coopgo-platform/mobility-accounts
7
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

Replace Fosite OIDC provider with embedded Dex
All checks were successful
Build and Push Docker Image / build_and_push (push) Successful in 2m26s
Details

Browse Source
This commit is contained in:
Arnaud Delcasse
2026-03-02 20:08:06 +01:00
parent 52a6e25bc3
commit 722c89e86a
24 changed files with 896 additions and 2079 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@@ -22,7 +22,7 @@ FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /server /
COPY --from=builder /oidc-provider/templates /oidc-provider/templates
COPY --from=builder /oidc-provider/web /oidc-provider/web
EXPOSE 8080
EXPOSE 80

113
go.mod
View File

@@ -3,87 +3,116 @@ module gitlab.com/mobicoop/solidarity/services/mobility-accounts
go 1.24
require (
ariga.io/atlas v0.10.1
ariga.io/atlas v0.31.1-0.20250212144724-069be8033e83
github.com/dexidp/dex v0.0.0-20250219130842-7d1a7473c8a0
github.com/google/uuid v1.6.0
github.com/gorilla/csrf v1.7.1
github.com/gorilla/mux v1.8.0
github.com/lib/pq v1.10.2
github.com/lib/pq v1.10.9
github.com/mitchellh/mapstructure v1.5.0
github.com/ory/fosite v0.42.2
github.com/rs/zerolog v1.33.0
github.com/santhosh-tekuri/jsonschema/v5 v5.0.0
github.com/spf13/viper v1.15.0
github.com/stretchr/testify v1.8.2
go.etcd.io/etcd/client/v3 v3.5.6
github.com/stretchr/testify v1.10.0
go.etcd.io/etcd/client/v3 v3.5.18
go.mongodb.org/mongo-driver v1.11.4
golang.org/x/crypto v0.27.0
google.golang.org/grpc v1.68.0
google.golang.org/protobuf v1.34.2
gopkg.in/square/go-jose.v2 v2.5.2-0.20210529014059-a5c7eec3c614
golang.org/x/crypto v0.33.0
google.golang.org/grpc v1.70.0
google.golang.org/protobuf v1.36.5
)
require (
cloud.google.com/go/auth v0.14.1 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/sprig/v3 v3.3.0 // indirect
github.com/agext/levenshtein v1.2.1 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/beevik/etree v1.5.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bmatcuk/doublestar v1.3.4 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/coreos/go-oidc/v3 v3.12.0 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/dgraph-io/ristretto v0.0.3 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/dexidp/dex/api/v2 v2.3.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/go-ldap/ldap/v3 v3.4.10 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/inflect v0.19.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.1 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/gorilla/securecookie v1.1.1 // indirect
github.com/gorilla/websocket v1.4.2 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
github.com/gorilla/handlers v1.5.2 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/hcl/v2 v2.16.2 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/klauspost/compress v1.13.6 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/jonboulle/clockwork v0.2.2 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/goveralls v0.0.6 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
github.com/ory/go-acc v0.2.6 // indirect
github.com/ory/go-convenience v0.1.0 // indirect
github.com/ory/viper v1.7.5 // indirect
github.com/ory/x v0.0.214 // indirect
github.com/pborman/uuid v1.2.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/russellhaering/goxmldsig v1.4.0 // indirect
github.com/sergi/go-diff v1.1.0 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/spf13/afero v1.9.3 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/cobra v1.0.0 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
github.com/tidwall/pretty v1.1.0 // indirect
github.com/xdg-go/pbkdf2 v1.0.0 // indirect
github.com/xdg-go/scram v1.1.1 // indirect
github.com/xdg-go/stringprep v1.0.3 // indirect
github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
github.com/zclconf/go-cty v1.12.1 // indirect
go.etcd.io/etcd/api/v3 v3.5.6 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.6 // indirect
github.com/zclconf/go-cty v1.14.4 // indirect
github.com/zclconf/go-cty-yaml v1.1.0 // indirect
go.etcd.io/etcd/api/v3 v3.5.18 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.18 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/net v0.29.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.27.0 // indirect
golang.org/x/text v0.18.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
golang.org/x/exp v0.0.0-20221004215720-b9f4876ce741 // indirect
golang.org/x/net v0.35.0 // indirect
golang.org/x/oauth2 v0.26.0 // indirect
golang.org/x/sync v0.11.0 // indirect
golang.org/x/sys v0.30.0 // indirect
golang.org/x/text v0.22.0 // indirect
google.golang.org/api v0.221.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
//replace github.com/ory/fosite => ../../../github.com/ory/fosite

1367
go.sum
View File

File diff suppressed because it is too large Load Diff

151
oidc-provider/connector/connector.go Normal file
View File

@@ -0,0 +1,151 @@
package connector
import (
"context"
"encoding/json"
"fmt"
"log/slog"
"github.com/dexidp/dex/connector"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
)
// Config is the connector configuration used by Dex's ConnectorConfig interface.
// Fields are injected in-process (not via JSON unmarshaling).
type Config struct {
Handler *handlers.MobilityAccountsHandler
Storage storage.Storage
Namespace string
}
// Open satisfies server.ConnectorConfig. It returns a Connector that implements
// connector.PasswordConnector and connector.RefreshConnector.
func (c *Config) Open(id string, logger *slog.Logger) (connector.Connector, error) {
if c.Handler == nil {
return nil, fmt.Errorf("mobilityaccounts connector: handler is nil")
}
return &Connector{
handler: c.Handler,
storage: c.Storage,
namespace: c.Namespace,
logger: logger,
}, nil
}
// Connector bridges Dex authentication to the mobility-accounts handler.
// It implements connector.PasswordConnector and connector.RefreshConnector.
type Connector struct {
handler *handlers.MobilityAccountsHandler
storage storage.Storage
namespace string
logger *slog.Logger
}
// Prompt returns the label displayed on the password form input.
func (c *Connector) Prompt() string { return "Email" }
// Login authenticates a user via the mobility-accounts handler and maps the
// account data to a Dex Identity with standard OIDC claims.
func (c *Connector) Login(ctx context.Context, s connector.Scopes, username, password string) (connector.Identity, bool, error) {
account, err := c.handler.Login(username, password, c.namespace)
if err != nil {
// Invalid credentials: return validPassword=false, no error
return connector.Identity{}, false, nil
}
c.logger.Info("connector login", "account_id", account.ID, "data_keys", dataKeys(account.Data), "groups_raw", fmt.Sprintf("%T: %v", account.Data["groups"], account.Data["groups"]))
identity := buildIdentity(account)
c.logger.Info("connector identity", "groups", identity.Groups, "email", identity.Email, "username", identity.Username)
return identity, true, nil
}
// Refresh is called when a client uses a refresh token. It reloads the account
// from storage to reflect any changes since the last authentication.
func (c *Connector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
account, err := c.storage.DB.GetAccount(identity.UserID)
if err != nil {
return identity, fmt.Errorf("mobilityaccounts connector: refresh failed: %w", err)
}
return buildIdentity(account), nil
}
// buildIdentity maps a mobility-accounts Account to a Dex connector.Identity.
// Dex maps Identity.Username to the "name" OIDC claim and
// Identity.PreferredUsername to the "preferred_username" claim.
func buildIdentity(account *storage.Account) connector.Identity {
displayName := getStringData(account, "display_name")
if displayName == "" {
displayName = derefString(account.Authentication.Local.Username)
}
return connector.Identity{
UserID: account.ID,
Username: displayName,
PreferredUsername: derefString(account.Authentication.Local.Username),
Email: getStringData(account, "email"),
EmailVerified: true,
Groups: getGroups(account),
ConnectorData: nil,
}
}
// dataKeys returns the keys of a map for debug logging.
func dataKeys(m map[string]any) []string {
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
return keys
}
// derefString safely dereferences a *string, returning "" if nil.
func derefString(s *string) string {
if s == nil {
return ""
}
return *s
}
// getStringData retrieves a string value from account.Data by key.
func getStringData(account *storage.Account, key string) string {
if account.Data == nil {
return ""
}
v, ok := account.Data[key]
if !ok {
return ""
}
s, ok := v.(string)
if !ok {
return ""
}
return s
}
// getGroups retrieves the groups slice from account.Data["groups"].
// Uses JSON round-tripping to handle any BSON/primitive type from MongoDB.
func getGroups(account *storage.Account) []string {
if account.Data == nil {
return []string{}
}
v, ok := account.Data["groups"]
if !ok || v == nil {
return []string{}
}
// JSON round-trip handles primitive.A, []interface{}, []string, etc.
b, err := json.Marshal(v)
if err != nil {
return []string{}
}
var groups []string
if err := json.Unmarshal(b, &groups); err != nil {
return []string{}
}
if groups == nil {
return []string{}
}
return groups
}

101
oidc-provider/endpoints_auth.go
View File

@@ -1,101 +0,0 @@
package op
import (
"fmt"
"html/template"
"net/http"
"time"
"github.com/gorilla/csrf"
"github.com/gorilla/mux"
"github.com/ory/fosite"
"github.com/ory/fosite/handler/openid"
"github.com/ory/fosite/token/jwt"
)
func (op *OIDCHandler) AuthEndpoint(w http.ResponseWriter, r *http.Request) {
namespace := mux.Vars(r)["namespace"]
oauth2Provider := op.NamespaceProviders[namespace]
templates_dir := op.config.Namespaces[namespace].TemplatesDir
t := template.New("auth")
t = template.Must(t.ParseFiles(
templates_dir + "/auth.html",
))
ctx := r.Context()
ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r)
if err != nil {
oauth2Provider.WriteAuthorizeError(w, ar, err)
return
}
if r.Method == "POST" {
if r.Form.Get("username") == "" || r.Form.Get("password") == "" {
oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied)
return
}
account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace)
if err != nil {
if err = t.ExecuteTemplate(w, "auth", map[string]any{
csrf.TemplateTag: csrf.TemplateField(r),
"error": fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace),
"realError": err,
}); err != nil {
oauth2Provider.WriteAuthorizeError(w, ar, err)
}
return
}
sessionData := &openid.DefaultSession{
Claims: &jwt.IDTokenClaims{
Issuer: fmt.Sprintf("%s://%s/%s", op.Protocol, r.Host, namespace),
Subject: account.ID,
Audience: []string{},
ExpiresAt: time.Now().Add(time.Hour * 30),
IssuedAt: time.Now(),
RequestedAt: time.Now(),
AuthTime: time.Now(),
Extra: make(map[string]interface{}),
},
Username: r.Form.Get("username"),
Subject: account.ID,
Headers: &jwt.Headers{
Extra: make(map[string]interface{}),
},
}
// Manage claims
for _, v := range ar.GetRequestedScopes() {
ar.GrantScope(v)
if v != "openid" { // TODO handle standard claims like profile, email, ...
if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok {
if d, ok := account.Data[mc]; ok {
sessionData.Claims.Extra[v] = d
}
} else if d, ok := account.Data[v]; ok {
sessionData.Claims.Extra[v] = d
}
}
}
response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData)
if err != nil {
oauth2Provider.WriteAuthorizeError(w, ar, err)
return
}
oauth2Provider.WriteAuthorizeResponse(w, ar, response)
return
}
err = t.ExecuteTemplate(w, "auth", map[string]any{
// csrf.TemplateTag: csrf.TemplateField(r),
})
if err != nil {
panic(err)
}
}

26
oidc-provider/endpoints_introspection.go
View File

@@ -1,26 +0,0 @@
package op
import (
"log"
"net/http"
"github.com/gorilla/mux"
"github.com/ory/fosite"
)
func (op *OIDCHandler) IntrospectionEndpoint(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
namespace := mux.Vars(r)["namespace"]
oauth2Provider := op.NamespaceProviders[namespace]
ctx := r.Context()
mySessionData := new(fosite.DefaultSession)
ir, err := oauth2Provider.NewIntrospectionRequest(ctx, r, mySessionData)
if err != nil {
log.Printf("Error occurred in NewIntrospectionRequest: %+v", err)
oauth2Provider.WriteIntrospectionError(w, err)
return
}
oauth2Provider.WriteIntrospectionResponse(w, ir)
}

41
oidc-provider/endpoints_token.go
View File

@@ -1,41 +0,0 @@
package op
import (
"fmt"
"net/http"
"github.com/gorilla/mux"
"github.com/ory/fosite/handler/openid"
)
func (op *OIDCHandler) TokenEndpoint(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
namespace := mux.Vars(req)["namespace"]
provider := op.NamespaceProviders[namespace]
ctx := req.Context()
mySessionData := openid.NewDefaultSession()
accessRequest, err := provider.NewAccessRequest(ctx, req, mySessionData)
if err != nil {
fmt.Printf("Error occurred in NewAccessRequest: %+v", err)
provider.WriteAccessError(w, accessRequest, err)
return
}
if accessRequest.GetGrantTypes().ExactOne("client_credentials") {
for _, scope := range accessRequest.GetRequestedScopes() {
accessRequest.GrantScope(scope)
}
}
response, err := provider.NewAccessResponse(ctx, accessRequest)
if err != nil {
fmt.Printf("Error occurred in NewAccessResponse: %+v", err)
provider.WriteAccessError(w, accessRequest, err)
return
}
provider.WriteAccessResponse(w, accessRequest, response)
}

8
oidc-provider/endpoints_userinfo.go
View File

@@ -1,8 +0,0 @@
package op
import "net/http"
func (op *OIDCHandler) UserinfoEndpoint(w http.ResponseWriter, req *http.Request) {
// TODO
w.WriteHeader(http.StatusNotFound)
}

63
oidc-provider/endpoints_wellknown.go
View File

@@ -1,63 +0,0 @@
package op
import (
"encoding/json"
"fmt"
"net/http"
"github.com/gorilla/mux"
"gopkg.in/square/go-jose.v2"
)
func (op *OIDCHandler) WellKnownOIDCEndpoint(w http.ResponseWriter, r *http.Request) {
var (
host = r.Host
namespace = mux.Vars(r)["namespace"]
protocol = op.Protocol
issuer = fmt.Sprintf("%s://%s/%s", protocol, host, namespace)
)
response := map[string]any{
"issuer": issuer,
"authorization_endpoint": issuer + "/auth",
"token_endpoint": issuer + "/token",
"userinfo_endpoint": issuer + "/userinfo",
"id_token_signing_alg_values_supported": []string{"RS256"},
"grant_types_supported": []string{"authorization_code", "implicit", "client_credentials", "refresh_token"},
"response_types": []string{"code", "code id_token", "id_token", "token id_token", "token", "token id_token code"},
"response_modes_supported": []string{"query", "fragment"},
"jwks_uri": issuer + "/.well-known/jwks.json",
}
json, err := json.Marshal(response)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write(json)
}
func (op *OIDCHandler) WellKnownJWKSEndpoint(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
jwks := &jose.JSONWebKeySet{
Keys: []jose.JSONWebKey{
{
KeyID: "kid-foo",
Use: "sig",
Key: &op.PrivateKey.PublicKey,
},
},
}
jsonJwks, err := json.Marshal(jwks)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
}
w.WriteHeader(http.StatusOK)
w.Write(jsonJwks)
}

574
oidc-provider/fosite.go
View File

@@ -1,574 +0,0 @@
package op
import (
"context"
"crypto/rsa"
"errors"
"net/url"
"reflect"
"strings"
"time"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
"github.com/mitchellh/mapstructure"
"github.com/ory/fosite"
"github.com/ory/fosite/compose"
"github.com/ory/fosite/handler/openid"
"gopkg.in/square/go-jose.v2"
)
func NewProvider(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, s storage.Storage, privateKey *rsa.PrivateKey) fosite.OAuth2Provider {
config := &compose.Config{
RedirectSecureChecker: func(checkUrl *url.URL) bool {
if strings.HasSuffix(checkUrl.Host, "svc.cluster.local") || strings.HasSuffix(checkUrl.Host, "localhost") {
return true
}
return false
},
}
storage := NewOIDCProviderStore(c, h, s.KV)
secret := []byte(c.SecretKey)
return compose.ComposeAllEnabled(config, storage, secret, privateKey)
}
type OIDCProviderStore struct {
Namespace string
MobilityAccountsHandler handlers.MobilityAccountsHandler
KV storage.KVStore
Clients map[string]fosite.Client
}
func NewOIDCProviderStore(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, storage storage.KVStore) *OIDCProviderStore {
clients := map[string]fosite.Client{}
for _, v := range c.Clients {
client := &fosite.DefaultClient{
ID: v.ID,
Secret: []byte(v.Secret),
RedirectURIs: v.RedirectURIs,
ResponseTypes: v.ResponseTypes,
GrantTypes: v.GrantTypes,
Scopes: v.Scopes,
Audience: v.Audience,
Public: v.Public,
}
if v.OIDC {
oidc_client := &fosite.DefaultOpenIDConnectClient{
DefaultClient: client,
TokenEndpointAuthMethod: v.TokenEndpointAuthMethod,
}
clients[v.ID] = oidc_client
} else {
clients[v.ID] = client
}
}
return &OIDCProviderStore{
MobilityAccountsHandler: h,
KV: storage,
Clients: clients,
}
}
func (s *OIDCProviderStore) GetClient(_ context.Context, id string) (fosite.Client, error) {
cl, ok := s.Clients[id]
if !ok {
return nil, fosite.ErrNotFound
}
return cl, nil
}
func (s *OIDCProviderStore) Authenticate(_ context.Context, name string, secret string) error {
_, err := s.MobilityAccountsHandler.Login(name, secret, s.Namespace)
if err != nil {
return fosite.ErrNotFound
}
return nil
}
func (s *OIDCProviderStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error {
err := s.KV.Put("id_sessions/"+authorizeCode, requester)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error) {
d, err := s.KV.Get("id_sessions/" + authorizeCode)
if err != nil {
return nil, fosite.ErrNotFound
}
//return d.(fosite.Requester), nil
return DecodeRequest(d)
// req := fosite.NewRequest()
// req.Session = new(openid.DefaultSession)
// decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
// Metadata: nil,
// DecodeHook: mapstructure.ComposeDecodeHookFunc(
// ToTimeHookFunc()),
// Result: &req,
// })
// if err != nil {
// return req, err
// }
// if err = decoder.Decode(d); err != nil {
// return req, err
// }
// return req, nil
}
// DeleteOpenIDConnectSession is not really called from anywhere and it is deprecated.
func (s *OIDCProviderStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error {
err := s.KV.Delete("id_sessions/" + authorizeCode)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) ClientAssertionJWTValid(_ context.Context, jti string) error {
if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil {
return fosite.ErrJTIKnown
}
return nil
}
func (s *OIDCProviderStore) SetClientAssertionJWT(_ context.Context, jti string, exp time.Time) error {
if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil {
return fosite.ErrJTIKnown
}
duration := exp.Sub(time.Now())
if duration < 0 {
return errors.New("already expired")
}
err := s.KV.PutWithTTL("blacklisted_jtis/"+jti, true, duration)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error {
res := StoreAuthorizeCode{
Active: true,
Requester: req.(*fosite.Request),
}
err := s.KV.Put("authorize_codes/"+code, res)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) {
rel, err := s.KV.Get("authorize_codes/" + code)
if err != nil {
return nil, fosite.ErrNotFound
}
sac, err := DecodeStoreAuthorizeCode(rel)
if err != nil {
return nil, err
}
if !sac.Active {
return sac.Requester, fosite.ErrInvalidatedAuthorizeCode
}
return sac.Requester, nil
}
func (s *OIDCProviderStore) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error {
rel, err := s.KV.Get("authorize_codes/" + code)
if err != nil {
return fosite.ErrNotFound
}
sac, err := DecodeStoreAuthorizeCode(rel)
if err != nil {
return err
}
sac.Active = false
err = s.KV.Put("authorize_codes/"+code, sac)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) CreatePKCERequestSession(_ context.Context, code string, req fosite.Requester) error {
err := s.KV.Put("pkce/"+code, req)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) GetPKCERequestSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) {
rel, err := s.KV.Get("pkce/" + code)
if err != nil {
return nil, fosite.ErrNotFound
}
req := fosite.NewRequest()
req.Session = new(fosite.DefaultSession)
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
Metadata: nil,
DecodeHook: mapstructure.ComposeDecodeHookFunc(
ToTimeHookFunc()),
Result: &req,
})
if err != nil {
return req, err
}
if err = decoder.Decode(rel); err != nil {
return req, err
}
return req, nil
}
func (s *OIDCProviderStore) DeletePKCERequestSession(_ context.Context, code string) error {
err := s.KV.Delete("pkce/" + code)
if err != nil {
return fosite.ErrNotFound
}
return nil
}
func (s *OIDCProviderStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error {
err := s.KV.Put("access_tokens/"+signature, req)
if err != nil {
return err
}
err = s.KV.Put("access_tokens_request_ids/"+req.GetID(), signature)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
rel, err := s.KV.Get("access_tokens/" + signature)
if err != nil {
return nil, fosite.ErrNotFound
}
//return rel.(fosite.Requester), nil
req := fosite.NewRequest()
req.Session = new(fosite.DefaultSession)
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
Metadata: nil,
DecodeHook: mapstructure.ComposeDecodeHookFunc(
ToTimeHookFunc()),
Result: &req,
})
if err != nil {
return req, err
}
if err = decoder.Decode(rel); err != nil {
return req, err
}
return req, nil
}
func (s *OIDCProviderStore) DeleteAccessTokenSession(_ context.Context, signature string) error {
err := s.KV.Delete("access_tokens/" + signature)
if err != nil {
return fosite.ErrNotFound
}
return nil
}
func (s *OIDCProviderStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error {
err := s.KV.Put("refresh_tokens/"+signature, StoreRefreshToken{Active: true, Requester: req})
if err != nil {
return err
}
err = s.KV.Put("refresh_tokens_request_ids/"+req.GetID(), signature)
if err != nil {
return err
}
return nil
}
func (s *OIDCProviderStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
rel, err := s.KV.Get("refresh_tokens/" + signature)
if err != nil {
return nil, fosite.ErrNotFound
}
var srt StoreRefreshToken
if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil {
return nil, err
}
if !srt.Active {
return nil, fosite.ErrInactiveToken
}
return srt.Requester, nil
}
func (s *OIDCProviderStore) DeleteRefreshTokenSession(_ context.Context, signature string) error {
err := s.KV.Delete("refresh_tokens/" + signature)
if err != nil {
return fosite.ErrNotFound
}
return nil
}
func (s *OIDCProviderStore) RevokeRefreshToken(ctx context.Context, requestID string) error {
if signature, err := s.KV.Get("refresh_tokens_request_ids" + requestID); err == nil {
rel, err := s.KV.Get("refresh_tokens/" + signature.(string))
if err != nil {
return fosite.ErrNotFound
}
var srt StoreRefreshToken
if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil {
return err
}
srt.Active = false
err = s.KV.Put("refresh_tokens/"+signature.(string), srt)
if err != nil {
return err
}
}
return nil
}
func (s *OIDCProviderStore) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error {
// no configuration option is available; grace period is not available with memory store
return s.RevokeRefreshToken(ctx, requestID)
}
func (s *OIDCProviderStore) RevokeAccessToken(ctx context.Context, requestID string) error {
if signature, err := s.KV.Get("access_tokens_request_ids/" + requestID); err != nil {
if err := s.DeleteAccessTokenSession(ctx, signature.(string)); err != nil {
return err
}
}
return nil
}
func (s *OIDCProviderStore) GetPublicKey(ctx context.Context, issuer string, subject string, keyId string) (*jose.JSONWebKey, error) {
if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
var ipk IssuerPublicKeys
if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
return nil, err
}
if subKeys, ok := ipk.KeysBySub[subject]; ok {
if keyScopes, ok := subKeys.Keys[keyId]; ok {
return keyScopes.Key, nil
}
}
}
return nil, fosite.ErrNotFound
}
func (s *OIDCProviderStore) GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error) {
if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
var ipk IssuerPublicKeys
if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
return nil, err
}
if subKeys, ok := ipk.KeysBySub[subject]; ok {
if len(subKeys.Keys) == 0 {
return nil, fosite.ErrNotFound
}
keys := make([]jose.JSONWebKey, 0, len(subKeys.Keys))
for _, keyScopes := range subKeys.Keys {
keys = append(keys, *keyScopes.Key)
}
return &jose.JSONWebKeySet{Keys: keys}, nil
}
}
return nil, fosite.ErrNotFound
}
func (s *OIDCProviderStore) GetPublicKeyScopes(ctx context.Context, issuer string, subject string, keyId string) ([]string, error) {
if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil {
var ipk IssuerPublicKeys
if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil {
return nil, err
}
if subKeys, ok := ipk.KeysBySub[subject]; ok {
if keyScopes, ok := subKeys.Keys[keyId]; ok {
return keyScopes.Scopes, nil
}
}
}
return nil, fosite.ErrNotFound
}
func (s *OIDCProviderStore) IsJWTUsed(ctx context.Context, jti string) (bool, error) {
err := s.ClientAssertionJWTValid(ctx, jti)
if err != nil {
return true, nil
}
return false, nil
}
func (s *OIDCProviderStore) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error {
return s.SetClientAssertionJWT(ctx, jti, exp)
}
// CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key.
func (s *OIDCProviderStore) CreatePARSession(ctx context.Context, requestURI string, request fosite.AuthorizeRequester) error {
err := s.KV.Put("par_sessions/"+requestURI, request)
if err != nil {
return err
}
return nil
}
// GetPARSession gets the push authorization request context. If the request is nil, a new request object
// is created. Otherwise, the same object is updated.
func (s *OIDCProviderStore) GetPARSession(ctx context.Context, requestURI string) (fosite.AuthorizeRequester, error) {
rel, err := s.KV.Get("par_sessions/" + requestURI)
if err != nil {
return nil, fosite.ErrNotFound
}
return rel.(fosite.AuthorizeRequester), nil
}
// DeletePARSession deletes the context.
func (s *OIDCProviderStore) DeletePARSession(ctx context.Context, requestURI string) error {
err := s.KV.Delete("par_sessions/" + requestURI)
if err != nil {
return fosite.ErrNotFound
}
return nil
}
type StoreAuthorizeCode struct {
Active bool `json:"active"`
Requester *fosite.Request `json:"requester"`
}
func DecodeStoreAuthorizeCode(rel interface{}) (StoreAuthorizeCode, error) {
sac := StoreAuthorizeCode{
Active: false,
Requester: fosite.NewRequest(),
}
// metadata := mapstructure.Metadata{}
sac.Requester.Session = new(openid.DefaultSession)
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
// Metadata: &metadata,
DecodeHook: mapstructure.ComposeDecodeHookFunc(
ToTimeHookFunc(),
ToBytes(),
),
TagName: "json",
Result: &sac,
})
if err != nil {
return sac, err
}
if err = decoder.Decode(rel); err != nil {
return sac, err
}
return sac, nil
}
func DecodeRequest(rel interface{}) (*fosite.Request, error) {
req := fosite.NewRequest()
req.Session = new(openid.DefaultSession)
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
// Metadata: &metadata,
DecodeHook: mapstructure.ComposeDecodeHookFunc(
ToTimeHookFunc(),
ToBytes(),
),
TagName: "json",
Result: &req,
})
if err != nil {
return req, err
}
if err = decoder.Decode(rel); err != nil {
return req, err
}
return req, nil
}
type StoreRefreshToken struct {
Active bool
Requester fosite.Requester
}
type IssuerPublicKeys struct {
Issuer string
KeysBySub map[string]SubjectPublicKeys `mapstructure:"keys_by_sub"`
}
type SubjectPublicKeys struct {
Subject string
Keys map[string]PublicKeyScopes
}
type PublicKeyScopes struct {
Key *jose.JSONWebKey
Scopes []string
}
func ToTimeHookFunc() mapstructure.DecodeHookFunc {
return func(
f reflect.Type,
t reflect.Type,
data interface{}) (interface{}, error) {
if t != reflect.TypeOf(time.Time{}) {
return data, nil
}
switch f.Kind() {
case reflect.String:
return time.Parse(time.RFC3339, data.(string))
case reflect.Float64:
return time.Unix(0, int64(data.(float64))*int64(time.Millisecond)), nil
case reflect.Int64:
return time.Unix(0, data.(int64)*int64(time.Millisecond)), nil
default:
return data, nil
}
// Convert it by parsing
}
}
func ToBytes() mapstructure.DecodeHookFunc {
return func(
f reflect.Type,
t reflect.Type,
data interface{}) (interface{}, error) {
if t == reflect.TypeOf([]byte("")) && f.Kind() == reflect.String {
return []byte(data.(string)), nil
}
return data, nil
}
}

183
oidc-provider/oidc-provider.go
View File

@@ -1,24 +1,33 @@
package op
import (
"crypto/rand"
"crypto/rsa"
"context"
"fmt"
"log/slog"
"net/http"
"os"
"time"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
"github.com/dexidp/dex/server"
dexstorage "github.com/dexidp/dex/storage"
"github.com/dexidp/dex/storage/memory"
"github.com/mitchellh/mapstructure"
"github.com/ory/fosite"
"github.com/rs/zerolog/log"
"github.com/spf13/viper"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/handlers"
maconnector "gitlab.com/mobicoop/solidarity/services/mobility-accounts/oidc-provider/connector"
"gitlab.com/mobicoop/solidarity/services/mobility-accounts/storage"
)
// OIDCConfig holds the full OIDC provider configuration, decoded from viper.
type OIDCConfig struct {
Enable bool
CSRFKey bool `mapstructure:"csrf_key"`
Port bool
Port string
BaseURL string `mapstructure:"base_url"`
Namespaces map[string]OIDCNamespaceConfig
}
// OIDCNamespaceConfig holds per-namespace OIDC settings.
type OIDCNamespaceConfig struct {
Namespace string
SecretKey string `mapstructure:"secret_key"`
@@ -27,6 +36,7 @@ type OIDCNamespaceConfig struct {
Clients []OIDCClient
}
// OIDCClient represents a static OIDC client.
type OIDCClient struct {
ID string
OIDC bool
@@ -41,60 +51,139 @@ type OIDCClient struct {
TokenEndpointAuthMethod string `mapstructure:"token_endpoint_auth_method"`
}
type OIDCHandler struct {
NamespaceProviders map[string]fosite.OAuth2Provider
config OIDCConfig
handler handlers.MobilityAccountsHandler
Protocol string //HTTP (dev env) or HTTPS
PrivateKey *rsa.PrivateKey
// NewDexServer creates an http.ServeMux that hosts one Dex OIDC server per namespace.
// Each namespace is mounted at /{namespaceName}/ and has its own storage, clients,
// and connector instance.
func NewDexServer(handler *handlers.MobilityAccountsHandler, stor storage.Storage, cfg *viper.Viper) (*http.ServeMux, error) {
var oidcConfig OIDCConfig
mapstructure.Decode(cfg.Get("services.oidc_provider").(map[string]any), &oidcConfig)
baseURL := oidcConfig.BaseURL
if baseURL == "" {
protocol := "https"
if cfg.GetBool("dev_env") {
protocol = "http"
}
baseURL = fmt.Sprintf("%s://0.0.0.0:%s", protocol, cfg.GetString("services.oidc_provider.port"))
}
mux := http.NewServeMux()
logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelInfo}))
// Register our custom connector type in Dex's global registry
server.ConnectorsConfig["mobilityaccounts"] = func() server.ConnectorConfig {
return &maconnector.Config{
Handler: handler,
Storage: stor,
Namespace: "", // will be set per-namespace below
}
}
for nsName, nsCfg := range oidcConfig.Namespaces {
dexServer, err := createNamespaceDexServer(handler, stor, nsCfg, nsName, baseURL, logger)
if err != nil {
return nil, fmt.Errorf("failed to create Dex server for namespace %q: %w", nsName, err)
}
prefix := "/" + nsName
mux.Handle(prefix+"/", dexServer)
}
return mux, nil
}
func NewOIDCHandler(h handlers.MobilityAccountsHandler, storage storage.Storage, config *viper.Viper) *OIDCHandler {
var oidc_config OIDCConfig
// createNamespaceDexServer builds a single Dex server.Server for one namespace.
func createNamespaceDexServer(handler *handlers.MobilityAccountsHandler, stor storage.Storage, nsCfg OIDCNamespaceConfig, nsName, baseURL string, logger *slog.Logger) (*server.Server, error) {
ctx := context.Background()
mapstructure.Decode(config.Get("services.oidc_provider").(map[string]any), &oidc_config)
// In-memory Dex storage
dexStore := memory.New(logger)
providers := map[string]fosite.OAuth2Provider{}
// Register static clients
clients := buildDexClients(nsCfg.Clients)
dexStore = dexstorage.WithStaticClients(dexStore, clients)
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
// Register the connector — we override ConnectorsConfig factory for this namespace
// so that Open() will get the right handler/storage/namespace.
server.ConnectorsConfig["mobilityaccounts"] = func() server.ConnectorConfig {
return &maconnector.Config{
Handler: handler,
Storage: stor,
Namespace: nsCfg.Namespace,
}
}
conn := dexstorage.Connector{
ID: "mobilityaccounts",
Type: "mobilityaccounts",
Name: "Mobility Accounts",
}
dexStore = dexstorage.WithStaticConnectors(dexStore, []dexstorage.Connector{conn})
issuer := fmt.Sprintf("%s/%s", baseURL, nsName)
// Determine web config
webCfg := server.WebConfig{
Issuer: nsName,
}
if nsCfg.TemplatesDir != "" {
webCfg.Dir = nsCfg.TemplatesDir
}
// Dex v2.42 manages signing keys internally via storage.
dexServer, err := server.NewServer(ctx, server.Config{
Issuer: issuer,
Storage: dexStore,
SkipApprovalScreen: true,
IDTokensValidFor: 30 * time.Hour,
Web: webCfg,
Logger: logger,
Now: time.Now,
})
if err != nil {
return nil
return nil, fmt.Errorf("failed to create Dex server: %w", err)
}
for _, c := range oidc_config.Namespaces {
np := NewProvider(c, h, storage, privateKey)
providers[c.Namespace] = np
}
protocol := "https"
if config.GetBool("dev_env") {
protocol = "http"
}
return &OIDCHandler{
config: oidc_config,
handler: h,
NamespaceProviders: providers,
Protocol: protocol,
PrivateKey: privateKey,
}
return dexServer, nil
}
func Run(done chan error, cfg *viper.Viper, handler handlers.MobilityAccountsHandler, storage storage.Storage) {
var (
address = "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
)
// buildDexClients converts the config OIDCClient list to Dex storage.Client list.
func buildDexClients(clients []OIDCClient) []dexstorage.Client {
dexClients := make([]dexstorage.Client, 0, len(clients))
for _, c := range clients {
dexClients = append(dexClients, dexstorage.Client{
ID: c.ID,
Secret: c.Secret,
RedirectURIs: c.RedirectURIs,
Public: c.Public,
Name: c.ID,
})
}
return dexClients
}
log.Info().Str("address", address).Msg("Running OIDC provider")
s := NewOIDCHandler(handler, storage, cfg)
err := NewOIDCServer(s, cfg)
// Run starts the OIDC provider HTTP server. Called from main.go as a goroutine.
func Run(done chan error, cfg *viper.Viper, handler handlers.MobilityAccountsHandler, stor storage.Storage) {
address := "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
log.Info().Str("address", address).Msg("Running Dex OIDC provider")
mux, err := NewDexServer(&handler, stor, cfg)
if err != nil {
log.Error().Err(err).Msg("OIDC server ended")
log.Error().Err(err).Msg("Failed to create Dex OIDC server")
done <- err
return
}
srv := &http.Server{
Handler: mux,
Addr: address,
WriteTimeout: 15 * time.Second,
ReadTimeout: 15 * time.Second,
}
err = srv.ListenAndServe()
if err != nil {
log.Error().Err(err).Msg("Dex OIDC server ended")
}
done <- err
}

40
oidc-provider/server.go
View File

@@ -1,40 +0,0 @@
package op
import (
"net/http"
"time"
"github.com/gorilla/csrf"
"github.com/gorilla/mux"
"github.com/spf13/viper"
)
func NewOIDCServer(oidc_handler *OIDCHandler, cfg *viper.Viper) error {
var (
dev_env = cfg.GetBool("dev_env")
address = "0.0.0.0:" + cfg.GetString("services.oidc_provider.port")
//csrf_key = cfg.GetString("services.oidc_provider.csrf_key")
)
router := mux.NewRouter()
router.HandleFunc("/{namespace}/auth", oidc_handler.AuthEndpoint)
router.HandleFunc("/{namespace}/token", oidc_handler.TokenEndpoint)
router.HandleFunc("/{namespace}/introspect", oidc_handler.IntrospectionEndpoint)
router.HandleFunc("/{namespace}/userinfo", oidc_handler.UserinfoEndpoint)
router.HandleFunc("/{namespace}/.well-known/openid-configuration", oidc_handler.WellKnownOIDCEndpoint)
router.HandleFunc("/{namespace}/.well-known/jwks.json", oidc_handler.WellKnownJWKSEndpoint)
if dev_env {
csrf.Secure(false)
}
srv := &http.Server{
Handler: router,
Addr: address,
WriteTimeout: 15 * time.Second,
ReadTimeout: 15 * time.Second,
}
err := srv.ListenAndServe()
return err
}

2
oidc-provider/web/robots.txt Normal file
View File

@@ -0,0 +1,2 @@
User-agent: *
Disallow: /

1
oidc-provider/web/static/main.css Normal file
View File

@@ -0,0 +1 @@
/* Mobicoop Solidaire — static styles are inlined in header.html */

22
oidc-provider/web/templates/approval.html Normal file
View File

@@ -0,0 +1,22 @@
{{ template "header.html" . }}
<h2>Autorisation</h2>
<p style="text-align:center; font-size:0.875rem; margin-bottom:1rem;">
<strong>{{ .Client }}</strong> souhaite acceder a votre compte.
</p>
{{ if .Scopes }}
<p style="font-size:0.875rem;">Permissions demandees :</p>
<ul class="scopes-list">
{{ range $s := .Scopes }}
<li>{{ $s }}</li>
{{ end }}
</ul>
{{ end }}
<form method="POST" action="{{ .Approval }}">
<button type="submit" class="btn-primary">Autoriser</button>
</form>
{{ template "footer.html" . }}

21
oidc-provider/web/templates/device.html Normal file
View File

@@ -0,0 +1,21 @@
{{ template "header.html" . }}
<h2>Connexion appareil</h2>
{{ if .Invalid }}
<div class="error-box">
Code invalide. Veuillez reessayer.
</div>
{{ end }}
<form method="POST" action="{{ .PostURL }}">
<div class="form-group">
<label for="user_code">Code utilisateur</label>
<input required id="user_code" name="user_code" type="text"
{{ if .UserCode }}value="{{ .UserCode }}"{{ end }}
placeholder="XXXX-XXXX" autofocus>
</div>
<button type="submit" class="btn-primary">Valider</button>
</form>
{{ template "footer.html" . }}

9
oidc-provider/web/templates/device_success.html Normal file
View File

@@ -0,0 +1,9 @@
{{ template "header.html" . }}
<h2>Appareil connecte</h2>
<p style="text-align:center; font-size:0.875rem;">
Votre appareil <strong>{{ .ClientName }}</strong> est maintenant connecte. Vous pouvez fermer cette page.
</p>
{{ template "footer.html" . }}

14
oidc-provider/web/templates/error.html Normal file
View File

@@ -0,0 +1,14 @@
{{ template "header.html" . }}
<h2>Erreur</h2>
<div class="error-box">
{{ if .ErrType }}<strong>{{ .ErrType }}</strong><br>{{ end }}
{{ if .ErrMsg }}{{ .ErrMsg }}{{ else }}Une erreur inattendue est survenue.{{ end }}
</div>
<div class="link-center">
<a href="javascript:history.back()">Retour</a>
</div>
{{ template "footer.html" . }}

3
oidc-provider/web/templates/footer.html Normal file
View File

@@ -0,0 +1,3 @@
</div>
</body>
</html>

161
oidc-provider/web/templates/header.html Normal file
View File

@@ -0,0 +1,161 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ issuer }} - Connexion</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;500;600;700&display=swap" rel="stylesheet">
<style>
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
body {
font-family: 'Poppins', sans-serif;
background-color: #f9fafb;
color: #1f2937;
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
}
.card {
background: #fff;
border-radius: 1rem;
box-shadow: 0 1px 3px rgba(0,0,0,0.08);
padding: 2.5rem 2rem;
width: 100%;
max-width: 28rem;
margin: 1rem;
}
.logo {
display: block;
margin: 0 auto 1.5rem;
max-width: 200px;
height: auto;
}
h2 {
text-align: center;
font-size: 1.5rem;
font-weight: 600;
color: #243887;
margin-bottom: 1.5rem;
}
.form-group { margin-bottom: 1rem; }
label {
display: block;
font-size: 0.875rem;
font-weight: 500;
color: #374151;
margin-bottom: 0.25rem;
}
input[type="text"],
input[type="email"],
input[type="password"] {
width: 100%;
padding: 0.625rem 0.875rem;
border: 1px solid #d1d5db;
border-radius: 1rem;
font-family: 'Poppins', sans-serif;
font-size: 0.875rem;
outline: none;
transition: border-color 0.15s;
}
input[type="text"]:focus,
input[type="email"]:focus,
input[type="password"]:focus {
border-color: #243887;
box-shadow: 0 0 0 2px rgba(36,56,135,0.15);
}
.btn-primary {
display: block;
width: 100%;
padding: 0.625rem;
background-color: #243887;
color: #fff;
border: none;
border-radius: 1rem;
font-family: 'Poppins', sans-serif;
font-size: 0.875rem;
font-weight: 600;
cursor: pointer;
transition: background-color 0.15s;
margin-top: 1.25rem;
}
.btn-primary:hover { background-color: #1c2d6e; }
.error-box {
background-color: #fef2f2;
border: 1px solid #fecaca;
color: #991b1b;
padding: 0.75rem 1rem;
border-radius: 0.75rem;
font-size: 0.8125rem;
margin-bottom: 1rem;
}
.link-center {
text-align: center;
margin-top: 1rem;
}
.link-center a {
color: #243887;
font-size: 0.8125rem;
text-decoration: none;
font-weight: 500;
}
.link-center a:hover { text-decoration: underline; }
.back-link {
text-align: center;
margin-top: 0.75rem;
}
.back-link a {
color: #6b7280;
font-size: 0.8125rem;
text-decoration: none;
}
.back-link a:hover { text-decoration: underline; }
.connector-list { list-style: none; }
.connector-list li { margin-bottom: 0.5rem; }
.connector-list a {
display: block;
text-align: center;
padding: 0.625rem;
background-color: #243887;
color: #fff;
border-radius: 1rem;
text-decoration: none;
font-weight: 600;
font-size: 0.875rem;
transition: background-color 0.15s;
}
.connector-list a:hover { background-color: #1c2d6e; }
.scopes-list {
list-style: disc;
padding-left: 1.5rem;
margin: 1rem 0;
font-size: 0.875rem;
}
</style>
</head>
<body>
<div class="card">

18
oidc-provider/web/templates/login.html Normal file
View File

@@ -0,0 +1,18 @@
{{ template "header.html" . }}
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 240 48" class="logo">
<text x="50%" y="50%" dominant-baseline="central" text-anchor="middle"
font-family="Poppins, sans-serif" font-weight="700" font-size="18" fill="#243887">
Mobicoop Solidaire
</text>
</svg>
<h2>Connexion</h2>
<ul class="connector-list">
{{ range $c := .Connectors }}
<li><a href="{{ $c.URL }}">{{ $c.Name }}</a></li>
{{ end }}
</ul>
{{ template "footer.html" . }}

13
oidc-provider/web/templates/oob.html Normal file
View File

@@ -0,0 +1,13 @@
{{ template "header.html" . }}
<h2>Code d'autorisation</h2>
<p style="text-align:center; font-size:0.875rem; margin-bottom:1rem;">
Copiez ce code dans votre application :
</p>
<div style="text-align:center; font-size:1.25rem; font-weight:600; color:#243887; background:#f3f4f6; padding:1rem; border-radius:0.75rem; font-family:monospace;">
{{ .Code }}
</div>
{{ template "footer.html" . }}

41
oidc-provider/web/templates/password.html Normal file
View File

@@ -0,0 +1,41 @@
{{ template "header.html" . }}
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 240 48" class="logo">
<text x="50%" y="50%" dominant-baseline="central" text-anchor="middle"
font-family="Poppins, sans-serif" font-weight="700" font-size="18" fill="#243887">
Mobicoop Solidaire
</text>
</svg>
<h2>Connexion</h2>
{{ if .Invalid }}
<div class="error-box">
Identifiant ou mot de passe incorrect.
</div>
{{ end }}
<form method="POST" action="{{ .PostURL }}">
<div class="form-group">
<label for="login">{{ .UsernamePrompt }}</label>
<input tabindex="1" required id="login" name="login" type="email"
placeholder="email@exemple.fr"
{{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}>
</div>
<div class="form-group">
<label for="password">Mot de passe</label>
<input tabindex="2" required id="password" name="password" type="password"
placeholder="mot de passe" {{ if .Invalid }}autofocus{{ end }}>
</div>
<button tabindex="3" type="submit" class="btn-primary">Se connecter</button>
</form>
{{ if .BackLink }}
<div class="back-link">
<a href="{{ .BackLink }}">Choisir une autre methode de connexion</a>
</div>
{{ end }}
{{ template "footer.html" . }}

1
oidc-provider/web/themes/light/styles.css Normal file
View File

@@ -0,0 +1 @@
/* Mobicoop Solidaire theme — styles are inlined in header.html */