introspect

2021-02-10 16:42:01 +01:00 · 2021-02-10 16:42:01 +01:00 · 138da8a208
commit 138da8a208
parent 134999bc33
13 changed files with 305 additions and 98 deletions
--- a/pkg/oidc/discovery.go
+++ b/pkg/oidc/discovery.go
@ -1,27 +1,56 @@
 package oidc

+import (
+	"golang.org/x/text/language"
+)
+
 const (
 	DiscoveryEndpoint = "/.well-known/openid-configuration"
 )

 type DiscoveryConfiguration struct {
-	Issuer                            string                `json:"issuer,omitempty"`
-	AuthorizationEndpoint             string                `json:"authorization_endpoint,omitempty"`
-	TokenEndpoint                     string                `json:"token_endpoint,omitempty"`
-	IntrospectionEndpoint             string                `json:"introspection_endpoint,omitempty"`
-	UserinfoEndpoint                  string                `json:"userinfo_endpoint,omitempty"`
-	EndSessionEndpoint                string                `json:"end_session_endpoint,omitempty"`
-	CheckSessionIframe                string                `json:"check_session_iframe,omitempty"`
-	JwksURI                           string                `json:"jwks_uri,omitempty"`
-	ScopesSupported                   []string              `json:"scopes_supported,omitempty"`
-	ResponseTypesSupported            []string              `json:"response_types_supported,omitempty"`
-	ResponseModesSupported            []string              `json:"response_modes_supported,omitempty"`
-	GrantTypesSupported               []string              `json:"grant_types_supported,omitempty"`
-	SubjectTypesSupported             []string              `json:"subject_types_supported,omitempty"`
-	IDTokenSigningAlgValuesSupported  []string              `json:"id_token_signing_alg_values_supported,omitempty"`
-	TokenEndpointAuthMethodsSupported []AuthMethod          `json:"token_endpoint_auth_methods_supported,omitempty"`
-	CodeChallengeMethodsSupported     []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
-	ClaimsSupported                   []string              `json:"claims_supported,omitempty"`
+	Issuer                                             string                `json:"issuer,omitempty"`
+	AuthorizationEndpoint                              string                `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint                                      string                `json:"token_endpoint,omitempty"`
+	IntrospectionEndpoint                              string                `json:"introspection_endpoint,omitempty"`
+	UserinfoEndpoint                                   string                `json:"userinfo_endpoint,omitempty"`
+	RevocationEndpoint                                 string                `json:"revocation_endpoint,omitempty"`
+	EndSessionEndpoint                                 string                `json:"end_session_endpoint,omitempty"`
+	CheckSessionIframe                                 string                `json:"check_session_iframe,omitempty"`
+	JwksURI                                            string                `json:"jwks_uri,omitempty"`
+	ScopesSupported                                    []string              `json:"scopes_supported,omitempty"`
+	ResponseTypesSupported                             []string              `json:"response_types_supported"`
+	ResponseModesSupported                             []string              `json:"response_modes_supported,omitempty"`
+	GrantTypesSupported                                []GrantType           `json:"grant_types_supported,omitempty"`
+	ACRValuesSupported                                 []string              `json:"acr_values_supported,omitempty"`
+	SubjectTypesSupported                              []string              `json:"subject_types_supported,omitempty"`
+	IDTokenSigningAlgValuesSupported                   []string              `json:"id_token_signing_alg_values_supported,omitempty"`
+	IDTokenEncryptionAlgValuesSupported                []string              `json:"id_token_encryption_alg_values_supported,omitempty"`
+	IDTokenEncryptionEncValuesSupported                []string              `json:"id_token_encryption_enc_values_supported,omitempty"`
+	UserinfoSigningAlgValuesSupported                  []string              `json:"userinfo_signing_alg_values_supported,omitempty"`
+	UserinfoEncryptionAlgValuesSupported               []string              `json:"userinfo_encryption_alg_values_supported,omitempty"`
+	UserinfoEncryptionEncValuesSupported               []string              `json:"userinfo_encryption_enc_values_supported,omitempty"`
+	RequestObjectSigningAlgValuesSupported             []string              `json:"request_object_signing_alg_values_supported,omitempty"`
+	RequestObjectEncryptionAlgValuesSupported          []string              `json:"request_object_encryption_alg_values_supported,omitempty"`
+	RequestObjectEncryptionEncValuesSupported          []string              `json:"request_object_encryption_enc_values_supported,omitempty"`
+	TokenEndpointAuthMethodsSupported                  []AuthMethod          `json:"token_endpoint_auth_methods_supported,omitempty"`
+	TokenEndpointAuthSigningAlgValuesSupported         []string              `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
+	RevocationEndpointAuthMethodsSupported             []AuthMethod          `json:"revocation_endpoint_auth_methods_supported,omitempty"`
+	RevocationEndpointAuthSigningAlgValuesSupported    []string              `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
+	IntrospectionEndpointAuthMethodsSupported          []AuthMethod          `json:"introspection_endpoint_auth_methods_supported,omitempty"`
+	IntrospectionEndpointAuthSigningAlgValuesSupported []string              `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
+	DisplayValuesSupported                             []Display             `json:"display_values_supported,omitempty"`
+	ClaimTypesSupported                                []string              `json:"claim_types_supported,omitempty"`
+	ClaimsSupported                                    []string              `json:"claims_supported,omitempty"`
+	CodeChallengeMethodsSupported                      []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"`
+	ServiceDocumentation                               string                `json:"service_documentation,omitempty"`
+	ClaimsLocalesSupported                             []language.Tag        `json:"claims_locales_supported,omitempty"`
+	UILocalesSupported                                 []language.Tag        `json:"ui_locales_supported,omitempty"`
+	RequestParameterSupported                          bool                  `json:"request_parameter_supported,omitempty"`
+	RequestURIParameterSupported                       bool                  `json:"request_uri_parameter_supported"` //no omitempty because: If omitted, the default value is true
+	RequireRequestURIRegistration                      bool                  `json:"require_request_uri_registration,omitempty"`
+	OPPolicyURI                                        string                `json:"op_policy_uri,omitempty"`
+	OPTermsOfServiceURI                                string                `json:"op_tos_uri,omitempty"`
 }

 type AuthMethod string
@ -32,3 +61,7 @@ const (
 	AuthMethodNone          AuthMethod = "none"
 	AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
 )
+
+const (
+	GrantTypeImplicit GrantType = "implicit"
+)
--- a/pkg/oidc/introspection.go
+++ b/pkg/oidc/introspection.go
@ -12,10 +12,17 @@ type IntrospectionRequest struct {
 	Token string `schema:"token"`
 }

+type ClientAssertionParams struct {
+	ClientAssertion     string `schema:"client_assertion"`
+	ClientAssertionType string `schema:"client_assertion_type"`
+}
+
 type IntrospectionResponse interface {
 	UserInfoSetter
 	SetActive(bool)
 	IsActive() bool
+	SetScopes(scopes Scope)
+	SetClientID(id string)
 }

 func NewIntrospectionResponse() IntrospectionResponse {
@ -23,19 +30,30 @@ func NewIntrospectionResponse() IntrospectionResponse {
 }

 type introspectionResponse struct {
-	Active  bool   `json:"active"`
-	Subject string `json:"sub,omitempty"`
+	Active   bool   `json:"active"`
+	Scope    Scope  `json:"scope,omitempty"`
+	ClientID string `json:"client_id,omitempty"`
+	Subject  string `json:"sub,omitempty"`
 	userInfoProfile
 	userInfoEmail
 	userInfoPhone
-	Address UserInfoAddress `json:"address,omitempty"`

-	claims map[string]interface{}
+	Address UserInfoAddress `json:"address,omitempty"`
+	claims  map[string]interface{}
 }

 func (u *introspectionResponse) IsActive() bool {
 	return u.Active
 }
+
+func (u *introspectionResponse) SetScopes(scope Scope) {
+	u.Scope = scope
+}
+
+func (u *introspectionResponse) SetClientID(id string) {
+	u.ClientID = id
+}
+
 func (u *introspectionResponse) GetSubject() string {
 	return u.Subject
 }
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -427,7 +427,7 @@ func NewJWTProfileAssertionStringFromFileData(data []byte, audience []string) (s
 	if err != nil {
 		return "", err
 	}
-	return generateJWTProfileToken(NewJWTProfileAssertion(keyData.UserID, keyData.KeyID, audience, []byte(keyData.Key)))
+	return GenerateJWTProfileToken(NewJWTProfileAssertion(keyData.UserID, keyData.KeyID, audience, []byte(keyData.Key)))
 }

 func NewJWTProfileAssertionFromFileData(data []byte, audience []string) (*JWTProfileAssertion, error) {
@ -473,7 +473,7 @@ func AppendClientIDToAudience(clientID string, audience []string) []string {
 	return append(audience, clientID)
 }

-func generateJWTProfileToken(assertion *JWTProfileAssertion) (string, error) {
+func GenerateJWTProfileToken(assertion *JWTProfileAssertion) (string, error) {
 	privateKey, err := bytesToPrivateKey(assertion.PrivateKey)
 	if err != nil {
 		return "", err
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@ -59,6 +59,7 @@ type Prompt string
 type ResponseType string

 type Scopes []string
+type Scope []string //TODO: hurst?

 func (s Scopes) Encode() string {
 	return strings.Join(s, " ")
@ -73,6 +74,19 @@ func (s *Scopes) MarshalText() ([]byte, error) {
 	return []byte(s.Encode()), nil
 }

+func (s *Scope) MarshalJSON() ([]byte, error) {
+	return json.Marshal(Scopes(*s).Encode())
+}
+
+func (s *Scope) UnmarshalJSON(data []byte) error {
+	var str string
+	if err := json.Unmarshal(data, &str); err != nil {
+		return err
+	}
+	*s = Scope(strings.Split(str, " "))
+	return nil
+}
+
 type Time time.Time

 func (t *Time) UnmarshalJSON(data []byte) error {
--- a/pkg/oidc/userinfo.go
+++ b/pkg/oidc/userinfo.go
@ -6,8 +6,6 @@ import (
 	"time"

 	"golang.org/x/text/language"
-
-	"github.com/caos/oidc/pkg/utils"
 )

 type UserInfo interface {
@ -351,11 +349,17 @@ func (i *userinfo) MarshalJSON() ([]byte, error) {
 		return b, nil
 	}

-	claims, err := json.Marshal(i.claims)
+	err = json.Unmarshal(b, &i.claims)
 	if err != nil {
 		return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
 	}
-	return utils.ConcatenateJSON(b, claims)
+
+	return json.Marshal(i.claims)
+	//claims, err := json.Marshal(i.claims)
+	//if err != nil {
+	//	return nil, fmt.Errorf("jws: invalid map of custom claims %v", i.claims)
+	//}
+	//return utils.ConcatenateJSON(b, claims)
 }

 func (i *userinfo) UnmarshalJSON(data []byte) error {
@ -372,6 +376,10 @@ func (i *userinfo) UnmarshalJSON(data []byte) error {

 	i.UpdatedAt = Time(time.Unix(a.UpdatedAt, 0).UTC())

+	if err := json.Unmarshal(data, &i.claims); err != nil {
+		return err
+	}
+
 	return nil
 }