authenticate: use gRPC for service endpoints (#39)

* authenticate: set cookie secure as default. * authenticate: remove single flight provider. * authenticate/providers: Rename “ProviderData” to “IdentityProvider” * authenticate/providers: Fixed an issue where scopes were not being overwritten * proxy/authenticate : http client code removed. * proxy: standardized session variable names between services. * docs: change basic docker-config to be an “all-in-one” example with no nginx load. * docs: nginx balanced docker compose example with intra-ingress settings. * license: attribution for adaptation of goji’s middleware pattern.
2025-07-19 09:38:03 +02:00 · 2019-02-08 10:10:38 -08:00 · 2019-02-08 10:10:38 -08:00 · c886b924e7
commit c886b924e7
parent 9ca3ff4fa2
54 changed files with 2184 additions and 1463 deletions
--- a/authenticate/grpc.go
+++ b/authenticate/grpc.go
@ -0,0 +1,64 @@
+package authenticate // import "github.com/pomerium/pomerium/authenticate"
+import (
+	"context"
+	"fmt"
+
+	"github.com/golang/protobuf/ptypes"
+
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/internal/sessions"
+	pb "github.com/pomerium/pomerium/proto/authenticate"
+)
+
+// Authenticate takes an encrypted code, and returns the authentication result.
+func (p *Authenticate) Authenticate(ctx context.Context, in *pb.AuthenticateRequest) (*pb.AuthenticateReply, error) {
+	session, err := sessions.UnmarshalSession(in.Code, p.cipher)
+	if err != nil {
+		return nil, fmt.Errorf("authenticate/grpc: %v", err)
+	}
+	expiryTimestamp, err := ptypes.TimestampProto(session.RefreshDeadline)
+	if err != nil {
+		return nil, err
+	}
+
+	return &pb.AuthenticateReply{
+		AccessToken:  session.AccessToken,
+		RefreshToken: session.RefreshToken,
+		IdToken:      session.IDToken,
+		User:         session.User,
+		Email:        session.Email,
+		Expiry:       expiryTimestamp,
+	}, nil
+}
+
+// Validate locally validates a JWT id token; does NOT do nonce or revokation validation.
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+func (p *Authenticate) Validate(ctx context.Context, in *pb.ValidateRequest) (*pb.ValidateReply, error) {
+	isValid, err := p.provider.Validate(in.IdToken)
+	if err != nil {
+		return &pb.ValidateReply{IsValid: false}, err
+	}
+	return &pb.ValidateReply{IsValid: isValid}, nil
+}
+
+// Refresh renews a user's session checks if the session has been revoked using an access token
+// without reprompting the user.
+func (p *Authenticate) Refresh(ctx context.Context, in *pb.RefreshRequest) (*pb.RefreshReply, error) {
+	newToken, err := p.provider.Refresh(in.RefreshToken)
+	if err != nil {
+		return nil, err
+	}
+	expiryTimestamp, err := ptypes.TimestampProto(newToken.Expiry)
+	if err != nil {
+		return nil, err
+	}
+	log.Info().
+		Str("session.AccessToken", newToken.AccessToken).
+		Msg("authenticate: grpc: refresh: ok")
+
+	return &pb.RefreshReply{
+		AccessToken: newToken.AccessToken,
+		Expiry:      expiryTimestamp,
+	}, nil
+
+}