Query userinfo endpoint
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
b26e283f7d
commit
bf20e5ad13
@ -20,8 +20,7 @@ use crate::data::code_challenge::CodeChallenge;
|
||||
use crate::data::current_user::CurrentUser;
|
||||
use crate::data::id_token::IdToken;
|
||||
use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
|
||||
use crate::data::open_id_user_info::OpenIDUserInfo;
|
||||
use crate::data::openid_primitive::{OpenIDConfig, TokenResponse};
|
||||
use crate::data::openid_primitive::{OpenIDConfig, OpenIDUserInfo, TokenResponse};
|
||||
use crate::data::session_identity::SessionIdentity;
|
||||
use crate::data::user::User;
|
||||
use crate::utils::string_utils::rand_str;
|
||||
@ -627,12 +626,12 @@ async fn user_info(
|
||||
};
|
||||
|
||||
HttpResponse::Ok().json(OpenIDUserInfo {
|
||||
name: user.full_name(),
|
||||
name: Some(user.full_name()),
|
||||
sub: user.uid.0,
|
||||
given_name: user.first_name,
|
||||
family_name: user.last_name,
|
||||
preferred_username: user.username,
|
||||
email: user.email,
|
||||
email_verified: true,
|
||||
given_name: Some(user.first_name),
|
||||
family_name: Some(user.last_name),
|
||||
preferred_username: Some(user.username),
|
||||
email: Some(user.email),
|
||||
email_verified: Some(true),
|
||||
})
|
||||
}
|
||||
|
@ -225,9 +225,10 @@ pub async fn finish_login(
|
||||
}
|
||||
};
|
||||
|
||||
println!("go on {:?}", token);
|
||||
// Use access token to get user information
|
||||
let info = provider_config.get_userinfo(&token).await;
|
||||
println!("info: {:?}", info);
|
||||
|
||||
// TODO : check token signature
|
||||
// TODO : check if user is authorized to access application
|
||||
// TODO : check if 2FA is enabled
|
||||
// TODO : redirect user to login route
|
||||
|
@ -1,24 +1 @@
|
||||
/// Refer to <https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> for more information
|
||||
#[derive(Debug, serde::Serialize)]
|
||||
pub struct OpenIDUserInfo {
|
||||
/// Subject - Identifier for the End-User at the Issuer
|
||||
pub sub: String,
|
||||
|
||||
/// End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
|
||||
pub name: String,
|
||||
|
||||
/// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
|
||||
pub given_name: String,
|
||||
|
||||
/// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
|
||||
pub family_name: String,
|
||||
|
||||
/// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in
|
||||
pub preferred_username: String,
|
||||
|
||||
/// End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 RFC5322 addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
|
||||
pub email: String,
|
||||
|
||||
/// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
|
||||
pub email_verified: bool,
|
||||
}
|
||||
|
@ -72,3 +72,36 @@ pub struct TokenResponse {
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub id_token: Option<String>,
|
||||
}
|
||||
|
||||
/// Refer to <https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> for more information
|
||||
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
|
||||
pub struct OpenIDUserInfo {
|
||||
/// Subject - Identifier for the End-User at the Issuer
|
||||
///
|
||||
/// This is the only mandatory field
|
||||
pub sub: String,
|
||||
|
||||
/// End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub name: Option<String>,
|
||||
|
||||
/// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub given_name: Option<String>,
|
||||
|
||||
/// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub family_name: Option<String>,
|
||||
|
||||
/// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub preferred_username: Option<String>,
|
||||
|
||||
/// End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 RFC5322 addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub email: Option<String>,
|
||||
|
||||
/// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub email_verified: Option<bool>,
|
||||
}
|
||||
|
@ -8,7 +8,7 @@ use crate::actors::providers_states_actor::ProviderLoginState;
|
||||
use crate::constants::OIDC_PROVIDERS_LIFETIME;
|
||||
use crate::data::app_config::AppConfig;
|
||||
use crate::data::jwt_signer::JsonWebKey;
|
||||
use crate::data::openid_primitive::TokenResponse;
|
||||
use crate::data::openid_primitive::{OpenIDUserInfo, TokenResponse};
|
||||
use crate::data::provider::Provider;
|
||||
use crate::utils::err::Res;
|
||||
use crate::utils::time::time;
|
||||
@ -32,7 +32,7 @@ pub struct ProviderJWKs {
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct ProviderConfiguration {
|
||||
pub discovery: ProviderDiscovery,
|
||||
pub keys: ProviderJWKs,
|
||||
//pub keys: ProviderJWKs,
|
||||
pub expire: u64,
|
||||
}
|
||||
|
||||
@ -72,6 +72,22 @@ impl ProviderConfiguration {
|
||||
.json()
|
||||
.await?)
|
||||
}
|
||||
|
||||
/// Retrieve information about the user, using given [TokenResponse]
|
||||
pub async fn get_userinfo(&self, token: &TokenResponse) -> Res<OpenIDUserInfo> {
|
||||
Ok(reqwest::Client::new()
|
||||
.get(
|
||||
self.discovery
|
||||
.userinfo_endpoint
|
||||
.as_ref()
|
||||
.expect("Userinfo endpoint is required by this implementation!"),
|
||||
)
|
||||
.header("Authorization", format!("Bearer {}", token.access_token))
|
||||
.send()
|
||||
.await?
|
||||
.json()
|
||||
.await?)
|
||||
}
|
||||
}
|
||||
|
||||
thread_local! {
|
||||
@ -108,11 +124,11 @@ impl ProviderConfigurationHelper {
|
||||
.json()
|
||||
.await?;
|
||||
|
||||
let keys: ProviderJWKs = reqwest::get(&discovery.jwks_uri).await?.json().await?;
|
||||
// let keys: ProviderJWKs = reqwest::get(&discovery.jwks_uri).await?.json().await?;
|
||||
|
||||
Ok(ProviderConfiguration {
|
||||
discovery,
|
||||
keys,
|
||||
// keys,
|
||||
expire: time() + OIDC_PROVIDERS_LIFETIME,
|
||||
})
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user