core/authenticate: refactor identity authenticators to initiate redirect (#4858)

* core/authenticate: refactor identity authenticators to initiate redirect, use cookie for redirect url for cognito

* set secure and http only, update test
Caleb Doxsey 2023-12-19 12:04:23 -07:00 committed by GitHub
parent 4c15b202d1
commit 3adbc65d37
14 changed files with 237 additions and 125 deletions


@ -83,31 +83,6 @@ func (p *Provider) Name() string {
return Name
}
// GetSignInURL returns the url of the provider's OAuth 2.0 consent page
// that asks for permissions for the required scopes explicitly.
//
// State is a token to protect the user from CSRF attacks. You must
// always provide a non-empty string and validate that it matches the
// the state query parameter on your redirect callback.
// See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
func (p *Provider) GetSignInURL(state string) (string, error) {
opts := []oauth2.AuthCodeOption{}
for k, v := range p.authCodeOptions {
opts = append(opts, oauth2.SetAuthURLParam(k, v))
}
authURL := p.oauth.AuthCodeURL(state, opts...)
// Apple is very picky here and we need to use %20 instead of +
authURL = strings.ReplaceAll(authURL, "+", "%20")
return authURL, nil
}
// GetSignOutURL is not implemented.
func (p *Provider) GetSignOutURL(_, _ string) (string, error) {
return "", oidc.ErrSignoutNotImplemented
}
// Authenticate converts an authorization code returned from the identity
// provider into a token which is then converted into a user session.
func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error) {
@ -181,3 +156,29 @@ func (p *Provider) UpdateUserInfo(_ context.Context, t *oauth2.Token, v interfac
return idToken.UnsafeClaimsWithoutVerification(v)
}
// SignIn redirects to the url of the provider's OAuth 2.0 consent page
// that asks for permissions for the required scopes explicitly.
//
// State is a token to protect the user from CSRF attacks. You must
// always provide a non-empty string and validate that it matches the
// the state query parameter on your redirect callback.
// See http://tools.ietf.org/html/rfc6749#section-10.12 for more info.
func (p *Provider) SignIn(w http.ResponseWriter, r *http.Request, state string) error {
opts := []oauth2.AuthCodeOption{}
for k, v := range p.authCodeOptions {
opts = append(opts, oauth2.SetAuthURLParam(k, v))
}
authURL := p.oauth.AuthCodeURL(state, opts...)
// Apple is very picky here and we need to use %20 instead of +
authURL = strings.ReplaceAll(authURL, "+", "%20")
httputil.Redirect(w, r, authURL, http.StatusFound)
return nil
}
// SignOut is not implemented.
func (p *Provider) SignOut(_ http.ResponseWriter, _ *http.Request, _, _, _ string) error {
return oidc.ErrSignoutNotImplemented
}
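Review bot: The doc comment carried over onto SignIn still has the duplicated word in "validate that it matches the / the state query parameter"; the two lines should read `// always provide a non-empty string and validate that it matches the` and `// state query parameter on your redirect callback.`. SignOut's five parameters are all blank, so nothing in this hunk tells a reader what the interface passes in (presumably the token and redirect details); a one-line comment naming them, checked against the interface definition outside this hunk, would make the stub self-explanatory. As a minor style point, `opts := []oauth2.AuthCodeOption{}` could be `opts := make([]oauth2.AuthCodeOption, 0, len(p.authCodeOptions))` since the length is known.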