1/* Part of SWISH 2 3 Author: Jan Wielemaker 4 E-mail: J.Wielemaker@cs.vu.nl 5 WWW: http://www.swi-prolog.org 6 Copyright (C): 2017, VU University Amsterdam 7 CWI Amsterdam 8 All rights reserved. 9 10 Redistribution and use in source and binary forms, with or without 11 modification, are permitted provided that the following conditions 12 are met: 13 14 1. Redistributions of source code must retain the above copyright 15 notice, this list of conditions and the following disclaimer. 16 17 2. Redistributions in binary form must reproduce the above copyright 18 notice, this list of conditions and the following disclaimer in 19 the documentation and/or other materials provided with the 20 distribution. 21 22 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25 FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 26 COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 28 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 30 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 32 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 POSSIBILITY OF SUCH DAMAGE. 34*/ 35 36:- module(config_auth_google, []). 37:- use_module(swish(lib/oauth2)). 38:- use_module(swish(lib/plugin/login)). 39:- use_module(library(http/http_dispatch)). 40:- use_module(library(http/http_session)). 41:- use_module(library(http/http_json)). 42:- use_module(library(http/http_path)). 43:- use_module(library(debug)). 44 45/** <module> Enable login with Google 46 47This module allows for configures _login with Google_. To enable this 48module: 49 50 1. Follow these 51 [steps](https://developers.google.com/accounts/docs/OpenIDConnect) to 52 create a Google project and get 53 54 - A client ID 55 - A client secret 56 - Register a redirect url. To test from localhost, this should be 57 `http://localhost:3050/oauth2/google/reply` 58 59 2. COPY this file to =config-enabled= 60 61 3. EDIT the following server attributes (near the end of this file) 62 - redirect_uri: the location of your swish server. 63 - client_id: the client id you obtained from Google. 64 - client_secret: the client secret you obtained from Google. 65*/ 66 67:- multifile 68 oauth2:login/3, 69 oauth2:server_attribute/3, 70 swish_config:login_item/2, % -Server, -HTML_DOM 71 swish_config:login/2, % +Server, +Request 72 swish_config:user_info/2. % +Request, ?Server, -Info 73 74:- http_set_session_options([create(noauto), timeout(3600)]). 75 76:- http_handler(swish(logout), google_logout, []). 77 78swish_configlogin_item(google, 10-Item) :- 79 http_absolute_location(icons('social_google_box.png'), Img, []), 80 Item = img([ src(Img), 81 class('login-with'), 82 'data-server'(google), 83 'data-frame'(popup), 84 title('Login with Google') 85 ]). 86 87swish_configlogin(google, Request) :- 88 oauth2_login(Request, [server(google)]). 89 90%! oauth2:login(+Request, +ServerID, +TokenInfo) 91% 92% Called after the identity provider behind ServerID verified the 93% user's identity. Now we have several options. If we do not have our 94% own user admin, we associate the session with the user and we are 95% done. If we have our own admin we have to check with our profile 96% database. For new users we may wish to complete the profile. We may 97% want to reject banned users or users that do not wish to complete 98% their profile. 99 100oauth2login(_Request, google, TokenInfo) :- 101 token_info_to_user_info(TokenInfo, UserInfo), 102 debug(oauth, 'UserInfo: ~p', [UserInfo]), 103 http_open_session(_SessionID, []), 104 http_session_assert(oauth2(google, TokenInfo)), 105 reply_logged_in([ identity_provider('Google'), 106 name(UserInfo.name), 107 user_info(UserInfo) 108 ]). 109 110%! google_logout(+Request) 111% 112% Logout by removing the session data 113 114google_logout(_Request) :- 115 catch(http_session_retractall(oauth2(_,_)), _, true), 116 reply_logged_out([]). 117 118 119%! swish_config:user_info(+Request, ?Server, -Info:dict) is semidet. 120% 121% True if Info represents describes the currently logged in user. 122 123swish_configuser_info(_Request, google, UserInfo) :- 124 http_in_session(_SessionID), 125 http_session_data(oauth2(google, TokenInfo)), 126 token_info_to_user_info(TokenInfo, UserInfo). 127 128token_info_to_user_info(TokenInfo, UserInfo) :- 129 oauth2_claim(TokenInfo, Claim), 130 map_user_info(Claim, Claim1), 131 http_link_to_id(google_logout, [], LogoutURL), 132 UserInfo = Claim1.put(_{ auth_method:oauth2, 133 logout_url:LogoutURL, 134 identity_provider:google 135 }). 136 137%! map_user_info(+OAuthInfo, -UserInfo) is det. 138% 139% u{user:User, group:Group, name:Name, email:Email} 140 141map_user_info(Dict, Dict) :- 142 debug(oauth, 'Got: ~p', [Dict]). 143 144%! oauth2:server_attribute(?ServerID, ?Attribute, ?Value) 145% 146% Declare properties of an oauth2 identity provider. The values below 147% are for a [Unity](http://www.unity-idm.eu/) server. 148% 149% @see swish(lib/oauth2) for a description of the attributes. 150 151% from https://accounts.google.com/.well-known/openid-configuration 152 153oauth2server_attribute(google, url, 154 'https://accounts.google.com'). 155oauth2server_attribute(google, redirect_uri, 156 'https://swish.swi-prolog.org/oauth2/google/reply'). 157oauth2server_attribute(google, client_id, 158 '962580012095-91omaabga3b4s3sk1c64vuj8013bnj97.apps.googleusercontent.com'). 159oauth2server_attribute(google, client_secret, 160 'dnPlexTcHECuTkkZYmdVGd_2'). 161oauth2server_attribute(google, scope, 162 profile)