1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
//! This module provides authentication via OIDC compliant
//! authentication sources.
//!
//! Currently Converse only supports a single OIDC provider. Note that
//! this has so far only been tested with Office365.
use actix::prelude::*;
use reqwest;
use url::Url;
use url_serde;
use errors::*;
use reqwest::header::Authorization;
use hyper::header::Bearer;
/// This structure represents the contents of an OIDC discovery
/// document.
#[derive(Deserialize, Debug, Clone)]
pub struct OidcConfig {
#[serde(with = "url_serde")]
authorization_endpoint: Url,
token_endpoint: String,
userinfo_endpoint: String,
scopes_supported: Vec<String>,
issuer: String,
}
#[derive(Clone, Debug)]
pub struct OidcExecutor {
pub client_id: String,
pub client_secret: String,
pub redirect_uri: String,
pub oidc_config: OidcConfig,
}
/// This struct represents the form response returned by an OIDC
/// provider with the `code`.
#[derive(Debug, Deserialize)]
pub struct CodeResponse {
pub code: String,
}
/// This struct represents the data extracted from the ID token and
/// stored in the user's session.
#[derive(Debug)]
pub struct Author {
pub name: String,
pub email: String,
}
impl Actor for OidcExecutor {
type Context = Context<Self>;
}
/// Message used to request the login URL:
pub struct GetLoginUrl; // TODO: Add a nonce parameter stored in session.
impl Message for GetLoginUrl {
type Result = String;
}
impl Handler<GetLoginUrl> for OidcExecutor {
type Result = String;
fn handle(&mut self, _: GetLoginUrl, _: &mut Self::Context) -> Self::Result {
let mut url: Url = self.oidc_config.authorization_endpoint.clone();
{
let mut params = url.query_pairs_mut();
params.append_pair("client_id", &self.client_id);
params.append_pair("response_type", "code");
params.append_pair("scope", "openid");
params.append_pair("redirect_uri", &self.redirect_uri);
params.append_pair("response_mode", "form_post");
}
return url.into_string();
}
}
/// Message used to request the token from the returned code and
/// retrieve userinfo from the appropriate endpoint.
pub struct RetrieveToken(pub CodeResponse);
impl Message for RetrieveToken {
type Result = Result<Author>;
}
#[derive(Debug, Deserialize)]
struct TokenResponse {
access_token: String,
}
// TODO: This is currently hardcoded to Office365 fields.
#[derive(Debug, Deserialize)]
struct Userinfo {
name: String,
unique_name: String, // email in office365
}
impl Handler<RetrieveToken> for OidcExecutor {
type Result = Result<Author>;
fn handle(&mut self, msg: RetrieveToken, _: &mut Self::Context) -> Self::Result {
debug!("Received OAuth2 code, requesting access_token");
let client = reqwest::Client::new();
let params: [(&str, &str); 5] = [
("client_id", &self.client_id),
("client_secret", &self.client_secret),
("grant_type", "authorization_code"),
("code", &msg.0.code),
("redirect_uri", &self.redirect_uri),
];
let response: TokenResponse = client.post(&self.oidc_config.token_endpoint)
.form(¶ms)
.send()?
.json()?;
let user: Userinfo = client.get(&self.oidc_config.userinfo_endpoint)
.header(Authorization(Bearer { token: response.access_token }))
.send()?
.json()?;
Ok(Author {
name: user.name,
email: user.unique_name,
})
}
}
/// Convenience function to attempt loading an OIDC discovery document
/// from a specified URL:
pub fn load_oidc(url: &str) -> Result<OidcConfig> {
let config: OidcConfig = reqwest::get(url)?.json()?;
Ok(config)
}
|
