Refactor OIDC/Oauth2 Handling (#161)

Separate oauth2 from OIDC, which is a layer on top of the former to provide a common set of interfaces that can then be consumed by the providers to do whatever special handling they need.
unikorn-cloud · Jan 27, 2025 · a0cf760 · a0cf760
1 parent a35007c
commit a0cf760
Show file tree

Hide file tree

Showing 14 changed files with 677 additions and 544 deletions.
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.52-rc4
-appVersion: v0.2.52-rc4
+version: v0.2.52-rc5
+appVersion: v0.2.52-rc5
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

diff --git a/charts/identity/templates/identity/ingress.yaml b/charts/identity/templates/identity/ingress.yaml
@@ -7,6 +7,8 @@ metadata:
   annotations:
     {{- include "unikorn.ingress.clusterIssuer.annotations" . | nindent 4 }}
     {{- include "unikorn.ingress.mtls.annotations" . | nindent 4 }}
+    # Handles large token sizes.
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
     {{- if (include "unikorn.ingress.externalDNS" .) }}
     external-dns.alpha.kubernetes.io/hostname: {{ include "unikorn.identity.host" . }}
     {{- end }}

diff --git a/pkg/oauth2/common/authorization_code.go b/pkg/oauth2/common/authorization_code.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2024-2025 the Unikorn Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+import (
+	"context"
+
+	"golang.org/x/oauth2"
+
+	"github.com/unikorn-cloud/identity/pkg/oauth2/types"
+)
+
+// Config returns an oauth2 configuration.
+func Config(parameters *types.ConfigParameters, scopes []string) *oauth2.Config {
+	config := &oauth2.Config{
+		ClientID:     parameters.Provider.Spec.ClientID,
+		ClientSecret: parameters.Provider.Spec.ClientSecret,
+		RedirectURL:  "https://" + parameters.Host + "/oidc/callback",
+		Scopes:       scopes,
+	}
+
+	if parameters.Provider.Spec.AuthorizationURI != nil && parameters.Provider.Spec.TokenURI != nil {
+		config.Endpoint.AuthURL = *parameters.Provider.Spec.AuthorizationURI
+		config.Endpoint.TokenURL = *parameters.Provider.Spec.TokenURI
+	}
+
+	return config
+}
+
+// Authorization gets the oauth2 authorization URL.
+func Authorization(config *oauth2.Config, parameters *types.AuthorizationParamters, requestParameters []oauth2.AuthCodeOption) string {
+	return config.AuthCodeURL(parameters.State, requestParameters...)
+}
+
+// CodeExchange exchanges a code with an oauth2 server.
+func CodeExchange(ctx context.Context, parameters *types.CodeExchangeParameters) (*oauth2.Token, error) {
+	return Config(&parameters.ConfigParameters, nil).Exchange(ctx, parameters.Code)
+}