添加OIDC支持 (#387)

* add general OIDC * use "github.com/coreos/go-oidc/v3/oidc" to simplify oidc config * fix: check if https by X-Forwarded-Proto * recovery config.yaml
2026-02-04 12:40:07 +00:00 · 2024-07-13 06:51:59 +02:00
parent 17373e2dee
commit e1513203b4
7 changed files with 204 additions and 35 deletions
--- a/cmd/dashboard/controller/guest_page.go
+++ b/cmd/dashboard/controller/guest_page.go
@@ -35,6 +35,10 @@ func (gp *guestPage) serve() {
 }

 func (gp *guestPage) login(c *gin.Context) {
+	if singleton.Conf.Oauth2.OidcAutoLogin {
+		c.Redirect(http.StatusFound, "/oauth2/login")
+		return
+	}
 	LoginType := "GitHub"
 	RegistrationLink := "https://github.com/join"
 	if singleton.Conf.Oauth2.Type == model.ConfigTypeGitee {
@@ -52,6 +56,9 @@ func (gp *guestPage) login(c *gin.Context) {
 	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeCloudflare {
 		LoginType = "Cloudflare"
 		RegistrationLink = "https://dash.cloudflare.com/sign-up/teams"
+	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeOidc {
+		LoginType = singleton.Conf.Oauth2.OidcDisplayName
+		RegistrationLink = singleton.Conf.Oauth2.OidcRegisterURL
 	}
 	c.HTML(http.StatusOK, "dashboard-"+singleton.Conf.Site.DashboardTheme+"/login", mygin.CommonEnvironment(c, gin.H{
 		"Title":            singleton.Localizer.MustLocalize(&i18n.LocalizeConfig{MessageID: "Login"}),
--- a/cmd/dashboard/controller/member_api.go
+++ b/cmd/dashboard/controller/member_api.go
@@ -847,6 +847,11 @@ func (ma *memberAPI) logout(c *gin.Context) {
 	c.JSON(http.StatusOK, model.Response{
 		Code: http.StatusOK,
 	})
+
+	if oidcLogoutUrl := singleton.Conf.Oauth2.OidcLogoutURL; oidcLogoutUrl != "" {
+		// 重定向到 OIDC 退出登录地址。不知道为什么，这里的重定向不生效
+		c.Redirect(http.StatusOK, oidcLogoutUrl)
+	}
 }

 type settingForm struct {
--- a/cmd/dashboard/controller/oauth2.go
+++ b/cmd/dashboard/controller/oauth2.go
@@ -10,25 +10,27 @@ import (
 	"strings"
 	"time"

+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/naiba/nezha/pkg/oidc/cloudflare"
+	myOidc "github.com/naiba/nezha/pkg/oidc/general"

 	"code.gitea.io/sdk/gitea"
 	"github.com/gin-gonic/gin"
 	GitHubAPI "github.com/google/go-github/v47/github"
+	"github.com/naiba/nezha/model"
+	"github.com/naiba/nezha/pkg/mygin"
+	"github.com/naiba/nezha/pkg/utils"
+	"github.com/naiba/nezha/service/singleton"
 	"github.com/patrickmn/go-cache"
 	"github.com/xanzy/go-gitlab"
 	"golang.org/x/oauth2"
 	GitHubOauth2 "golang.org/x/oauth2/github"
 	GitlabOauth2 "golang.org/x/oauth2/gitlab"
-
-	"github.com/naiba/nezha/model"
-	"github.com/naiba/nezha/pkg/mygin"
-	"github.com/naiba/nezha/pkg/utils"
-	"github.com/naiba/nezha/service/singleton"
 )

 type oauth2controller struct {
-	r gin.IRoutes
+	r            gin.IRoutes
+	oidcProvider *oidc.Provider
 }

 func (oa *oauth2controller) serve() {
@@ -88,6 +90,27 @@ func (oa *oauth2controller) getCommonOauth2Config(c *gin.Context) *oauth2.Config
 			},
 			RedirectURL: oa.getRedirectURL(c),
 		}
+	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeOidc {
+		var err error
+		oa.oidcProvider, err = oidc.NewProvider(c.Request.Context(), singleton.Conf.Oauth2.OidcIssuer)
+		if err != nil {
+			mygin.ShowErrorPage(c, mygin.ErrInfo{
+				Code:  http.StatusBadRequest,
+				Title: fmt.Sprintf("Cannot get OIDC infomaion from issuer from %s", singleton.Conf.Oauth2.OidcIssuer),
+				Msg:   err.Error(),
+			}, true)
+			return nil
+		}
+		scopes := strings.Split(singleton.Conf.Oauth2.OidcScopes, ",")
+		scopes = append(scopes, oidc.ScopeOpenID)
+		uniqueScopes := removeDuplicates(scopes)
+		return &oauth2.Config{
+			ClientID:     singleton.Conf.Oauth2.ClientID,
+			ClientSecret: singleton.Conf.Oauth2.ClientSecret,
+			Scopes:       uniqueScopes,
+			Endpoint:     oa.oidcProvider.Endpoint(),
+			RedirectURL:  oa.getRedirectURL(c),
+		}
 	} else {
 		return &oauth2.Config{
 			ClientID:     singleton.Conf.Oauth2.ClientID,
@@ -100,7 +123,8 @@ func (oa *oauth2controller) getCommonOauth2Config(c *gin.Context) *oauth2.Config

 func (oa *oauth2controller) getRedirectURL(c *gin.Context) string {
 	scheme := "http://"
-	if strings.HasPrefix(c.Request.Referer(), "https://") {
+	referer := c.Request.Referer()
+	if forwardedProto := c.Request.Header.Get("X-Forwarded-Proto"); forwardedProto == "https" || strings.HasPrefix(referer, "https://") {
 		scheme = "https://"
 	}
 	return scheme + c.Request.Host + "/oauth2/callback"
@@ -179,7 +203,18 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 					user = cloudflareUserInfo.MapToNezhaUser()
 				}
 			}
-
+		} else if singleton.Conf.Oauth2.Type == model.ConfigTypeOidc {
+			userInfo, err := oa.oidcProvider.UserInfo(c.Request.Context(), oauth2.StaticTokenSource(otk))
+			if err == nil {
+				loginClaim := singleton.Conf.Oauth2.OidcLoginClaim
+				groupClain := singleton.Conf.Oauth2.OidcGroupClaim
+				adminGroups := strings.Split(singleton.Conf.Oauth2.AdminGroups, ",")
+				autoCreate := singleton.Conf.Oauth2.OidcAutoCreate
+				var oidceUserInfo *myOidc.UserInfo
+				if err := userInfo.Claims(&oidceUserInfo); err == nil {
+					user = oidceUserInfo.MapToNezhaUser(loginClaim, groupClain, adminGroups, autoCreate)
+				}
+			}
 		} else {
 			var client *GitHubAPI.Client
 			oc := oauth2Config.Client(ctx, otk)
@@ -212,10 +247,15 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 		return
 	}
 	var isAdmin bool
-	for _, admin := range strings.Split(singleton.Conf.Oauth2.Admin, ",") {
-		if admin != "" && strings.EqualFold(user.Login, admin) {
-			isAdmin = true
-			break
+
+	if user.SuperAdmin {
+		isAdmin = true
+	} else {
+		for _, admin := range strings.Split(singleton.Conf.Oauth2.Admin, ",") {
+			if admin != "" && strings.EqualFold(user.Login, admin) {
+				isAdmin = true
+				break
+			}
 		}
 	}
 	if !isAdmin {
@@ -242,3 +282,16 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 		"URL": "/",
 	}))
 }
+
+func removeDuplicates(elements []string) []string {
+	encountered := map[string]bool{}
+	result := []string{}
+
+	for _, v := range elements {
+		if !encountered[v] {
+			encountered[v] = true
+			result = append(result, v)
+		}
+	}
+	return result
+}