add idp hint flow (#3)

alirf81 · web-flow · commit 3c737c73f58c · 2022-10-02T13:16:47.000+08:00
diff --git a/pkg/authn/respond_http.go b/pkg/authn/respond_http.go
@@ -266,7 +266,7 @@ func (p *Portal) injectRedirectURL(ctx context.Context, w http.ResponseWriter, r
 	if r.Method == "GET" {
 		q := r.URL.Query()
 		if redirectURL, exists := q["redirect_url"]; exists {
-			c := p.cookie.GetCookie(addrutil.GetSourceHost(r), p.cookie.Referer, util.StripQueryParam(redirectURL[0], "login_hint"))
+			c := p.cookie.GetCookie(addrutil.GetSourceHost(r), p.cookie.Referer, util.StripQueryParam(util.StripQueryParam(redirectURL[0], "login_hint"), "idp_hint"))
 			p.logger.Debug(
 				"redirect recorded",
 				zap.String("session_id", rr.Upstream.SessionID),
diff --git a/pkg/authz/authenticate.go b/pkg/authz/authenticate.go
@@ -334,6 +334,9 @@ func (g *Gatekeeper) handleLoginHint(r *http.Request, ar *requests.Authorization
 			ar.Redirect.LoginHint = loginHint
 		}
 	}
+	if idpHint := r.URL.Query().Get("idp_hint"); idpHint != "" {
+		ar.Redirect.IDPHint = idpHint
+	}
 }
 
 func (g *Gatekeeper) handleAdditionalScopes(r *http.Request, ar *requests.AuthorizationRequest) {
diff --git a/pkg/authz/handlers/redirect.go b/pkg/authz/handlers/redirect.go
@@ -16,12 +16,13 @@ package handlers
 
 import (
 	"fmt"
-	"github.com/greenpau/go-authcrunch/pkg/requests"
-	addrutil "github.com/greenpau/go-authcrunch/pkg/util/addr"
 	"html/template"
 	"net/http"
 	"net/url"
 	"strings"
+
+	"github.com/greenpau/go-authcrunch/pkg/requests"
+	addrutil "github.com/greenpau/go-authcrunch/pkg/util/addr"
 )
 
 var jsRedirTmpl = template.Must(template.New("js_redir").Parse(`
@@ -132,6 +133,13 @@ func configureRedirect(w http.ResponseWriter, r *http.Request, rr *requests.Auth
 		rr.Redirect.Separator = "&"
 	}
 
+	if len(rr.Redirect.IDPHint) > 0 {
+		idpHint := rr.Redirect.IDPHint
+		escapedIDPHint := url.QueryEscape(idpHint)
+		rr.Redirect.AuthURL = fmt.Sprintf("%s%sidp_hint=%s", rr.Redirect.AuthURL, rr.Redirect.Separator, escapedIDPHint)
+		rr.Redirect.Separator = "&"
+	}
+
 	if len(rr.Redirect.AdditionalScopes) > 0 {
 		additionalScopes := rr.Redirect.AdditionalScopes
 		escapedAdditionalScopes := url.QueryEscape(additionalScopes)
diff --git a/pkg/idp/oauth/authenticate.go b/pkg/idp/oauth/authenticate.go
@@ -37,8 +37,8 @@ func (b *IdentityProvider) Authenticate(r *requests.Request) error {
 	reqPath := r.Upstream.BaseURL + path.Join(r.Upstream.BasePath, r.Upstream.Method, r.Upstream.Realm)
 	r.Response.Code = http.StatusBadRequest
 
-	var accessTokenExists, idTokenExists, codeExists, stateExists, errorExists, loginHintExists, additionalScopesExists bool
-	var reqParamsAccessToken, reqParamsIDToken, reqParamsState, reqParamsCode, reqParamsError, reqParamsLoginHint, additionalScopes string
+	var accessTokenExists, idTokenExists, codeExists, stateExists, errorExists, loginHintExists, idpHintExists, additionalScopesExists bool
+	var reqParamsAccessToken, reqParamsIDToken, reqParamsState, reqParamsCode, reqParamsError, reqParamsLoginHint, reqParamsIDPHint, additionalScopes string
 	reqParams := r.Upstream.Request.URL.Query()
 	if _, exists := reqParams["access_token"]; exists {
 		accessTokenExists = true
@@ -64,6 +64,10 @@ func (b *IdentityProvider) Authenticate(r *requests.Request) error {
 		loginHintExists = true
 		reqParamsLoginHint = reqParams["login_hint"][0]
 	}
+	if _, exists := reqParams["idp_hint"]; exists {
+		idpHintExists = true
+		reqParamsIDPHint = reqParams["idp_hint"][0]
+	}
 	if _, exists := reqParams["additional_scopes"]; exists {
 		additionalScopesExists = true
 		additionalScopes = reqParams["additional_scopes"][0]
@@ -238,6 +242,9 @@ func (b *IdentityProvider) Authenticate(r *requests.Request) error {
 	if loginHintExists {
 		params.Set("login_hint", reqParamsLoginHint)
 	}
+	if idpHintExists {
+		params.Set("kc_idp_hint", reqParamsIDPHint)
+	}
 
 	params.Set("client_id", b.config.ClientID)
 
diff --git a/pkg/requests/authz.go b/pkg/requests/authz.go
@@ -50,6 +50,7 @@ type RedirectResponse struct {
 	URL              string `json:"url,omitempty" xml:"url,omitempty" yaml:"url,omitempty"`
 	StatusCode       int    `json:"status_code,omitempty" xml:"status_code,omitempty" yaml:"status_code,omitempty"`
 	LoginHint        string `json:"login_hint,omitempty" xml:"login_hint,omitempty" yaml:"login_hint,omitempty"`
+	IDPHint          string `json:"idp_hint,omitempty" xml:"idp_hint,omitempty" yaml:"idp_hint,omitempty"`
 	AdditionalScopes string `json:"additional_scopes,omitempty" xml:"additional_scopes,omitempty" yaml:"additional_scopes,omitempty"`
 }
 

Original file line number	Diff line number	Diff line change
`@@ -334,6 +334,9 @@ func (g Gatekeeper) handleLoginHint(r http.Request, ar *requests.Authorization`
`334`	`334`	`ar.Redirect.LoginHint = loginHint`
`335`	`335`	`}`
`336`	`336`	`}`
	`337`	`+ if idpHint := r.URL.Query().Get("idp_hint"); idpHint != "" {`
	`338`	`+ ar.Redirect.IDPHint = idpHint`
	`339`	`+ }`
`337`	`340`	`}`
`338`	`341`
`339`	`342`	`func (g Gatekeeper) handleAdditionalScopes(r http.Request, ar *requests.AuthorizationRequest) {`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ type RedirectResponse struct {`
`50`	`50`	URL string `json:"url,omitempty" xml:"url,omitempty" yaml:"url,omitempty"`
`51`	`51`	StatusCode int `json:"status_code,omitempty" xml:"status_code,omitempty" yaml:"status_code,omitempty"`
`52`	`52`	LoginHint string `json:"login_hint,omitempty" xml:"login_hint,omitempty" yaml:"login_hint,omitempty"`
	`53`	+ IDPHint string `json:"idp_hint,omitempty" xml:"idp_hint,omitempty" yaml:"idp_hint,omitempty"`
`53`	`54`	AdditionalScopes string `json:"additional_scopes,omitempty" xml:"additional_scopes,omitempty" yaml:"additional_scopes,omitempty"`
`54`	`55`	`}`
`55`	`56`