添加 OIDC 认证支持，更新环境变量配置，重构 Docker Compose 文件，移除旧的 Dex 初始化脚本，优化用户模型，更新前端登录流程，支持通过 OIDC 登录。

2026-06-03 22:02:57 +00:00 · 2025-08-18 20:50:43 +08:00
parent fa80805bb1
commit 4da39f2d6a
12 changed files with 233 additions and 179 deletions
@@ -0,0 +1,155 @@
+package auth
+
+import (
+	"context"
+	"excalidraw-complete/core"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+)
+
+var (
+	oidcOauthConfig *oauth2.Config
+	oidcProvider    *oidc.Provider
+	verifier        *oidc.IDTokenVerifier
+)
+
+// OIDCClaims represents the claims from OIDC token
+type OIDCClaims struct {
+	Email             string `json:"email"`
+	Name              string `json:"name"`
+	PreferredUsername string `json:"preferred_username"`
+	Picture           string `json:"picture"`
+	Sub               string `json:"sub"`
+}
+
+func InitDex() {
+	providerURL := os.Getenv("OIDC_ISSUER_URL")
+	clientID := os.Getenv("OIDC_CLIENT_ID")
+	clientSecret := os.Getenv("OIDC_CLIENT_SECRET")
+	redirectURL := os.Getenv("OIDC_REDIRECT_URL")
+
+	if providerURL == "" || clientID == "" || clientSecret == "" {
+		logrus.Warn("OIDC credentials are not set. OIDC authentication routes will not work.")
+		return
+	}
+
+	var err error
+	oidcProvider, err = oidc.NewProvider(context.Background(), providerURL)
+	if err != nil {
+		logrus.Errorf("Failed to create OIDC provider: %s", err.Error())
+		return
+	}
+
+	oidcOauthConfig = &oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectURL,
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+		Endpoint:     oidcProvider.Endpoint(),
+	}
+
+	logrus.Info("OIDC provider initialized")
+
+	verifier = oidcProvider.Verifier(&oidc.Config{
+		ClientID: clientID,
+	})
+}
+
+func HandleOIDCLogin(w http.ResponseWriter, r *http.Request) {
+	if oidcOauthConfig == nil {
+		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
+		return
+	}
+
+	url := oidcOauthConfig.AuthCodeURL("random", oauth2.AccessTypeOffline)
+	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
+}
+
+func HandleOIDCCallback(w http.ResponseWriter, r *http.Request) {
+	if oidcOauthConfig == nil {
+		http.Error(w, "OIDC is not configured", http.StatusInternalServerError)
+		return
+	}
+
+	code := r.FormValue("code")
+	if code == "" {
+		logrus.Error("no code in callback")
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	token, err := oidcOauthConfig.Exchange(context.Background(), code)
+	if err != nil {
+		logrus.Errorf("failed to exchange token: %s", err.Error())
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		logrus.Error("no id_token in token response")
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	idToken, err := verifier.Verify(context.Background(), rawIDToken)
+	if err != nil {
+		logrus.Errorf("failed to verify ID token: %s", err.Error())
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	var claims OIDCClaims
+	if err := idToken.Claims(&claims); err != nil {
+		logrus.Errorf("failed to extract claims from ID token: %s", err.Error())
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	// Create user from OIDC claims
+	user := &core.User{
+		Subject:   claims.Sub,
+		Login:     claims.PreferredUsername,
+		Email:     claims.Email,
+		AvatarURL: claims.Picture,
+		Name:      claims.Name,
+	}
+
+	// If preferred_username is not available, use email
+	if user.Login == "" && user.Email != "" {
+		user.Login = user.Email
+	}
+
+	jwtToken, err := createOIDCJWT(user)
+	if err != nil {
+		logrus.Errorf("failed to create JWT: %s", err.Error())
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	// Redirect to frontend with token
+	http.Redirect(w, r, fmt.Sprintf("/?token=%s", jwtToken), http.StatusTemporaryRedirect)
+}
+
+func createOIDCJWT(user *core.User) (string, error) {
+	claims := AppClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Subject:   user.Subject,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24 * 7)), // 1 week
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+		},
+		Login:     user.Login,
+		AvatarURL: user.AvatarURL,
+		Name:      user.Name,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(jwtSecret)
+}
@@ -23,7 +23,6 @@ var (
 	jwtSecret         []byte
 )

-const oauthStateString = "random"

 // AppClaims represents the custom claims for the JWT.
 type AppClaims struct {
@@ -124,10 +123,9 @@ func HandleGitHubCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// For now we don't have a user database, so we create a user object on the fly.
-	// In phase 3, we will save/get the user from the database here.
+	// Create user object using Subject instead of GitHubID
 	user := &core.User{
-		GitHubID:  githubUser.ID,
+		Subject:   fmt.Sprintf("github:%d", githubUser.ID),
 		Login:     githubUser.Login,
 		AvatarURL: githubUser.AvatarURL,
 		Name:      githubUser.Name,
@@ -147,7 +145,7 @@ func HandleGitHubCallback(w http.ResponseWriter, r *http.Request) {
 func createJWT(user *core.User) (string, error) {
 	claims := AppClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   fmt.Sprintf("%d", user.GitHubID),
+			Subject:   user.Subject,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24 * 7)), // 1 week
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},