Add OIDC Example

Author: system

Cargo.lock

@@ -18,6 +18,6 @@ members = [
     "examples/request-tracking",
     "examples/engine",
     "rwf-admin",
-    "examples/files", "examples/users", "examples/openapi",
+    "examples/files", "examples/users", "examples/openapi", "examples/oidc",
 ]
 exclude = ["examples/rails", "rwf-ruby", "examples/django", "rwf-fuzz"]

Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "oidc"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+rwf = {path = "../../rwf"}
+tokio = {version = "1.49.0", features = ["full"]}
+serde = {version = "1.0.228", features = ["derive"]}
+serde_json = "1.0.149"

examples/oidc/Cargo.toml

@@ -0,0 +1,110 @@
+# OIDC
+
+Rwf comes with an OIDC Integration. One only need to implement a User struct with the `OidcUser` trait implemented.
+
+```rust
+#[derive(macros::Model, Clone, Serialize, Deserialize)]
+struct User {
+    id: Option<i64>,
+    name: String,
+    email: String,
+    token: serde_json::Value,
+    expire: OffsetDateTime,
+}
+
+#[async_trait]
+impl OidcUser for User {
+    async fn from_token(
+        token: StandardTokenResponse<CoreIdTokenFields, CoreTokenType>,
+        userinfo: UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim>,
+    ) -> Result<Self, rwf::model::Error> {
+        let name = userinfo
+            .standard_claims()
+            .preferred_username()
+            .unwrap()
+            .to_string();
+        let email = userinfo.standard_claims().email().unwrap().to_string();
+        let expire = OffsetDateTime::now_utc()
+            .checked_add(Duration::nanoseconds(
+                token.expires_in().unwrap().as_nanos() as i64,
+            ))
+            .unwrap();
+        let token = serde_json::json!({"access": token.access_token(), "refresh": token.refresh_token().unwrap()});
+        let mut conn = get_connection().await?;
+        User::create(&[
+            ("name", name.to_value()),
+            ("email", email.to_value()),
+            ("expire", expire.to_value()),
+            ("token", token.to_value()),
+        ])
+            .unique_by(&["email"])
+            .fetch(&mut conn)
+            .await
+    }
+
+    fn access_token(&self) -> AccessToken {
+        serde_json::from_value(self.token.get("access").unwrap().clone()).unwrap()
+    }
+
+    fn refresh_token(&self) -> RefreshToken {
+        serde_json::from_value(self.token.get("refresh").unwrap().clone()).unwrap()
+    }
+
+    fn expire(&self) -> &OffsetDateTime {
+        &self.expire
+    }
+
+    fn update_token(
+        mut self,
+        token: StandardTokenResponse<CoreIdTokenFields, CoreTokenType>,
+    ) -> Self {
+        self.token = serde_json::json!({"access": token.access_token(), "refresh": token.refresh_token().unwrap()});
+        self
+    }
+}
+```
+
+## Login
+
+To protect a Route with the OIDC Login, one have to set the `OidcAuthentication` handler as the `AuthHandler` for Controller.
+```rust
+struct TestController {
+    auth: AuthHandler,
+}
+
+impl Default for TestController {
+    fn default() -> Self {
+        Self {
+            auth: OidcAuthentication::<User>::default().handler(),
+        }
+    }
+}
+
+#[async_trait]
+impl Controller for TestController {
+    fn auth(&self) -> &AuthHandler {
+        &self.auth
+    }
+
+    async fn handle(&self, request: &Request) -> Result<Response, Error> {
+        Ok(Respnse::not_implemented())    
+    }
+}
+```
+
+## OIDC Response Handler
+
+The AuthHandler is only responsible for issue a Request to the OIDC Provider. A Endpoint to handle the OIDC Response is required also.
+
+```rust
+#[tokio::main]
+async fn main() -> Result<(), rwf::http::Error> {
+    migrate().await?;
+    rwf::http::Server::new(vec![
+        route!("/" => TestController),
+        route!("/oidc" => OidcController::<User>),
+    ])
+    .launch()
+    .await
+}
+```

examples/oidc/README.md

@@ -0,0 +1 @@
+DROP TABLE users;

examples/oidc/migrations/1_User.down.sql

@@ -0,0 +1,7 @@
+CREATE TABLE users (
+	id bigserial primary key,
+	name varchar(255) not null,
+	email varchar(255) not null unique,
+	expire timestamptz not null,
+	token json not null
+);

examples/oidc/migrations/1_User.up.sql

@@ -0,0 +1,11 @@
+[general]
+secret_key = "WcPlOPnQzEJ/yPI4VCFhpofKnTE1uNbvl2tQsyAyz1g="
+
+[database]
+name = "rwf_oidc"
+
+[oidc]
+client_id="rwf_oidc_client"
+client_secret="rwf_oidc_secret"
+redirect_url="http://127.0.0.1:8000/oidc"
+discovery_url="https://oidc.rwf.tld/"

examples/oidc/rwf.toml

@@ -0,0 +1,98 @@
+use rwf::controller::oidc::*;
+use rwf::model::{get_connection, migrate};
+use rwf::prelude::*;
+#[derive(macros::Model, Clone, Serialize, Deserialize)]
+struct User {
+    id: Option<i64>,
+    name: String,
+    email: String,
+    token: serde_json::Value,
+    expire: OffsetDateTime,
+}
+#[async_trait]
+impl OidcUser for User {
+    async fn from_token(
+        token: StandardTokenResponse<CoreIdTokenFields, CoreTokenType>,
+        userinfo: UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim>,
+    ) -> Result<Self, rwf::model::Error> {
+        let name = userinfo
+            .standard_claims()
+            .preferred_username()
+            .unwrap()
+            .to_string();
+        let email = userinfo.standard_claims().email().unwrap().to_string();
+        let expire = OffsetDateTime::now_utc()
+            .checked_add(Duration::nanoseconds(
+                token.expires_in().unwrap().as_nanos() as i64,
+            ))
+            .unwrap();
+        let token = serde_json::json!({"access": token.access_token(), "refresh": token.refresh_token().unwrap()});
+        let mut conn = get_connection().await?;
+        User::create(&[
+            ("name", name.to_value()),
+            ("email", email.to_value()),
+            ("expire", expire.to_value()),
+            ("token", token.to_value()),
+        ])
+        .unique_by(&["email"])
+        .fetch(&mut conn)
+        .await
+    }
+
+    fn access_token(&self) -> AccessToken {
+        serde_json::from_value(self.token.get("access").unwrap().clone()).unwrap()
+    }
+
+    fn refresh_token(&self) -> RefreshToken {
+        serde_json::from_value(self.token.get("refresh").unwrap().clone()).unwrap()
+    }
+
+    fn expire(&self) -> &OffsetDateTime {
+        &self.expire
+    }
+
+    fn update_token(
+        mut self,
+        token: StandardTokenResponse<CoreIdTokenFields, CoreTokenType>,
+    ) -> Self {
+        self.token = serde_json::json!({"access": token.access_token(), "refresh": token.refresh_token().unwrap()});
+        self
+    }
+}
+
+struct TestController {
+    auth: AuthHandler,
+}
+
+impl Default for TestController {
+    fn default() -> Self {
+        Self {
+            auth: OidcAuthentication::<User>::default().handler(),
+        }
+    }
+}
+
+#[async_trait]
+impl Controller for TestController {
+    fn auth(&self) -> &AuthHandler {
+        &self.auth
+    }
+
+    async fn handle(&self, request: &Request) -> Result<Response, Error> {
+        let mut conn = get_connection().await?;
+        let user: User = request.user_required(&mut conn).await?;
+        Ok(Response::new().html(format!("<h1>Hello {}</h1>", user.name)))
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<(), rwf::http::Error> {
+    migrate().await?;
+    rwf::http::Server::new(vec![
+        route!("/" => TestController),
+        // Take OIDC Config from rwf.toml (or Env).
+        route!("/oidc" => OidcController::<User>),
+    ])
+    .launch()
+    .await
+}