silo/internal/auth/oidc.go

package auth

import (
	"context"
	"fmt"

	"github.com/coreos/go-oidc/v3/oidc"
	"golang.org/x/oauth2"
)

// OIDCConfig holds settings for the OIDC backend.
type OIDCConfig struct {
	IssuerURL    string
	ClientID     string
	ClientSecret string
	RedirectURL  string
	Scopes       []string
	AdminRole    string
	EditorRole   string
	DefaultRole  string
}

// OIDCBackend handles OIDC redirect-based authentication (e.g., Keycloak).
type OIDCBackend struct {
	cfg      OIDCConfig
	provider *oidc.Provider
	verifier *oidc.IDTokenVerifier
	oauth    oauth2.Config
}

// NewOIDCBackend creates and initializes an OIDC backend.
// Contacts the issuer URL to discover endpoints, so requires network access.
func NewOIDCBackend(ctx context.Context, cfg OIDCConfig) (*OIDCBackend, error) {
	provider, err := oidc.NewProvider(ctx, cfg.IssuerURL)
	if err != nil {
		return nil, fmt.Errorf("oidc provider discovery: %w", err)
	}

	scopes := cfg.Scopes
	if len(scopes) == 0 {
		scopes = []string{oidc.ScopeOpenID, "profile", "email"}
	}

	oauthConfig := oauth2.Config{
		ClientID:     cfg.ClientID,
		ClientSecret: cfg.ClientSecret,
		RedirectURL:  cfg.RedirectURL,
		Endpoint:     provider.Endpoint(),
		Scopes:       scopes,
	}

	return &OIDCBackend{
		cfg:      cfg,
		provider: provider,
		verifier: provider.Verifier(&oidc.Config{ClientID: cfg.ClientID}),
		oauth:    oauthConfig,
	}, nil
}

// Name returns "oidc".
func (b *OIDCBackend) Name() string { return "oidc" }

// Authenticate is not used for OIDC — the redirect flow is handled by
// AuthCodeURL and Exchange instead.
func (b *OIDCBackend) Authenticate(_ context.Context, _, _ string) (*User, error) {
	return nil, fmt.Errorf("OIDC requires redirect flow, not direct authentication")
}

// AuthCodeURL generates the OIDC authorization URL with the given state parameter.
func (b *OIDCBackend) AuthCodeURL(state string) string {
	return b.oauth.AuthCodeURL(state)
}

// Exchange handles the OIDC callback: exchanges the authorization code for tokens,
// verifies the ID token, and extracts user claims.
func (b *OIDCBackend) Exchange(ctx context.Context, code string) (*User, error) {
	token, err := b.oauth.Exchange(ctx, code)
	if err != nil {
		return nil, fmt.Errorf("oidc code exchange: %w", err)
	}

	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		return nil, fmt.Errorf("no id_token in oidc response")
	}

	idToken, err := b.verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, fmt.Errorf("oidc token verification: %w", err)
	}

	var claims struct {
		Subject          string `json:"sub"`
		PreferredUsername string `json:"preferred_username"`
		Email            string `json:"email"`
		Name             string `json:"name"`
		RealmAccess      struct {
			Roles []string `json:"roles"`
		} `json:"realm_access"`
	}
	if err := idToken.Claims(&claims); err != nil {
		return nil, fmt.Errorf("parsing oidc claims: %w", err)
	}

	username := claims.PreferredUsername
	if username == "" {
		username = claims.Subject
	}
	displayName := claims.Name
	if displayName == "" {
		displayName = username
	}

	role := b.resolveRole(claims.RealmAccess.Roles)

	return &User{
		ID:          claims.Subject, // Temporarily holds OIDC subject; replaced by DB ID after upsert
		Username:    username,
		DisplayName: displayName,
		Email:       claims.Email,
		Role:        role,
		AuthSource:  "oidc",
	}, nil
}

// resolveRole maps Keycloak realm roles to a Silo role.
func (b *OIDCBackend) resolveRole(roles []string) string {
	roleSet := make(map[string]struct{}, len(roles))
	for _, r := range roles {
		roleSet[r] = struct{}{}
	}

	if b.cfg.AdminRole != "" {
		if _, ok := roleSet[b.cfg.AdminRole]; ok {
			return RoleAdmin
		}
	}
	if b.cfg.EditorRole != "" {
		if _, ok := roleSet[b.cfg.EditorRole]; ok {
			return RoleEditor
		}
	}

	if b.cfg.DefaultRole != "" {
		return b.cfg.DefaultRole
	}
	return RoleViewer
}