Prototype device authorization flow (core)

This commit is contained in:
Joe Kralicky 2024-05-16 16:47:02 -04:00
parent 229ef72e58
commit 56ce79e662
No known key found for this signature in database
GPG key ID: 75C4875F34A9FB79
13 changed files with 333 additions and 26 deletions


@ -342,6 +342,17 @@ func (s *Stateful) AuthenticateSignInURL(
return redirectTo, nil
}
func (s *Stateful) AuthenticateDeviceCode(w http.ResponseWriter, r *http.Request, params url.Values) error {
deviceAuthURL := s.authenticateURL.ResolveReference(&url.URL{
Path: "/.pomerium/device_auth",
RawQuery: params.Encode(),
})
signedURL := urlutil.NewSignedURL(s.sharedKey, deviceAuthURL)
httputil.Redirect(w, r, signedURL.String(), http.StatusFound)
return nil
}
// GetIdentityProviderIDForURLValues returns the identity provider ID
// associated with the given URL values.
func (s *Stateful) GetIdentityProviderIDForURLValues(vs url.Values) string {
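Review bot: AuthenticateDeviceCode is exported but carries no doc comment, and its body is a near-verbatim copy of the Stateless implementation added in this same commit, differing only in the local variable name. Suggest a comment such as `// AuthenticateDeviceCode redirects the client to the authenticate service's /.pomerium/device_auth endpoint, forwarding params in a URL signed with the shared key.` and hoisting the shared body into one package-level helper that both types call. Because urlutil.NewSignedURL signs the whole query with s.sharedKey, every entry in params arrives at the device-auth handler as vouched for by this service; I can't see the callers from here, so confirm that params holds only values this side intends to assert (for example the new QueryDeviceAuthRouteURI/QueryDeviceAuthRetryToken keys) and never a verbatim copy of the incoming request's query. The method can only ever return nil, which is fine if it satisfies an interface, but worth saying in the comment so callers don't add dead error handling.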


@ -379,6 +379,17 @@ func (s *Stateless) AuthenticateSignInURL(
)
}
func (s *Stateless) AuthenticateDeviceCode(w http.ResponseWriter, r *http.Request, params url.Values) error {
signinURL := s.authenticateURL.ResolveReference(&url.URL{
Path: "/.pomerium/device_auth",
RawQuery: params.Encode(),
})
signedURL := urlutil.NewSignedURL(s.sharedKey, signinURL)
httputil.Redirect(w, r, signedURL.String(), http.StatusFound)
return nil
}
// Callback handles a redirect to a route domain once signed in.
func (s *Stateless) Callback(w http.ResponseWriter, r *http.Request) error {
if err := r.ParseForm(); err != nil {
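Review bot: The local `signinURL` on the first line of the new method's body points at /.pomerium/device_auth, not a sign-in URL, so the name misleads; the Stateful counterpart in this commit calls the same value `deviceAuthURL`, and the two should agree. Suggest `deviceAuthURL := s.authenticateURL.ResolveReference(&url.URL{` and `signedURL := urlutil.NewSignedURL(s.sharedKey, deviceAuthURL)`. The exported method also lacks the doc comment Go expects; one line stating that it issues a 302 to the authenticate service with params carried in an HMAC-signed query would do. Callback's body continues outside the hunk.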


@ -4,24 +4,26 @@ package urlutil
// services over HTTP calls and redirects. They are typically used in
// conjunction with a HMAC to ensure authenticity.
const (
QueryCallbackURI = "pomerium_callback_uri"
QueryDeviceCredentialID = "pomerium_device_credential_id"
QueryDeviceType = "pomerium_device_type"
QueryEnrollmentToken = "pomerium_enrollment_token" //nolint
QueryExpiry = "pomerium_expiry"
QueryIdentityProfile = "pomerium_identity_profile"
QueryIdentityProviderID = "pomerium_idp_id"
QueryIsProgrammatic = "pomerium_programmatic"
QueryIssued = "pomerium_issued"
QueryPomeriumJWT = "pomerium_jwt"
QueryRedirectURI = "pomerium_redirect_uri"
QuerySession = "pomerium_session"
QuerySessionEncrypted = "pomerium_session_encrypted"
QuerySessionState = "pomerium_session_state"
QueryVersion = "pomerium_version"
QueryRequestUUID = "pomerium_request_uuid"
QueryTraceparent = "pomerium_traceparent"
QueryTracestate = "pomerium_tracestate"
QueryCallbackURI = "pomerium_callback_uri"
QueryDeviceCredentialID = "pomerium_device_credential_id"
QueryDeviceType = "pomerium_device_type"
QueryEnrollmentToken = "pomerium_enrollment_token" //nolint
QueryExpiry = "pomerium_expiry"
QueryIdentityProfile = "pomerium_identity_profile"
QueryIdentityProviderID = "pomerium_idp_id"
QueryIsProgrammatic = "pomerium_programmatic"
QueryIssued = "pomerium_issued"
QueryPomeriumJWT = "pomerium_jwt"
QueryRedirectURI = "pomerium_redirect_uri"
QuerySession = "pomerium_session"
QuerySessionEncrypted = "pomerium_session_encrypted"
QuerySessionState = "pomerium_session_state"
QueryVersion = "pomerium_version"
QueryRequestUUID = "pomerium_request_uuid"
QueryTraceparent = "pomerium_traceparent"
QueryTracestate = "pomerium_tracestate"
QueryDeviceAuthRetryToken = "pomerium_device_auth_retry_token"
QueryDeviceAuthRouteURI = "pomerium_device_auth_route_uri"
)
// URL signature based query params used for verifying the authenticity of a URL.
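Review bot: The two new constants QueryDeviceAuthRetryToken and QueryDeviceAuthRouteURI are added at the end of the block without any note on what they carry or who may set them; none of the existing constants are documented individually, but these two name a token and a redirect target, which are exactly the values that warrant one. If pomerium_device_auth_retry_token is a secret that lets a client resume the flow, a comment should say it only travels inside a signed URL and is to be treated as short-lived, since query strings end up in browser history, Referer headers and access logs; if it is only an opaque nonce that the URL signature already binds, say that instead so nobody later treats it as a credential. Likewise a line such as `// QueryDeviceAuthRouteURI is a redirect target; honor it only after the URL signature has been verified.` would keep it from becoming an open-redirect vector in a future handler. I can't see the consumers from here, so the exact wording depends on how the device_auth handler reads these values.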