mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-18 00:06:38 +00:00
62 lines
1.3 KiB
Go
62 lines
1.3 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/url"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/netbirdio/netbird/proxy/auth"
|
|
"github.com/netbirdio/netbird/shared/management/proto"
|
|
)
|
|
|
|
type urlGenerator interface {
|
|
GetOIDCURL(context.Context, *proto.GetOIDCURLRequest, ...grpc.CallOption) (*proto.GetOIDCURLResponse, error)
|
|
}
|
|
|
|
type OIDC struct {
|
|
id, accountId string
|
|
client urlGenerator
|
|
}
|
|
|
|
// NewOIDC creates a new OIDC authentication scheme
|
|
func NewOIDC(client urlGenerator, id, accountId string) OIDC {
|
|
return OIDC{
|
|
id: id,
|
|
accountId: accountId,
|
|
client: client,
|
|
}
|
|
}
|
|
|
|
func (OIDC) Type() auth.Method {
|
|
return auth.MethodOIDC
|
|
}
|
|
|
|
func (o OIDC) Authenticate(r *http.Request) (string, string) {
|
|
// Check for the session_token query param (from OIDC redirects).
|
|
// The management server passes the token in the URL because it cannot set
|
|
// cookies for the proxy's domain (cookies are domain-scoped per RFC 6265).
|
|
if token := r.URL.Query().Get("session_token"); token != "" {
|
|
return token, ""
|
|
}
|
|
|
|
redirectURL := &url.URL{
|
|
Scheme: "https",
|
|
Host: r.Host,
|
|
Path: r.URL.Path,
|
|
}
|
|
|
|
res, err := o.client.GetOIDCURL(r.Context(), &proto.GetOIDCURLRequest{
|
|
Id: o.id,
|
|
AccountId: o.accountId,
|
|
RedirectUrl: redirectURL.String(),
|
|
})
|
|
if err != nil {
|
|
// TODO: log
|
|
return "", ""
|
|
}
|
|
|
|
return "", res.GetUrl()
|
|
}
|