@Summary OpenID Connect Callback @ID openid-connect-callback @Security CoderSessionToken @Tags Users @Success 307 @Router /api/v2/users/oidc/callback [get]
(rw http.ResponseWriter, r *http.Request)
| 1210 | // @Success 307 |
| 1211 | // @Router /api/v2/users/oidc/callback [get] |
| 1212 | func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) { |
| 1213 | var ( |
| 1214 | // userOIDC is a system function. |
| 1215 | //nolint:gocritic |
| 1216 | ctx = dbauthz.AsSystemRestricted(r.Context()) |
| 1217 | state = httpmw.OAuth2(r) |
| 1218 | auditor = api.Auditor.Load() |
| 1219 | aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{ |
| 1220 | Audit: *auditor, |
| 1221 | Log: api.Logger, |
| 1222 | Request: r, |
| 1223 | Action: database.AuditActionLogin, |
| 1224 | }) |
| 1225 | ) |
| 1226 | aReq.Old = database.APIKey{} |
| 1227 | defer commitAudit() |
| 1228 | |
| 1229 | // See the example here: https://github.com/coreos/go-oidc |
| 1230 | rawIDToken, ok := state.Token.Extra("id_token").(string) |
| 1231 | if !ok { |
| 1232 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 1233 | Message: "id_token not found in response payload. Ensure your OIDC callback is configured correctly!", |
| 1234 | }) |
| 1235 | return |
| 1236 | } |
| 1237 | |
| 1238 | idToken, err := api.OIDCConfig.Verifier.Verify(ctx, rawIDToken) |
| 1239 | if err != nil { |
| 1240 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 1241 | Message: "Failed to verify OIDC token.", |
| 1242 | Detail: err.Error(), |
| 1243 | }) |
| 1244 | return |
| 1245 | } |
| 1246 | |
| 1247 | logger := api.Logger.Named(userAuthLoggerName) |
| 1248 | |
| 1249 | // "email_verified" is an optional claim that changes the behavior |
| 1250 | // of our OIDC handler, so each property must be pulled manually out |
| 1251 | // of the claim mapping. |
| 1252 | idtokenClaims := map[string]interface{}{} |
| 1253 | err = idToken.Claims(&idtokenClaims) |
| 1254 | if err != nil { |
| 1255 | logger.Error(ctx, "oauth2: unable to extract OIDC claims", slog.Error(err)) |
| 1256 | httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ |
| 1257 | Message: "Failed to extract OIDC claims.", |
| 1258 | Detail: err.Error(), |
| 1259 | }) |
| 1260 | return |
| 1261 | } |
| 1262 | |
| 1263 | if idToken.Subject == "" { |
| 1264 | logger.Error(ctx, "oauth2: missing 'sub' claim field in OIDC token", |
| 1265 | slog.F("source", "id_token"), |
| 1266 | slog.F("claim_fields", claimFields(idtokenClaims)), |
| 1267 | slog.F("blank", blankFields(idtokenClaims)), |
| 1268 | ) |
| 1269 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
nothing calls this directly
no test coverage detected