bbox-core 0.6.1

Common functionality for BBOX services
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

use super::Identity;
use log::{debug, info};
use openidconnect::{
    core::{CoreClient, CoreErrorResponseType, CoreProviderMetadata, CoreResponseType},
    reqwest::async_http_client,
    AuthenticationFlow, AuthorizationCode, ClaimsVerificationError, ClientId, ClientSecret,
    CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, RedirectUrl, RequestTokenError, Scope,
    StandardErrorResponse,
};
use serde::{Deserialize, Serialize};
use serde_json::Value;

#[derive(thiserror::Error, Debug)]
pub enum AuthError {
    #[error(transparent)]
    OidcRequestTokenError(
        #[from]
        RequestTokenError<
            openidconnect::reqwest::Error<reqwest::Error>,
            StandardErrorResponse<CoreErrorResponseType>,
        >,
    ),
    #[error(transparent)]
    OidcClaimsVerificationError(#[from] ClaimsVerificationError),
    #[error("Server did not return an ID token")]
    OpenidIdTokenError,
}

#[derive(Deserialize, Serialize, Default, Clone, Debug)]
#[serde(default, deny_unknown_fields)]
pub struct OidcAuthCfg {
    pub client_id: String,
    pub client_secret: String,
    pub issuer_url: String,
    pub redirect_uri: Option<String>,
    pub scopes: Option<String>,
    pub username_claim: Option<String>,
    pub groupinfo_claim: Option<String>,
}

#[derive(Clone, Debug)]
pub struct OidcClient {
    client: CoreClient,
    pub authorize_url: String,
    nonce: Nonce,
    username_claim: Option<String>,
    groupinfo_claim: String,
}

impl OidcClient {
    pub async fn from_config(cfg: &OidcAuthCfg) -> Self {
        info!(
            "Fetching {}/.well-known/openid-configuration",
            &cfg.issuer_url
        );
        let provider_metadata = CoreProviderMetadata::discover_async(
            IssuerUrl::new(cfg.issuer_url.clone()).expect("Invalid issuer URL"),
            async_http_client,
        )
        .await
        .expect("Failed to discover OpenID Provider");

        // Set up the config for the OAuth2 process.
        let redirect_uri = cfg
            .redirect_uri
            .clone()
            .unwrap_or("http://127.0.0.1:8080/auth".to_string());
        let client = CoreClient::from_provider_metadata(
            provider_metadata,
            ClientId::new(cfg.client_id.clone()),
            Some(ClientSecret::new(cfg.client_secret.clone())),
        )
        .set_redirect_uri(RedirectUrl::new(redirect_uri).expect("Invalid redirect URL"));

        // Generate the authorization URL to which we'll redirect the user.
        let mut auth_client = client.authorize_url(
            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
            CsrfToken::new_random,
            Nonce::new_random,
        );
        let scopes = cfg.scopes.clone().unwrap_or("email profile".to_string());
        for scope in scopes.split(' ') {
            auth_client = auth_client.add_scope(Scope::new(scope.to_string()));
        }
        let (authorize_url, _csrf_state, nonce) = auth_client.url();
        let groupinfo_claim = cfg.groupinfo_claim.clone().unwrap_or("group".to_string());
        OidcClient {
            client,
            authorize_url: authorize_url.to_string(),
            nonce,
            username_claim: cfg.username_claim.clone(),
            groupinfo_claim,
        }
    }
}

#[derive(Deserialize, Serialize, Debug)]
pub struct AuthRequest {
    pub code: String,
    // pub state: String,
    // pub scope: String,
}

impl AuthRequest {
    pub async fn auth(&self, oidc: &OidcClient) -> Result<Identity, AuthError> {
        // let state = CsrfToken::new(self.state.clone());
        let code = AuthorizationCode::new(self.code.clone());
        // Exchange the code with a token.
        let token_response = oidc
            .client
            .exchange_code(code)
            .request_async(async_http_client)
            .await?;
        debug!("IdP returned scopes: {:?}", token_response.scopes());

        let id_token_verifier = oidc.client.id_token_verifier();
        let id_token_claims = token_response
            .extra_fields()
            .id_token()
            .ok_or(AuthError::OpenidIdTokenError)?
            .claims(&id_token_verifier, &oidc.nonce)?;

        // Convert back to raw JSON to simplify extracting configurable claims
        let userinfo = serde_json::to_value(id_token_claims).unwrap();
        info!("userinfo: {userinfo:#?}");

        let username = if let Some(claim) = &oidc.username_claim {
            userinfo[claim].as_str()
        } else {
            userinfo
                .get("preferred_username")
                .or(userinfo.get("upn"))
                .or(userinfo.get("email"))
                .and_then(|v| v.as_str())
        }
        .unwrap_or("")
        .to_string();
        let groups = match &userinfo[&oidc.groupinfo_claim] {
            Value::String(s) => vec![s.as_str().to_string()],
            Value::Array(arr) => arr
                .iter()
                .filter_map(|v| v.as_str().map(str::to_string))
                .collect(),
            _ => Vec::new(),
        };
        Ok(Identity { username, groups })
    }
}