添加 OIDC 和 OAuth2 服务器的基础结构，包括配置、数据库模型、服务、处理器和路由。新增登录页面模板，支持用户认证和授权流程。

2025-04-17 01:08:15 +08:00
commit 0368547137
17 changed files with 1049 additions and 0 deletions
--- a/services/auth.go
+++ b/services/auth.go
@@ -0,0 +1,79 @@
+package services
+
+import (
+	"errors"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+
+	"oidc-oauth2-server/models"
+)
+
+type AuthService struct {
+	db *gorm.DB
+}
+
+func NewAuthService(db *gorm.DB) *AuthService {
+	return &AuthService{db: db}
+}
+
+func (s *AuthService) Authenticate(username, password string) (*models.User, error) {
+	user := &models.User{}
+	if err := s.db.Where("username = ?", username).First(user).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("invalid username or password")
+		}
+		return nil, err
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
+		return nil, errors.New("invalid username or password")
+	}
+
+	// 更新最后登录时间
+	user.LastLogin = time.Now()
+	s.db.Save(user)
+
+	return user, nil
+}
+
+func (s *AuthService) CreateUser(username, password, email string) (*models.User, error) {
+	// 检查用户名是否已存在
+	var count int64
+	s.db.Model(&models.User{}).Where("username = ?", username).Count(&count)
+	if count > 0 {
+		return nil, errors.New("username already exists")
+	}
+
+	// 加密密码
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, err
+	}
+
+	user := &models.User{
+		Username: username,
+		Password: string(hashedPassword),
+		Email:    email,
+		IsActive: true,
+	}
+
+	if err := s.db.Create(user).Error; err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+// GetUserByID 根据用户 ID 获取用户信息
+func (s *AuthService) GetUserByID(id uint, user *models.User) error {
+	result := s.db.First(user, id)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return errors.New("user not found")
+		}
+		return result.Error
+	}
+	return nil
+}
--- a/services/oauth.go
+++ b/services/oauth.go
@@ -0,0 +1,186 @@
+package services
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"gorm.io/gorm"
+
+	"oidc-oauth2-server/models"
+)
+
+type OAuthService struct {
+	db        *gorm.DB
+	jwtSecret []byte
+	tokenTTL  time.Duration
+}
+
+type AuthorizeRequest struct {
+	ResponseType string
+	ClientID     string
+	RedirectURI  string
+	Scope        string
+	State        string
+}
+
+type TokenRequest struct {
+	GrantType    string
+	Code         string
+	RedirectURI  string
+	ClientID     string
+	ClientSecret string
+}
+
+type TokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	IDToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+func NewOAuthService(db *gorm.DB, jwtSecret []byte) *OAuthService {
+	return &OAuthService{
+		db:        db,
+		jwtSecret: jwtSecret,
+		tokenTTL:  time.Hour,
+	}
+}
+
+func (s *OAuthService) ValidateAuthorizeRequest(req *AuthorizeRequest) error {
+	if req.ResponseType != "code" {
+		return errors.New("unsupported response type")
+	}
+
+	client := &models.Client{}
+	if err := s.db.First(client, "client_id = ?", req.ClientID).Error; err != nil {
+		return errors.New("invalid client")
+	}
+
+	// 验证重定向 URI
+	validRedirect := false
+	for _, uri := range client.RedirectURIs {
+		if uri == req.RedirectURI {
+			validRedirect = true
+			break
+		}
+	}
+	if !validRedirect {
+		return errors.New("invalid redirect URI")
+	}
+
+	return nil
+}
+
+func (s *OAuthService) GenerateAuthorizationCode(userID uint, req *AuthorizeRequest) (*models.AuthorizationCode, error) {
+	// 生成随机授权码
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return nil, err
+	}
+	code := base64.RawURLEncoding.EncodeToString(b)
+
+	authCode := &models.AuthorizationCode{
+		Code:        code,
+		ClientID:    req.ClientID,
+		RedirectURI: req.RedirectURI,
+		UserID:      userID,
+		Scope:       req.Scope,
+		ExpiresAt:   time.Now().Add(10 * time.Minute),
+		Used:        false,
+	}
+
+	// 保存授权码到数据库
+	if err := s.db.Create(authCode).Error; err != nil {
+		return nil, err
+	}
+
+	return authCode, nil
+}
+
+func (s *OAuthService) ExchangeToken(req *TokenRequest) (*TokenResponse, error) {
+	// 验证授权码
+	authCode := &models.AuthorizationCode{}
+	if err := s.db.Where("code = ? AND client_id = ? AND used = ?",
+		req.Code, req.ClientID, false).First(authCode).Error; err != nil {
+		return nil, errors.New("invalid authorization code")
+	}
+
+	// 验证授权码是否过期
+	if time.Now().After(authCode.ExpiresAt) {
+		return nil, errors.New("authorization code expired")
+	}
+
+	// 验证重定向 URI
+	if authCode.RedirectURI != req.RedirectURI {
+		return nil, errors.New("redirect URI mismatch")
+	}
+
+	// 验证客户端
+	client := &models.Client{}
+	if err := s.db.Where("client_id = ? AND client_secret = ?",
+		req.ClientID, req.ClientSecret).First(client).Error; err != nil {
+		return nil, errors.New("invalid client credentials")
+	}
+
+	// 获取用户信息
+	user := &models.User{}
+	if err := s.db.First(user, authCode.UserID).Error; err != nil {
+		return nil, errors.New("user not found")
+	}
+
+	// 生成访问令牌
+	accessToken, err := s.generateAccessToken(user, client, authCode.Scope)
+	if err != nil {
+		return nil, err
+	}
+
+	// 生成 ID 令牌
+	idToken, err := s.generateIDToken(user, client, authCode.Scope)
+	if err != nil {
+		return nil, err
+	}
+
+	// 标记授权码为已使用
+	authCode.Used = true
+	s.db.Save(authCode)
+
+	return &TokenResponse{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		ExpiresIn:   int(s.tokenTTL.Seconds()),
+		IDToken:     idToken,
+	}, nil
+}
+
+func (s *OAuthService) generateAccessToken(user *models.User, client *models.Client, scope string) (string, error) {
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"sub":   user.ID,
+		"exp":   now.Add(s.tokenTTL).Unix(),
+		"iat":   now.Unix(),
+		"iss":   client.ClientID,
+		"scope": scope,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(s.jwtSecret)
+}
+
+func (s *OAuthService) generateIDToken(user *models.User, client *models.Client, scope string) (string, error) {
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"sub":            user.ID,
+		"exp":            now.Add(s.tokenTTL).Unix(),
+		"iat":            now.Unix(),
+		"iss":            client.ClientID,
+		"email":          user.Email,
+		"email_verified": true,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(s.jwtSecret)
+}