MCPcopy Index your code
hub / github.com/coder/coder / userOIDC

Method userOIDC

coderd/userauth.go:1212–1565  ·  view source on GitHub ↗

@Summary OpenID Connect Callback @ID openid-connect-callback @Security CoderSessionToken @Tags Users @Success 307 @Router /api/v2/users/oidc/callback [get]

(rw http.ResponseWriter, r *http.Request)

Source from the content-addressed store, hash-verified

1210// @Success 307
1211// @Router /api/v2/users/oidc/callback [get]
1212func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
1213 var (
1214 // userOIDC is a system function.
1215 //nolint:gocritic
1216 ctx = dbauthz.AsSystemRestricted(r.Context())
1217 state = httpmw.OAuth2(r)
1218 auditor = api.Auditor.Load()
1219 aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
1220 Audit: *auditor,
1221 Log: api.Logger,
1222 Request: r,
1223 Action: database.AuditActionLogin,
1224 })
1225 )
1226 aReq.Old = database.APIKey{}
1227 defer commitAudit()
1228
1229 // See the example here: https://github.com/coreos/go-oidc
1230 rawIDToken, ok := state.Token.Extra("id_token").(string)
1231 if !ok {
1232 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
1233 Message: "id_token not found in response payload. Ensure your OIDC callback is configured correctly!",
1234 })
1235 return
1236 }
1237
1238 idToken, err := api.OIDCConfig.Verifier.Verify(ctx, rawIDToken)
1239 if err != nil {
1240 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
1241 Message: "Failed to verify OIDC token.",
1242 Detail: err.Error(),
1243 })
1244 return
1245 }
1246
1247 logger := api.Logger.Named(userAuthLoggerName)
1248
1249 // "email_verified" is an optional claim that changes the behavior
1250 // of our OIDC handler, so each property must be pulled manually out
1251 // of the claim mapping.
1252 idtokenClaims := map[string]interface{}{}
1253 err = idToken.Claims(&idtokenClaims)
1254 if err != nil {
1255 logger.Error(ctx, "oauth2: unable to extract OIDC claims", slog.Error(err))
1256 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
1257 Message: "Failed to extract OIDC claims.",
1258 Detail: err.Error(),
1259 })
1260 return
1261 }
1262
1263 if idToken.Subject == "" {
1264 logger.Error(ctx, "oauth2: missing 'sub' claim field in OIDC token",
1265 slog.F("source", "id_token"),
1266 slog.F("claim_fields", claimFields(idtokenClaims)),
1267 slog.F("blank", blankFields(idtokenClaims)),
1268 )
1269 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Callers

nothing calls this directly

Calls 15

userInfoClaimsMethod · 0.95
accessTokenClaimsMethod · 0.95
oauthLoginMethod · 0.95
AsSystemRestrictedFunction · 0.92
OAuth2Function · 0.92
InitRequestFunction · 0.92
WriteFunction · 0.92
RenderStaticErrorPageFunction · 0.92
NameValidFunction · 0.92
UsernameFromFunction · 0.92
NormalizeRealUsernameFunction · 0.92
IsHTTPErrorFunction · 0.92

Tested by

no test coverage detected