✨ feat(auth): implement OIDC client methods (ADR-0028 Phase B.3) (#74)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
2026-05-05 19:54:08 +02:00
parent 0c01789605
commit 9b4087b765
2 changed files with 664 additions and 20 deletions
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -8,9 +8,17 @@ package auth
 import (
 	"context"
 	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"math/big"
 	"net/http"
+	"net/url"
+	"strings"
 	"sync"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
 )

 // OIDCClient is a per-provider OIDC client.
@@ -52,14 +60,25 @@ type TokenResponse struct {

 // IDTokenClaims represents the parsed claims from an ID token.
 type IDTokenClaims struct {
-	Issuer         string `json:"iss"`
-	Subject        string `json:"sub"`
-	Audience       string `json:"aud"`
-	ExpirationTime int64  `json:"exp"`
-	IssuedAt       int64  `json:"iat"`
-	Nonce          string `json:"nonce,omitempty"`
-	Email          string `json:"email,omitempty"`
-	EmailVerified  bool   `json:"email_verified,omitempty"`
+	jwt.RegisteredClaims
+	Email         string `json:"email,omitempty"`
+	EmailVerified bool   `json:"email_verified,omitempty"`
+	Name          string `json:"name,omitempty"`
+}
+
+// jwks represents the JWKS (JSON Web Key Set) response.
+type jwks struct {
+	Keys []jwk `json:"keys"`
+}
+
+// jwk represents a single JSON Web Key.
+type jwk struct {
+	Kid string `json:"kid"`
+	Kty string `json:"kty"`
+	N   string `json:"n"`
+	E   string `json:"e"`
+	Use string `json:"use,omitempty"`
+	Alg string `json:"alg,omitempty"`
 }

 // NewOIDCClient constructs a client. Discovery + JWKS are NOT fetched eagerly;
@@ -75,30 +94,237 @@ func NewOIDCClient(issuerURL, clientID, clientSecret string) *OIDCClient {
 	}
 }

+// decodeRSAPublicKey reconstructs an *rsa.PublicKey from JWK n and e values.
+func decodeRSAPublicKey(j jwk) (*rsa.PublicKey, error) {
+	nBytes, err := base64.RawURLEncoding.DecodeString(j.N)
+	if err != nil {
+		return nil, fmt.Errorf("decode n: %w", err)
+	}
+	eBytes, err := base64.RawURLEncoding.DecodeString(j.E)
+	if err != nil {
+		return nil, fmt.Errorf("decode e: %w", err)
+	}
+	n := new(big.Int).SetBytes(nBytes)
+	e := new(big.Int).SetBytes(eBytes)
+	return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
+}
+
 // Discover fetches and caches the .well-known document. Idempotent.
 // First call: HTTP fetch + cache. Subsequent calls: cached value.
 func (c *OIDCClient) Discover(ctx context.Context) (*Discovery, error) {
-	// TODO Phase B.3: implement (HTTP GET issuerURL + "/.well-known/openid-configuration")
-	return nil, nil // placeholder for skeleton phase
+	c.discoveryMu.RLock()
+	if c.discovery != nil {
+		c.discoveryMu.RUnlock()
+		return c.discovery, nil
+	}
+	c.discoveryMu.RUnlock()
+
+	c.discoveryMu.Lock()
+	defer c.discoveryMu.Unlock()
+
+	// Double-check after acquiring write lock
+	if c.discovery != nil {
+		return c.discovery, nil
+	}
+
+	wellKnownURL := fmt.Sprintf("%s/.well-known/openid-configuration", c.issuerURL)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, wellKnownURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create discovery request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("fetch discovery: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("discovery HTTP %d", resp.StatusCode)
+	}
+
+	var disc Discovery
+	if err := json.NewDecoder(resp.Body).Decode(&disc); err != nil {
+		return nil, fmt.Errorf("decode discovery: %w", err)
+	}
+
+	c.discovery = &disc
+	return &disc, nil
 }

 // RefreshJWKS fetches JWKS URI, parse keys, populate jwks map.
-// TODO Phase B.3: implement
 func (c *OIDCClient) RefreshJWKS(ctx context.Context) error {
-	// TODO Phase B.3: implement (HTTP GET to JWKS URI from discovery, parse keys)
-	return nil // placeholder for skeleton phase
+	// Ensure discovery is loaded
+	if c.discovery == nil {
+		if _, err := c.Discover(ctx); err != nil {
+			return fmt.Errorf("discover: %w", err)
+		}
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.discovery.JWKSUri, nil)
+	if err != nil {
+		return fmt.Errorf("create JWKS request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("fetch JWKS: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("JWKS HTTP %d", resp.StatusCode)
+	}
+
+	var keySet jwks
+	if err := json.NewDecoder(resp.Body).Decode(&keySet); err != nil {
+		return fmt.Errorf("decode JWKS: %w", err)
+	}
+
+	c.jwksMu.Lock()
+	defer c.jwksMu.Unlock()
+
+	c.jwks = make(map[string]*rsa.PublicKey)
+	for _, key := range keySet.Keys {
+		if key.Kty == "RSA" {
+			pubKey, err := decodeRSAPublicKey(key)
+			if err != nil {
+				return fmt.Errorf("decode RSA key %s: %w", key.Kid, err)
+			}
+			c.jwks[key.Kid] = pubKey
+		}
+	}
+
+	c.jwksFetched = time.Now()
+	return nil
 }

 // ExchangeCode exchanges an authorization code for an access token and ID token.
-// TODO Phase B.3: implement
 func (c *OIDCClient) ExchangeCode(ctx context.Context, code, codeVerifier, redirectURI string) (*TokenResponse, error) {
-	// TODO Phase B.3: implement (POST to token_endpoint with code, code_verifier, redirect_uri)
-	return nil, nil // placeholder for skeleton phase
+	// Ensure discovery is loaded
+	if c.discovery == nil {
+		if _, err := c.Discover(ctx); err != nil {
+			return nil, fmt.Errorf("discover: %w", err)
+		}
+	}
+
+	form := url.Values{}
+	form.Set("grant_type", "authorization_code")
+	form.Set("code", code)
+	form.Set("code_verifier", codeVerifier)
+	form.Set("redirect_uri", redirectURI)
+	form.Set("client_id", c.clientID)
+	form.Set("client_secret", c.clientSecret)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.discovery.TokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("create token request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("exchange code: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("token HTTP %d", resp.StatusCode)
+	}
+
+	var tokenResp TokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return nil, fmt.Errorf("decode token response: %w", err)
+	}
+
+	return &tokenResp, nil
 }

 // ValidateIDToken verifies the signature and claims of an ID token.
-// TODO Phase B.3: implement
 func (c *OIDCClient) ValidateIDToken(ctx context.Context, idToken string) (*IDTokenClaims, error) {
-	// TODO Phase B.3: implement (verify signature with JWKS, validate claims)
-	return nil, nil // placeholder for skeleton phase
+	// First, parse without verification to get the kid
+	parser := jwt.NewParser()
+	unverifiedToken, _, err := parser.ParseUnverified(idToken, &IDTokenClaims{})
+	if err != nil {
+		return nil, fmt.Errorf("parse unverified token: %w", err)
+	}
+
+	claims, ok := unverifiedToken.Claims.(*IDTokenClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid claims type")
+	}
+
+	// Get kid from header
+	kid, ok := unverifiedToken.Header["kid"].(string)
+	if !ok || kid == "" {
+		return nil, fmt.Errorf("missing kid in token header")
+	}
+
+	// Get the key, refreshing JWKS if needed
+	c.jwksMu.RLock()
+	_, keyExists := c.jwks[kid]
+	c.jwksMu.RUnlock()
+
+	if !keyExists {
+		if err := c.RefreshJWKS(ctx); err != nil {
+			return nil, fmt.Errorf("refresh JWKS: %w", err)
+		}
+
+		c.jwksMu.RLock()
+		_, keyExists = c.jwks[kid]
+		c.jwksMu.RUnlock()
+
+		if !keyExists {
+			return nil, fmt.Errorf("key %s not found in JWKS", kid)
+		}
+	}
+
+	// Parse with verification
+	keyFunc := func(token *jwt.Token) (interface{}, error) {
+		if kid, ok := token.Header["kid"].(string); ok {
+			c.jwksMu.RLock()
+			defer c.jwksMu.RUnlock()
+			if key, exists := c.jwks[kid]; exists {
+				return key, nil
+			}
+		}
+		return nil, fmt.Errorf("key not found")
+	}
+
+	parsedToken, err := jwt.ParseWithClaims(idToken, &IDTokenClaims{}, keyFunc)
+	if err != nil {
+		return nil, fmt.Errorf("parse token: %w", err)
+	}
+
+	claims, ok = parsedToken.Claims.(*IDTokenClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid claims type after parse")
+	}
+
+	// Validate claims
+	if claims.Issuer != c.issuerURL {
+		return nil, fmt.Errorf("issuer mismatch: expected %s, got %s", c.issuerURL, claims.Issuer)
+	}
+
+	// Check audience contains clientID
+	audValid := false
+	if claims.Audience != nil {
+		for _, aud := range claims.Audience {
+			if aud == c.clientID {
+				audValid = true
+				break
+			}
+		}
+	}
+	if !audValid {
+		return nil, fmt.Errorf("audience does not contain client ID %s", c.clientID)
+	}
+
+	// Check expiration
+	if claims.ExpiresAt != nil && time.Now().UTC().After(claims.ExpiresAt.Time) {
+		return nil, fmt.Errorf("token expired")
+	}
+
+	return claims, nil
 }