kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity
Files
bf64f82507c98ba4f8cfa2995650ca5d74bc03ef
baron-sso/backend/internal/service/federation_service.go

91 lines
2.7 KiB
Go
Raw Blame History

package service
import (
"baron-sso-backend/internal/repository"
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"golang.org/x/oauth2"
)
type FederationService struct {
repo repository.FederationRepository
hydraSvc *HydraAdminService
redisSvc *RedisService
}
func NewFederationService(repo repository.FederationRepository, hydraSvc *HydraAdminService, redisSvc *RedisService) *FederationService {
return &FederationService{repo: repo, hydraSvc: hydraSvc, redisSvc: redisSvc}
}
func (s *FederationService) InitiateOIDCLogin(ctx context.Context, providerID, loginChallenge string) (string, error) {
provider, err := s.repo.FindProviderByID(ctx, providerID)
if err != nil {
return "", fmt.Errorf("failed to find provider: %w", err)
}
if provider == nil || provider.IssuerURL == nil || provider.OIDCClientID == nil || provider.OIDCClientSecret == nil || provider.Scopes == nil {
return "", fmt.Errorf("OIDC configuration for provider %s is incomplete", providerID)
}
oidcProvider, err := oidc.NewProvider(ctx, *provider.IssuerURL)
if err != nil {
return "", fmt.Errorf("failed to create OIDC provider: %w", err)
}
config := oauth2.Config{
ClientID: *provider.OIDCClientID,
ClientSecret: *provider.OIDCClientSecret,
Endpoint: oidcProvider.Endpoint(),
RedirectURL: "http://localhost:8080/api/v1/federation/oidc/callback", // This should be configurable
Scopes: []string{*provider.Scopes},
}
state, err := generateState()
if err != nil {
return "", fmt.Errorf("failed to generate state: %w", err)
}
// Store state and login_challenge in Redis
redisKey := fmt.Sprintf("oidc_state:%s", state)
if err := s.redisSvc.Set(redisKey, loginChallenge, 10*time.Minute); err != nil {
return "", fmt.Errorf("failed to save state to Redis: %w", err)
}
return config.AuthCodeURL(state), nil
}
func (s *FederationService) HandleOIDCCallback(ctx context.Context, code, state string) (string, error) {
// 1. Retrieve login_challenge from Redis
redisKey := fmt.Sprintf("oidc_state:%s", state)
loginChallenge, err := s.redisSvc.Get(redisKey)
if err != nil {
return "", fmt.Errorf("failed to get state from Redis or state expired: %w", err)
}
// Delete the state from Redis now that it's been used
s.redisSvc.Delete(redisKey)
// TODO: Finish the rest of the callback logic
// 2. Exchange code for token
// 3. Verify ID token
// 4. JIT Provisioning
// 5. Accept Hydra Login Request
fmt.Println("Login challenge found:", loginChallenge)
return "http://localhost:3000/login?login_successful=true", nil // Placeholder
}
func generateState() (string, error) {
b := make([]byte, 32)
_, err := rand.Read(b)
if err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b), nil
}
View Git Blame Copy Permalink