1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-04 10:34:59 +02:00
oauth2-proxy/providers/util.go
Ian Roberts 63727103db Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL.
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one.  Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
2022-02-19 16:11:09 +00:00

77 lines
1.8 KiB
Go

package providers
import (
"encoding/json"
"fmt"
"net/http"
"net/url"
"golang.org/x/oauth2"
)
const (
tokenTypeBearer = "Bearer"
tokenTypeToken = "token"
acceptHeader = "Accept"
acceptApplicationJSON = "application/json"
)
func makeAuthorizationHeader(prefix, token string, extraHeaders map[string]string) http.Header {
header := make(http.Header)
for key, value := range extraHeaders {
header.Add(key, value)
}
header.Set("Authorization", fmt.Sprintf("%s %s", prefix, token))
return header
}
func makeOIDCHeader(accessToken string) http.Header {
// extra headers required by the IDP when making authenticated requests
extraHeaders := map[string]string{
acceptHeader: acceptApplicationJSON,
}
return makeAuthorizationHeader(tokenTypeBearer, accessToken, extraHeaders)
}
func makeLoginURL(p *ProviderData, redirectURI, state string, extraParams url.Values) url.URL {
a := *p.LoginURL
params, _ := url.ParseQuery(a.RawQuery)
params.Set("redirect_uri", redirectURI)
params.Add("scope", p.Scope)
params.Set("client_id", p.ClientID)
params.Set("response_type", "code")
params.Add("state", state)
for n, p := range extraParams {
for _, v := range p {
params.Add(n, v)
}
}
a.RawQuery = params.Encode()
return a
}
// getIDToken extracts an IDToken stored in the `Extra` fields of an
// oauth2.Token
func getIDToken(token *oauth2.Token) string {
idToken, ok := token.Extra("id_token").(string)
if !ok {
return ""
}
return idToken
}
// formatGroup coerces an OIDC groups claim into a string
// If it is non-string, marshal it into JSON.
func formatGroup(rawGroup interface{}) (string, error) {
if group, ok := rawGroup.(string); ok {
return group, nil
}
jsonGroup, err := json.Marshal(rawGroup)
if err != nil {
return "", err
}
return string(jsonGroup), nil
}