472 lines
16 KiB
Text
472 lines
16 KiB
Text
[OpenID Connect](https://openid.net/connect/)
|
|
=============================================
|
|
|
|
Use OpenID Connect to authenticate your users.
|
|
This example use google OIDC provider.
|
|
It was made for a working with single page application where
|
|
some login token would be saved in the user agent local storage.
|
|
|
|
Workflow:
|
|
|
|
1. user is presented with a login button,
|
|
2. when the user clicks on the button it is redirected to the OIDC
|
|
provider,
|
|
3. the user login in the OIDC provider,
|
|
4. the OIDC provider will redirect the user and provide a `code`,
|
|
5. the server will use this code to make a POST to the OIDC provider
|
|
and will get back authentication infos,
|
|
6. The user will get display an HTML page that will save a secret
|
|
identifying him in the local storage, then it will be redirected to
|
|
/.
|
|
|
|
Let's put the imports behind us:
|
|
|
|
``` haskell
|
|
{-# LANGUAGE DataKinds #-}
|
|
{-# LANGUAGE DeriveGeneric #-}
|
|
{-# LANGUAGE DuplicateRecordFields #-}
|
|
{-# LANGUAGE FlexibleContexts #-}
|
|
{-# LANGUAGE FlexibleInstances #-}
|
|
{-# LANGUAGE MultiParamTypeClasses #-}
|
|
{-# LANGUAGE NoImplicitPrelude #-}
|
|
{-# LANGUAGE OverloadedLists #-}
|
|
{-# LANGUAGE OverloadedStrings #-}
|
|
{-# LANGUAGE PartialTypeSignatures #-}
|
|
{-# LANGUAGE PolyKinds #-}
|
|
{-# LANGUAGE RankNTypes #-}
|
|
{-# LANGUAGE RecordWildCards #-}
|
|
{-# LANGUAGE ScopedTypeVariables #-}
|
|
{-# LANGUAGE TypeFamilies #-}
|
|
{-# LANGUAGE TypeOperators #-}
|
|
{-# LANGUAGE TypeSynonymInstances #-}
|
|
|
|
module Main where
|
|
|
|
import Protolude
|
|
|
|
import Data.Aeson
|
|
(FromJSON (..), (.:))
|
|
import qualified Data.Aeson as JSON
|
|
import qualified Data.Aeson.Types as AeT
|
|
import qualified Data.ByteString.Lazy as LBS
|
|
import qualified Data.List as List
|
|
import qualified Data.Text as Text
|
|
import Jose.Jwt
|
|
(Jwt (..), decodeClaims)
|
|
import Network.HTTP.Client
|
|
(Manager, newManager)
|
|
import Network.HTTP.Client.TLS
|
|
(tlsManagerSettings)
|
|
import Network.Wai.Handler.Warp
|
|
(run)
|
|
import Servant
|
|
import Servant.HTML.Blaze
|
|
(HTML)
|
|
import qualified System.Random as Random
|
|
import Text.Blaze
|
|
(ToMarkup (..))
|
|
import qualified Text.Blaze.Html as H
|
|
import Text.Blaze.Html5
|
|
((!))
|
|
import qualified Text.Blaze.Html5 as H
|
|
import qualified Text.Blaze.Html5.Attributes as HA
|
|
import Text.Blaze.Renderer.Utf8
|
|
(renderMarkup)
|
|
import qualified Web.OIDC.Client as O
|
|
```
|
|
|
|
You'll need to create a new OpenID Connect client in an OpenID Provider.
|
|
This example was tested with Google.
|
|
|
|
You can find a list of public OIDC provider here:
|
|
https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/openid-connect-providers
|
|
|
|
I copied some here:
|
|
|
|
- Google: https://developers.google.com/identity/protocols/OpenIDConnect
|
|
more precisely: https://console.developers.google.com/apis/credentials
|
|
- Microsoft: https://docs.microsoft.com/en-us/previous-versions/azure/dn645541(v=azure.100)
|
|
- Yahoo: https://developer.yahoo.com/oauth2/guide/openid_connect/
|
|
- PayPal: https://developer.paypal.com/docs/integration/direct/identity/log-in-with-paypal/
|
|
|
|
During the configuration you'll need to provide a redirect uri.
|
|
The redirect_uri should correspond to the uri user will be redirected to
|
|
after a successful login into the OpenID provider.
|
|
|
|
So during your test, you should certainly just use `http://localhost:3000/login/cb`.
|
|
In general you should use your own domain name.
|
|
|
|
You'll then be given a `client_id` and a `client_password`.
|
|
Fill those values in here:
|
|
|
|
``` haskell
|
|
oidcConf :: OIDCConf
|
|
oidcConf = OIDCConf { redirectUri = "http://localhost:3000/login/cb"
|
|
, clientId = "xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
|
|
, clientPassword = "************************" }
|
|
```
|
|
|
|
Then we declare our main server:
|
|
|
|
``` haskell
|
|
main :: IO ()
|
|
main = do
|
|
oidcEnv <- initOIDC oidcConf
|
|
run 3000 (app oidcEnv)
|
|
|
|
type API = IdentityRoutes Customer
|
|
:<|> Get '[HTML] Homepage
|
|
|
|
api :: Proxy API
|
|
api = Proxy
|
|
|
|
server :: OIDCEnv -> Server API
|
|
server oidcEnv = serveOIDC oidcEnv handleOIDCLogin
|
|
:<|> return Homepage
|
|
|
|
-- | Then main app
|
|
app :: OIDCEnv -> Application
|
|
app oidcEnv = serve api (server oidcEnv)
|
|
```
|
|
|
|
OIDC
|
|
----
|
|
|
|
That part try to separate concern, and certainly in a real world
|
|
application that should be in its distinct module.
|
|
|
|
``` haskell
|
|
-- * OIDC
|
|
|
|
data OIDCConf =
|
|
OIDCConf { redirectUri :: ByteString
|
|
, clientId :: ByteString
|
|
, clientPassword :: ByteString
|
|
} deriving (Show, Eq)
|
|
```
|
|
|
|
First we need to initialize OIDC.
|
|
A short explanation about it:
|
|
|
|
- to complete the workflow we need to make a POST request to the OIDC provider.
|
|
So we need to create an http manager to make those call properly.
|
|
- Then in order to prevent replay attack, each time an user wants to login we
|
|
should provide a random string called the `state`. When the user is
|
|
redirected to the `redirect_uri`, the OIDC provider should provide the same
|
|
`state` along a `code` parameter.
|
|
|
|
``` haskell
|
|
initOIDC :: OIDCConf -> IO OIDCEnv
|
|
initOIDC OIDCConf{..} = do
|
|
mgr <- newManager tlsManagerSettings
|
|
prov <- O.discover "https://accounts.google.com" mgr
|
|
let oidc = O.setCredentials clientId clientPassword redirectUri (O.newOIDC prov)
|
|
return OIDCEnv { oidc = oidc
|
|
, mgr = mgr
|
|
, genState = genRandomBS
|
|
, prov = prov
|
|
, redirectUri = redirectUri
|
|
, clientId = clientId
|
|
, clientPassword = clientPassword
|
|
}
|
|
|
|
data OIDCEnv = OIDCEnv { oidc :: O.OIDC
|
|
, mgr :: Manager
|
|
, genState :: IO ByteString
|
|
, prov :: O.Provider
|
|
, redirectUri :: ByteString
|
|
, clientId :: ByteString
|
|
, clientPassword :: ByteString
|
|
}
|
|
```
|
|
|
|
The `IdentityRoutes` are two endpoints:
|
|
|
|
- an endpoint to redirect the users to the OIDC Provider,
|
|
- another one the user will be redirected to from the OIDC Provider.
|
|
|
|
``` haskell
|
|
type IdentityRoutes a =
|
|
"login" :> ( -- redirect User to the OpenID Provider
|
|
Get '[JSON] NoContent
|
|
-- render the page that will save the user creds in the user-agent
|
|
:<|> "cb" :> QueryParam "error" Text
|
|
:> QueryParam "code" Text
|
|
:> Get '[HTML] User)
|
|
|
|
-- | gen a 302 redirect helper
|
|
redirects :: (StringConv s ByteString) => s -> Handler ()
|
|
redirects url = throwError err302 { errHeaders = [("Location",toS url)]}
|
|
```
|
|
|
|
That function will generate the URL to redirect the users to when
|
|
they'll click on the login link: `https://yourdomain/login`.
|
|
|
|
``` haskell
|
|
genOIDCURL :: OIDCEnv -> IO ByteString
|
|
genOIDCURL OIDCEnv{..} = do
|
|
st <- genState -- generate a random string
|
|
let oidcCreds = O.setCredentials clientId clientPassword redirectUri (O.newOIDC prov)
|
|
loc <- O.getAuthenticationRequestUrl oidcCreds [O.openId, O.email, O.profile] (Just st) []
|
|
return (show loc)
|
|
|
|
handleLogin :: OIDCEnv -> Handler NoContent
|
|
handleLogin oidcenv = do
|
|
loc <- liftIO (genOIDCURL oidcenv)
|
|
redirects loc
|
|
return NoContent
|
|
```
|
|
|
|
The `AuthInfo` is about the infos we can grab from OIDC provider.
|
|
|
|
To be more precise, the user should come with a `code` (a token) and
|
|
POSTing that code to the correct OIDC provider endpoint should return a JSON
|
|
object. One of the fields should be named `id_token` which should be a
|
|
JWT containing all the information we need. Depending on the scopes we
|
|
asked we might get more information.
|
|
|
|
``` haskell
|
|
-- | @AuthInfo@
|
|
data AuthInfo = AuthInfo { email :: Text
|
|
, emailVerified :: Bool
|
|
, name :: Text } deriving (Eq, Show, Generic)
|
|
|
|
instance FromJSON AuthInfo where
|
|
parseJSON (JSON.Object v) = do
|
|
email :: Text <- v .: "email"
|
|
email_verified :: Bool <- v .: "email_verified"
|
|
name :: Text <- v .: "name"
|
|
return $ AuthInfo (toS email) email_verified (toS name)
|
|
parseJSON invalid = AeT.typeMismatch "Coord" invalid
|
|
instance JSON.ToJSON AuthInfo where
|
|
toJSON (AuthInfo e ev n) =
|
|
JSON.object [ "email" JSON..= (toS e :: Text)
|
|
, "email_verified" JSON..= ev
|
|
, "name" JSON..= (toS n :: Text)
|
|
]
|
|
|
|
type LoginHandler = AuthInfo -> IO (Either Text User)
|
|
```
|
|
|
|
The `handleLoggedIn` is that part that will retrieve the information from
|
|
the user once he is redirected from the OIDC Provider after login.
|
|
|
|
If the user is redirected to the `redirect_uri` but with an `error` query
|
|
parameter then it means something went wrong.
|
|
If there is no error query param but a `code` query param it means the user
|
|
successfully logged in. From there we need to make a request to the token
|
|
endpoint of the OIDC provider. It's a POST that should contain the code
|
|
as well as the client id and secret.
|
|
Making this HTTP POST is the responsibility of `requestTokens`.
|
|
|
|
From there we extract the `claims` of the JWT contained in one of the value
|
|
of the JSON returned by the POST HTTP Request.
|
|
|
|
``` haskell
|
|
data User = User { userId :: Text
|
|
, userSecret :: Text
|
|
, localStorageKey :: Text
|
|
, redirectUrl :: Maybe Text
|
|
} deriving (Show,Eq,Ord)
|
|
|
|
handleLoggedIn :: OIDCEnv
|
|
-> LoginHandler -- ^ handle successful id
|
|
-> Maybe Text -- ^ error
|
|
-> Maybe Text -- ^ code
|
|
-> Handler User
|
|
handleLoggedIn oidcenv handleSuccessfulId err mcode =
|
|
case err of
|
|
Just errorMsg -> forbidden errorMsg
|
|
Nothing -> case mcode of
|
|
Just oauthCode -> do
|
|
tokens <- liftIO $ O.requestTokens (oidc oidcenv) (toS oauthCode) (mgr oidcenv)
|
|
putText . show . O.claims . O.idToken $ tokens
|
|
let jwt = toS . unJwt . O.jwt . O.idToken $ tokens
|
|
eAuthInfo = decodeClaims jwt :: Either O.JwtError (O.JwtHeader,AuthInfo)
|
|
case eAuthInfo of
|
|
Left jwtErr -> forbidden $ "JWT decode/check problem: " <> show jwtErr
|
|
Right (_,authInfo) ->
|
|
if emailVerified authInfo
|
|
then do
|
|
user <- liftIO $ handleSuccessfulId authInfo
|
|
either forbidden return user
|
|
else forbidden "Please verify your email"
|
|
Nothing -> do
|
|
liftIO $ putText "No code param"
|
|
forbidden "no code parameter given"
|
|
```
|
|
|
|
When you render a User with blaze-html, it will generate a page with a js
|
|
that will put a secret for that user in the local storage. And it will
|
|
redirect the user to /.
|
|
|
|
``` haskell
|
|
instance ToMarkup User where
|
|
toMarkup User{..} = H.docTypeHtml $ do
|
|
H.head $
|
|
H.title "Logged In"
|
|
H.body $ do
|
|
H.h1 "Logged In"
|
|
H.p (H.toHtml ("Successful login with id " <> userId))
|
|
H.script (H.toHtml ("localStorage.setItem('" <> localStorageKey <> "','" <> userSecret <> "');"
|
|
<> "localStorage.setItem('user-id','" <> userId <> "');"
|
|
<> "window.location='" <> fromMaybe "/" redirectUrl <> "';" -- redirect the user to /
|
|
));
|
|
|
|
serveOIDC :: OIDCEnv -> LoginHandler -> Server (IdentityRoutes a)
|
|
serveOIDC oidcenv loginHandler =
|
|
handleLogin oidcenv :<|> handleLoggedIn oidcenv loginHandler
|
|
|
|
-- * Auth
|
|
type APIKey = ByteString
|
|
type Account = Text.Text
|
|
type Conf = [(APIKey,Account)]
|
|
data Customer = Customer {
|
|
account :: Account
|
|
, apiKey :: APIKey
|
|
, mail :: Maybe Text
|
|
, fullname :: Maybe Text
|
|
}
|
|
```
|
|
|
|
Here is the code that displays the homepage.
|
|
It should contain a link to the `/login` URL.
|
|
When the user clicks on this link it will be redirected to Google login page
|
|
with some generated information.
|
|
|
|
The page also displays the content of the local storage.
|
|
And in particular the items `api-key` and `user-id`.
|
|
Those items should be set after a successful login when the user is redirected to
|
|
`/login/cb`.
|
|
|
|
The logic used generally is to use that api-key to uniquely identify an user.
|
|
Another option would have been to set a cookie.
|
|
|
|
``` haskell
|
|
data Homepage = Homepage
|
|
|
|
instance ToMarkup Homepage where
|
|
toMarkup Homepage = H.docTypeHtml $ do
|
|
H.head $ do
|
|
H.title "OpenID Connect Servant Example"
|
|
H.style (H.toHtml ("body { font-family: monospace; font-size: 18px; }" :: Text.Text))
|
|
H.body $ do
|
|
H.h1 "OpenID Connect Servant Example"
|
|
H.div $
|
|
H.a ! HA.href "/login" $ "Click here to login"
|
|
H.ul $ do
|
|
H.li $ do
|
|
H.span "API Key in Local storage: "
|
|
H.script (H.toHtml ("document.write(localStorage.getItem('api-key'));" :: Text.Text))
|
|
H.li $ do
|
|
H.span "User ID in Local storage: "
|
|
H.script (H.toHtml ("document.write(localStorage.getItem('user-id'));" :: Text.Text))
|
|
```
|
|
|
|
We need some helpers to generate random string for generating state and API Keys.
|
|
|
|
``` haskell
|
|
-- | generate a random ByteString, not necessarily extremely good randomness
|
|
-- still the password will be long enough to be very difficult to crack
|
|
genRandomBS :: IO ByteString
|
|
genRandomBS = do
|
|
g <- Random.newStdGen
|
|
Random.randomRs (0, n) g & take 42 & fmap toChar & readable 0 & toS & return
|
|
where
|
|
n = length letters - 1
|
|
toChar i = letters List.!! i
|
|
letters = ['A'..'Z'] <> ['0'..'9'] <> ['a'..'z']
|
|
readable :: Int -> [Char] -> [Char]
|
|
readable _ [] = []
|
|
readable i str =
|
|
let blocksize = case n of
|
|
0 -> 8
|
|
1 -> 4
|
|
2 -> 4
|
|
3 -> 4
|
|
_ -> 12
|
|
block = take blocksize str
|
|
rest = drop blocksize str
|
|
in if List.null rest
|
|
then str
|
|
else block <> "-" <> readable (i+1) rest
|
|
|
|
customerFromAuthInfo :: AuthInfo -> IO Customer
|
|
customerFromAuthInfo authinfo = do
|
|
apikey <- genRandomBS
|
|
return Customer { account = toS (email authinfo)
|
|
, apiKey = apikey
|
|
, mail = Just (toS (email authinfo))
|
|
, fullname = Just (toS (name authinfo))
|
|
}
|
|
|
|
handleOIDCLogin :: LoginHandler
|
|
handleOIDCLogin authInfo = do
|
|
custInfo <- customerFromAuthInfo authInfo
|
|
if emailVerified authInfo
|
|
then return . Right . customerToUser $ custInfo
|
|
else return (Left "You emails is not verified by your provider. Please verify your email.")
|
|
where
|
|
customerToUser :: Customer -> User
|
|
customerToUser c =
|
|
User { userId = toS (account c)
|
|
, userSecret = toS (apiKey c)
|
|
, redirectUrl = Nothing
|
|
, localStorageKey = "api-key"
|
|
}
|
|
```
|
|
|
|
`Error` helpers
|
|
---------------
|
|
|
|
``` haskell
|
|
data Err = Err { errTitle :: Text
|
|
, errMsg :: Text }
|
|
|
|
instance ToMarkup Err where
|
|
toMarkup Err{..} = H.docTypeHtml $ do
|
|
H.head $ do
|
|
H.title "Error"
|
|
H.body $ do
|
|
H.h1 (H.a ! HA.href "/" $ "Home")
|
|
H.h2 (H.toHtml errTitle)
|
|
H.p (H.toHtml errMsg)
|
|
|
|
format :: ToMarkup a => a -> LBS.ByteString
|
|
format err = toMarkup err & renderMarkup
|
|
|
|
appToErr :: ServerError -> Text -> ServerError
|
|
appToErr x msg = x
|
|
{ errBody = toS $ format (Err (toS (errReasonPhrase x)) msg)
|
|
, errHeaders = [("Content-Type","text/html")]}
|
|
|
|
unauthorized :: (MonadError ServerError m) => Text -> m a
|
|
unauthorized = throwError . unauthorizedErr
|
|
|
|
unauthorizedErr :: Text -> ServerError
|
|
unauthorizedErr = appToErr err401
|
|
|
|
forbidden :: (MonadError ServerError m) => Text -> m a
|
|
forbidden = throwError . forbiddenErr
|
|
|
|
forbiddenErr :: Text -> ServerError
|
|
forbiddenErr = appToErr err403
|
|
|
|
notFound :: ( MonadError ServerError m) => Text -> m a
|
|
notFound = throwError . notFoundErr
|
|
|
|
notFoundErr :: Text -> ServerError
|
|
notFoundErr = appToErr err404
|
|
|
|
preconditionFailed :: ( MonadError ServerError m) => Text -> m a
|
|
preconditionFailed = throwError . preconditionFailedErr
|
|
|
|
preconditionFailedErr :: Text -> ServerError
|
|
preconditionFailedErr = appToErr err412
|
|
|
|
serverError :: ( MonadError ServerError m) => Text -> m a
|
|
serverError = throwError . serverErrorErr
|
|
|
|
serverErrorErr :: Text -> ServerError
|
|
serverErrorErr = appToErr err500
|
|
```
|