diff --git a/server/go.mod b/server/go.mod index da00d5c..d2d7063 100644 --- a/server/go.mod +++ b/server/go.mod @@ -4,6 +4,7 @@ go 1.16 require ( github.com/99designs/gqlgen v0.13.0 + github.com/coreos/go-oidc/v3 v3.1.0 // indirect github.com/gin-contrib/location v0.0.2 // indirect github.com/gin-gonic/gin v1.7.2 github.com/go-playground/validator/v10 v10.8.0 // indirect diff --git a/server/go.sum b/server/go.sum index 808720c..de89b22 100644 --- a/server/go.sum +++ b/server/go.sum @@ -109,6 +109,8 @@ github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw= +github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= @@ -737,6 +739,7 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= @@ -1100,6 +1103,8 @@ gopkg.in/readline.v1 v1.0.0-20160726135117-62c6fe619375/go.mod h1:lNEQeAhU009zbR gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/sourcemap.v1 v1.0.5 h1:inv58fC9f9J3TK2Y2R1NPntXEn3/wjWHkonhIUODNTI= gopkg.in/sourcemap.v1 v1.0.5/go.mod h1:2RlvNNSMglmRrcvhfuzp4hQHwOtjxlbjX7UPY/GXb78= +gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= +gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= diff --git a/server/handlers/oauthCallback.go b/server/handlers/oauthCallback.go index 8455bbf..e345da8 100644 --- a/server/handlers/oauthCallback.go +++ b/server/handlers/oauthCallback.go @@ -1,6 +1,7 @@ package handlers import ( + "context" "encoding/json" "fmt" "io/ioutil" @@ -15,36 +16,50 @@ import ( "github.com/authorizerdev/authorizer/server/oauth" "github.com/authorizerdev/authorizer/server/session" "github.com/authorizerdev/authorizer/server/utils" + "github.com/coreos/go-oidc/v3/oidc" "github.com/gin-gonic/gin" "golang.org/x/oauth2" ) func processGoogleUserInfo(code string) (db.User, error) { user := db.User{} - token, err := oauth.OAuthProvider.GoogleConfig.Exchange(oauth2.NoContext, code) + ctx := context.Background() + oauth2Token, err := oauth.OAuthProviders.GoogleConfig.Exchange(ctx, code) if err != nil { return user, fmt.Errorf("invalid google exchange code: %s", err.Error()) } - client := oauth.OAuthProvider.GoogleConfig.Client(oauth2.NoContext, token) - response, err := client.Get(constants.GoogleUserInfoURL) - if err != nil { - return user, err + + verifier := oauth.OIDCProviders.GoogleOIDC.Verifier(&oidc.Config{ClientID: oauth.OAuthProviders.GoogleConfig.ClientID}) + + // Extract the ID Token from OAuth2 token. + rawIDToken, ok := oauth2Token.Extra("id_token").(string) + if !ok { + return user, fmt.Errorf("unable to extract id_token") } - defer response.Body.Close() - body, err := ioutil.ReadAll(response.Body) + // Parse and verify ID Token payload. + idToken, err := verifier.Verify(ctx, rawIDToken) if err != nil { - return user, fmt.Errorf("failed to read google response body: %s", err.Error()) + return user, fmt.Errorf("unable to verify id_token:", err.Error()) } - userRawData := make(map[string]string) - json.Unmarshal(body, &userRawData) + // Extract custom claims + var claims struct { + Email string `json:"email"` + Picture string `json:"picture"` + GivenName string `json:"given_name"` + FamilyName string `json:"family_name"` + Verified bool `json:"email_verified"` + } + if err := idToken.Claims(&claims); err != nil { + return user, fmt.Errorf("unable to extract claims") + } user = db.User{ - FirstName: userRawData["given_name"], - LastName: userRawData["family_name"], - Image: userRawData["picture"], - Email: userRawData["email"], + FirstName: claims.GivenName, + LastName: claims.FamilyName, + Image: claims.Picture, + Email: claims.Email, EmailVerifiedAt: time.Now().Unix(), } @@ -53,7 +68,7 @@ func processGoogleUserInfo(code string) (db.User, error) { func processGithubUserInfo(code string) (db.User, error) { user := db.User{} - token, err := oauth.OAuthProvider.GithubConfig.Exchange(oauth2.NoContext, code) + token, err := oauth.OAuthProviders.GithubConfig.Exchange(oauth2.NoContext, code) if err != nil { return user, fmt.Errorf("invalid github exchange code: %s", err.Error()) } @@ -102,7 +117,7 @@ func processGithubUserInfo(code string) (db.User, error) { func processFacebookUserInfo(code string) (db.User, error) { user := db.User{} - token, err := oauth.OAuthProvider.FacebookConfig.Exchange(oauth2.NoContext, code) + token, err := oauth.OAuthProviders.FacebookConfig.Exchange(oauth2.NoContext, code) if err != nil { return user, fmt.Errorf("invalid facebook exchange code: %s", err.Error()) } diff --git a/server/handlers/oauthLogin.go b/server/handlers/oauthLogin.go index 9f50d9f..1f3cd4e 100644 --- a/server/handlers/oauthLogin.go +++ b/server/handlers/oauthLogin.go @@ -48,28 +48,46 @@ func OAuthLoginHandler() gin.HandlerFunc { oauthStateString := uuid.String() + "___" + redirectURL + "___" + roles provider := c.Param("oauth_provider") - + isProviderConfigured := true switch provider { case enum.Google.String(): + if oauth.OAuthProviders.GoogleConfig == nil { + isProviderConfigured = false + break + } session.SetSocailLoginState(oauthStateString, enum.Google.String()) // during the init of OAuthProvider authorizer url might be empty - oauth.OAuthProvider.GoogleConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/google" - url := oauth.OAuthProvider.GoogleConfig.AuthCodeURL(oauthStateString) + oauth.OAuthProviders.GoogleConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/google" + url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString) c.Redirect(http.StatusTemporaryRedirect, url) case enum.Github.String(): + if oauth.OAuthProviders.GithubConfig == nil { + isProviderConfigured = false + break + } session.SetSocailLoginState(oauthStateString, enum.Github.String()) - oauth.OAuthProvider.GithubConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/github" - url := oauth.OAuthProvider.GithubConfig.AuthCodeURL(oauthStateString) + oauth.OAuthProviders.GithubConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/github" + url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString) c.Redirect(http.StatusTemporaryRedirect, url) case enum.Facebook.String(): + if oauth.OAuthProviders.FacebookConfig == nil { + isProviderConfigured = false + break + } session.SetSocailLoginState(oauthStateString, enum.Facebook.String()) - oauth.OAuthProvider.FacebookConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/facebook" - url := oauth.OAuthProvider.FacebookConfig.AuthCodeURL(oauthStateString) + oauth.OAuthProviders.FacebookConfig.RedirectURL = constants.AUTHORIZER_URL + "/oauth_callback/facebook" + url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString) c.Redirect(http.StatusTemporaryRedirect, url) default: c.JSON(422, gin.H{ "message": "Invalid oauth provider", }) } + + if !isProviderConfigured { + c.JSON(422, gin.H{ + "message": provider + " not configured", + }) + } } } diff --git a/server/oauth/oauth.go b/server/oauth/oauth.go index e295393..64b6927 100644 --- a/server/oauth/oauth.go +++ b/server/oauth/oauth.go @@ -1,33 +1,49 @@ package oauth import ( + "context" + "log" + "github.com/authorizerdev/authorizer/server/constants" + "github.com/coreos/go-oidc/v3/oidc" "golang.org/x/oauth2" facebookOAuth2 "golang.org/x/oauth2/facebook" githubOAuth2 "golang.org/x/oauth2/github" - googleOAuth2 "golang.org/x/oauth2/google" ) -type OAuthProviders struct { +type OAuthProvider struct { GoogleConfig *oauth2.Config GithubConfig *oauth2.Config FacebookConfig *oauth2.Config } -var OAuthProvider OAuthProviders +type OIDCProvider struct { + GoogleOIDC *oidc.Provider +} + +var ( + OAuthProviders OAuthProvider + OIDCProviders OIDCProvider +) func InitOAuth() { + ctx := context.Background() if constants.GOOGLE_CLIENT_ID != "" && constants.GOOGLE_CLIENT_SECRET != "" { - OAuthProvider.GoogleConfig = &oauth2.Config{ + p, err := oidc.NewProvider(ctx, "https://accounts.google.com") + if err != nil { + log.Fatalln("error creating oidc provider for google:", err) + } + OIDCProviders.GoogleOIDC = p + OAuthProviders.GoogleConfig = &oauth2.Config{ ClientID: constants.GOOGLE_CLIENT_ID, ClientSecret: constants.GOOGLE_CLIENT_SECRET, RedirectURL: constants.AUTHORIZER_URL + "/oauth_callback/google", - Endpoint: googleOAuth2.Endpoint, - Scopes: []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}, + Endpoint: OIDCProviders.GoogleOIDC.Endpoint(), + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, } } if constants.GITHUB_CLIENT_ID != "" && constants.GITHUB_CLIENT_SECRET != "" { - OAuthProvider.GithubConfig = &oauth2.Config{ + OAuthProviders.GithubConfig = &oauth2.Config{ ClientID: constants.GITHUB_CLIENT_ID, ClientSecret: constants.GITHUB_CLIENT_SECRET, RedirectURL: constants.AUTHORIZER_URL + "/oauth_callback/github", @@ -35,7 +51,7 @@ func InitOAuth() { } } if constants.FACEBOOK_CLIENT_ID != "" && constants.FACEBOOK_CLIENT_SECRET != "" { - OAuthProvider.FacebookConfig = &oauth2.Config{ + OAuthProviders.FacebookConfig = &oauth2.Config{ ClientID: constants.FACEBOOK_CLIENT_ID, ClientSecret: constants.FACEBOOK_CLIENT_SECRET, RedirectURL: constants.AUTHORIZER_URL + "/oauth_callback/facebook", diff --git a/server/resolvers/token.go b/server/resolvers/token.go index 1c4d674..6087a1e 100644 --- a/server/resolvers/token.go +++ b/server/resolvers/token.go @@ -84,14 +84,16 @@ func Token(ctx context.Context, roles []string) (*model.AuthResponse, error) { AccessToken: &token, AccessTokenExpiresAt: &expiresAt, User: &model.User{ - ID: userIdStr, - Email: user.Email, - Image: &user.Image, - FirstName: &user.FirstName, - LastName: &user.LastName, - Roles: strings.Split(user.Roles, ","), - CreatedAt: &user.CreatedAt, - UpdatedAt: &user.UpdatedAt, + ID: userIdStr, + Email: user.Email, + Image: &user.Image, + FirstName: &user.FirstName, + LastName: &user.LastName, + Roles: strings.Split(user.Roles, ","), + CreatedAt: &user.CreatedAt, + UpdatedAt: &user.UpdatedAt, + SignupMethod: user.SignupMethod, + EmailVerifiedAt: &user.EmailVerifiedAt, }, } return res, nil