| -- |
| -- Licensed to the Apache Software Foundation (ASF) under one or more |
| -- contributor license agreements. See the NOTICE file distributed with |
| -- this work for additional information regarding copyright ownership. |
| -- The ASF licenses this file to You under the Apache License, Version 2.0 |
| -- (the "License"); you may not use this file except in compliance with |
| -- the License. You may obtain a copy of the License at |
| -- |
| -- http://www.apache.org/licenses/LICENSE-2.0 |
| -- |
| -- Unless required by applicable law or agreed to in writing, software |
| -- distributed under the License is distributed on an "AS IS" BASIS, |
| -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| -- See the License for the specific language governing permissions and |
| -- limitations under the License. |
| -- |
| |
| -- A Proxy for Google OAuth API |
| local cjson = require "cjson" |
| local http = require "resty.http" |
| local request = require "lib/request" |
| local utils = require "lib/utils" |
| |
| local _M = {} |
| function _M.process (dataStore, token) |
| |
| local result = dataStore:getOAuthToken('google', token) |
| |
| local httpc = http.new() |
| if result ~= ngx.null then |
| local json_resp = cjson.decode(result) |
| ngx.header['X-OIDC-Sub'] = json_resp['sub'] |
| ngx.header['X-OIDC-Email'] = json_resp['email'] |
| ngx.header['X-OIDC-Scope'] = json_resp['scope'] |
| return json_resp |
| end |
| |
| local request_options = { |
| headers = { |
| ["Accept"] = "application/json" |
| }, |
| ssl_verify = false |
| } |
| |
| local envUrl = os.getenv('TOKEN_GOOGLE_URL') |
| envUrl = envUrl ~= nil and envUrl or 'https://www.googleapis.com/oauth2/v3/tokeninfo' |
| local request_uri = utils.concatStrings({envUrl, "?access_token=", token}) |
| local res, err = httpc:request_uri(request_uri, request_options) |
| -- convert response |
| if not res then |
| ngx.log(ngx.WARN, utils.concatStrings({"Could not invoke Google API. Error=", err})) |
| request.err(500, 'Connection to the OAuth provider failed.') |
| return nil |
| end |
| local json_resp = cjson.decode(res.body) |
| if json_resp['error_description'] ~= nil then |
| return nil |
| end |
| |
| -- keep token in cache until it expires |
| local ttl = json_resp['expires_in'] |
| dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), ttl) |
| -- convert Google's response |
| -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo |
| ngx.header['X-OIDC-Sub'] = json_resp['sub'] |
| ngx.header['X-OIDC-Email'] = json_resp['email'] |
| ngx.header['X-OIDC-Scope'] = json_resp['scope'] |
| return json_resp |
| end |
| |
| return _M |