package oauth2
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"

	"github.com/influxdata/chronograf"
)
// Auth0 is an OAuth2 provider backed by an Auth0 tenant. It embeds
// Generic, which carries the client credentials, endpoint URLs and
// logger, and adds an optional organization allow-list that is checked
// against the account returned by the userinfo endpoint.
type Auth0 struct {
	Generic
	// Organizations is the set of allowed organizations users may belong
	// to. When the map is empty the membership check is skipped.
	Organizations map[string]bool
}
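// PrincipalID fetches the Auth0 userinfo document through provider and
// returns the account's email as the principal identity.
//
// provider is expected to be an HTTP client that already attaches the
// user's access token. When Organizations is non-empty, the account's
// "organization" claim must be one of them; otherwise the failure is
// logged and ErrOrgMembership is returned. A non-2xx userinfo response
// or a response without an email is an error rather than an empty
// principal.
func (a *Auth0) PrincipalID(provider *http.Client) (string, error) {
	type Account struct {
		Email        string `json:"email"`
		Organization string `json:"organization"`
	}

	resp, err := provider.Get(a.Generic.APIURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	// http.Client.Get does not fail on a non-2xx status. A rejected
	// token yields an error document, not an account; decoding it would
	// produce blank fields and, without this check, a "" principal with
	// a nil error.
	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
		return "", fmt.Errorf("fetching auth0 userinfo from %s: unexpected status %s", a.Generic.APIURL, resp.Status)
	}

	act := Account{}
	if err = json.NewDecoder(resp.Body).Decode(&act); err != nil {
		return "", err
	}

	// check for organization membership if required
	if len(a.Organizations) > 0 && !a.Organizations[act.Organization] {
		a.Logger.
			WithField("org", act.Organization).
			Error(ErrOrgMembership)
		return "", ErrOrgMembership
	}

	// The email is the principal identity; an empty one would collapse
	// every such account onto the same blank identity.
	if act.Email == "" {
		return "", fmt.Errorf("auth0 userinfo from %s did not include an email", a.Generic.APIURL)
	}

	return act.Email, nil
}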
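// NewAuth0 builds an Auth0 provider for the tenant at auth0Domain.
//
// auth0Domain must parse as a URL with a host (for example the tenant's
// https URL); the scheme is forced to https and the path is replaced to
// derive the authorize, token and userinfo endpoints, so any path in
// auth0Domain is ignored. organizations, when non-empty, becomes the
// allow-list enforced by PrincipalID. An error is returned when
// auth0Domain cannot be parsed or has no host, since a host-less value
// would otherwise silently produce endpoint URLs with an empty
// authority.
func NewAuth0(auth0Domain, clientID, clientSecret, redirectURL string, organizations []string, logger chronograf.Logger) (Auth0, error) {
	domain, err := url.Parse(auth0Domain)
	if err != nil {
		return Auth0{}, err
	}
	// A bare hostname such as "tenant.example" parses as a path, not a
	// host; refuse it rather than emit "https:///authorize".
	if domain.Host == "" {
		return Auth0{}, fmt.Errorf("auth0 domain %q has no host", auth0Domain)
	}

	// Always talk to the tenant over TLS regardless of the configured scheme.
	domain.Scheme = "https"

	domain.Path = "/authorize"
	authURL := domain.String()

	domain.Path = "/oauth/token"
	tokenURL := domain.String()

	domain.Path = "/userinfo"
	apiURL := domain.String()

	a0 := Auth0{
		Generic: Generic{
			PageName:       "auth0",
			ClientID:       clientID,
			ClientSecret:   clientSecret,
			RequiredScopes: []string{"openid", "email"},
			RedirectURL:    redirectURL,
			AuthURL:        authURL,
			TokenURL:       tokenURL,
			APIURL:         apiURL,
			Logger:         logger,
		},
		// Non-nil even when no organizations are given, so lookups in
		// PrincipalID never touch a nil map.
		Organizations: make(map[string]bool, len(organizations)),
	}
	for _, org := range organizations {
		a0.Organizations[org] = true
	}

	return a0, nil
}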