feat: add token introspection on sample /user/home endpoint and inject access_token into client cookie

2024-09-08 20:47:11 +02:00 · 2024-09-08 20:47:11 +02:00 · 80619164e3
commit 80619164e3
parent 436dbe1393
10 changed files with 126 additions and 18 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -165,6 +165,7 @@ dependencies = [
 "axum",
 "axum-core",
 "bytes",
+ "cookie",
 "futures-util",
 "http 1.1.0",
 "http-body 1.0.1",
@ -372,6 +373,17 @@ dependencies = [
 "unicode-segmentation",
 ]

+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -9,7 +9,7 @@ edition = "2021"
 askama = "0.12.1"
 axum = { version = "0.7.5", features = ["tracing", "multipart", "macros", "http2"] }
 axum-core = { version = "0.4.3", features = ["tracing"] }
-axum-extra = { version = "0.9.3", features = ["form"] }
+axum-extra = { version = "0.9.3", features = ["cookie", "form"] }
 config = "0.14.0"
 http = "1.1.0"
 openidconnect = "3.5.0"
--- a/config.example.yml
+++ b/config.example.yml
@ -11,3 +11,4 @@ oidc:
    client_id: client-id-you-generated
    client_secret: client-secret-that-you-generated-or-copied
    callback: https://the-public-domain-of-this.service.tld/openid/callback
+    introspection_url: [...]
--- a/src/config.rs
+++ b/src/config.rs
@ -27,6 +27,7 @@ pub struct OidcConfig {
 	pub client_id: String,
 	pub client_secret: String,
 	pub callback: Url,
+	pub introspection_url: Url,
 }

 #[derive(Debug, Deserialize, Clone)]
--- a/src/error/mod.rs
+++ b/src/error/mod.rs
@ -1 +1,2 @@
+pub mod openid;
 pub mod powerdns;
--- a/src/error/openid.rs
+++ b/src/error/openid.rs
@ -0,0 +1,43 @@
+use std::fmt::Display;
+
+use axum::response::IntoResponse;
+use reqwest::StatusCode;
+
+#[derive(Debug)]
+pub enum AuthError {
+	OpenIdConfig(openidconnect::ConfigurationError),
+//	ReqTokenError(openidconnect::RequestTokenError),
+}
+
+impl Display for AuthError {
+	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+		match self {
+			AuthError::OpenIdConfig(e) => f.write_fmt(format_args!("OpenID Connect configuration error: {:?}", e)),
+//			AuthError::ReqTokenError(e) => f.write_fmt(format_args!("Request token error: {:?}", e)),
+		}
+	}
+}
+
+impl std::error::Error for AuthError {}
+
+impl From<openidconnect::ConfigurationError> for AuthError {
+	fn from(e: openidconnect::ConfigurationError) -> Self {
+		Self::OpenIdConfig(e)
+	}
+}
+
+//impl From<openidconnect::RequestTokenError<RE, T>> for AuthError {
+//	fn from(e: openidconnect::RequestTokenError<RE, T>) -> Self {
+//		Self::ReqTokenError(e)
+//	}
+//}
+
+
+impl IntoResponse for AuthError {
+	fn into_response(self) -> axum::response::Response {
+		(
+			StatusCode::INTERNAL_SERVER_ERROR,
+			format!("Authentication error: {}", self),
+		).into_response()
+	}
+}
--- a/src/handlers/openid.rs
+++ b/src/handlers/openid.rs
@ -1,6 +1,7 @@
 use axum::response::{
 	IntoResponse,
 	Redirect,
+	Response,
 };
 use axum::extract::{
 	State,
@ -47,19 +48,20 @@ pub async fn callback(
 	State(app_state): State<AppState>,
 	Query(callback): Query<OidcCallback>,
 ) -> impl IntoResponse {
-	println!("Received auth code: {}", callback.code.clone());
 	let token_response = app_state.oidc_client
 		.exchange_code(AuthorizationCode::new(callback.code.to_owned()))
 		.request_async(async_http_client)
 		.await
 		.unwrap();
-	println!("Exchanged for access token: {}", token_response.access_token().secret());
-	println!("\tvalid for scopes {:?}", token_response.scopes());
-	Redirect::to("/user/home")
-//	let id_token_verifier: CoreIdTokenVerifier = app_state.oidc_client.id_token_verifier();
-//	let id_token_claims: &CoreIdTokenClaims = token_response
-//		.extra_fields()
-//		.id_token()
-//		.expect("IdP did not return an ID token")
-//		.claims(&id_token_verifier, &nonce)
+	Response::builder()
+		.status(200)
+		// TODO: set 'Secure' flag when served over https
+		.header("Set-Cookie", format!(
+			"access_token={}; SameSite=Strict; HttpOnly; Path=/;",
+			token_response.access_token().secret(),
+		))
+		//.header("Location", "/user/home")
+		.header("Content-Type", "text/html")
+		.body("Click here to go to your <a href=\"/user/home\">User Home</a>".to_string())
+		.unwrap()
 }
--- a/src/handlers/user.rs
+++ b/src/handlers/user.rs
@ -1,12 +1,48 @@
+use std::time::{
+	Duration,
+	Instant,
+};
+
 use askama::Template;
 use axum::response::IntoResponse;
+use axum::extract::State;
+use axum_extra::extract::cookie::CookieJar;
+
+use openidconnect::{
+	AccessToken,
+	reqwest::async_http_client,
+	TokenIntrospectionResponse,
+};

 use crate::util::askama::HtmlTemplate;
+use crate::AppState;
+use crate::error::openid::AuthError;

 #[derive(Template)]
 #[template(path = "user_home.html")]
-struct UserHomeTemplate {}
-
-pub async fn home() -> impl IntoResponse {
-	HtmlTemplate(UserHomeTemplate {})
+struct UserHomeTemplate {
+	is_active: bool,
+	username: String,
+	duration: Duration,
+}
+
+pub async fn home(
+	State(app_state): State<AppState>,
+	cookies: CookieJar
+) -> Result<impl IntoResponse, AuthError> {
+	let now = Instant::now();
+	let token_serialized: Option<String> = cookies.get("access_token")
+		.map(|cookie| cookie.value().to_owned());
+	let (is_active, username);
+	(is_active, username) = match token_serialized {
+		Some(token) => {
+			let introspection_response = app_state.oidc_client
+				.introspect(&AccessToken::new(token))?
+				.request_async(async_http_client).await.unwrap();
+			println!("Token introspected, answer is {:?}", introspection_response);
+			(introspection_response.active(), introspection_response.username().unwrap_or("").to_string())
+		},
+		None => (false, "".to_string())
+	};
+	Ok(HtmlTemplate(UserHomeTemplate { is_active, username, duration: now.elapsed() }))
 }
--- a/src/main.rs
+++ b/src/main.rs
@ -5,7 +5,10 @@ use tokio::sync::Mutex;

 use axum::Router;
 use axum::routing::{get, post};
-use openidconnect::core::CoreClient;
+use openidconnect::{
+	IntrospectionUrl,
+	core::CoreClient,
+};

 pub mod model;
 mod config;
@ -32,7 +35,8 @@ async fn main() {
 		config.oidc.client_id,
 		config.oidc.client_secret,
 		config.oidc.callback,
-	).await;
+	).await
+	.set_introspection_uri(IntrospectionUrl::from_url(config.oidc.introspection_url));

 	let pdns_client = util::powerdns::PowerDnsApi::new(
 		config.powerdns.server_url,
--- a/templates/user_home.html
+++ b/templates/user_home.html
@ -1,5 +1,13 @@
 {% extends "base.html" %}

 {% block content %}
+{% if username != "" %}
+<h1>Hello <i>{{ username }}</i></h1>
+{% else %}
 <h1>User Home</h1>
+{% endif %}
+
+<p>Your user session is <b>{% if is_active %}active{% else %}inactive{% endif %}</b></p>
+
+<p>Request took <b>{{ duration.as_millis() }}</b>ms</p>
 {% endblock content %}