feat: Enhance GoogleProvider to support OpenID

idylicaro · idylicaro · commit f3548c0efe40 · 2025-01-04T11:43:44.000-03:00
diff --git a/internal/auth/providers/google_provider.go b/internal/auth/providers/google_provider.go
@@ -3,9 +3,13 @@ package providers
 
 import (
 	"context"
+	"crypto/rsa"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"net/http"
 
+	"github.com/golang-jwt/jwt/v4"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 )
@@ -20,7 +24,7 @@ func NewGoogleProvider(clientID, clientSecret, redirectURL string) *GoogleProvid
 			ClientID:     clientID,
 			ClientSecret: clientSecret,
 			RedirectURL:  redirectURL,
-			Scopes:       []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"},
+			Scopes:       []string{"openid", "profile", "email"},
 			Endpoint:     google.Endpoint,
 		},
 	}
@@ -37,9 +41,14 @@ func (g *GoogleProvider) ExchangeCode(ctx context.Context, code string) (TokenRe
 	if err != nil {
 		return TokenResponse{}, err
 	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return TokenResponse{}, fmt.Errorf("ID Token not found in response")
+	}
 	return TokenResponse{
 		AccessToken:  token.AccessToken,
 		RefreshToken: token.RefreshToken,
+		IDToken:      idToken,
 		ExpiresIn:    int(token.Expiry.Sub(token.Expiry).Seconds()),
 	}, nil
 }
@@ -64,3 +73,70 @@ func (g *GoogleProvider) GetUserInfo(accessToken string) (UserInfo, error) {
 	}
 	return userInfo, nil
 }
+
+func (g *GoogleProvider) GetUserInfoFromIDToken(idToken string) (UserInfo, error) {
+	var userInfo UserInfo
+
+	// Parse and validate the ID token
+	parsedToken, err := jwt.Parse(idToken, func(token *jwt.Token) (interface{}, error) {
+		return getGooglePublicKey()
+	})
+	if err != nil {
+		return userInfo, err
+	}
+
+	// Check if the token is valid and has the expected claims
+	claims, ok := parsedToken.Claims.(jwt.MapClaims)
+	if !ok {
+		return userInfo, errors.New("invalid claims in ID Token")
+	}
+
+	// Extract user info from the claims
+	userInfo.Email = claims["email"].(string)
+	userInfo.Name = claims["name"].(string)
+	userInfo.PictureURL = claims["picture"].(string)
+
+	return userInfo, nil
+}
+
+func getGooglePublicKey() (*rsa.PublicKey, error) {
+	const certsURL = "https://www.googleapis.com/oauth2/v3/certs"
+	resp, err := http.Get(certsURL)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var certs map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&certs); err != nil {
+		return nil, err
+	}
+
+	keyID := "some-key-id"
+	if keyData, ok := certs[keyID]; ok {
+		keyDataMap, ok := keyData.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("invalid key data")
+		}
+
+		publicKeyData, ok := keyDataMap["x5c"].([]interface{})
+		if !ok || len(publicKeyData) == 0 {
+			return nil, fmt.Errorf("x5c field missing or invalid")
+		}
+
+		certData := publicKeyData[0].(string)
+		certBytes, err := json.Marshal(certData)
+		if err != nil {
+			return nil, err
+		}
+
+		publicKey, err := jwt.ParseRSAPublicKeyFromPEM(certBytes)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse public key: %w", err)
+		}
+
+		return publicKey, nil
+	}
+
+	return nil, fmt.Errorf("key not found")
+}
diff --git a/internal/auth/providers/oauth_provider.go b/internal/auth/providers/oauth_provider.go
@@ -11,14 +11,15 @@ type OAuthProvider interface {
 
 // TokenResponse represents the response after exchanging the authorization code.
 type TokenResponse struct {
-	AccessToken  string
-	RefreshToken string
-	ExpiresIn    int
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	ExpiresIn    int    `json:"expires_in"`
 }
 
 // UserInfo represents the user information retrieved from the provider.
 type UserInfo struct {
-	Email      string
-	Name       string
-	PictureURL string
+	Email      string `json:"email"`
+	Name       string `json:"name"`
+	PictureURL string `json:"picture"`
 }
