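package controllers

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"net/http"
	"sync"

	beego "github.com/beego/beego/v2/server/web"
	oidc "github.com/coreos/go-oidc"
	"golang.org/x/oauth2"
)

// OidcController is the controller in oidc. It drives the authorization-code
// flow against an OpenID Connect provider: Connect starts it, Callback
// finishes it and records the verified e-mail in the session.
type OidcController struct {
	beego.Controller
}

// Fallback values for the provider settings. They are the endpoints the
// controller was originally written against and are only used when the
// corresponding configuration key is absent. There is deliberately no default
// for the client secret: it must come from configuration, never from source.
const (
	defaultIssuerURL   = "http://127.0.0.1:5556/dex"
	defaultClientID    = "opencloud-search"
	defaultRedirectURL = "http://127.0.0.1:8080/oidc-callback"

	// Configuration keys read through beego.AppConfig. The names are chosen
	// here; rename them to match the project's app.conf convention.
	cfgKeyIssuerURL    = "oidc_issuer_url"
	cfgKeyClientID     = "oidc_client_id"
	cfgKeyClientSecret = "oidc_client_secret"
	cfgKeyRedirectURL  = "oidc_redirect_url"

	// Session keys. sessionKeyLogin is the key other parts of the
	// application already read, so it keeps its original value.
	sessionKeyState = "oidc_state"
	sessionKeyNonce = "oidc_nonce"
	sessionKeyLogin = "login"

	// tokenBytes is the entropy, in bytes, behind each state and nonce value.
	tokenBytes = 32
)

// Package state shared by Connect and Callback. oauth2Config, idTokenVerifier
// and ctx keep their original names so other files in the package that read
// them keep working; they are populated by initOIDC under oidcInitMu.
var (
	oauth2Config    oauth2.Config
	idTokenVerifier *oidc.IDTokenVerifier
	ctx             context.Context

	oidcInitMu sync.Mutex
	oidcReady  bool
)

// initOIDC loads the provider settings, runs OIDC discovery once and fills
// oauth2Config, idTokenVerifier and ctx. It may be called from any handler:
// a failed attempt (for example the provider not being reachable yet) is not
// cached, so the next request retries discovery. Returns an error when the
// client secret is not configured or discovery fails.
func initOIDC() error {
	oidcInitMu.Lock()
	defer oidcInitMu.Unlock()
	if oidcReady {
		return nil
	}

	clientSecret, err := beego.AppConfig.String(cfgKeyClientSecret)
	if err != nil {
		return fmt.Errorf("reading %s: %w", cfgKeyClientSecret, err)
	}
	if clientSecret == "" {
		return errors.New(cfgKeyClientSecret + " is not configured")
	}
	issuer := beego.AppConfig.DefaultString(cfgKeyIssuerURL, defaultIssuerURL)
	clientID := beego.AppConfig.DefaultString(cfgKeyClientID, defaultClientID)
	redirectURL := beego.AppConfig.DefaultString(cfgKeyRedirectURL, defaultRedirectURL)

	// Discovery is a one-off, not tied to a request, so a background context
	// is appropriate here; per-request work below uses the request context.
	ctx = context.Background()
	provider, err := oidc.NewProvider(ctx, issuer)
	if err != nil {
		return fmt.Errorf("discovering OIDC provider %q: %w", issuer, err)
	}

	oauth2Config = oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		RedirectURL:  redirectURL,
		// Discovery returns the OAuth2 endpoints.
		Endpoint: provider.Endpoint(),
		// "openid" is a required scope for OpenID Connect flows; the others
		// populate the claims read in Callback.
		Scopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"},
	}
	idTokenVerifier = provider.Verifier(&oidc.Config{ClientID: clientID})
	oidcReady = true
	return nil
}

// randomURLSafeToken returns n cryptographically random bytes encoded with the
// unpadded URL-safe base64 alphabet, suitable for OAuth2 state and nonce
// values that travel in query strings.
func randomURLSafeToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("generating random token: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Connect implements open id connection to openid provider: it stores a fresh
// state and nonce in the session and redirects the browser to the provider's
// authorization endpoint. A fixed state would let an attacker complete the
// flow on a victim's behalf, so both values are random and single-use.
func (c *OidcController) Connect() {
	if err := initOIDC(); err != nil {
		log.Printf("oidc connect: %v", err)
		c.CustomAbort(http.StatusServiceUnavailable, "OpenID provider unavailable")
		return
	}

	state, err := randomURLSafeToken(tokenBytes)
	if err != nil {
		log.Printf("oidc connect: %v", err)
		c.CustomAbort(http.StatusInternalServerError, "internal error")
		return
	}
	nonce, err := randomURLSafeToken(tokenBytes)
	if err != nil {
		log.Printf("oidc connect: %v", err)
		c.CustomAbort(http.StatusInternalServerError, "internal error")
		return
	}

	c.SetSession(sessionKeyState, state)
	c.SetSession(sessionKeyNonce, nonce)
	c.Redirect(oauth2Config.AuthCodeURL(state, oidc.Nonce(nonce)), http.StatusFound)
}

// Callback implements open id callback from openid provider. It checks the
// returned state against the session, exchanges the code, verifies the ID
// token (signature, issuer, audience, expiry and nonce) and only then records
// the verified e-mail under the "login" session key. Every failure ends the
// request with an error status instead of continuing with nil values.
func (c *OidcController) Callback() {
	if err := initOIDC(); err != nil {
		log.Printf("oidc callback: %v", err)
		c.CustomAbort(http.StatusServiceUnavailable, "OpenID provider unavailable")
		return
	}

	// Both values are single-use: drop them from the session before any
	// check so a failed attempt cannot be retried with the same state.
	expectedState, _ := c.GetSession(sessionKeyState).(string)
	expectedNonce, _ := c.GetSession(sessionKeyNonce).(string)
	c.DelSession(sessionKeyState)
	c.DelSession(sessionKeyNonce)

	state := c.GetString("state")
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(state), []byte(expectedState)) != 1 {
		c.CustomAbort(http.StatusBadRequest, "invalid state")
		return
	}

	// The provider reports a denied or failed authorization through the
	// standard "error" query parameter rather than a code.
	if oauthErr := c.GetString("error"); oauthErr != "" {
		log.Printf("oidc callback: provider returned error %q: %s", oauthErr, c.GetString("error_description"))
		c.CustomAbort(http.StatusUnauthorized, "authorization failed")
		return
	}
	code := c.GetString("code")
	if code == "" {
		c.CustomAbort(http.StatusBadRequest, "missing code")
		return
	}

	reqCtx := c.Ctx.Request.Context()
	oauth2Token, err := oauth2Config.Exchange(reqCtx, code)
	if err != nil {
		log.Printf("oidc callback: token exchange: %v", err)
		c.CustomAbort(http.StatusBadGateway, "token exchange failed")
		return
	}

	// The ID token is an extra field of the token response; it is a bearer
	// credential, so it is never logged.
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok || rawIDToken == "" {
		c.CustomAbort(http.StatusBadGateway, "token response has no id_token")
		return
	}
	idToken, err := idTokenVerifier.Verify(reqCtx, rawIDToken)
	if err != nil {
		log.Printf("oidc callback: id token verification: %v", err)
		c.CustomAbort(http.StatusUnauthorized, "invalid ID token")
		return
	}
	// The verifier does not check the nonce; binding it to the session
	// prevents an ID token captured elsewhere from being replayed here.
	if expectedNonce == "" || subtle.ConstantTimeCompare([]byte(idToken.Nonce), []byte(expectedNonce)) != 1 {
		c.CustomAbort(http.StatusUnauthorized, "invalid ID token nonce")
		return
	}

	var claims struct {
		Email    string   `json:"email"`
		Verified bool     `json:"email_verified"`
		Groups   []string `json:"groups"`
	}
	if err := idToken.Claims(&claims); err != nil {
		log.Printf("oidc callback: parsing claims: %v", err)
		c.CustomAbort(http.StatusUnauthorized, "invalid ID token claims")
		return
	}
	// The session is keyed by e-mail, so an unverified address would let a
	// user at one upstream identity source sign in as someone else.
	if claims.Email == "" || !claims.Verified {
		c.CustomAbort(http.StatusForbidden, "e-mail address not verified")
		return
	}

	c.SetSession(sessionKeyLogin, claims.Email)
	c.Redirect("/user", http.StatusFound)
}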