1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
// Package msauth implements a library to authorize against Microsoft identity platform:
// https://docs.microsoft.com/en-us/azure/active-directory/develop/
//
// It utilizes v2.0 endpoint
// so it can authorize users with both personal (Microsoft) and organizational (Azure AD) account.
package msauth
import (
"context"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"sync"
"time"
"golang.org/x/oauth2"
)
const (
// DefaultMSGraphScope is the default scope for MS Graph API
DefaultMSGraphScope = "https://graph.microsoft.com/.default"
endpointURLFormat = "https://login.microsoftonline.com/%s/oauth2/v2.0/%s"
)
// TokenError is returned on failed authentication
type TokenError struct {
ErrorObject string `json:"error"`
ErrorDescription string `json:"error_description"`
}
// Error implements error interface
func (t *TokenError) Error() string {
return fmt.Sprintf("%s: %s", t.ErrorObject, t.ErrorDescription)
}
func generateKey(tenantID, clientID string) string {
return fmt.Sprintf("%s:%s", tenantID, clientID)
}
func deviceCodeURL(tenantID string) string {
return fmt.Sprintf(endpointURLFormat, tenantID, "devicecode")
}
func tokenURL(tenantID string) string {
return fmt.Sprintf(endpointURLFormat, tenantID, "token")
}
type tokenJSON struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
RefreshToken string `json:"refresh_token"`
ExpiresIn int `json:"expires_in"`
}
func (e *tokenJSON) expiry() (t time.Time) {
if v := e.ExpiresIn; v != 0 {
return time.Now().Add(time.Duration(v) * time.Second)
}
return
}
// Manager is oauth2 token cache manager
type Manager struct {
mu sync.Mutex
TokenCache map[string]*oauth2.Token
}
// NewManager returns a new Manager instance
func NewManager() *Manager {
return &Manager{TokenCache: map[string]*oauth2.Token{}}
}
// LoadBytes loads token cache from opaque bytes (it's actually JSON)
func (m *Manager) LoadBytes(b []byte) error {
m.mu.Lock()
defer m.mu.Unlock()
return json.Unmarshal(b, &m.TokenCache)
}
// SaveBytes saves token cache to opaque bytes (it's actually JSON)
func (m *Manager) SaveBytes() ([]byte, error) {
m.mu.Lock()
defer m.mu.Unlock()
return json.Marshal(m.TokenCache)
}
// LoadFile loads token cache from file
func (m *Manager) LoadFile(path string) error {
b, err := ioutil.ReadFile(path)
if err != nil {
return err
}
return m.LoadBytes(b)
}
// SaveFile saves token cache to file
func (m *Manager) SaveFile(path string) error {
b, err := m.SaveBytes()
if err != nil {
return err
}
return ioutil.WriteFile(path, b, 0644)
}
// Cache stores a token into token cache
func (m *Manager) Cache(tenantID, clientID string, token *oauth2.Token) {
m.TokenCache[generateKey(tenantID, clientID)] = token
}
// requestToken requests a token from the token endpoint
// TODO(ctx): use http client from ctx
func (m *Manager) requestToken(ctx context.Context, tenantID, clientID string, values url.Values) (*oauth2.Token, error) {
res, err := http.PostForm(tokenURL(tenantID), values)
if err != nil {
return nil, err
}
defer res.Body.Close()
b, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
if res.StatusCode != http.StatusOK {
var terr *TokenError
err = json.Unmarshal(b, &terr)
if err != nil {
return nil, err
}
return nil, terr
}
var tj *tokenJSON
err = json.Unmarshal(b, &tj)
if err != nil {
return nil, err
}
token := &oauth2.Token{
AccessToken: tj.AccessToken,
TokenType: tj.TokenType,
RefreshToken: tj.RefreshToken,
Expiry: tj.expiry(),
}
if token.AccessToken == "" {
return nil, errors.New("msauth: server response missing access_token")
}
return token, nil
}
|
