rauthy-client 0.14.0

Client for the Rauthy OIDC IAM project
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

use crate::build_lax_cookie_300;
use crate::cookie_state::{OIDC_STATE_COOKIE, OidcCookieState};
use crate::handler::{OidcCallbackParams, OidcCookieInsecure, OidcSetRedirectStatus};
use crate::principal::PrincipalOidc;
use crate::provider::OidcProvider;
use crate::rauthy_error::RauthyError;
use crate::token_set::OidcTokenSet;
use crate::tokens::claims::IdToken;
use axum::{
    body::Body,
    extract::Query,
    http::{StatusCode, header},
    response::Response,
};
use axum_extra::extract::CookieJar;

/// Check the authentication
///
/// Extracts the `Bearer` token from the `Authorization` header. It redirects to the OIDC login if
/// the token is not valid.
///
/// # Returns
/// HTTP 202 if the user is logged in
/// HTTP 200 with a Location header for the login endpoint if set_redirect_status is set to No
/// HTTP 302 with a Location header for the login endpoint if set_redirect_status is set to Yes
///
/// # Panics
/// If the given `enc_key` is not exactly 32 bytes long
pub async fn validate_redirect_principal(
    principal: Option<PrincipalOidc>,
    enc_key: &[u8],
    insecure: OidcCookieInsecure,
    set_redirect_status: OidcSetRedirectStatus,
) -> Response<Body> {
    if principal.is_some() {
        Response::builder()
            .status(StatusCode::ACCEPTED)
            .body(Body::empty())
            .unwrap()
    } else {
        let (cookie_state, challenge) = OidcCookieState::generate();
        let loc = {
            let base = match OidcProvider::config() {
                Ok(c) => &c.auth_url_base,
                Err(_) => {
                    return Response::builder()
                        .status(StatusCode::INTERNAL_SERVER_ERROR)
                        .body(Body::from("OIDC Provider has not been set up"))
                        .unwrap();
                }
            };
            format!(
                "{base}&code_challenge={challenge}&nonce={}&state={}",
                cookie_state.nonce, cookie_state.state
            )
        };

        let value = cookie_state.to_encrypted_cookie_value(enc_key);
        let cookie = build_lax_cookie_300(OIDC_STATE_COOKIE, &value, insecure);

        if set_redirect_status == OidcSetRedirectStatus::Yes {
            Response::builder().status(302)
        } else {
            Response::builder().status(200)
        }
        .header(header::LOCATION, loc)
        .header(header::SET_COOKIE, cookie)
        .body(Body::empty())
        .unwrap()
    }
}

/// Handles the OIDC callback
///
/// # Panics
/// If the given `enc_key` is not exactly 32 bytes long
pub async fn oidc_callback(
    jar: &CookieJar,
    params: Query<OidcCallbackParams>,
    enc_key: &[u8],
    insecure: OidcCookieInsecure,
) -> Result<(String, OidcTokenSet, IdToken), RauthyError> {
    let cookie_state = OidcCookieState::from_jar_cookie_value(jar, enc_key)?;
    crate::handler::oidc_callback(cookie_state, params.0, insecure).await
}