Neo OcLib

mr
2026-05-27 16:09:00 +02:00
parent bc7f0be53b
commit 453d913896
13 changed files with 332 additions and 231 deletions
@@ -21,6 +21,7 @@ import (
)
type HydraConnector struct {
Mu sync.RWMutex
Caller *tools.HTTPCaller
cookieJars sync.Map // map[loginChallenge] *cookiejar.Jar
}
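Review bot: `Mu` is added as an exported `sync.RWMutex`, yet every use in this commit takes the exclusive `Lock()` — including the read-only lookups in GetLoginChallenge, GetLogoutChallenge and GetConsentChallenge — so the RW variant buys nothing and exporting it lets any other package lock, unlock or copy the connector by value. Unless another package already locks it, an unexported `mu sync.RWMutex` with a comment stating what it guards would be clearer, e.g. `// mu serializes use of Caller; TODO confirm tools.HTTPCaller is not safe for concurrent use` (cookieJars is a sync.Map and does not need it). The struct now contains a no-copy field, so HydraConnector must only travel as a pointer; the methods in this commit use pointer receivers, but any value copies elsewhere are outside the hunk.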
@@ -33,6 +34,8 @@ func (h *HydraConnector) Status() tools.State {
host = "localhost"
}
port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
if err != nil {
return tools.DEAD
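Review bot: `h.Mu.Lock()` in Status guards a call on the local `caller`, not `h.Caller`, so unless the two alias (Status begins outside the hunk) the lock protects nothing here and only contends with the other methods. More broadly, every hunk in this commit — Status, GetLoginChallenge, AcceptLogin, RejectLogin, GetLogoutChallenge, AcceptLogout, GetConsentChallenge, AcceptConsent, Introspect, RevokeToken, RefreshToken and ExchangeCodeForToken — holds the exclusive lock for the whole Hydra round trip via `defer h.Mu.Unlock()`, so one slow or unresponsive Hydra reply stalls every concurrent login, consent and token-introspection call on this connector. Whether the underlying caller bounds request time is not visible here; if it does not, a per-request timeout is needed before this serialization is safe to ship. If the lock exists only to protect HTTPCaller state, narrowing it to the call itself rather than the whole response handling would cut the hold time.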
@@ -120,6 +123,8 @@ func (h *HydraConnector) InitiateLogin(clientID string, redirectURI string) (str
// GetLoginChallenge retrieves login challenge details from Hydra admin API
func (h *HydraConnector) GetLoginChallenge(challenge string) (*LoginChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/login?login_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get login challenge: " + err.Error())
@@ -141,6 +146,8 @@ func (h *HydraConnector) AcceptLogin(challenge string, subject string) (*Redirec
"remember": true,
"remember_for": 3600,
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/login/accept?login_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
@@ -170,6 +177,8 @@ func (h *HydraConnector) RejectLogin(challenge string, reason string) (*Redirect
"error": "access_denied",
"error_description": reason,
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/login/reject?login_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
@@ -192,6 +201,8 @@ func (h *HydraConnector) RejectLogin(challenge string, reason string) (*Redirect
// GetLogoutChallenge retrieves logout challenge details from Hydra admin API
func (h *HydraConnector) GetLogoutChallenge(challenge string) (*LogoutChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/logout?logout_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get logout challenge: " + err.Error())
@@ -208,6 +219,8 @@ func (h *HydraConnector) GetLogoutChallenge(challenge string) (*LogoutChallenge,
// AcceptLogout accepts a logout challenge — invalidates the Hydra session
func (h *HydraConnector) AcceptLogout(challenge string) (*Redirect, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/logout/accept?logout_challenge="+url.QueryEscape(challenge),
nil, "application/json", true)
@@ -233,6 +246,8 @@ func (h *HydraConnector) AcceptLogout(challenge string) (*Redirect, error) {
// GetConsentChallenge retrieves consent challenge details from Hydra admin API
func (h *HydraConnector) GetConsentChallenge(challenge string) (*ConsentChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/consent?consent_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get consent challenge: " + err.Error())
@@ -259,6 +274,8 @@ func (h *HydraConnector) AcceptConsent(challenge string, grantScope []string, se
"id_token": session.Session.IDToken,
},
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/consent/accept?consent_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
@@ -286,6 +303,8 @@ func (h *HydraConnector) Introspect(token string) (*IntrospectResult, error) {
logger := oclib.GetLogger()
urls := url.Values{}
urls.Add("token", token)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(true, true), "/introspect", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
@@ -314,6 +333,8 @@ func (h *HydraConnector) RevokeToken(token string, clientID string) error {
urls.Add("token", token)
urls.Add("client_id", clientID)
urls.Add("client_secret", conf.GetConfig().ClientSecret)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/revoke", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
@@ -336,6 +357,8 @@ func (h *HydraConnector) RefreshToken(refreshToken string, clientID string) (*To
urls.Add("refresh_token", refreshToken)
urls.Add("client_id", clientID)
urls.Add("client_secret", conf.GetConfig().ClientSecret)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
@@ -393,7 +416,7 @@ func (h *HydraConnector) CheckAuthForward(reqToken string, publicKey string, hos
}
// For SELF peer requests skip the signature check (internal traffic).
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false)
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false, 0, 1)
if len(pp.Data) > 0 {
p := pp.Data[0].(*peer.Peer)
if p.PublicKey == publicKey {
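Review bot: The result of the new `Search(..., 0, 1)` call is still consumed by an unchecked type assertion on the next line, `p := pp.Data[0].(*peer.Peer)`, which panics rather than fails closed if the store ever yields a different element type; `p, ok := pp.Data[0].(*peer.Peer)` with the `!ok` case treated as "no SELF match" keeps the auth path from crashing. Separately, the branch that follows skips the signature check when `p.PublicKey == publicKey`; a public key is not a secret, so if `publicKey` originates from the incoming request this comparison alone cannot establish that the traffic is internal — the source of `publicKey` and the rest of the condition are outside the hunk and should be confirmed. CheckAuthForward starts before and ends after this hunk.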
@@ -501,6 +524,8 @@ func (h *HydraConnector) ExchangeCodeForToken(redirectTo string, clientID string
vals.Add("client_id", clientID)
vals.Add("client_secret", cfg.ClientSecret)
vals.Add("redirect_uri", redirectURI)
h.Mu.Lock()
defer h.Mu.Unlock()
resp2, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", vals,
"application/x-www-form-urlencoded", true)
if err != nil {