[#1377] added Authentik OAuth2 provider

Co-authored-by: Marc Singer <ms@pr0.tech>
2023-01-16 11:47:08 +02:00
parent fd97732d4d
commit 6d08a5f36f
41 changed files with 261 additions and 116 deletions
@@ -112,6 +112,8 @@ func NewProviderByName(name string) (Provider, error) {
 		return NewGiteeProvider(), nil
 	case NameLivechat:
 		return NewLivechatProvider(), nil
+	case NameAuthentik:
+		return NewAuthentikProvider(), nil
 	default:
 		return nil, errors.New("Missing provider " + name)
 	}
@@ -135,4 +135,13 @@ func TestNewProviderByName(t *testing.T) {
 	if _, ok := p.(*auth.Livechat); !ok {
 		t.Error("Expected to be instance of *auth.Livechat")
 	}
+
+	// authentik
+	p, err = auth.NewProviderByName(auth.NameAuthentik)
+	if err != nil {
+		t.Errorf("Expected nil, got error %v", err)
+	}
+	if _, ok := p.(*auth.Authentik); !ok {
+		t.Error("Expected to be instance of *auth.Authentik")
+	}
 }
@@ -0,0 +1,71 @@
+package auth
+
+import (
+	"encoding/json"
+
+	"golang.org/x/oauth2"
+)
+
+var _ Provider = (*Authentik)(nil)
+
+// NameAuthentik is the unique name of the Authentik provider.
+const NameAuthentik string = "authentik"
+
+// Authentik allows authentication via Authentik OAuth2.
+type Authentik struct {
+	*baseProvider
+}
+
+// NewAuthentikProvider creates new Authentik provider instance with some defaults.
+func NewAuthentikProvider() *Authentik {
+	return &Authentik{&baseProvider{
+		scopes: []string{
+			"openid", // minimal requirement to return the id
+			"email",
+			"profile",
+		},
+	}}
+}
+
+// FetchAuthUser returns an AuthUser instance based the Authentik's user api.
+//
+// API reference: https://goauthentik.io/docs/providers/oauth2/
+func (p *Authentik) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
+	data, err := p.FetchRawUserData(token)
+	if err != nil {
+		return nil, err
+	}
+
+	rawUser := map[string]any{}
+	if err := json.Unmarshal(data, &rawUser); err != nil {
+		return nil, err
+	}
+
+	extracted := struct {
+		Id            string `json:"sub"`
+		Name          string `json:"name"`
+		Username      string `json:"preferred_username"`
+		Picture       string `json:"picture"`
+		Email         string `json:"email"`
+		EmailVerified bool   `json:"email_verified"`
+	}{}
+	if err := json.Unmarshal(data, &extracted); err != nil {
+		return nil, err
+	}
+
+	user := &AuthUser{
+		Id:           extracted.Id,
+		Name:         extracted.Name,
+		Username:     extracted.Username,
+		AvatarUrl:    extracted.Picture,
+		RawUser:      rawUser,
+		AccessToken:  token.AccessToken,
+		RefreshToken: token.RefreshToken,
+	}
+
+	if extracted.EmailVerified {
+		user.Email = extracted.Email
+	}
+
+	return user, nil
+}
@@ -58,7 +58,6 @@ func (p *Strava) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 	}

 	user := &AuthUser{
-		Id:           strconv.Itoa(extracted.Id),
 		Name:         extracted.FirstName + " " + extracted.LastName,
 		Username:     extracted.Username,
 		AvatarUrl:    extracted.ProfileImageUrl,
@@ -67,5 +66,9 @@ func (p *Strava) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 		RefreshToken: token.RefreshToken,
 	}

+	if extracted.Id != 0 {
+		user.Id = strconv.Itoa(extracted.Id)
+	}
+
 	return user, nil
 }