feat(auth): integrate oauth extension (#4152)

* refactor(oauth): move oauth client code * feat(oauth): move extension code into server code * feat(oauth): enable oauth without extension * refactor(oauth): make it easier to remove providers
2025-07-19 13:29:41 +02:00 · 2020-08-05 11:36:46 +03:00 · 2020-08-05 11:36:46 +03:00 · 00f4fe0039
commit 00f4fe0039
parent 148ccd1bc4
21 changed files with 201 additions and 135 deletions
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@ -0,0 +1,130 @@
+package oauth
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"golang.org/x/oauth2"
+	"io/ioutil"
+	"log"
+	"mime"
+	"net/http"
+	"net/url"
+
+	"github.com/portainer/portainer/api"
+)
+
+// Service represents a service used to authenticate users against an authorization server
+type Service struct{}
+
+// NewService returns a pointer to a new instance of this service
+func NewService() *Service {
+	return &Service{}
+}
+
+// Authenticate takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint.
+// On success, it will then return the username associated to authenticated user by fetching this information
+// from the resource server and matching it with the user identifier setting.
+func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
+	token, err := getAccessToken(code, configuration)
+	if err != nil {
+		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
+		return "", err
+	}
+
+	return getUsername(token, configuration)
+}
+
+func getAccessToken(code string, configuration *portainer.OAuthSettings) (string, error) {
+	unescapedCode, err := url.QueryUnescape(code)
+	if err != nil {
+		return "", err
+	}
+
+	config := buildConfig(configuration)
+	token, err := config.Exchange(context.Background(), unescapedCode)
+	if err != nil {
+		return "", err
+	}
+
+	return token.AccessToken, nil
+}
+
+func getUsername(token string, configuration *portainer.OAuthSettings) (string, error) {
+	req, err := http.NewRequest("GET", configuration.ResourceURI, nil)
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	req.Header.Set("Authorization", "Bearer "+token)
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", &oauth2.RetrieveError{
+			Response: resp,
+			Body:     body,
+		}
+	}
+
+	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return "", err
+	}
+
+	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
+		values, err := url.ParseQuery(string(body))
+		if err != nil {
+			return "", err
+		}
+
+		username := values.Get(configuration.UserIdentifier)
+		return username, nil
+	}
+
+	var datamap map[string]interface{}
+	if err = json.Unmarshal(body, &datamap); err != nil {
+		return "", err
+	}
+
+	username, ok := datamap[configuration.UserIdentifier].(string)
+	if ok && username != "" {
+		return username, nil
+	}
+
+	if !ok {
+		username, ok := datamap[configuration.UserIdentifier].(float64)
+		if ok && username != 0 {
+			return fmt.Sprint(int(username)), nil
+		}
+	}
+
+	return "", &oauth2.RetrieveError{
+		Response: resp,
+		Body:     body,
+	}
+}
+
+func buildConfig(configuration *portainer.OAuthSettings) *oauth2.Config {
+	endpoint := oauth2.Endpoint{
+		AuthURL:  configuration.AuthorizationURI,
+		TokenURL: configuration.AccessTokenURI,
+	}
+
+	return &oauth2.Config{
+		ClientID:     configuration.ClientID,
+		ClientSecret: configuration.ClientSecret,
+		Endpoint:     endpoint,
+		RedirectURL:  configuration.RedirectURI,
+		Scopes:       []string{configuration.Scopes},
+	}
+}