oidc: parsing userinfo

b82ed482 · Christian Pointner · 659b9c4d · b82ed482
Commit b82ed482 authored 6 years ago by Christian Pointner
--- a/auth/oidc.go
+++ b/auth/oidc.go
@@ -26,6 +26,7 @@ package auth
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	oidc "github.com/coreos/go-oidc"
@@ -130,6 +131,11 @@ type oidcCallbackHandler struct {
 	backend *OIDCBackend
 }
+func invalidateSessionCookie(w http.ResponseWriter) {
+	// TODO: this needs to improve
+	http.SetCookie(w, &http.Cookie{Name: SessionCookieName, Value: "invalid", MaxAge: -1})
+}
 func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	sc, err := r.Cookie(SessionCookieName)
 	if sc == nil || err != nil {
@@ -138,6 +144,7 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	}
 	s := auth.sessions.get(sc.Value)
 	if s == nil {
+		invalidateSessionCookie(w)
 		http.Error(w, "invalid session cookie or session already expired", http.StatusUnauthorized)
 		return
 	}
@@ -151,37 +158,64 @@ func (h *oidcCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	}
 	if r.URL.Query().Get("state") != s.oidc.State {
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
 		http.Error(w, "OIDC: state did not match", http.StatusBadRequest)
 		return
 	}
 	oauth2Token, err := h.backend.oauth2Config.Exchange(r.Context(), r.URL.Query().Get("code"))
 	if err != nil {
-		http.Error(w, "OIDC: failed to exchange token: "+err.Error(), http.StatusInternalServerError)
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
+		http.Error(w, "OIDC: failed to exchange token: "+err.Error(), http.StatusBadRequest)
 		return
 	}
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
 		http.Error(w, "OIDC: no id_token field in oauth2 token.", http.StatusInternalServerError)
 		return
 	}
 	// Verify the ID Token signature and nonce.
 	idToken, err := h.backend.verifier.Verify(r.Context(), rawIDToken)
 	if err != nil {
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
 		http.Error(w, "OIDC: failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if idToken.Nonce != s.oidc.Nonce {
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
 		http.Error(w, "OIDC: invalid ID token nonce", http.StatusInternalServerError)
 		return
 	}
-	// TODO: parse userInfo, populeate new session and update it inside the session-manager
+	userInfo, err := h.backend.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(oauth2Token))
+	if err != nil {
+		invalidateSessionCookie(w)
+		auth.sessions.remove(sc.Value)
+		http.Error(w, "OIDC: failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+	resp := struct {
+		OAuth2Token *oauth2.Token
+		UserInfo    *json.RawMessage
+	}{oauth2Token, new(json.RawMessage)}
-	// userInfo, err := h.backend.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(oauth2Token))
+	if err := userInfo.Claims(&resp.UserInfo); err != nil {
-	// if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
-	// 	http.Error(w, "OIDC: failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
+		return
-	// 	return
+	}
-	// }
+	data, err := json.MarshalIndent(resp, "", "    ")
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Write(data)
 }