     o.clientID,
		ClientSecret: o.clientSecret,
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
		Endpoint:     o.provider.Endpoint(),
	}
}

func (o *oidcProvider) GetProfile(ctx context.Context, code, codeVerifier string) (*Profile, error) {
	conf := o.GetConfig()
	token, err := conf.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", codeVerifier))
	if err != nil {
		return nil, fmt.Errorf(`oidc: failed to exchange token: %w`, err)
	}

	userInfo, err := o.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
	if err != nil {
		return nil, fmt.Errorf(`oidc: failed to get user info: %w`, err)
	}

	profile := &Profile{
		Key: o.GetUserExtraKey(),
		ID:  userInfo.Subject,
	}

	var userClaims userClaims
	if err := userInfo.Claims(&userClaims); err != nil {
		return nil, fmt.Errorf(`oidc: failed to parse user claims: %w`, err)
	}

	for _, value := range []string{userClaims.Email, userClaims.PreferredUsername, userClaims.Name, userClaims.Profile} {
		if value != "" {
			profile.Username = value
			break
		}
	}

	if profile.Username == "" {
		return nil, ErrEmptyUsername
	}

	return profile, nil
}

func (o *oidcProvider) PopulateUserCreationWithProfileID(user *model.UserCreationRequest, profile *Profile) {
	user.OpenIDConnectID = profile.ID
}

func (o *oidcProvider) PopulateUserWithProfileID(user *model.User, profile *Profile) {
	user.OpenIDConnectID = profile.ID
}

func (o *oidcProvider) UnsetUserProfileID(user *model.User) {
	user.OpenIDConnectID = ""
}

type userClaims struct {
	Email             string `json:"email"`
	Profile           string `json:"profile"`
	Name              string `json:"name"`
	PreferredUsername string `json:"preferred_username"`
}
Replace copyright header with SPDX identifier 2023-06-19 23:42:47 +02:00			`// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00
Move internal packages to an internal folder For reference: https://go.dev/doc/go1.4#internalpackages 2023-08-11 04:46:45 +02:00			`package oauth2 // import "miniflux.app/v2/internal/oauth2"`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00
			`import (`
			`"context"`
Prevent empty username when using the OIDC integration 2023-09-09 03:01:17 +02:00			`"errors"`
			`"fmt"`
Remove extra column from users table (HSTORE field) Migrated key/value pairs to specific columns. 2020-12-22 06:14:10 +01:00
Move internal packages to an internal folder For reference: https://go.dev/doc/go1.4#internalpackages 2023-08-11 04:46:45 +02:00			`"miniflux.app/v2/internal/model"`
Remove extra column from users table (HSTORE field) Migrated key/value pairs to specific columns. 2020-12-22 06:14:10 +01:00
Bump `go-oidc` to v3.6.0 2023-06-28 05:21:51 +02:00			`"github.com/coreos/go-oidc/v3/oidc"`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`"golang.org/x/oauth2"`
			`)`

Prevent empty username when using the OIDC integration 2023-09-09 03:01:17 +02:00			`var (`
			`ErrEmptyUsername = errors.New("oidc: username is empty")`
			`)`

Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`type oidcProvider struct {`
			`clientID string`
			`clientSecret string`
			`redirectURL string`
			`provider *oidc.Provider`
			`}`

Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`func NewOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {`
			`provider, err := oidc.NewProvider(ctx, discoveryEndpoint)`
			`if err != nil {`
Add profile scope to OIDC integration to support accounts without email 2023-09-09 04:52:28 +02:00			return nil, fmt.Errorf(`oidc: failed to initialize provider %q: %w`, discoveryEndpoint, err)
Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`}`

Add profile scope to OIDC integration to support accounts without email 2023-09-09 04:52:28 +02:00			`return &oidcProvider{`
			`clientID: clientID,`
			`clientSecret: clientSecret,`
			`redirectURL: redirectURL,`
			`provider: provider,`
			`}, nil`
Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`}`

Remove extra column from users table (HSTORE field) Migrated key/value pairs to specific columns. 2020-12-22 06:14:10 +01:00			`func (o *oidcProvider) GetUserExtraKey() string {`
			`return "openid_connect_id"`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`}`

Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`func (o oidcProvider) GetConfig() oauth2.Config {`
			`return &oauth2.Config{`
			`RedirectURL: o.redirectURL,`
			`ClientID: o.clientID,`
			`ClientSecret: o.clientSecret,`
Add profile scope to OIDC integration to support accounts without email 2023-09-09 04:52:28 +02:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email"},`
Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`Endpoint: o.provider.Endpoint(),`
			`}`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`}`

Add OAuth2 PKCE support 2023-09-03 06:35:10 +02:00			`func (o oidcProvider) GetProfile(ctx context.Context, code, codeVerifier string) (Profile, error) {`
			`conf := o.GetConfig()`
			`token, err := conf.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", codeVerifier))`
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`if err != nil {`
Prevent empty username when using the OIDC integration 2023-09-09 03:01:17 +02:00			return nil, fmt.Errorf(`oidc: failed to exchange token: %w`, err)
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`}`

			`userInfo, err := o.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))`
			`if err != nil {`
Prevent empty username when using the OIDC integration 2023-09-09 03:01:17 +02:00			return nil, fmt.Errorf(`oidc: failed to get user info: %w`, err)
Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`}`

Add profile scope to OIDC integration to support accounts without email 2023-09-09 04:52:28 +02:00			`profile := &Profile{`
			`Key: o.GetUserExtraKey(),`
			`ID: userInfo.Subject,`
			`}`

			`var userClaims userClaims`
			`if err := userInfo.Claims(&userClaims); err != nil {`
			return nil, fmt.Errorf(`oidc: failed to parse user claims: %w`, err)
			`}`

			`for _, value := range []string{userClaims.Email, userClaims.PreferredUsername, userClaims.Name, userClaims.Profile} {`
			`if value != "" {`
			`profile.Username = value`
			`break`
			`}`
			`}`
Prevent empty username when using the OIDC integration 2023-09-09 03:01:17 +02:00
			`if profile.Username == "" {`
			`return nil, ErrEmptyUsername`
			`}`

Add generic OpenID Connect provider (OAuth2) This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are. Configuration is similar to setting up the Google Authentication with these changes: * `OAUTH2_PROVIDER = oidc` * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery` 2020-03-08 03:45:19 +01:00			`return profile, nil`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 06:20:21 +01:00			`func (o oidcProvider) PopulateUserCreationWithProfileID(user model.UserCreationRequest, profile *Profile) {`
			`user.OpenIDConnectID = profile.ID`
			`}`

Remove extra column from users table (HSTORE field) Migrated key/value pairs to specific columns. 2020-12-22 06:14:10 +01:00			`func (o oidcProvider) PopulateUserWithProfileID(user model.User, profile *Profile) {`
			`user.OpenIDConnectID = profile.ID`
			`}`

			`func (o oidcProvider) UnsetUserProfileID(user model.User) {`
			`user.OpenIDConnectID = ""`
			`}`
Add profile scope to OIDC integration to support accounts without email 2023-09-09 04:52:28 +02:00
			`type userClaims struct {`
			Email string `json:"email"`
			Profile string `json:"profile"`
			Name string `json:"name"`
			PreferredUsername string `json:"preferred_username"`
			`}`