parent
5e40728ec3
commit
68780426b5
1 changed files with 19 additions and 4 deletions
|
@ -16,6 +16,7 @@ import (
|
||||||
"github.com/gorilla/sessions"
|
"github.com/gorilla/sessions"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
|
"github.com/Luzifer/go_helpers/v2/str"
|
||||||
"github.com/Luzifer/nginx-sso/plugins"
|
"github.com/Luzifer/nginx-sso/plugins"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -30,8 +31,9 @@ type AuthGoogleOAuth struct {
|
||||||
ClientSecret string `yaml:"client_secret"`
|
ClientSecret string `yaml:"client_secret"`
|
||||||
RedirectURL string `yaml:"redirect_url"`
|
RedirectURL string `yaml:"redirect_url"`
|
||||||
|
|
||||||
RequireDomain string `yaml:"require_domain"`
|
RequireDomain string `yaml:"require_domain"` // Deprecated: Use RequireDomains
|
||||||
UserIDMethod string `yaml:"user_id_method"`
|
RequireDomains []string `yaml:"require_domains"`
|
||||||
|
UserIDMethod string `yaml:"user_id_method"`
|
||||||
|
|
||||||
cookie plugins.CookieConfig
|
cookie plugins.CookieConfig
|
||||||
cookieStore *sessions.CookieStore
|
cookieStore *sessions.CookieStore
|
||||||
|
@ -77,7 +79,15 @@ func (a *AuthGoogleOAuth) Configure(yamlSource []byte) (err error) {
|
||||||
a.ClientID = envelope.Providers.GoogleOAuth.ClientID
|
a.ClientID = envelope.Providers.GoogleOAuth.ClientID
|
||||||
a.ClientSecret = envelope.Providers.GoogleOAuth.ClientSecret
|
a.ClientSecret = envelope.Providers.GoogleOAuth.ClientSecret
|
||||||
a.RedirectURL = envelope.Providers.GoogleOAuth.RedirectURL
|
a.RedirectURL = envelope.Providers.GoogleOAuth.RedirectURL
|
||||||
a.RequireDomain = envelope.Providers.GoogleOAuth.RequireDomain
|
a.RequireDomains = envelope.Providers.GoogleOAuth.RequireDomains
|
||||||
|
|
||||||
|
if len(envelope.Providers.GoogleOAuth.RequireDomain) > 0 {
|
||||||
|
// Migration for old configuration with only single require_domain
|
||||||
|
a.RequireDomains = append(
|
||||||
|
a.RequireDomains,
|
||||||
|
envelope.Providers.GoogleOAuth.RequireDomain,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
if envelope.Providers.GoogleOAuth.UserIDMethod != "" {
|
if envelope.Providers.GoogleOAuth.UserIDMethod != "" {
|
||||||
a.UserIDMethod = envelope.Providers.GoogleOAuth.UserIDMethod
|
a.UserIDMethod = envelope.Providers.GoogleOAuth.UserIDMethod
|
||||||
|
@ -224,7 +234,12 @@ func (a *AuthGoogleOAuth) getUserFromToken(ctx context.Context, token *oauth2.To
|
||||||
return "", errors.Wrap(err, "Unable to fetch token-info")
|
return "", errors.Wrap(err, "Unable to fetch token-info")
|
||||||
}
|
}
|
||||||
|
|
||||||
if a.RequireDomain != "" && !strings.HasSuffix(tok.Email, "@"+a.RequireDomain) {
|
var mailParts = strings.Split(tok.Email, "@")
|
||||||
|
if len(mailParts) != 2 {
|
||||||
|
return "", errors.New("Invalid email returned")
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(a.RequireDomains) > 0 && !str.StringInSlice(mailParts[1], a.RequireDomains) {
|
||||||
// E-Mail domain is enforced, ignore all other users
|
// E-Mail domain is enforced, ignore all other users
|
||||||
return "", plugins.ErrNoValidUserFound
|
return "", plugins.ErrNoValidUserFound
|
||||||
}
|
}
|
||||||
|
|
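Review bot: The new domain check at `!str.StringInSlice(mailParts[1], a.RequireDomains)` looks like a byte-exact comparison (the helper's semantics are not visible in this hunk), but e-mail domains are case-insensitive, so a mixed-case `require_domains` entry or a provider returning `User@Example.COM` would deny a legitimate user; normalizing both sides, e.g. `strings.ToLower(mailParts[1])` here and lowering each `a.RequireDomains` entry once in Configure after the migration block, avoids that. Separately, the `len(mailParts) != 2` rejection now runs before the `len(a.RequireDomains) > 0` guard, so deployments with no domain restriction newly reject any address that does not contain exactly one `@`, which the old `HasSuffix` path never did; if that is intended, a comment such as `// Reject malformed addresses even when no domain is enforced` on the check would make it explicit. getUserFromToken starts and ends outside this hunk.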