Add generic OpenID Connect provider (OAuth2)

This adds the oauth2 provider `oidc`. It needs an additional argument, the OIDC discovery endpoint to figure out where the auth and token URLs are.

Configuration is similar to setting up the Google Authentication with these changes:

 * `OAUTH2_PROVIDER = oidc`
 * `OAUTH2_OIDC_DISCOVERY_ENDPOINT = https://auth.exampe.org/discovery`

oauth2/google.go

@@ -31,9 +31,8 @@ func (g googleProvider) GetRedirectURL(state string) string {
 	return g.config().AuthCodeURL(state)
 }
 
-func (g googleProvider) GetProfile(code string) (*Profile, error) {
+func (g googleProvider) GetProfile(ctx context.Context, code string) (*Profile, error) {
 	conf := g.config()
-	ctx := context.Background()
 	token, err := conf.Exchange(ctx, code)
 	if err != nil {
 		return nil, err

oauth2/manager.go

@@ -4,7 +4,11 @@
 
 package oauth2 // import "miniflux.app/oauth2"
 
-import "errors"
+import (
+	"context"
+	"errors"
+	"miniflux.app/logger"
+)
 
 // Manager handles OAuth2 providers.
 type Manager struct {
@@ -26,8 +30,17 @@ func (m *Manager) AddProvider(name string, provider Provider) {
 }
 
 // NewManager returns a new Manager.
-func NewManager(clientID, clientSecret, redirectURL string) *Manager {
+func NewManager(ctx context.Context, clientID, clientSecret, redirectURL, oidcDiscoveryEndpoint string) *Manager {
 	m := &Manager{providers: make(map[string]Provider)}
 	m.AddProvider("google", newGoogleProvider(clientID, clientSecret, redirectURL))
+
+	if oidcDiscoveryEndpoint != "" {
+		if genericOidcProvider, err := newOidcProvider(ctx, clientID, clientSecret, redirectURL, oidcDiscoveryEndpoint); err != nil {
+			logger.Error("[OAuth2] failed to initialize OIDC provider: %v", err)
+		} else {
+			m.AddProvider("oidc", genericOidcProvider)
+		}
+	}
+
 	return m
 }

oauth2/oidc.go

@@ -0,0 +1,61 @@
+// Copyright 2017 Frédéric Guillot. All rights reserved.
+// Use of this source code is governed by the Apache 2.0
+// license that can be found in the LICENSE file.
+
+package oauth2 // import "miniflux.app/oauth2"
+
+import (
+	"context"
+	"github.com/coreos/go-oidc"
+	"golang.org/x/oauth2"
+)
+
+type oidcProvider struct {
+	clientID     string
+	clientSecret string
+	redirectURL  string
+	provider     *oidc.Provider
+}
+
+func (o oidcProvider) GetUserExtraKey() string {
+	return "oidc_id" // FIXME? add extra options key to allow multiple OIDC providers each with their own extra key?
+}
+
+func (o oidcProvider) GetRedirectURL(state string) string {
+	return o.config().AuthCodeURL(state)
+}
+
+func (o oidcProvider) GetProfile(ctx context.Context, code string) (*Profile, error) {
+	conf := o.config()
+	token, err := conf.Exchange(ctx, code)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo, err := o.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
+	if err != nil {
+		return nil, err
+	}
+
+	profile := &Profile{Key: o.GetUserExtraKey(), ID: userInfo.Subject, Username: userInfo.Email}
+	return profile, nil
+}
+
+func (o oidcProvider) config() *oauth2.Config {
+	return &oauth2.Config{
+		RedirectURL:  o.redirectURL,
+		ClientID:     o.clientID,
+		ClientSecret: o.clientSecret,
+		Scopes:       []string{"openid", "email"},
+		Endpoint:     o.provider.Endpoint(),
+	}
+}
+
+func newOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {
+	provider, err := oidc.NewProvider(ctx, discoveryEndpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return &oidcProvider{clientID: clientID, clientSecret: clientSecret, redirectURL: redirectURL, provider: provider}, nil
+}

oauth2/provider.go

@@ -3,10 +3,11 @@
 // license that can be found in the LICENSE file.
 
 package oauth2 // import "miniflux.app/oauth2"
+import "context"
 
 // Provider is an interface for OAuth2 providers.
 type Provider interface {
 	GetUserExtraKey() string
 	GetRedirectURL(state string) string
-	GetProfile(code string) (*Profile, error)
+	GetProfile(ctx context.Context, code string) (*Profile, error)
 }