fix: grant_types_supported in discovery
parent
4390119d1d
commit
2ebbd7a2e0
5 changed files with 45 additions and 31 deletions
|
@ -9,8 +9,12 @@ import (
|
||||||
const (
|
const (
|
||||||
//GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
|
//GrantTypeCode defines the grant_type `authorization_code` used for the Token Request in the Authorization Code Flow
|
||||||
GrantTypeCode GrantType = "authorization_code"
|
GrantTypeCode GrantType = "authorization_code"
|
||||||
//GrantTypeBearer define the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
|
|
||||||
|
//GrantTypeBearer defines the grant_type `urn:ietf:params:oauth:grant-type:jwt-bearer` used for the JWT Authorization Grant
|
||||||
GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
|
GrantTypeBearer GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
|
||||||
|
|
||||||
|
//GrantTypeTokenExchange defines the grant_type `urn:ietf:params:oauth:grant-type:token-exchange` used for the OAuth Token Exchange Grant
|
||||||
|
GrantTypeTokenExchange GrantType = "urn:ietf:params:oauth:grant-type:token-exchange"
|
||||||
)
|
)
|
||||||
|
|
||||||
type GrantType string
|
type GrantType string
|
||||||
|
|
|
@ -19,6 +19,8 @@ type Configuration interface {
|
||||||
|
|
||||||
AuthMethodPostSupported() bool
|
AuthMethodPostSupported() bool
|
||||||
CodeMethodS256Supported() bool
|
CodeMethodS256Supported() bool
|
||||||
|
GrantTypeTokenExchangeSupported() bool
|
||||||
|
GrantTypeJWTAuthorizationSupported() bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func ValidateIssuer(issuer string) error {
|
func ValidateIssuer(issuer string) error {
|
||||||
|
|
|
@ -52,22 +52,23 @@ func Scopes(c Configuration) []string {
|
||||||
|
|
||||||
func ResponseTypes(c Configuration) []string {
|
func ResponseTypes(c Configuration) []string {
|
||||||
return []string{
|
return []string{
|
||||||
"code",
|
string(oidc.ResponseTypeCode),
|
||||||
"id_token",
|
string(oidc.ResponseTypeIDTokenOnly),
|
||||||
// "code token",
|
string(oidc.ResponseTypeIDToken),
|
||||||
// "code id_token",
|
} //TODO: ok for now, check later if dynamic needed
|
||||||
"id_token token",
|
|
||||||
// "code id_token token"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func GrantTypes(c Configuration) []string {
|
func GrantTypes(c Configuration) []string {
|
||||||
return []string{
|
grantTypes := []string{
|
||||||
"client_credentials",
|
string(oidc.GrantTypeCode),
|
||||||
"authorization_code",
|
|
||||||
// "password",
|
|
||||||
"urn:ietf:params:oauth:grant-type:token-exchange",
|
|
||||||
}
|
}
|
||||||
|
if c.GrantTypeTokenExchangeSupported() {
|
||||||
|
grantTypes = append(grantTypes, string(oidc.GrantTypeTokenExchange))
|
||||||
|
}
|
||||||
|
if c.GrantTypeJWTAuthorizationSupported() {
|
||||||
|
grantTypes = append(grantTypes, string(oidc.GrantTypeBearer))
|
||||||
|
}
|
||||||
|
return grantTypes
|
||||||
}
|
}
|
||||||
|
|
||||||
func SupportedClaims(c Configuration) []string {
|
func SupportedClaims(c Configuration) []string {
|
||||||
|
|
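Review bot: In the `@ -52,22 +52,23 @@` hunk the new `ResponseTypes` body maps the old `"id_token"` literal to `oidc.ResponseTypeIDTokenOnly` and the old `"id_token token"` to `oidc.ResponseTypeIDToken`; the constant values are not in this diff and the names invert the intuitive reading, so it is worth confirming the two are not swapped, since a wrong value here changes what clients see in `response_types_supported`. `GrantTypes` also stops advertising `client_credentials`, which looks consistent with `tokenHandler` in this commit having no case for it, but the commit message does not say so. The trailing `//TODO: ok for now, check later if dynamic needed` would read better on its own line above the `return` of `ResponseTypes`.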
18
pkg/op/op.go
18
pkg/op/op.go
|
@ -50,7 +50,6 @@ type OpenIDProvider interface {
|
||||||
Decoder() utils.Decoder
|
Decoder() utils.Decoder
|
||||||
Encoder() utils.Encoder
|
Encoder() utils.Encoder
|
||||||
IDTokenHintVerifier() IDTokenHintVerifier
|
IDTokenHintVerifier() IDTokenHintVerifier
|
||||||
JWTProfileVerifier() JWTProfileVerifier
|
|
||||||
AccessTokenVerifier() AccessTokenVerifier
|
AccessTokenVerifier() AccessTokenVerifier
|
||||||
Crypto() Crypto
|
Crypto() Crypto
|
||||||
DefaultLogoutRedirectURI() string
|
DefaultLogoutRedirectURI() string
|
||||||
|
@ -90,15 +89,6 @@ type Config struct {
|
||||||
CryptoKey [32]byte
|
CryptoKey [32]byte
|
||||||
DefaultLogoutRedirectURI string
|
DefaultLogoutRedirectURI string
|
||||||
CodeMethodS256 bool
|
CodeMethodS256 bool
|
||||||
|
|
||||||
//TODO: add to config after updating Configuration interface for DiscoveryConfig
|
|
||||||
// ScopesSupported: oidc.SupportedScopes,
|
|
||||||
// ResponseTypesSupported: responseTypes,
|
|
||||||
// GrantTypesSupported: oidc.SupportedGrantTypes,
|
|
||||||
// ClaimsSupported: oidc.SupportedClaims,
|
|
||||||
// IdTokenSigningAlgValuesSupported: []string{keys.SigningAlgorithm},
|
|
||||||
// SubjectTypesSupported: []string{"public"},
|
|
||||||
// TokenEndpointAuthMethodsSupported:
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type endpoints struct {
|
type endpoints struct {
|
||||||
|
@ -196,6 +186,14 @@ func (o *openidProvider) CodeMethodS256Supported() bool {
|
||||||
return o.config.CodeMethodS256
|
return o.config.CodeMethodS256
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (o *openidProvider) GrantTypeTokenExchangeSupported() bool {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func (o *openidProvider) GrantTypeJWTAuthorizationSupported() bool {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func (o *openidProvider) Storage() Storage {
|
func (o *openidProvider) Storage() Storage {
|
||||||
return o.storage
|
return o.storage
|
||||||
}
|
}
|
||||||
|
|
|
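Review bot: `GrantTypeTokenExchangeSupported` and `GrantTypeJWTAuthorizationSupported` in the `@ -196,6 +186,14 @@` hunk return hard-coded `false` and `true`, whereas `CodeMethodS256Supported` directly above them reads `o.config.CodeMethodS256`, so every deployment advertises and accepts the jwt-bearer grant and none can enable token exchange without a code change. The TODO removed from `Config` in the `@ -90,15 +89,6 @@` hunk pointed at the intended shape: one boolean per grant type in `Config`, for example a `GrantTypeJWTAuthorization bool` field returned as `return o.config.GrantTypeJWTAuthorization`. Because both the discovery document and `tokenHandler` call these methods, driving them from configuration keeps `grant_types_supported` and the token endpoint in agreement automatically; the defaults chosen for such fields decide whether existing deployments keep today's behaviour. Both methods are exported and lack the doc comment the rest of the file carries, e.g. `// GrantTypeJWTAuthorizationSupported reports whether the jwt-bearer grant is enabled for this provider.`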
@ -17,6 +17,12 @@ type Exchanger interface {
|
||||||
Signer() Signer
|
Signer() Signer
|
||||||
Crypto() Crypto
|
Crypto() Crypto
|
||||||
AuthMethodPostSupported() bool
|
AuthMethodPostSupported() bool
|
||||||
|
GrantTypeTokenExchangeSupported() bool
|
||||||
|
GrantTypeJWTAuthorizationSupported() bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type JWTAuthorizationGrantExchanger interface {
|
||||||
|
Exchanger
|
||||||
JWTProfileVerifier() JWTProfileVerifier
|
JWTProfileVerifier() JWTProfileVerifier
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -27,17 +33,20 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
|
||||||
CodeExchange(w, r, exchanger)
|
CodeExchange(w, r, exchanger)
|
||||||
return
|
return
|
||||||
case string(oidc.GrantTypeBearer):
|
case string(oidc.GrantTypeBearer):
|
||||||
JWTProfile(w, r, exchanger)
|
if ex, ok := exchanger.(JWTAuthorizationGrantExchanger); ok && exchanger.GrantTypeJWTAuthorizationSupported() {
|
||||||
|
JWTProfile(w, r, ex)
|
||||||
return
|
return
|
||||||
case "exchange":
|
}
|
||||||
|
case string(oidc.GrantTypeTokenExchange):
|
||||||
|
if exchanger.GrantTypeTokenExchangeSupported() {
|
||||||
TokenExchange(w, r, exchanger)
|
TokenExchange(w, r, exchanger)
|
||||||
|
return
|
||||||
|
}
|
||||||
case "":
|
case "":
|
||||||
RequestError(w, r, ErrInvalidRequest("grant_type missing"))
|
RequestError(w, r, ErrInvalidRequest("grant_type missing"))
|
||||||
return
|
return
|
||||||
default:
|
|
||||||
RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
RequestError(w, r, ErrInvalidRequest("grant_type not supported"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
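Review bot: After the `switch`, a grant type the server knows but has disabled (token exchange when `GrantTypeTokenExchangeSupported()` is false, or jwt-bearer when the exchanger does not implement `JWTAuthorizationGrantExchanger` or reports it unsupported) is answered with `ErrInvalidRequest("grant_type not supported")`, exactly like an unknown string. RFC 6749 §5.2 reserves `unsupported_grant_type` for this case and `invalid_request` for malformed requests, so if `ErrInvalidRequest` maps to `invalid_request` as its name suggests, a client cannot distinguish a typo from a disabled feature; if the package has an error constructor for `unsupported_grant_type` it belongs on that line (the page does not show one). The `case ""` branch is a genuinely malformed request and should keep `invalid_request`. The function signature and the `switch` header lie above this hunk.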
@ -137,7 +146,7 @@ func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenReque
|
||||||
return authReq, nil
|
return authReq, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
|
func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizationGrantExchanger) {
|
||||||
profileRequest, err := ParseJWTProfileRequest(r, exchanger.Decoder())
|
profileRequest, err := ParseJWTProfileRequest(r, exchanger.Decoder())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
RequestError(w, r, err)
|
RequestError(w, r, err)
|
||||||
|
|