mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-28 18:06:34 +02:00
b9fd926618
* identity: add support for verifying access and identity tokens * allow overriding with policy option * authenticate: add verify endpoints * wip * implement session creation * add verify test * implement idp token login * fix tests * add pr permission * make session ids route-specific * rename method * add test * add access token test * test for newUserFromIDPClaims * more tests * make the session id per-idp * use type for * add test * remove nil checks
76 lines
1.9 KiB
Go
76 lines
1.9 KiB
Go
package authenticate
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
"github.com/pomerium/pomerium/internal/log"
|
|
"github.com/pomerium/pomerium/pkg/authenticateapi"
|
|
)
|
|
|
|
func (a *Authenticate) verifyAccessToken(w http.ResponseWriter, r *http.Request) error {
|
|
var req authenticateapi.VerifyAccessTokenRequest
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
return httputil.NewError(http.StatusBadRequest, err)
|
|
}
|
|
|
|
authenticator, err := a.cfg.getIdentityProvider(r.Context(), a.tracerProvider, a.options.Load(), req.IdentityProviderID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var res authenticateapi.VerifyTokenResponse
|
|
claims, err := authenticator.VerifyAccessToken(r.Context(), req.AccessToken)
|
|
if err == nil {
|
|
res.Valid = true
|
|
res.Claims = claims
|
|
} else {
|
|
res.Valid = false
|
|
log.Ctx(r.Context()).Info().
|
|
Err(err).
|
|
Str("idp", authenticator.Name()).
|
|
Msg("access token failed verification")
|
|
}
|
|
|
|
err = json.NewEncoder(w).Encode(&res)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *Authenticate) verifyIdentityToken(w http.ResponseWriter, r *http.Request) error {
|
|
var req authenticateapi.VerifyIdentityTokenRequest
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
return httputil.NewError(http.StatusBadRequest, err)
|
|
}
|
|
|
|
authenticator, err := a.cfg.getIdentityProvider(r.Context(), a.tracerProvider, a.options.Load(), req.IdentityProviderID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var res authenticateapi.VerifyTokenResponse
|
|
claims, err := authenticator.VerifyIdentityToken(r.Context(), req.IdentityToken)
|
|
if err == nil {
|
|
res.Valid = true
|
|
res.Claims = claims
|
|
} else {
|
|
res.Valid = false
|
|
log.Ctx(r.Context()).Info().
|
|
Err(err).
|
|
Str("idp", authenticator.Name()).
|
|
Msg("identity token failed verification")
|
|
}
|
|
|
|
err = json.NewEncoder(w).Encode(&res)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|