feat: accept oidc token as authentication

internal/auth/providers/github.go

@@ -96,6 +96,14 @@ func (p *GitHubProvider) Exchange(redirectURI, code string) (*Identity, error) {
 	}, nil
 }
 
+func (p *GitHubProvider) ExchangeIDToken(rawIdToken string) (*Identity, error) {
+	return nil, fmt.Errorf("unsupported operation")
+}
+
+func (p *GitHubProvider) IsInteractive() bool {
+	return true
+}
+
 func (p *GitHubProvider) getTeams(ctx context.Context, client *github.Client) ([]string, error) {
 	var result []string
 	var page = 0

internal/auth/providers/oidc.go

@@ -25,7 +25,7 @@ func NewOIDCProvider(c *config.Provider) (*OIDCProvider, error) {
 		return nil, err
 	}
 
-	verifier := provider.Verifier(&oidc.Config{ClientID: c.ClientID})
+	verifier := provider.Verifier(&oidc.Config{ClientID: c.ClientID, SkipClientIDCheck: c.ClientID == ""})
 
 	return &OIDCProvider{
 		clientID:     c.ClientID,
@@ -48,6 +48,29 @@ func (p *OIDCProvider) GetLoginURL(redirectURI, state string) string {
 	return oauth2Config.AuthCodeURL(state)
 }
 
+func (p *OIDCProvider) ExchangeIDToken(rawIdToken string) (*Identity, error) {
+	// Parse and verify ID Token payload.
+	idToken, err := p.verifier.Verify(context.Background(), rawIdToken)
+	if err != nil {
+		return nil, err
+	}
+
+	sub, email, name, tokenClaims, err := p.getTokenClaims(idToken)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Identity{
+		UserID:   sub,
+		Username: name,
+		Email:    email,
+		Attr: map[string]interface{}{
+			"provider": "oidc",
+			"token":    tokenClaims,
+		},
+	}, nil
+}
+
 func (p *OIDCProvider) Exchange(redirectURI, code string) (*Identity, error) {
 	oauth2Config := oauth2.Config{
 		ClientID:     p.clientID,
@@ -97,6 +120,10 @@ func (p *OIDCProvider) Exchange(redirectURI, code string) (*Identity, error) {
 	}, nil
 }
 
+func (p *OIDCProvider) IsInteractive() bool {
+	return p.provider.Endpoint().AuthURL != ""
+}
+
 func (p *OIDCProvider) getTokenClaims(idToken *oidc.IDToken) (string, string, string, map[string]interface{}, error) {
 	var raw = make(map[string]interface{})
 	var claims struct {

internal/auth/providers/providers.go

@@ -19,6 +19,8 @@ func NewProvider(c *config.Provider) (AuthProvider, error) {
 type AuthProvider interface {
 	GetLoginURL(redirectURI, state string) string
 	Exchange(redirectURI, code string) (*Identity, error)
+	ExchangeIDToken(rawIdToken string) (*Identity, error)
+	IsInteractive() bool
 }
 
 type Identity struct {

internal/auth/server.go

@@ -156,6 +156,45 @@ func (s *Server) RegisterSession(req *api.RegisterSessionRequest) (*api.SessionT
 
 			return &response, nil
 		}
+
+		identity, err := s.provider.ExchangeIDToken(req.AuthToken)
+		if err == nil {
+			authorized, roles, err := s.evaluatePolicies(req.Policies, identity)
+			if err != nil {
+				return nil, err
+			}
+
+			if !authorized {
+				return nil, echo.NewHTTPError(http.StatusUnauthorized)
+			}
+
+			st := api.SessionToken{
+				UserID:         identity.UserID,
+				Username:       identity.Username,
+				Email:          identity.Email,
+				Roles:          roles,
+				Target:         req.Target,
+				ExpirationTime: now.Add(5 * time.Minute).UTC(),
+				Checksum:       req.Checksum,
+			}
+
+			sessionToken, err := s.privateKey.SealBase58(*publicKey, st)
+			if err != nil {
+				return nil, err
+			}
+
+			response := api.SessionTokenResponse{
+				SessionId:    req.SessionId,
+				SessionToken: sessionToken,
+				AuthToken:    req.AuthToken,
+			}
+
+			return &response, nil
+		}
+	}
+
+	if !s.provider.IsInteractive() {
+		return nil, echo.NewHTTPError(http.StatusUnauthorized)
 	}
 
 	if err := s.sessions.Set(req.SessionId, &session{PublicKey: *publicKey, Policies: req.Policies, Target: req.Target, Checksum: req.Checksum}); err != nil {