From 6b4d04c525e00920dc8ae73b03cfb5c4089993f5 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 14 Apr 2025 17:38:57 -0600
Subject: feat: exchange an authorization code grant for an access and id token
---
 app/controllers/sessions/controller.go | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
(limited to 'app/controllers/sessions/controller.go')
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 7b6c871..a4ba092 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -1,8 +1,10 @@
 package sessions
 import (
+ "fmt"
 "net/http"
+ "github.com/xlgmokha/x/pkg/serde"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 "golang.org/x/oauth2"
 )
@@ -17,6 +19,7 @@ func New(cfg *oidc.OpenID) *Controller {
 func (c *Controller) MountTo(mux *http.ServeMux) {
 mux.HandleFunc("GET /session/new", c.New)
+ mux.HandleFunc("GET /session/callback", c.Create)
 }
 func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
@@ -24,3 +27,29 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
 url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
 http.Redirect(w, r, url, http.StatusFound)
 }
+
+func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
+ token, err := c.cfg.Config.Exchange(r.Context(), r.URL.Query().Get("code"))
+ if err != nil {
+ fmt.Printf("%v\n", err)
+ }
+
+ err = serde.ToJSON(w, token)
+ if err != nil {
+ fmt.Printf("%v\n", err)
+ return
+ }
+
+ if rawIDToken, ok := token.Extra("id_token").(string); ok {
+ idToken, err := oidc.NewIDToken(rawIDToken)
+ if err != nil {
+ fmt.Printf("%v\n", err)
+ return
+ }
+ err = serde.ToJSON(w, idToken)
+ if err != nil {
+ fmt.Printf("%v\n", err)
+ return
+ }
+ }
+}
--
cgit v1.2.3
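Review bot: When `Exchange` fails in `Create`, the error is printed but execution continues with a nil token, so `token.Extra("id_token")` dereferences nil and the client never receives an error status; add `http.Error(w, "token exchange failed", http.StatusBadRequest)` and `return` inside that first `if err != nil`. The callback also never reads the `state` query parameter, and `New` still sends the constant `"todo-csrf-token"`, so the flow has no protection against login CSRF or injected authorization codes until a per-session state value is issued and compared here. Writing the whole `token` to the response body hands the access token (and a refresh token, if the provider issues one) to the browser; if this is only scaffolding, a comment such as `// TODO: keep tokens server-side; do not return them to the user agent` would mark it. It is not visible from this hunk whether `oidc.NewIDToken` verifies the signature, issuer, audience and expiry, so that is worth confirming before any claim from the ID token is trusted.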