Split oidc/client.go (#1371)

* Split oidc/client.go * Refactor * Fix * Improve comment Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-14 16:39:51 +00:00 · 2025-07-13 13:23:33 +09:00
parent 3981c78387
commit fd9d3a8e9d
5 changed files with 193 additions and 155 deletions
--- a/pkg/oidc/client/authcode.go
+++ b/pkg/oidc/client/authcode.go
@@ -0,0 +1,102 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	gooidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/oauth2cli"
+	"golang.org/x/oauth2"
+)
+
+type AuthCodeURLInput struct {
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	AuthRequestExtraParams map[string]string
+}
+
+type ExchangeAuthCodeInput struct {
+	Code       string
+	PKCEParams pkce.Params
+	Nonce      string
+}
+
+type GetTokenByAuthCodeInput struct {
+	BindAddress            []string
+	State                  string
+	Nonce                  string
+	PKCEParams             pkce.Params
+	RedirectURLHostname    string // DEPRECATED
+	AuthRequestExtraParams map[string]string
+	LocalServerSuccessHTML string
+	LocalServerCertFile    string
+	LocalServerKeyFile     string
+}
+
+func (c *client) NegotiatedPKCEMethod() pkce.Method {
+	return c.negotiatedPKCEMethod
+}
+
+// GetTokenByAuthCode performs the authorization code flow.
+func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	config := oauth2cli.Config{
+		OAuth2Config:           c.oauth2Config,
+		State:                  in.State,
+		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
+		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
+		LocalServerBindAddress: in.BindAddress,
+		LocalServerReadyChan:   localServerReadyChan,
+		RedirectURLHostname:    in.RedirectURLHostname,
+		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		LocalServerCertFile:    in.LocalServerCertFile,
+		LocalServerKeyFile:     in.LocalServerKeyFile,
+		Logf:                   c.logger.V(1).Infof,
+	}
+	token, err := oauth2cli.GetToken(ctx, config)
+	if err != nil {
+		return nil, fmt.Errorf("oauth2 error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
+func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
+	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
+	return c.oauth2Config.AuthCodeURL(in.State, opts...)
+}
+
+// ExchangeAuthCode exchanges the authorization code and token.
+func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	opts := tokenRequestOptions(in.PKCEParams)
+	token, err := c.oauth2Config.Exchange(ctx, in.Code, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("exchange error: %w", err)
+	}
+	return c.verifyToken(ctx, token, in.Nonce)
+}
+
+func authorizationRequestOptions(nonce string, pkceParams pkce.Params, extraParams map[string]string) []oauth2.AuthCodeOption {
+	opts := []oauth2.AuthCodeOption{
+		oauth2.AccessTypeOffline,
+		gooidc.Nonce(nonce),
+	}
+	if pkceOpt := pkceParams.AuthCodeOption(); pkceOpt != nil {
+		opts = append(opts, pkceOpt)
+	}
+	for key, value := range extraParams {
+		opts = append(opts, oauth2.SetAuthURLParam(key, value))
+	}
+	return opts
+}
+
+func tokenRequestOptions(pkceParams pkce.Params) []oauth2.AuthCodeOption {
+	if pkceOpt := pkceParams.TokenRequestOption(); pkceOpt != nil {
+		return []oauth2.AuthCodeOption{pkceOpt}
+	}
+	return nil
+}
--- a/pkg/oidc/client/client.go
+++ b/pkg/oidc/client/client.go
@@ -7,15 +7,12 @@ import (
 	"time"

 	gooidc "github.com/coreos/go-oidc/v3/oidc"
-	"github.com/int128/oauth2cli"
-	"github.com/int128/oauth2dev"
-	"golang.org/x/oauth2"
-	"golang.org/x/oauth2/clientcredentials"
-
 	"github.com/int128/kubelogin/pkg/infrastructure/clock"
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/pkce"
+	"github.com/int128/oauth2dev"
+	"golang.org/x/oauth2"
 )

 type Interface interface {
@@ -30,35 +27,6 @@ type Interface interface {
 	Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)
 }

-type AuthCodeURLInput struct {
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	AuthRequestExtraParams map[string]string
-}
-
-type ExchangeAuthCodeInput struct {
-	Code       string
-	PKCEParams pkce.Params
-	Nonce      string
-}
-
-type GetTokenByAuthCodeInput struct {
-	BindAddress            []string
-	State                  string
-	Nonce                  string
-	PKCEParams             pkce.Params
-	RedirectURLHostname    string // DEPRECATED
-	AuthRequestExtraParams map[string]string
-	LocalServerSuccessHTML string
-	LocalServerCertFile    string
-	LocalServerKeyFile     string
-}
-
-type GetTokenByClientCredentialsInput struct {
-	EndpointParams map[string][]string
-}
-
 type client struct {
 	httpClient                  *http.Client
 	provider                    *gooidc.Provider
@@ -77,127 +45,6 @@ func (c *client) wrapContext(ctx context.Context) context.Context {
 	return ctx
 }

-// GetTokenByAuthCode performs the authorization code flow.
-func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	config := oauth2cli.Config{
-		OAuth2Config:           c.oauth2Config,
-		State:                  in.State,
-		AuthCodeOptions:        authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams),
-		TokenRequestOptions:    tokenRequestOptions(in.PKCEParams),
-		LocalServerBindAddress: in.BindAddress,
-		LocalServerReadyChan:   localServerReadyChan,
-		RedirectURLHostname:    in.RedirectURLHostname,
-		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
-		LocalServerCertFile:    in.LocalServerCertFile,
-		LocalServerKeyFile:     in.LocalServerKeyFile,
-		Logf:                   c.logger.V(1).Infof,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, fmt.Errorf("oauth2 error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
-func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
-	opts := authorizationRequestOptions(in.Nonce, in.PKCEParams, in.AuthRequestExtraParams)
-	return c.oauth2Config.AuthCodeURL(in.State, opts...)
-}
-
-// ExchangeAuthCode exchanges the authorization code and token.
-func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	opts := tokenRequestOptions(in.PKCEParams)
-	token, err := c.oauth2Config.Exchange(ctx, in.Code, opts...)
-	if err != nil {
-		return nil, fmt.Errorf("exchange error: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-func authorizationRequestOptions(nonce string, pkceParams pkce.Params, extraParams map[string]string) []oauth2.AuthCodeOption {
-	opts := []oauth2.AuthCodeOption{
-		oauth2.AccessTypeOffline,
-		gooidc.Nonce(nonce),
-	}
-	if pkceOpt := pkceParams.AuthCodeOption(); pkceOpt != nil {
-		opts = append(opts, pkceOpt)
-	}
-	for key, value := range extraParams {
-		opts = append(opts, oauth2.SetAuthURLParam(key, value))
-	}
-	return opts
-}
-
-func tokenRequestOptions(pkceParams pkce.Params) []oauth2.AuthCodeOption {
-	if pkceOpt := pkceParams.TokenRequestOption(); pkceOpt != nil {
-		return []oauth2.AuthCodeOption{pkceOpt}
-	}
-	return nil
-}
-
-func (c *client) NegotiatedPKCEMethod() pkce.Method {
-	return c.negotiatedPKCEMethod
-}
-
-// GetTokenByROPC performs the resource owner password credentials flow.
-func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
-	if err != nil {
-		return nil, fmt.Errorf("resource owner password credentials flow error: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// GetTokenByClientCredentials performs the client credentials flow.
-func (c *client) GetTokenByClientCredentials(ctx context.Context, in GetTokenByClientCredentialsInput) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	c.logger.V(1).Infof("%s, %s, %v", c.oauth2Config.ClientID, c.oauth2Config.Endpoint.AuthURL, c.oauth2Config.Scopes)
-
-	config := clientcredentials.Config{
-		ClientID:       c.oauth2Config.ClientID,
-		ClientSecret:   c.oauth2Config.ClientSecret,
-		TokenURL:       c.oauth2Config.Endpoint.TokenURL,
-		Scopes:         c.oauth2Config.Scopes,
-		EndpointParams: in.EndpointParams,
-		AuthStyle:      oauth2.AuthStyleInHeader,
-	}
-	source := config.TokenSource(ctx)
-	token, err := source.Token()
-	if err != nil {
-		return nil, fmt.Errorf("could not acquire token: %w", err)
-	}
-	if c.useAccessToken {
-		return &oidc.TokenSet{
-			IDToken:      token.AccessToken,
-			RefreshToken: token.RefreshToken}, nil
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// GetDeviceAuthorization initializes the device authorization code challenge
-func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
-	ctx = c.wrapContext(ctx)
-	config := c.oauth2Config
-	config.Endpoint = oauth2.Endpoint{
-		AuthURL: c.deviceAuthorizationEndpoint,
-	}
-	return oauth2dev.RetrieveCode(ctx, config)
-}
-
-// ExchangeDeviceCode exchanges the device to an oidc.TokenSet
-func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
-	if err != nil {
-		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
-	}
-	return c.verifyToken(ctx, tokenResponse, "")
-}
-
 // Refresh sends a refresh token request and returns a token set.
 func (c *client) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
 	ctx = c.wrapContext(ctx)
--- a/pkg/oidc/client/clientcredentials.go
+++ b/pkg/oidc/client/clientcredentials.go
@@ -0,0 +1,41 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+type GetTokenByClientCredentialsInput struct {
+	EndpointParams map[string][]string
+}
+
+// GetTokenByClientCredentials performs the client credentials flow.
+func (c *client) GetTokenByClientCredentials(ctx context.Context, in GetTokenByClientCredentialsInput) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	c.logger.V(1).Infof("%s, %s, %v", c.oauth2Config.ClientID, c.oauth2Config.Endpoint.AuthURL, c.oauth2Config.Scopes)
+
+	config := clientcredentials.Config{
+		ClientID:       c.oauth2Config.ClientID,
+		ClientSecret:   c.oauth2Config.ClientSecret,
+		TokenURL:       c.oauth2Config.Endpoint.TokenURL,
+		Scopes:         c.oauth2Config.Scopes,
+		EndpointParams: in.EndpointParams,
+		AuthStyle:      oauth2.AuthStyleInHeader,
+	}
+	source := config.TokenSource(ctx)
+	token, err := source.Token()
+	if err != nil {
+		return nil, fmt.Errorf("could not acquire token: %w", err)
+	}
+	if c.useAccessToken {
+		return &oidc.TokenSet{
+			IDToken:      token.AccessToken,
+			RefreshToken: token.RefreshToken,
+		}, nil
+	}
+	return c.verifyToken(ctx, token, "")
+}
--- a/pkg/oidc/client/devicecode.go
+++ b/pkg/oidc/client/devicecode.go
@@ -0,0 +1,30 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/oauth2dev"
+	"golang.org/x/oauth2"
+)
+
+// GetDeviceAuthorization initializes the device authorization code challenge
+func (c *client) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
+	ctx = c.wrapContext(ctx)
+	config := c.oauth2Config
+	config.Endpoint = oauth2.Endpoint{
+		AuthURL: c.deviceAuthorizationEndpoint,
+	}
+	return oauth2dev.RetrieveCode(ctx, config)
+}
+
+// ExchangeDeviceCode exchanges the device authorization code for an oidc.TokenSet
+func (c *client) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	tokenResponse, err := oauth2dev.PollToken(ctx, c.oauth2Config, *authResponse)
+	if err != nil {
+		return nil, fmt.Errorf("device-code: exchange failed: %w", err)
+	}
+	return c.verifyToken(ctx, tokenResponse, "")
+}
--- a/pkg/oidc/client/ropc.go
+++ b/pkg/oidc/client/ropc.go
@@ -0,0 +1,18 @@
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/int128/kubelogin/pkg/oidc"
+)
+
+// GetTokenByROPC performs the resource owner password credentials flow.
+func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*oidc.TokenSet, error) {
+	ctx = c.wrapContext(ctx)
+	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
+	if err != nil {
+		return nil, fmt.Errorf("resource owner password credentials flow error: %w", err)
+	}
+	return c.verifyToken(ctx, token, "")
+}