vendor: revendor

vendor/github.com/coreos/go-oidc/example/README.md

@@ -0,0 +1,21 @@
+# Examples
+
+These are example uses of the oidc package. Each requires a Google account and the client ID and secret of a registered OAuth2 application. To create one:
+
+1. Visit your [Google Developer Console][google-developer-console].
+2. Click "Credentials" on the left column.
+3. Click the "Create credentials" button followed by "OAuth client ID".
+4. Select "Web application" and add "http://127.0.0.1:5556/auth/google/callback" as an authorized redirect URI.
+5. Click create and add the printed client ID and secret to your environment using the following variables:
+
+```
+GOOGLE_OAUTH2_CLIENT_ID
+GOOGLE_OAUTH2_CLIENT_SECRET
+```
+
+Finally run the examples using the Go tool and navigate to http://127.0.0.1:5556.
+
+```
+go run ./examples/idtoken/app.go
+```
+[google-developer-console]: https://console.developers.google.com/apis/dashboard

vendor/github.com/coreos/go-oidc/example/idtoken/app.go

@@ -0,0 +1,89 @@
+/*
+This is an example application to demonstrate parsing an ID Token.
+*/
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+
+	oidc "github.com/coreos/go-oidc"
+
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
+)
+
+var (
+	clientID     = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID")
+	clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET")
+)
+
+func main() {
+	ctx := context.Background()
+
+	provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
+	if err != nil {
+		log.Fatal(err)
+	}
+	verifier := provider.Verifier()
+
+	config := oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Endpoint:     provider.Endpoint(),
+		RedirectURL:  "http://127.0.0.1:5556/auth/google/callback",
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+
+	state := "foobar" // Don't do this in production.
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
+	})
+
+	http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Query().Get("state") != state {
+			http.Error(w, "state did not match", http.StatusBadRequest)
+			return
+		}
+
+		oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
+		if err != nil {
+			http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+		rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+		if !ok {
+			http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
+			return
+		}
+		idToken, err := verifier.Verify(ctx, rawIDToken)
+		if err != nil {
+			http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		oauth2Token.AccessToken = "*REDACTED*"
+
+		resp := struct {
+			OAuth2Token   *oauth2.Token
+			IDTokenClaims *json.RawMessage // ID Token payload is just JSON.
+		}{oauth2Token, new(json.RawMessage)}
+
+		if err := idToken.Claims(&resp.IDTokenClaims); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		data, err := json.MarshalIndent(resp, "", "    ")
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Write(data)
+	})
+
+	log.Printf("listening on http://%s/", "127.0.0.1:5556")
+	log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil))
+}

vendor/github.com/coreos/go-oidc/example/nonce/app.go

@@ -0,0 +1,104 @@
+/*
+This is an example application to demonstrate verifying an ID Token with a nonce.
+*/
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"os"
+
+	oidc "github.com/coreos/go-oidc"
+
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
+)
+
+var (
+	clientID     = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID")
+	clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET")
+)
+
+const appNonce = "a super secret nonce"
+
+// Create a nonce source.
+type nonceSource struct{}
+
+func (n nonceSource) ClaimNonce(nonce string) error {
+	if nonce != appNonce {
+		return errors.New("unregonized nonce")
+	}
+	return nil
+}
+
+func main() {
+	ctx := context.Background()
+
+	provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Use the nonce source to create a custom ID Token verifier.
+	nonceEnabledVerifier := provider.Verifier(oidc.VerifyNonce(nonceSource{}))
+
+	config := oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Endpoint:     provider.Endpoint(),
+		RedirectURL:  "http://127.0.0.1:5556/auth/google/callback",
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+
+	state := "foobar" // Don't do this in production.
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, config.AuthCodeURL(state, oidc.Nonce(appNonce)), http.StatusFound)
+	})
+
+	http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Query().Get("state") != state {
+			http.Error(w, "state did not match", http.StatusBadRequest)
+			return
+		}
+
+		oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
+		if err != nil {
+			http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+		if !ok {
+			http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
+			return
+		}
+		// Verify the ID Token signature and nonce.
+		idToken, err := nonceEnabledVerifier.Verify(ctx, rawIDToken)
+		if err != nil {
+			http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		resp := struct {
+			OAuth2Token   *oauth2.Token
+			IDTokenClaims *json.RawMessage // ID Token payload is just JSON.
+		}{oauth2Token, new(json.RawMessage)}
+
+		if err := idToken.Claims(&resp.IDTokenClaims); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		data, err := json.MarshalIndent(resp, "", "    ")
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Write(data)
+	})
+
+	log.Printf("listening on http://%s/", "127.0.0.1:5556")
+	log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil))
+}

vendor/github.com/coreos/go-oidc/example/userinfo/app.go

@@ -0,0 +1,76 @@
+/*
+This is an example application to demonstrate querying the user info endpoint.
+*/
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+
+	oidc "github.com/coreos/go-oidc"
+
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
+)
+
+var (
+	clientID     = os.Getenv("GOOGLE_OAUTH2_CLIENT_ID")
+	clientSecret = os.Getenv("GOOGLE_OAUTH2_CLIENT_SECRET")
+)
+
+func main() {
+	ctx := context.Background()
+
+	provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
+	if err != nil {
+		log.Fatal(err)
+	}
+	config := oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Endpoint:     provider.Endpoint(),
+		RedirectURL:  "http://127.0.0.1:5556/auth/google/callback",
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+
+	state := "foobar" // Don't do this in production.
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, config.AuthCodeURL(state), http.StatusFound)
+	})
+
+	http.HandleFunc("/auth/google/callback", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Query().Get("state") != state {
+			http.Error(w, "state did not match", http.StatusBadRequest)
+			return
+		}
+
+		oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"))
+		if err != nil {
+			http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		userInfo, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
+		if err != nil {
+			http.Error(w, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		resp := struct {
+			OAuth2Token *oauth2.Token
+			UserInfo    *oidc.UserInfo
+		}{oauth2Token, userInfo}
+		data, err := json.MarshalIndent(resp, "", "    ")
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Write(data)
+	})
+
+	log.Printf("listening on http://%s/", "127.0.0.1:5556")
+	log.Fatal(http.ListenAndServe("127.0.0.1:5556", nil))
+}