| package oauth |
|
|
| import ( |
| "context" |
| "encoding/json" |
| "fmt" |
| "net/http" |
| "net/url" |
| "strings" |
| "time" |
|
|
| "github.com/QuantumNous/new-api/i18n" |
| "github.com/QuantumNous/new-api/logger" |
| "github.com/QuantumNous/new-api/model" |
| "github.com/QuantumNous/new-api/setting/system_setting" |
| "github.com/gin-gonic/gin" |
| ) |
|
|
| func init() { |
| Register("oidc", &OIDCProvider{}) |
| } |
|
|
| |
| type OIDCProvider struct{} |
|
|
| type oidcOAuthResponse struct { |
| AccessToken string `json:"access_token"` |
| IDToken string `json:"id_token"` |
| RefreshToken string `json:"refresh_token"` |
| TokenType string `json:"token_type"` |
| ExpiresIn int `json:"expires_in"` |
| Scope string `json:"scope"` |
| } |
|
|
| type oidcUser struct { |
| OpenID string `json:"sub"` |
| Email string `json:"email"` |
| Name string `json:"name"` |
| PreferredUsername string `json:"preferred_username"` |
| Picture string `json:"picture"` |
| } |
|
|
| func (p *OIDCProvider) GetName() string { |
| return "OIDC" |
| } |
|
|
| func (p *OIDCProvider) IsEnabled() bool { |
| return system_setting.GetOIDCSettings().Enabled |
| } |
|
|
| func (p *OIDCProvider) ExchangeToken(ctx context.Context, code string, c *gin.Context) (*OAuthToken, error) { |
| if code == "" { |
| return nil, NewOAuthError(i18n.MsgOAuthInvalidCode, nil) |
| } |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] ExchangeToken: code=%s...", code[:min(len(code), 10)]) |
|
|
| settings := system_setting.GetOIDCSettings() |
| redirectUri := fmt.Sprintf("%s/oauth/oidc", system_setting.ServerAddress) |
| values := url.Values{} |
| values.Set("client_id", settings.ClientId) |
| values.Set("client_secret", settings.ClientSecret) |
| values.Set("code", code) |
| values.Set("grant_type", "authorization_code") |
| values.Set("redirect_uri", redirectUri) |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] ExchangeToken: token_endpoint=%s, redirect_uri=%s", settings.TokenEndpoint, redirectUri) |
|
|
| req, err := http.NewRequestWithContext(ctx, "POST", settings.TokenEndpoint, strings.NewReader(values.Encode())) |
| if err != nil { |
| return nil, err |
| } |
| req.Header.Set("Content-Type", "application/x-www-form-urlencoded") |
| req.Header.Set("Accept", "application/json") |
|
|
| client := http.Client{ |
| Timeout: 5 * time.Second, |
| } |
| res, err := client.Do(req) |
| if err != nil { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] ExchangeToken error: %s", err.Error())) |
| return nil, NewOAuthErrorWithRaw(i18n.MsgOAuthConnectFailed, map[string]any{"Provider": "OIDC"}, err.Error()) |
| } |
| defer res.Body.Close() |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] ExchangeToken response status: %d", res.StatusCode) |
|
|
| var oidcResponse oidcOAuthResponse |
| err = json.NewDecoder(res.Body).Decode(&oidcResponse) |
| if err != nil { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] ExchangeToken decode error: %s", err.Error())) |
| return nil, err |
| } |
|
|
| if oidcResponse.AccessToken == "" { |
| logger.LogError(ctx, "[OAuth-OIDC] ExchangeToken failed: empty access token") |
| return nil, NewOAuthError(i18n.MsgOAuthTokenFailed, map[string]any{"Provider": "OIDC"}) |
| } |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] ExchangeToken success: scope=%s", oidcResponse.Scope) |
|
|
| return &OAuthToken{ |
| AccessToken: oidcResponse.AccessToken, |
| TokenType: oidcResponse.TokenType, |
| RefreshToken: oidcResponse.RefreshToken, |
| ExpiresIn: oidcResponse.ExpiresIn, |
| Scope: oidcResponse.Scope, |
| IDToken: oidcResponse.IDToken, |
| }, nil |
| } |
|
|
| func (p *OIDCProvider) GetUserInfo(ctx context.Context, token *OAuthToken) (*OAuthUser, error) { |
| settings := system_setting.GetOIDCSettings() |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] GetUserInfo: userinfo_endpoint=%s", settings.UserInfoEndpoint) |
|
|
| req, err := http.NewRequestWithContext(ctx, "GET", settings.UserInfoEndpoint, nil) |
| if err != nil { |
| return nil, err |
| } |
| req.Header.Set("Authorization", "Bearer "+token.AccessToken) |
|
|
| client := http.Client{ |
| Timeout: 5 * time.Second, |
| } |
| res, err := client.Do(req) |
| if err != nil { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] GetUserInfo error: %s", err.Error())) |
| return nil, NewOAuthErrorWithRaw(i18n.MsgOAuthConnectFailed, map[string]any{"Provider": "OIDC"}, err.Error()) |
| } |
| defer res.Body.Close() |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] GetUserInfo response status: %d", res.StatusCode) |
|
|
| if res.StatusCode != http.StatusOK { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] GetUserInfo failed: status=%d", res.StatusCode)) |
| return nil, NewOAuthError(i18n.MsgOAuthGetUserErr, nil) |
| } |
|
|
| var oidcUser oidcUser |
| err = json.NewDecoder(res.Body).Decode(&oidcUser) |
| if err != nil { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] GetUserInfo decode error: %s", err.Error())) |
| return nil, err |
| } |
|
|
| if oidcUser.OpenID == "" || oidcUser.Email == "" { |
| logger.LogError(ctx, fmt.Sprintf("[OAuth-OIDC] GetUserInfo failed: empty fields (sub=%s, email=%s)", oidcUser.OpenID, oidcUser.Email)) |
| return nil, NewOAuthError(i18n.MsgOAuthUserInfoEmpty, map[string]any{"Provider": "OIDC"}) |
| } |
|
|
| logger.LogDebug(ctx, "[OAuth-OIDC] GetUserInfo success: sub=%s, username=%s, name=%s, email=%s", oidcUser.OpenID, oidcUser.PreferredUsername, oidcUser.Name, oidcUser.Email) |
|
|
| return &OAuthUser{ |
| ProviderUserID: oidcUser.OpenID, |
| Username: oidcUser.PreferredUsername, |
| DisplayName: oidcUser.Name, |
| Email: oidcUser.Email, |
| }, nil |
| } |
|
|
| func (p *OIDCProvider) IsUserIDTaken(providerUserID string) bool { |
| return model.IsOidcIdAlreadyTaken(providerUserID) |
| } |
|
|
| func (p *OIDCProvider) FillUserByProviderID(user *model.User, providerUserID string) error { |
| user.OidcId = providerUserID |
| return user.FillUserByOidcId() |
| } |
|
|
| func (p *OIDCProvider) SetProviderUserID(user *model.User, providerUserID string) { |
| user.OidcId = providerUserID |
| } |
|
|
| func (p *OIDCProvider) GetProviderPrefix() string { |
| return "oidc_" |
| } |
|
|
