From 479458c35185b1fdae6725f0af929d9504ee7712 Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 5 Nov 2025 11:07:28 +0100 Subject: [PATCH 1/4] add possibility to configure http client for oidc provider --- providers/openidConnect/openidConnect.go | 7 ++++--- providers/openidConnect/openidConnect_test.go | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index dea40d2d..86b5d1aa 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go @@ -107,13 +107,13 @@ type RefreshTokenResponse struct { // See http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth // ID Token decryption is not (yet) supported // UserInfo decryption is not (yet) supported -func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { - return NewNamed("", clientKey, secret, callbackURL, openIDAutoDiscoveryURL, scopes...) +func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, httpClient *http.Client, scopes ...string) (*Provider, error) { + return NewNamed("", clientKey, secret, callbackURL, openIDAutoDiscoveryURL, httpClient, scopes...) } // NewNamed is similar to New(...) but can be used to set a custom name for the // provider in order to use multiple OIDC providers -func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { +func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, httpClient *http.Client, scopes ...string) (*Provider, error) { switch len(name) { case 0: name = "openid-connect" @@ -124,6 +124,7 @@ func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL strin ClientKey: clientKey, Secret: secret, CallbackURL: callbackURL, + HTTPClient: httpClient, UserIdClaims: []string{subjectClaim}, NameClaims: []string{NameClaim}, 
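Review bot: The new `httpClient *http.Client` parameter is inserted before the `scopes ...string` variadic in both `New` and `NewNamed`, so every existing caller that passed scopes now hands its first scope where a client is expected and stops compiling — a breaking change to a library constructor. The second hunk stores the pointer verbatim (`HTTPClient: httpClient,`), so a caller passing nil gets a Provider with a nil client and the nil contract is defined only by whatever consumes `HTTPClient` outside this hunk. A separate constructor or an option value keeps the old signatures intact; the later patches in this series take that route, so this commit should not be the one that lands on its own. Both functions continue past the hunk boundary.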
diff --git a/providers/openidConnect/openidConnect_test.go b/providers/openidConnect/openidConnect_test.go index 7dd76e04..472a078f 100644 --- a/providers/openidConnect/openidConnect_test.go +++ b/providers/openidConnect/openidConnect_test.go @@ -118,6 +118,6 @@ func Test_SessionFromJSON(t *testing.T) { } func openidConnectProvider() *Provider { - provider, _ := New(os.Getenv("OPENID_CONNECT_KEY"), os.Getenv("OPENID_CONNECT_SECRET"), "http://localhost/foo", server.URL) + provider, _ := New(os.Getenv("OPENID_CONNECT_KEY"), os.Getenv("OPENID_CONNECT_SECRET"), "http://localhost/foo", server.URL, nil) return provider } From 101756d58909a91366e3c641f51cfd7811a6a88d Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 5 Nov 2025 14:00:01 +0100 Subject: [PATCH 2/4] set httpclient to default if not set --- providers/openidConnect/openidConnect.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index 86b5d1aa..f924a72f 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go @@ -120,6 +120,11 @@ func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL strin default: name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) } + + if httpClient == nil { + httpClient = http.DefaultClient + } + p := &Provider{ ClientKey: clientKey, Secret: secret, From e3638ba82d49a7be58b3d69b7aa38ca55fb97258 Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 6 Nov 2025 08:37:25 +0100 Subject: [PATCH 3/4] make goth oidc provider backwards compatible --- providers/openidConnect/openidConnect.go | 34 ++++++++++++++----- providers/openidConnect/openidConnect_test.go | 2 +- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index f924a72f..2d1283f8 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go 
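Review bot: `http.DefaultClient` carries no `Timeout`, so the discovery, token and userinfo requests the provider makes can block indefinitely against a slow or hostile issuer, and it is a process-wide mutable global whose `Transport` any other package may replace. If the provider already substitutes a default further down when `HTTPClient` is nil (not visible here), this block is redundant; otherwise a package-level default with a bound, e.g. `httpClient = &http.Client{Timeout: 30 * time.Second}` (with a `time` import), is the safer choice. The doc comment on `NewNamed` should also say what nil means: `// A nil httpClient selects http.DefaultClient.` NewNamed's body continues outside the hunk.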
@@ -107,29 +107,23 @@ type RefreshTokenResponse struct { // See http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth // ID Token decryption is not (yet) supported // UserInfo decryption is not (yet) supported -func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, httpClient *http.Client, scopes ...string) (*Provider, error) { - return NewNamed("", clientKey, secret, callbackURL, openIDAutoDiscoveryURL, httpClient, scopes...) +func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { + return NewNamed("", clientKey, secret, callbackURL, openIDAutoDiscoveryURL, scopes...) } // NewNamed is similar to New(...) but can be used to set a custom name for the // provider in order to use multiple OIDC providers -func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, httpClient *http.Client, scopes ...string) (*Provider, error) { +func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { switch len(name) { case 0: name = "openid-connect" default: name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) } - - if httpClient == nil { - httpClient = http.DefaultClient - } - p := &Provider{ ClientKey: clientKey, Secret: secret, CallbackURL: callbackURL, - HTTPClient: httpClient, UserIdClaims: []string{subjectClaim}, NameClaims: []string{NameClaim}, 
@@ -153,6 +147,28 @@ func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL strin return p, nil } +// NewCustomisedHttpClient is similar to NewNamed(...) but can be used to set a custom http.Client +func NewCustomisedHttpClient(client *http.Client, name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { + switch len(name) { + case 0: + name = "openid-connect" + default: + name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) + } + + p, err := NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL, scopes...) + if err != nil { + return nil, err + } + + if client == nil { + client = http.DefaultClient + } + p.HTTPClient = client + + return p, nil +} + // NewCustomisedURL is similar to New(...) but can be used to set custom URLs hence omit the auto-discovery step func NewCustomisedURL(clientKey, secret, callbackURL, authURL, tokenURL, issuerURL, userInfoURL, endSessionEndpointURL string, scopes ...string) (*Provider, error) { p := &Provider{ diff --git a/providers/openidConnect/openidConnect_test.go b/providers/openidConnect/openidConnect_test.go index 472a078f..7dd76e04 100644 --- a/providers/openidConnect/openidConnect_test.go +++ b/providers/openidConnect/openidConnect_test.go @@ -118,6 +118,6 @@ func Test_SessionFromJSON(t *testing.T) { } func openidConnectProvider() *Provider { - provider, _ := New(os.Getenv("OPENID_CONNECT_KEY"), os.Getenv("OPENID_CONNECT_SECRET"), "http://localhost/foo", server.URL, nil) + provider, _ := New(os.Getenv("OPENID_CONNECT_KEY"), os.Getenv("OPENID_CONNECT_SECRET"), "http://localhost/foo", server.URL) return provider } From e8152d793c22c4e6a4a75a67dd9eb345da55aafb Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 6 Nov 2025 09:39:18 +0100 Subject: [PATCH 4/4] refactor code --- providers/openidConnect/openidConnect.go | 76 ++++++++++-------------- 1 file changed, 30 insertions(+), 46 deletions(-) 
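Review bot: `NewCustomisedHttpClient` assigns the caller's client only after `NewNamed` has already run `getOpenIDConfig`, so the discovery request goes out on the provider's default client rather than the one supplied — a client configured for a private CA, a proxy or mTLS is silently bypassed for the very request that fetches the issuer's endpoints. The name is also normalised twice (`"keycloak"` becomes `"keycloak-oidc-oidc"`) because the switch runs here and again inside `NewNamed`. Both are corrected by the last patch of this series, so if the commits are not squashed this one leaves the tree in a misleading state. The test in this file never passes a non-nil client; an `httptest.NewTLSServer` with `server.Client()` as the provider client would catch the bypass, since the default client rejects the test server's certificate.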
diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index 2d1283f8..762b7034 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go @@ -114,28 +114,7 @@ func New(clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes . // NewNamed is similar to New(...) but can be used to set a custom name for the // provider in order to use multiple OIDC providers func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { - switch len(name) { - case 0: - name = "openid-connect" - default: - name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) - } - p := &Provider{ - ClientKey: clientKey, - Secret: secret, - CallbackURL: callbackURL, - - UserIdClaims: []string{subjectClaim}, - NameClaims: []string{NameClaim}, - NickNameClaims: []string{NicknameClaim, PreferredUsernameClaim}, - EmailClaims: []string{EmailClaim}, - AvatarURLClaims: []string{PictureClaim}, - FirstNameClaims: []string{GivenNameClaim}, - LastNameClaims: []string{FamilyNameClaim}, - LocationClaims: []string{AddressClaim}, - - providerName: name, - } + p := newBaseProvider(name, clientKey, secret, callbackURL, nil) openIDConfig, err := getOpenIDConfig(p, openIDAutoDiscoveryURL) if err != nil { 
@@ -149,39 +128,47 @@ func NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL strin // NewCustomisedHttpClient is similar to NewNamed(...) but can be used to set a custom http.Client func NewCustomisedHttpClient(client *http.Client, name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL string, scopes ...string) (*Provider, error) { - switch len(name) { - case 0: - name = "openid-connect" - default: - name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) - } + p := newBaseProvider(name, clientKey, secret, callbackURL, client) - p, err := NewNamed(name, clientKey, secret, callbackURL, openIDAutoDiscoveryURL, scopes...) + openIDConfig, err := getOpenIDConfig(p, openIDAutoDiscoveryURL) if err != nil { return nil, err } + p.OpenIDConfig = openIDConfig - if client == nil { - client = http.DefaultClient - } - p.HTTPClient = client - + p.config = newConfig(p, scopes, openIDConfig) return p, nil } // NewCustomisedURL is similar to New(...) but can be used to set custom URLs hence omit the auto-discovery step func NewCustomisedURL(clientKey, secret, callbackURL, authURL, tokenURL, issuerURL, userInfoURL, endSessionEndpointURL string, scopes ...string) (*Provider, error) { - p := &Provider{ + p := newBaseProvider("", clientKey, secret, callbackURL, nil) + p.OpenIDConfig = &OpenIDConfig{ + AuthEndpoint: authURL, + TokenEndpoint: tokenURL, + Issuer: issuerURL, + UserInfoEndpoint: userInfoURL, + EndSessionEndpoint: endSessionEndpointURL, + } + + p.config = newConfig(p, scopes, p.OpenIDConfig) + return p, nil +} + +// newBaseProvider centralises default Provider initialisation to avoid duplication +func newBaseProvider(name, clientKey, secret, callbackURL string, httpClient *http.Client) *Provider { + switch len(name) { + case 0: + name = "openid-connect" + default: + name = fmt.Sprintf("%s-oidc", strings.ToLower(name)) + } + + return &Provider{ ClientKey: clientKey, Secret: secret, CallbackURL: callbackURL, - OpenIDConfig: &OpenIDConfig{ - AuthEndpoint: 
authURL, - TokenEndpoint: tokenURL, - Issuer: issuerURL, - UserInfoEndpoint: userInfoURL, - EndSessionEndpoint: endSessionEndpointURL, - }, + HTTPClient: httpClient, UserIdClaims: []string{subjectClaim}, NameClaims: []string{NameClaim}, @@ -192,11 +179,8 @@ func NewCustomisedURL(clientKey, secret, callbackURL, authURL, tokenURL, issuerU LastNameClaims: []string{FamilyNameClaim}, LocationClaims: []string{AddressClaim}, - providerName: "openid-connect", + providerName: name, } - - p.config = newConfig(p, scopes, p.OpenIDConfig) - return p, nil } // Name is the name used to retrieve this provider later.
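Review bot: The nil fallback to `http.DefaultClient` added in the previous patch is gone: `newBaseProvider` stores the caller's pointer verbatim, so `NewCustomisedHttpClient(nil, …)` now yields a Provider with a nil `HTTPClient`. Whether that is safe depends on how `HTTPClient` is consumed outside this hunk; calling `Do` on a nil `*http.Client` panics, so either restore `if httpClient == nil { httpClient = http.DefaultClient }` inside `newBaseProvider` or state the nil contract in the constructor's doc comment. `NewCustomisedURL` still hardcodes nil, so callers that skip discovery have no way to supply a client (custom CA, proxy, timeout) for the token and userinfo calls — the same parameter belongs there. Before the exported name ships, Go's initialism convention would make it `NewCustomisedHTTPClient`, matching `NewCustomisedURL`.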