example-resource/example-resource.go at main · b1-systems/example-resource · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
/* author: B1 Systems GmbH
 * authoremail: info@b1-systems.de
 * license: MIT License <https://opensource.org/licenses/MIT>
 * summary: OpenID Connect example
 * */

/* Simple "Resource Server", receiving an OAuth2 access token
   and (for demonstration purposes) accessing the OIDC userinfo
   endpoint for the access token's subject identity
   See also: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo */

package main

import (
  "encoding/json"
  "log"
  "net/http"
  "os"
  "strings"
  "github.com/coreos/go-oidc/v3/oidc"
  "golang.org/x/net/context"
  "golang.org/x/oauth2"
  "example-resource/ini"
)

var (
  clientName = "example-resource"
  providerUrl = ""
  listenAddress = ""
)

func main() {
  arr := []ini.Ref{
    {Name: "providerUrl", Value: &providerUrl},
    {Name: "listenAddress", Value: &listenAddress}}

  err := ini.ReadIni(clientName, arr)

  if err != nil {
    log.Fatal()
    os.Exit(1)
  }

  ctx := context.Background()
  provider, err := oidc.NewProvider(ctx, providerUrl)

  if err != nil {
    log.Fatal(err)
    os.Exit(1)
  }

  config := oauth2.Config{
    Endpoint: provider.Endpoint(),
    Scopes: []string{oidc.ScopeOpenID},
  }

  http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    auth_header := r.Header.Get("Authorization")

    if auth_header == "" {
      log.Printf("Authorization header missing from request")
      http.Error(w, "Bad request", http.StatusBadRequest)
    } else if !strings.HasPrefix(auth_header, "Bearer") {
      log.Printf("Authorization header is not a Bearer token")
      http.Error(w, "Bad request", http.StatusBadRequest)
    } else {
      access_token := strings.TrimPrefix(auth_header, "Bearer ")

      tokenSource := config.TokenSource(context.Background(), &oauth2.Token{
        AccessToken: access_token,
        TokenType: "Bearer",
      })

      if _, err := tokenSource.Token(); err != nil {
        log.Printf("Invalid access token: %s", err)
        http.Error(w, "Bad request", http.StatusBadRequest)
      } else {
        if userInfo, err := provider.UserInfo(ctx, tokenSource) ; err != nil {
          log.Printf("Error getting UserInfo: %s", err)
          http.Error(w, "Internal error", http.StatusInternalServerError)
        } else {
          var claims struct {
            Sub string `json:"sub"`
            Email string `json:"email"`
            EmailVerified bool `json:"email_verified"`
            PreferredUsername string `json:"preferred_username"`
            Name string `json:"name"`
            GivenName string `json:"given_name"`
            FamilyName string `json:"family_name"`
            ResourceAccess struct {
              ExampleFrontend struct {
                Roles []string `json:"roles"`
              } `json:"example-frontend"`
            } `json:"resource_access"`
          }

          if err := userInfo.Claims(&claims); err != nil {
            log.Printf("Error parsing claims from UserInfo: %s", err)
            http.Error(w, "Internal error", http.StatusInternalServerError)
          } else {
            data, err := json.MarshalIndent(claims, "", "    ")

            if err != nil {
              http.Error(w, err.Error(), http.StatusInternalServerError)
            } else {
              w.Write(data)
            }
          }
        }
      }
    }
  })

  log.Printf("Listening on http://%s/", listenAddress)
  log.Fatal(http.ListenAndServe(listenAddress, nil))
}

/* vim: set tabstop=2 shiftwidth=2 softtabstop=2 expandtab: */