package op import ( "fmt" "html/template" "net/http" "time" "github.com/gorilla/csrf" "github.com/gorilla/mux" "github.com/ory/fosite" "github.com/ory/fosite/handler/openid" "github.com/ory/fosite/token/jwt" ) func (op *OIDCHandler) AuthEndpoint(w http.ResponseWriter, r *http.Request) { namespace := mux.Vars(r)["namespace"] oauth2Provider := op.NamespaceProviders[namespace] templates_dir := op.config.Namespaces[namespace].TemplatesDir t := template.New("auth") t = template.Must(t.ParseFiles( templates_dir + "/auth.html", )) ctx := r.Context() ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r) if err != nil { oauth2Provider.WriteAuthorizeError(w, ar, err) return } if r.Method == "POST" { if r.Form.Get("username") == "" || r.Form.Get("password") == "" { oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied) return } account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace) if err != nil { if err = t.ExecuteTemplate(w, "auth", map[string]any{ csrf.TemplateTag: csrf.TemplateField(r), "error": fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace), "realError": err, }); err != nil { oauth2Provider.WriteAuthorizeError(w, ar, err) } return } sessionData := &openid.DefaultSession{ Claims: &jwt.IDTokenClaims{ Issuer: fmt.Sprintf("%s://%s/%s", op.Protocol, r.Host, namespace), Subject: account.ID, Audience: []string{}, ExpiresAt: time.Now().Add(time.Hour * 30), IssuedAt: time.Now(), RequestedAt: time.Now(), AuthTime: time.Now(), Extra: make(map[string]interface{}), }, Username: r.Form.Get("username"), Subject: account.ID, Headers: &jwt.Headers{ Extra: make(map[string]interface{}), }, } // Manage claims for _, v := range ar.GetRequestedScopes() { ar.GrantScope(v) if v != "openid" { // TODO handle standard claims like profile, email, ... if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok { if d, ok := account.Data[mc]; ok { sessionData.Claims.Extra[v] = d } } else if d, ok := account.Data[v]; ok { sessionData.Claims.Extra[v] = d } } } response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData) if err != nil { oauth2Provider.WriteAuthorizeError(w, ar, err) return } oauth2Provider.WriteAuthorizeResponse(w, ar, response) return } err = t.ExecuteTemplate(w, "auth", map[string]any{ // csrf.TemplateTag: csrf.TemplateField(r), }) if err != nil { panic(err) } }