sign in with apple

alan-nettica · alan-nettica · commit de0fcb9abe81 · 2025-03-12T13:22:22.000Z
diff --git a/api/v1/auth/auth.go b/api/v1/auth/auth.go
@@ -39,6 +39,9 @@ func oauth2URL(c *gin.Context) {
 	oauth2Client := c.MustGet("oauth2Client").(model.Authentication)
 
 	referer := c.Request.URL.Query().Get("referer")
+	connection := c.Request.URL.Query().Get("connection")
+
+	providers := []string{}
 
 	var err error
 	var state, clientId, codeUrl, audience, redirect_uri string
@@ -90,15 +93,23 @@ func oauth2URL(c *gin.Context) {
 		if referer != "" {
 			codeUrl = codeUrl + "&referer=" + referer
 		}
+		if connection != "" {
+			codeUrl = codeUrl + "&connection=" + connection
+		}
+	}
+
+	if os.Getenv("PROVIDERS") != "" {
+		providers = strings.Split(os.Getenv("PROVIDERS"), ",")
 	}
 
 	data := &model.Auth{
-		Oauth2:   true,
-		ClientId: clientId,
-		State:    state,
-		CodeUrl:  codeUrl,
-		Audience: audience,
-		Redirect: redirect_uri,
+		Oauth2:    true,
+		ClientId:  clientId,
+		State:     state,
+		CodeUrl:   codeUrl,
+		Audience:  audience,
+		Redirect:  redirect_uri,
+		Providers: providers,
 	}
 
 	log.Infof("model.Auth = %v", data)
@@ -146,8 +157,8 @@ func oauth2Exchange(c *gin.Context) {
 	var oauth2Token *oauth2.Token
 	var err error
 
-	if loginVals.Redirect != "com.nettica.agent://callback/agent" {
-		oauth2Token, err = oauth2Client.Exchange(loginVals.Code)
+	if loginVals.Redirect != "com.nettica.agent://callback/agent" || loginVals.Connection == "apple" {
+		oauth2Token, err = oauth2Client.Exchange(loginVals)
 	} else {
 		oauth2Token, err = oauth2Client.Exchange2(loginVals.Code)
 	}
@@ -201,7 +212,7 @@ func token(c *gin.Context) {
 	var err error
 
 	if loginVals.Redirect != "com.nettica.agent://callback/agent" {
-		oauth2Token, err = oauth2Client.Exchange(loginVals.Code)
+		oauth2Token, err = oauth2Client.Exchange(loginVals)
 	} else {
 		oauth2Token, err = oauth2Client.Exchange2(loginVals.Code)
 	}
diff --git a/auth/basic/basic.go b/auth/basic/basic.go
@@ -46,11 +46,11 @@ func (o *Oauth2Basic) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Oauth2Basic) Exchange(code string) (*oauth2.Token, error) {
+func (o *Oauth2Basic) Exchange(auth model.Auth) (*oauth2.Token, error) {
 
 	// code contains the username and password base64 encoded
 	// base64 decode the string
-	userpass, err := base64.StdEncoding.DecodeString(code)
+	userpass, err := base64.StdEncoding.DecodeString(auth.Code)
 	if err != nil {
 		return nil, err
 	}
@@ -89,7 +89,7 @@ func (o *Oauth2Basic) Exchange(code string) (*oauth2.Token, error) {
 }
 
 func (o *Oauth2Basic) Exchange2(code string) (*oauth2.Token, error) {
-	token, err := o.Exchange(code)
+	token, err := o.Exchange(model.Auth{Code: code})
 	return token, err
 }
 
diff --git a/auth/fake/fake.go b/auth/fake/fake.go
@@ -26,7 +26,7 @@ func (o *Fake) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Fake) Exchange(code string) (*oauth2.Token, error) {
+func (o *Fake) Exchange(auth model.Auth) (*oauth2.Token, error) {
 	rand, err := util.GenerateRandomString(32)
 	if err != nil {
 		return nil, err
@@ -40,7 +40,7 @@ func (o *Fake) Exchange(code string) (*oauth2.Token, error) {
 	}, nil
 }
 func (o *Fake) Exchange2(code string) (*oauth2.Token, error) {
-	token, err := o.Exchange(code)
+	token, err := o.Exchange(model.Auth{Code: code})
 	return token, err
 }
 
diff --git a/auth/github/github.go b/auth/github/github.go
@@ -44,8 +44,8 @@ func (o *Github) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Github) Exchange(code string) (*oauth2.Token, error) {
-	oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)
+func (o *Github) Exchange(auth model.Auth) (*oauth2.Token, error) {
+	oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)
 	if err != nil {
 		return nil, err
 	}
@@ -54,7 +54,7 @@ func (o *Github) Exchange(code string) (*oauth2.Token, error) {
 }
 
 func (o *Github) Exchange2(code string) (*oauth2.Token, error) {
-	token, err := o.Exchange(code)
+	token, err := o.Exchange(model.Auth{Code: code})
 	return token, err
 }
 
diff --git a/auth/google/google.go b/auth/google/google.go
@@ -62,8 +62,8 @@ func (o *OAuth2Google) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *OAuth2Google) Exchange(code string) (*oauth2.Token, error) {
-	oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)
+func (o *OAuth2Google) Exchange(auth model.Auth) (*oauth2.Token, error) {
+	oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)
 	if err != nil {
 		return nil, err
 	}
@@ -72,7 +72,7 @@ func (o *OAuth2Google) Exchange(code string) (*oauth2.Token, error) {
 }
 
 func (o *OAuth2Google) Exchange2(code string) (*oauth2.Token, error) {
-	token, err := o.Exchange(code)
+	token, err := o.Exchange(model.Auth{Code: code})
 	return token, err
 }
 
diff --git a/auth/microsoft/microsoft.go b/auth/microsoft/microsoft.go
@@ -63,8 +63,8 @@ func (o *Oauth2Msft) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Oauth2Msft) Exchange(code string) (*oauth2.Token, error) {
-	oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)
+func (o *Oauth2Msft) Exchange(auth model.Auth) (*oauth2.Token, error) {
+	oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +73,7 @@ func (o *Oauth2Msft) Exchange(code string) (*oauth2.Token, error) {
 }
 
 func (o *Oauth2Msft) Exchange2(code string) (*oauth2.Token, error) {
-	token, err := o.Exchange(code)
+	token, err := o.Exchange(model.Auth{Code: code})
 	return token, err
 }
 
diff --git a/auth/microsoft2/microsoft2.go b/auth/microsoft2/microsoft2.go
@@ -103,10 +103,10 @@ func (o *Oauth2Microsoft) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Oauth2Microsoft) Exchange(code string) (*oauth2.Token, error) {
+func (o *Oauth2Microsoft) Exchange(auth model.Auth) (*oauth2.Token, error) {
 	// oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)
 
-	authResult, err := clientApp.AcquireTokenByAuthCode(context.Background(), code, oauth2Config.RedirectURL, oauth2Config.Scopes)
+	authResult, err := clientApp.AcquireTokenByAuthCode(context.Background(), auth.Code, oauth2Config.RedirectURL, oauth2Config.Scopes)
 	if err != nil {
 		return nil, err
 	}
diff --git a/auth/oauth2oidc/oauth2oidc.go b/auth/oauth2oidc/oauth2oidc.go
@@ -121,14 +121,80 @@ func (o *Oauth2idc) CodeUrl2(state string) string {
 }
 
 // Exchange exchange code for Oauth2 token
-func (o *Oauth2idc) Exchange(code string) (*oauth2.Token, error) {
+func (o *Oauth2idc) Exchange(auth model.Auth) (*oauth2.Token, error) {
+
+	if auth.Connection == "apple" {
+		// Make a http request using the agent configuration information
+		client_id := os.Getenv("OAUTH2_AGENT_CLIENT_ID")
+		client_secret := os.Getenv("OAUTH2_AGENT_CLIENT_SECRET")
+		redirect_url := os.Getenv("OAUTH2_AGENT_REDIRECT_URL")
+		audience := os.Getenv("OAUTH2_AGENT_AUDIENCE")
+
+		provider := os.Getenv("OAUTH2_AGENT_PROVIDER")
+
+		// make an http post to the oauth2 token endpoint
+		// with the code and other required parameters
+		// to get the access token
+		// and other information
+
+		httpClient := &http.Client{
+			Transport: &CustomTransport{
+				Transport: http.DefaultTransport,
+				UserAgent: "nettica-admin/2.0",
+			},
+		}
+		rsp, err := httpClient.PostForm(provider+"oauth/token/", url.Values{
+			"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
+			"client_id":          {client_id},
+			"client_secret":      {client_secret},
+			"redirect_uri":       {redirect_url},
+			"audience":           {audience},
+			"subject_token":      {auth.Code},
+			"subject_token_type": {"http://auth0.com/oauth/token-type/apple-authz-code"},
+		})
+		if err != nil {
+			log.Info(err)
+			return nil, err
+		}
+		defer rsp.Body.Close()
 
-	oauth2Token, err := oauth2Config.Exchange(ctx, code)
-	if err != nil {
-		return nil, err
+		body, err := io.ReadAll(rsp.Body)
+		if err != nil {
+			log.Info(err)
+			return nil, err
+		}
+		log.Infof("body: %s", body)
+
+		// read the response body and serialize it into a TokenResponse struct
+		var tokenResponse TokenResponse
+
+		// decode the body bytes into the struct
+
+		err = json.Unmarshal(body, &tokenResponse)
+		if err != nil {
+			log.Info(err)
+			return nil, err
+		}
+
+		oauth2Token := &oauth2.Token{
+			AccessToken: tokenResponse.AccessToken,
+			Expiry:      time.Now().Add(time.Duration(tokenResponse.ExpiresIn) * time.Second),
+			TokenType:   tokenResponse.TokenType,
+		}
+		oauth2Token = oauth2Token.WithExtra(map[string]interface{}{ // Add the ID token to the extra parameters
+			"id_token": auth.IdToken})
+
+		return oauth2Token, nil
+
+	} else {
+		oauth2Token, err := oauth2Config.Exchange(ctx, auth.Code)
+		if err != nil {
+			return nil, err
+		}
+		return oauth2Token, nil
 	}
 
-	return oauth2Token, nil
+	return nil, nil
 }
 func (o *Oauth2idc) Exchange2(code string) (*oauth2.Token, error) {
 
@@ -199,6 +265,29 @@ func (o *Oauth2idc) Exchange2(code string) (*oauth2.Token, error) {
 	return oauth2Token, nil
 }
 
+func verifyAppleIDToken(ctx context.Context, tokenString string) (*oidc.IDToken, error) {
+	// Apple's OIDC discovery URL
+	provider, err := oidc.NewProvider(ctx, "https://appleid.apple.com")
+	if err != nil {
+		return nil, fmt.Errorf("failed to get Apple OIDC provider: %v", err)
+	}
+
+	// Set up an ID Token verifier using the provider and your client ID
+	verifier := provider.Verifier(&oidc.Config{ClientID: "com.nettica.agent"})
+	if verifier == nil {
+		return nil, fmt.Errorf("failed to create verifier")
+	}
+
+	// Verify and parse ID Token
+	idToken, err := verifier.Verify(ctx, tokenString)
+	if err != nil {
+		return nil, fmt.Errorf("ID Token verification failed: %v", err)
+	}
+
+	// Successfully verified ID Token
+	return idToken, nil
+}
+
 // UserInfo get token user
 func (o *Oauth2idc) UserInfo(oauth2Token *oauth2.Token) (*model.User, error) {
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
@@ -208,7 +297,10 @@ func (o *Oauth2idc) UserInfo(oauth2Token *oauth2.Token) (*model.User, error) {
 
 	verified := false
 	var idToken *oidc.IDToken
+	var userInfo *oidc.UserInfo
 	var err error
+	// ID Token payload is just JSON
+	var claims map[string]interface{}
 
 	for _, verifier := range oidcIDTokenVerifier {
 		idToken, err = verifier.Verify(ctx, rawIDToken)
@@ -218,6 +310,21 @@ func (o *Oauth2idc) UserInfo(oauth2Token *oauth2.Token) (*model.User, error) {
 		}
 	}
 
+	if !verified {
+		idToken, err = verifyAppleIDToken(ctx, rawIDToken)
+		if err == nil {
+			verified = true
+		}
+
+		// get the user info from the id token
+		idToken.Claims(&claims)
+		userInfo = &oidc.UserInfo{
+			Subject: "apple|" + idToken.Subject,
+			Email:   claims["email"].(string),
+		}
+		// add the claims to the user info
+	}
+
 	if !verified || err != nil {
 		return nil, err
 	}
@@ -227,15 +334,16 @@ func (o *Oauth2idc) UserInfo(oauth2Token *oauth2.Token) (*model.User, error) {
 		return cacheUser.(*model.User), nil
 	}
 
-	userInfo, err := oidcProvider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
-	if err != nil {
-		return nil, err
-	}
+	if userInfo == nil {
+		userInfo, err = oidcProvider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
+		if err != nil {
+			return nil, err
+		}
+
+		if err := userInfo.Claims(&claims); err != nil {
+			return nil, fmt.Errorf("failed to get id token claims: %s", err)
+		}
 
-	// ID Token payload is just JSON
-	var claims map[string]interface{}
-	if err := userInfo.Claims(&claims); err != nil {
-		return nil, fmt.Errorf("failed to get id token claims: %s", err)
 	}
 
 	// get some infos about user
diff --git a/model/auth.go b/model/auth.go
@@ -4,13 +4,16 @@ import "golang.org/x/oauth2"
 
 // Auth structure
 type Auth struct {
-	Oauth2   bool   `json:"oauth2"`
-	ClientId string `json:"clientId"`
-	Code     string `json:"code"`
-	State    string `json:"state"`
-	CodeUrl  string `json:"codeUrl"`
-	Redirect string `json:"redirect_uri"`
-	Audience string `json:"audience"`
+	Oauth2     bool     `json:"oauth2"`
+	ClientId   string   `json:"clientId"`
+	Code       string   `json:"code"`
+	State      string   `json:"state"`
+	CodeUrl    string   `json:"codeUrl"`
+	Redirect   string   `json:"redirect_uri"`
+	Audience   string   `json:"audience"`
+	Connection string   `json:"connection"`
+	IdToken    string   `json:"id_token"`
+	Providers  []string `json:"providers"`
 }
 
 type OAuth2Token struct {
@@ -26,7 +29,7 @@ type Authentication interface {
 	Setup() error
 	CodeUrl(state string) string
 	CodeUrl2(state string) string
-	Exchange(code string) (*oauth2.Token, error)
+	Exchange(auth Auth) (*oauth2.Token, error)
 	Exchange2(code string) (*oauth2.Token, error)
 	UserInfo(oauth2Token *oauth2.Token) (*User, error)
 }
diff --git a/util/util.go b/util/util.go
@@ -25,7 +25,7 @@ var (
 
 func GetCleanAuthToken(c *gin.Context) string {
 	token := c.Request.Header.Get(AuthTokenHeaderName)
-	if len(token) > 0 && token[:7] == "Bearer " {
+	if len(token) > 0 && strings.HasPrefix(token, "Bearer ") {
 		token = token[7:]
 		token = strings.Trim(token, "\"")
 	}

Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,11 @@ func (o *Oauth2Basic) CodeUrl2(state string) string {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`// Exchange exchange code for Oauth2 token`
`49`		`-func (o Oauth2Basic) Exchange(code string) (oauth2.Token, error) {`
	`49`	`+func (o Oauth2Basic) Exchange(auth model.Auth) (oauth2.Token, error) {`
`50`	`50`
`51`	`51`	`// code contains the username and password base64 encoded`
`52`	`52`	`// base64 decode the string`
`53`		`- userpass, err := base64.StdEncoding.DecodeString(code)`
	`53`	`+ userpass, err := base64.StdEncoding.DecodeString(auth.Code)`
`54`	`54`	`if err != nil {`
`55`	`55`	`return nil, err`
`56`	`56`	`}`
`@@ -89,7 +89,7 @@ func (o Oauth2Basic) Exchange(code string) (oauth2.Token, error) {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`func (o Oauth2Basic) Exchange2(code string) (oauth2.Token, error) {`
`92`		`- token, err := o.Exchange(code)`
	`92`	`+ token, err := o.Exchange(model.Auth{Code: code})`
`93`	`93`	`return token, err`
`94`	`94`	`}`
`95`	`95`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func (o *Fake) CodeUrl2(state string) string {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`// Exchange exchange code for Oauth2 token`
`29`		`-func (o Fake) Exchange(code string) (oauth2.Token, error) {`
	`29`	`+func (o Fake) Exchange(auth model.Auth) (oauth2.Token, error) {`
`30`	`30`	`rand, err := util.GenerateRandomString(32)`
`31`	`31`	`if err != nil {`
`32`	`32`	`return nil, err`
`@@ -40,7 +40,7 @@ func (o Fake) Exchange(code string) (oauth2.Token, error) {`
`40`	`40`	`}, nil`
`41`	`41`	`}`
`42`	`42`	`func (o Fake) Exchange2(code string) (oauth2.Token, error) {`
`43`		`- token, err := o.Exchange(code)`
	`43`	`+ token, err := o.Exchange(model.Auth{Code: code})`
`44`	`44`	`return token, err`
`45`	`45`	`}`
`46`	`46`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@ func (o *Github) CodeUrl2(state string) string {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`// Exchange exchange code for Oauth2 token`
`47`		`-func (o Github) Exchange(code string) (oauth2.Token, error) {`
`48`		`- oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)`
	`47`	`+func (o Github) Exchange(auth model.Auth) (oauth2.Token, error) {`
	`48`	`+ oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)`
`49`	`49`	`if err != nil {`
`50`	`50`	`return nil, err`
`51`	`51`	`}`
`@@ -54,7 +54,7 @@ func (o Github) Exchange(code string) (oauth2.Token, error) {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`func (o Github) Exchange2(code string) (oauth2.Token, error) {`
`57`		`- token, err := o.Exchange(code)`
	`57`	`+ token, err := o.Exchange(model.Auth{Code: code})`
`58`	`58`	`return token, err`
`59`	`59`	`}`
`60`	`60`
Original file line number	Diff line number	Diff line change
`@@ -62,8 +62,8 @@ func (o *OAuth2Google) CodeUrl2(state string) string {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`// Exchange exchange code for Oauth2 token`
`65`		`-func (o OAuth2Google) Exchange(code string) (oauth2.Token, error) {`
`66`		`- oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)`
	`65`	`+func (o OAuth2Google) Exchange(auth model.Auth) (oauth2.Token, error) {`
	`66`	`+ oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)`
`67`	`67`	`if err != nil {`
`68`	`68`	`return nil, err`
`69`	`69`	`}`
`@@ -72,7 +72,7 @@ func (o OAuth2Google) Exchange(code string) (oauth2.Token, error) {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`func (o OAuth2Google) Exchange2(code string) (oauth2.Token, error) {`
`75`		`- token, err := o.Exchange(code)`
	`75`	`+ token, err := o.Exchange(model.Auth{Code: code})`
`76`	`76`	`return token, err`
`77`	`77`	`}`
`78`	`78`
Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,8 @@ func (o *Oauth2Msft) CodeUrl2(state string) string {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`// Exchange exchange code for Oauth2 token`
`66`		`-func (o Oauth2Msft) Exchange(code string) (oauth2.Token, error) {`
`67`		`- oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)`
	`66`	`+func (o Oauth2Msft) Exchange(auth model.Auth) (oauth2.Token, error) {`
	`67`	`+ oauth2Token, err := oauth2Config.Exchange(context.TODO(), auth.Code)`
`68`	`68`	`if err != nil {`
`69`	`69`	`return nil, err`
`70`	`70`	`}`
`@@ -73,7 +73,7 @@ func (o Oauth2Msft) Exchange(code string) (oauth2.Token, error) {`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`func (o Oauth2Msft) Exchange2(code string) (oauth2.Token, error) {`
`76`		`- token, err := o.Exchange(code)`
	`76`	`+ token, err := o.Exchange(model.Auth{Code: code})`
`77`	`77`	`return token, err`
`78`	`78`	`}`
`79`	`79`
Original file line number	Diff line number	Diff line change
`@@ -103,10 +103,10 @@ func (o *Oauth2Microsoft) CodeUrl2(state string) string {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`// Exchange exchange code for Oauth2 token`
`106`		`-func (o Oauth2Microsoft) Exchange(code string) (oauth2.Token, error) {`
	`106`	`+func (o Oauth2Microsoft) Exchange(auth model.Auth) (oauth2.Token, error) {`
`107`	`107`	`// oauth2Token, err := oauth2Config.Exchange(context.TODO(), code)`
`108`	`108`
`109`		`- authResult, err := clientApp.AcquireTokenByAuthCode(context.Background(), code, oauth2Config.RedirectURL, oauth2Config.Scopes)`
	`109`	`+ authResult, err := clientApp.AcquireTokenByAuthCode(context.Background(), auth.Code, oauth2Config.RedirectURL, oauth2Config.Scopes)`
`110`	`110`	`if err != nil {`
`111`	`111`	`return nil, err`
`112`	`112`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ var (`
`25`	`25`
`26`	`26`	`func GetCleanAuthToken(c *gin.Context) string {`
`27`	`27`	`token := c.Request.Header.Get(AuthTokenHeaderName)`
`28`		`- if len(token) > 0 && token[:7] == "Bearer " {`
	`28`	`+ if len(token) > 0 && strings.HasPrefix(token, "Bearer ") {`
`29`	`29`	`token = token[7:]`
`30`	`30`	`token = strings.Trim(token, "\"")`
`31`	`31`	`}`