pengchang/oidc-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

更新依赖项,优化 OAuth2 服务,添加 PKCE 支持,增强 OIDC 处理器,新增客户端注册和令牌管理端点,改进数据库模型以支持新功能。

Browse Source
This commit is contained in:
chang
2025-04-17 01:25:46 +08:00
parent 0368547137
commit a3f3cc17cf
13 changed files with 738 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
services/oauth.go
View File

@@ -2,8 +2,11 @@ package services
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"time"
"github.com/golang-jwt/jwt/v4"
@@ -13,17 +16,20 @@ import (
)
type OAuthService struct {
db *gorm.DB
jwtSecret []byte
tokenTTL time.Duration
db *gorm.DB
keyManager *KeyManager
tokenTTL time.Duration
}
type AuthorizeRequest struct {
ResponseType string
ClientID string
RedirectURI string
Scope string
State string
ResponseType string
ClientID string
RedirectURI string
Scope string
State string
CodeChallenge string
CodeChallengeMethod string
Nonce string
}
type TokenRequest struct {
@@ -32,6 +38,7 @@ type TokenRequest struct {
RedirectURI string
ClientID string
ClientSecret string
CodeVerifier string
}
type TokenResponse struct {
@@ -42,12 +49,17 @@ type TokenResponse struct {
RefreshToken string `json:"refresh_token,omitempty"`
}
func NewOAuthService(db *gorm.DB, jwtSecret []byte) *OAuthService {
return &OAuthService{
db: db,
jwtSecret: jwtSecret,
tokenTTL: time.Hour,
func NewOAuthService(db *gorm.DB) (*OAuthService, error) {
keyManager, err := NewKeyManager()
if err != nil {
return nil, err
}
return &OAuthService{
db: db,
keyManager: keyManager,
tokenTTL: time.Hour,
}, nil
}
func (s *OAuthService) ValidateAuthorizeRequest(req *AuthorizeRequest) error {
@@ -61,8 +73,13 @@ func (s *OAuthService) ValidateAuthorizeRequest(req *AuthorizeRequest) error {
}
// 验证重定向 URI
var redirectURIs []string
if err := json.Unmarshal(client.RedirectURIs, &redirectURIs); err != nil {
return errors.New("invalid redirect URIs format")
}
validRedirect := false
for _, uri := range client.RedirectURIs {
for _, uri := range redirectURIs {
if uri == req.RedirectURI {
validRedirect = true
break
@@ -72,6 +89,16 @@ func (s *OAuthService) ValidateAuthorizeRequest(req *AuthorizeRequest) error {
return errors.New("invalid redirect URI")
}
// 验证 PKCE
if req.CodeChallenge != "" {
if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
return errors.New("invalid code challenge method")
}
if len(req.CodeChallenge) < 43 || len(req.CodeChallenge) > 128 {
return errors.New("invalid code challenge length")
}
}
return nil
}
@@ -84,13 +111,16 @@ func (s *OAuthService) GenerateAuthorizationCode(userID uint, req *AuthorizeRequ
code := base64.RawURLEncoding.EncodeToString(b)
authCode := &models.AuthorizationCode{
Code: code,
ClientID: req.ClientID,
RedirectURI: req.RedirectURI,
UserID: userID,
Scope: req.Scope,
ExpiresAt: time.Now().Add(10 * time.Minute),
Used: false,
Code: code,
ClientID: req.ClientID,
RedirectURI: req.RedirectURI,
UserID: userID,
Scope: req.Scope,
ExpiresAt: time.Now().Add(10 * time.Minute),
Used: false,
CodeChallenge: req.CodeChallenge,
CodeChallengeMethod: req.CodeChallengeMethod,
Nonce: req.Nonce,
}
// 保存授权码到数据库
@@ -119,6 +149,17 @@ func (s *OAuthService) ExchangeToken(req *TokenRequest) (*TokenResponse, error)
return nil, errors.New("redirect URI mismatch")
}
// 验证 PKCE
if authCode.CodeChallenge != "" {
if req.CodeVerifier == "" {
return nil, errors.New("code verifier required")
}
if err := validatePKCE(authCode.CodeChallenge, authCode.CodeChallengeMethod, req.CodeVerifier); err != nil {
return nil, err
}
}
// 验证客户端
client := &models.Client{}
if err := s.db.Where("client_id = ? AND client_secret = ?",
@@ -139,7 +180,7 @@ func (s *OAuthService) ExchangeToken(req *TokenRequest) (*TokenResponse, error)
}
// 生成 ID 令牌
idToken, err := s.generateIDToken(user, client, authCode.Scope)
idToken, err := s.generateIDToken(user, client, authCode.Scope, "")
if err != nil {
return nil, err
}
@@ -167,20 +208,56 @@ func (s *OAuthService) generateAccessToken(user *models.User, client *models.Cli
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(s.jwtSecret)
return token.SignedString(s.keyManager.GetPrivateKey())
}
func (s *OAuthService) generateIDToken(user *models.User, client *models.Client, scope string) (string, error) {
func (s *OAuthService) generateIDToken(user *models.User, client *models.Client, scope string, nonce string) (string, error) {
now := time.Now()
claims := jwt.MapClaims{
"sub": user.ID,
"iss": client.ClientID,
"sub": fmt.Sprintf("%d", user.ID),
"aud": client.ClientID,
"exp": now.Add(s.tokenTTL).Unix(),
"iat": now.Unix(),
"iss": client.ClientID,
"auth_time": now.Unix(),
"nonce": nonce,
"acr": "1",
"email": user.Email,
"email_verified": true,
"name": user.Username,
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(s.jwtSecret)
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
token.Header["kid"] = s.keyManager.GetKID()
return token.SignedString(s.keyManager.GetPrivateKey())
}
func validatePKCE(challenge, method, verifier string) error {
if len(verifier) < 43 || len(verifier) > 128 {
return errors.New("invalid code verifier length")
}
var computedChallenge string
if method == "S256" {
h := sha256.New()
h.Write([]byte(verifier))
computedChallenge = base64.RawURLEncoding.EncodeToString(h.Sum(nil))
} else {
computedChallenge = verifier
}
if computedChallenge != challenge {
return errors.New("code verifier does not match challenge")
}
return nil
}
func (s *OAuthService) GetJWKS() (*JSONWebKeySet, error) {
return s.keyManager.GetJWKS()
}
func (s *OAuthService) GetKeyManager() *KeyManager {
return s.keyManager
}