jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-03-06 17:40:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a554ee1cebdb60bb166d3abcbc287bd68e940d23
higress/plugins/wasm-go/extensions/oidc/oc/config.go
Ffyyt 3b1b621627 feat:add oidc wasm plugin (#568)
2023-10-31 17:15:55 +08:00

117 lines
3.3 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"errors"
"net/url"
"regexp"
"strings"
"time"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"golang.org/x/oauth2"
)
type Accessmod int
const (
Access Accessmod = 0
SenBack Accessmod = 1
)
var invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
type IDConfig struct {
ClientID string
SupportedSigningAlgs []string
SkipExpiryCheck bool
//SkipIssuerCheck 用于特殊情况,其中调用者希望推迟对签发者的验证。
//当启用时,调用者必须独立验证令牌的签发者是否为已知的有效值。
//
//
//不匹配的签发者通常指示客户端配置错误。如果不希望发生不匹配请检查所提供的签发者URL是否正确而不是启用这个选项。
SkipIssuerCheck bool
SkipNonceCheck bool
Now func() time.Time
}
type idToken struct {
Issuer string `json:"iss"`
Subject string `json:"sub"`
Audience audience `json:"aud"`
Expiry jsonTime `json:"exp"`
IssuedAt jsonTime `json:"iat"`
NotBefore *jsonTime `json:"nbf"`
Nonce string `json:"nonce"`
AtHash string `json:"at_hash"`
ClaimNames map[string]string `json:"_claim_names"`
ClaimSources map[string]claimSource `json:"_claim_sources"`
}
type claimSource struct {
Endpoint string `json:"endpoint"`
AccessToken string `json:"access_token"`
}
type Oatuh2Config struct {
oauth2.Config
Issuer string
JwksURL string
ClientUrl string
Path string
SupportedSigningAlgs []string
SkipExpiryCheck bool
Timeout int
Client wrapper.HttpClient
SkipNonceCheck bool
Option *OidcOption
CookieOption *CookieOption
CookieData *CookieData
}
type OidcOption struct {
StateStr string
Nonce string
Code string
Mod Accessmod
RawIdToken string
AuthStyle AuthStyle
}
func IsValidRedirect(redirect string) error {
if !strings.HasSuffix(redirect, "oauth2/callback") {
return errors.New("redirect URL must end with oauth2/callback")
}
switch {
case redirect == "":
return errors.New("redirect URL is empty")
case strings.HasPrefix(redirect, "/"):
if strings.HasPrefix(redirect, "//") || invalidRedirectRegex.MatchString(redirect) {
return errors.New("invalid local redirect URL")
}
return nil
case strings.HasPrefix(redirect, "http://"), strings.HasPrefix(redirect, "https://"):
_, err := url.ParseRequestURI(redirect)
if err != nil {
return errors.New("invalid remote redirect URL")
}
return nil
default:
return errors.New("redirect URL must start with /, http://, or https://")
}
}
Reference in New Issue View Git Blame Copy Permalink