Added flow initialization and completed implementation

2025-12-20 03:27:02 -07:00 · 2024-02-26 09:20:07 -07:00 · 2024-02-26 09:20:07 -07:00 · 1de4d3a5d5
commit 1de4d3a5d5
parent a3f0caf4ff
6 changed files with 262 additions and 41 deletions
--- a/internal/client.go
+++ b/internal/client.go
@ -21,6 +21,8 @@ type Client struct {
 	Id           string   `yaml:"id"`
 	Secret       string   `yaml:"secret"`
 	RedirectUris []string `yaml:"redirect-uris"`
+	FlowId       string
+	CsrfToken    string
 }

 func NewClientWithConfig(config *Config) *Client {
@ -33,6 +35,10 @@ func NewClientWithConfig(config *Config) *Client {
 	}
 }

+func (client *Client) IsFlowInitiated() bool {
+	return client.FlowId != ""
+}
+
 func (client *Client) BuildAuthorizationUrl(authEndpoint string, state string, responseType string, scope []string) string {
 	return authEndpoint + "?" + "client_id=" + client.Id +
 		"&redirect_uri=" + util.URLEscape(strings.Join(client.RedirectUris, ",")) +
@ -41,6 +47,80 @@ func (client *Client) BuildAuthorizationUrl(authEndpoint string, state string, r
 		"&scope=" + strings.Join(scope, "+")
 }

+func (client *Client) InitiateLoginFlow(loginUrl string) error {
+	// kratos: GET /self-service/login/api
+	req, err := http.NewRequest("GET", loginUrl, bytes.NewBuffer([]byte{}))
+	if err != nil {
+		return fmt.Errorf("failed to make request: %v", err)
+	}
+	res, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	// get the flow ID from response
+	body, err := io.ReadAll(res.Body)
+
+	var flowData map[string]any
+	err = json.Unmarshal(body, &flowData)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal flow data: %v\n%v", err, string(body))
+	} else {
+		client.FlowId = flowData["id"].(string)
+	}
+	return nil
+}
+
+func (client *Client) FetchFlowData(flowUrl string) (JsonObject, error) {
+	//kratos: GET /self-service/login/flows?id={flowId}
+
+	// replace {id} in string with actual value
+	flowUrl = strings.ReplaceAll(flowUrl, "{id}", client.FlowId)
+	req, err := http.NewRequest("GET", flowUrl, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %v", err)
+	}
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	// get the flow data from response
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %v", err)
+	}
+
+	var flowData JsonObject
+	err = json.Unmarshal(body, &flowData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal flow data: %v", err)
+	}
+	return flowData, nil
+}
+
+func (client *Client) FetchCSRFToken(flowUrl string) error {
+	data, err := client.FetchFlowData(flowUrl)
+	if err != nil {
+		return fmt.Errorf("failed to fetch flow data: %v", err)
+	}
+
+	// iterate through nodes and extract the CSRF token attribute from the flow data
+	ui := data["ui"].(map[string]any)
+	nodes := ui["nodes"].([]any)
+	for _, node := range nodes {
+		attrs := node.(map[string]any)["attributes"].(map[string]any)
+		name := attrs["name"].(string)
+		if name == "csrf_token" {
+			client.CsrfToken = attrs["value"].(string)
+			return nil
+		}
+	}
+	return fmt.Errorf("failed to extract CSRF token: not found")
+}
+
 func (client *Client) FetchTokenFromAuthenticationServer(code string, remoteUrl string, state string) ([]byte, error) {
 	data := url.Values{
 		"grant_type":    {"authorization_code"},
@ -56,14 +136,19 @@ func (client *Client) FetchTokenFromAuthenticationServer(code string, remoteUrl
 	}
 	defer res.Body.Close()

+	domain, _ := url.Parse("http://127.0.0.1")
+	client.Jar.SetCookies(domain, res.Cookies())
+
 	return io.ReadAll(res.Body)
 }

 func (client *Client) FetchTokenFromAuthorizationServer(remoteUrl string, jwt string, scope []string) ([]byte, error) {
 	// hydra endpoint: /oauth/token
 	data := "grant_type=" + util.URLEscape("urn:ietf:params:oauth:grant-type:jwt-bearer") +
-		"&assertion=" + jwt +
-		"&scope=" + strings.Join(scope, "+")
+		"&client_id=" + client.Id +
+		"&client_secret=" + client.Secret +
+		"&scope=" + strings.Join(scope, "+") +
+		"&assertion=" + jwt
 	fmt.Printf("encoded params: %v\n\n", data)
 	req, err := http.NewRequest("POST", remoteUrl, bytes.NewBuffer([]byte(data)))
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
@ -76,11 +161,14 @@ func (client *Client) FetchTokenFromAuthorizationServer(remoteUrl string, jwt st
 	}
 	defer res.Body.Close()

+	// set flow ID back to empty string to indicate a completed flow
+	client.FlowId = ""
+
 	return io.ReadAll(res.Body)
 }

 func (client *Client) AddTrustedIssuer(remoteUrl string, idp *oidc.IdentityProvider, subject string, duration time.Duration, scope []string) ([]byte, error) {
-	// hydra endpoint: /admin/trust/grants/jwt-bearer/issuers
+	// hydra endpoint: POST /admin/trust/grants/jwt-bearer/issuers
 	if idp == nil {
 		return nil, fmt.Errorf("identity provided is nil")
 	}
@ -88,14 +176,20 @@ func (client *Client) AddTrustedIssuer(remoteUrl string, idp *oidc.IdentityProvi
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal JWK: %v", err)
 	}
+	quotedScopes := make([]string, len(scope))
+	for i, s := range scope {
+		quotedScopes[i] = fmt.Sprintf("\"%s\"", s)
+	}
+	// NOTE: Can also include "jwks_uri" instead
 	data := []byte(fmt.Sprintf(`{
-		"allow_any_subject": true,
+		"allow_any_subject": false,
 		"issuer": "%s",
-		"subject": "%s"
-		"expires_at": "%v"
+		"subject": "%s",
+		"expires_at": "%v",
 		"jwk": %v,
-		"scope": [ %s ],
-	}`, idp.Issuer, subject, time.Now().Add(duration), string(jwkstr), strings.Join(scope, ",")))
+		"scope": [ %s ]
+	}`, idp.Issuer, subject, time.Now().Add(duration).Format(time.RFC3339), string(jwkstr), strings.Join(quotedScopes, ",")))
+	fmt.Printf("%v\n", string(data))

 	req, err := http.NewRequest("POST", remoteUrl, bytes.NewBuffer(data))
 	// req.Header.Add("X-CSRF-Token", client.CsrfToken.Value)
@ -113,6 +207,32 @@ func (client *Client) AddTrustedIssuer(remoteUrl string, idp *oidc.IdentityProvi
 	return io.ReadAll(res.Body)
 }

+func (client *Client) RegisterOAuthClient(registerUrl string) ([]byte, error) {
+	// hydra endpoint: POST /clients
+	data := []byte(fmt.Sprintf(`{
+		"client_name":                "%s",
+		"client_secret":              "%s",
+		"token_endpoint_auth_method": "client_secret_post",
+		"scope":                      "openid email profile",
+		"grant_types":                ["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
+		"response_types":             ["token"]
+	}`, client.Id, client.Secret))
+
+	req, err := http.NewRequest("POST", registerUrl, bytes.NewBuffer(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %v", err)
+	}
+	req.Header.Add("Content-Type", "application/json")
+	// req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", idToken))
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	return io.ReadAll(res.Body)
+}
+
 func (client *Client) CreateIdentity(remoteUrl string, idToken string) ([]byte, error) {
 	// kratos endpoint: /admin/identities
 	data := []byte(`{
@ -150,3 +270,8 @@ func (client *Client) FetchIdentities(remoteUrl string) ([]byte, error) {

 	return io.ReadAll(res.Body)
 }
+
+func (client *Client) ClearCookies() {
+	jar, _ := cookiejar.New(&cookiejar.Options{PublicSuffixList: publicsuffix.List})
+	client.Jar = jar
+}