add acr parameter for auth-layer

This commit is contained in:
Michael Michel 2024-05-24 14:39:22 +02:00 committed by spiegie
parent e62aba722c
commit d837f3b6d6
3 changed files with 17 additions and 2 deletions


@ -41,6 +41,7 @@ pub async fn run(
client_id, client_id,
client_secret, client_secret,
vec![], vec![],
None,
) )
.await .await
.unwrap(), .unwrap(),


@ -100,6 +100,7 @@ pub struct OidcClient<AC: AdditionalClaims> {
client: Client<AC>, client: Client<AC>,
application_base_url: Uri, application_base_url: Uri,
end_session_endpoint: Option<Uri>, end_session_endpoint: Option<Uri>,
acr: Option<String>,
} }
impl<AC: AdditionalClaims> OidcClient<AC> { impl<AC: AdditionalClaims> OidcClient<AC> {
@ -110,6 +111,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_id: String, client_id: String,
client_secret: Option<String>, client_secret: Option<String>,
scopes: Vec<String>, scopes: Vec<String>,
acr: Option<String>,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
let end_session_endpoint = provider_metadata let end_session_endpoint = provider_metadata
.additional_metadata() .additional_metadata()
@ -129,6 +131,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_id, client_id,
application_base_url, application_base_url,
end_session_endpoint, end_session_endpoint,
acr,
}) })
} }
@ -140,6 +143,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_id: String, client_id: String,
client_secret: Option<String>, client_secret: Option<String>,
scopes: Vec<String>, scopes: Vec<String>,
acr: Option<String>,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
let client = reqwest::Client::default(); let client = reqwest::Client::default();
Self::discover_new_with_client( Self::discover_new_with_client(
@ -149,6 +153,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_secret, client_secret,
scopes, scopes,
&client, &client,
acr,
) )
.await .await
} }
@ -163,6 +168,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_secret: Option<String>, client_secret: Option<String>,
scopes: Vec<String>, scopes: Vec<String>,
client: &reqwest::Client, client: &reqwest::Client,
acr: Option<String>,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
// modified version of `openidconnect::reqwest::async_client::async_http_client`. // modified version of `openidconnect::reqwest::async_client::async_http_client`.
let async_http_client = |request: HttpRequest| async move { let async_http_client = |request: HttpRequest| async move {
@ -202,6 +208,7 @@ impl<AC: AdditionalClaims> OidcClient<AC> {
client_id, client_id,
client_secret, client_secret,
scopes, scopes,
acr,
) )
} }
} }
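Review bot: The new `acr: Option<String>` field on `OidcClient` and the matching constructor parameter carry no documentation, and nothing records that the value is only a hint sent to the provider rather than something this client enforces. Suggest on the field: `/// Authentication Context Class Reference sent as acr_values in the authorization request. The provider may ignore it, so code that depends on the authentication strength must also check the acr claim of the returned ID token.` A point of style: `new` and `discover_new` take `acr` directly after `scopes`, while `discover_new_with_client` places it after `client: &reqwest::Client`; keeping the parameter in the same position across the three constructors would make the signatures easier to read. The constructor bodies start and end outside these hunks.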


@ -17,8 +17,9 @@ use tower_sessions::Session;
use openidconnect::{ use openidconnect::{
core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim}, core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim},
reqwest::async_http_client, reqwest::async_http_client,
AccessToken, AccessTokenHash, AuthorizationCode, CsrfToken, IdTokenClaims, Nonce, AccessToken, AccessTokenHash, AuthenticationContextClass, AuthorizationCode, CsrfToken,
OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, IdTokenClaims, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl,
RefreshToken,
RequestTokenError::ServerResponse, RequestTokenError::ServerResponse,
Scope, TokenResponse, Scope, TokenResponse,
}; };
@ -187,6 +188,10 @@ where
for scope in oidcclient.scopes.iter() { for scope in oidcclient.scopes.iter() {
auth = auth.add_scope(Scope::new(scope.to_string())); auth = auth.add_scope(Scope::new(scope.to_string()));
} }
if let Some(acr) = oidcclient.acr {
auth =
auth.add_auth_context_value(AuthenticationContextClass::new(acr));
}
auth.set_pkce_challenge(pkce_challenge).url() auth.set_pkce_challenge(pkce_challenge).url()
}; };
@ -228,6 +233,7 @@ impl<AC: AdditionalClaims> OidcAuthLayer<AC> {
client_id: String, client_id: String,
client_secret: Option<String>, client_secret: Option<String>,
scopes: Vec<String>, scopes: Vec<String>,
acr: Option<String>,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
Ok(Self { Ok(Self {
client: OidcClient::<AC>::discover_new( client: OidcClient::<AC>::discover_new(
@ -236,6 +242,7 @@ impl<AC: AdditionalClaims> OidcAuthLayer<AC> {
client_id, client_id,
client_secret, client_secret,
scopes, scopes,
acr,
) )
.await?, .await?,
}) })
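Review bot: The `acr_values` added in the authorization-URL builder via `add_auth_context_value` only requests that context from the provider; in OIDC Core this is a voluntary claim request, so the OP may authenticate at a weaker level or ignore it, and nothing in this commit checks the `acr` claim of the returned ID token, which means the layer cannot rely on the requested strength. Where the callback verifies the ID token claims (outside this hunk), compare the returned class against the configured one, along the lines of `if let Some(want) = oidcclient.acr.as_deref() { if claims.auth_context_ref().map(|c| c.as_str()) != Some(want) { return Err(/* acr mismatch */); } }`, and reject the session on mismatch. Separately, `if let Some(acr) = oidcclient.acr` moves the field out of `oidcclient`; if `oidcclient` is a borrow here or is used afterwards, this would need `oidcclient.acr.clone()` since `AuthenticationContextClass::new` takes an owned `String`. The enclosing function starts before this hunk.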