influxdb/oauth2/auth0.go

85 lines
1.7 KiB
Go

package oauth2
import (
"encoding/json"
"net/http"
"net/url"
"github.com/influxdata/chronograf"
)
type Auth0 struct {
Generic
Organizations map[string]bool // the set of allowed organizations users may belong to
}
func (a *Auth0) PrincipalID(provider *http.Client) (string, error) {
type Account struct {
Email string `json:"email"`
Organization string `json:"organization"`
}
resp, err := provider.Get(a.Generic.APIURL)
if err != nil {
return "", err
}
defer resp.Body.Close()
act := Account{}
if err = json.NewDecoder(resp.Body).Decode(&act); err != nil {
return "", err
}
// check for organization membership if required
if len(a.Organizations) > 0 && !a.Organizations[act.Organization] {
a.Logger.
WithField("org", act.Organization).
Error(ErrOrgMembership)
return "", ErrOrgMembership
}
return act.Email, nil
}
func NewAuth0(auth0Domain, clientID, clientSecret, redirectURL string, organizations []string, logger chronograf.Logger) (Auth0, error) {
domain, err := url.Parse(auth0Domain)
if err != nil {
return Auth0{}, err
}
domain.Scheme = "https"
domain.Path = "/authorize"
authURL := domain.String()
domain.Path = "/oauth/token"
tokenURL := domain.String()
domain.Path = "/userinfo"
apiURL := domain.String()
a0 := Auth0{
Generic: Generic{
PageName: "auth0",
ClientID: clientID,
ClientSecret: clientSecret,
RequiredScopes: []string{"openid", "email"},
RedirectURL: redirectURL,
AuthURL: authURL,
TokenURL: tokenURL,
APIURL: apiURL,
Logger: logger,
},
Organizations: make(map[string]bool, len(organizations)),
}
for _, org := range organizations {
a0.Organizations[org] = true
}
return a0, nil
}