User-configurable claims_supported

2023-12-03 15:19:29 -08:00 · 2023-12-03 15:19:29 -08:00 · 3bb48f7cba
commit 3bb48f7cba
parent 4d05eade5e
6 changed files with 60 additions and 29 deletions
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@ -47,6 +47,7 @@ type Configuration interface {
 	RequestObjectSupported() bool
 	RequestObjectSigningAlgorithmsSupported() []string

+	SupportedClaims() []string
 	SupportedUILocales() []language.Tag
 	DeviceAuthorization() DeviceAuthorizationConfig
 }
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -57,7 +57,7 @@ func CreateDiscoveryConfig(ctx context.Context, config Configuration, storage Di
 		IntrospectionEndpointAuthMethodsSupported:          AuthMethodsIntrospectionEndpoint(config),
 		RevocationEndpointAuthSigningAlgValuesSupported:    RevocationSigAlgorithms(config),
 		RevocationEndpointAuthMethodsSupported:             AuthMethodsRevocationEndpoint(config),
-		ClaimsSupported:                                    SupportedClaims(config),
+		ClaimsSupported:                                    config.SupportedClaims(),
 		CodeChallengeMethodsSupported:                      CodeChallengeMethods(config),
 		UILocalesSupported:                                 config.SupportedUILocales(),
 		RequestParameterSupported:                          config.RequestObjectSupported(),
@ -88,7 +88,7 @@ func createDiscoveryConfigV2(ctx context.Context, config Configuration, storage
 		IntrospectionEndpointAuthMethodsSupported:          AuthMethodsIntrospectionEndpoint(config),
 		RevocationEndpointAuthSigningAlgValuesSupported:    RevocationSigAlgorithms(config),
 		RevocationEndpointAuthMethodsSupported:             AuthMethodsRevocationEndpoint(config),
-		ClaimsSupported:                                    SupportedClaims(config),
+		ClaimsSupported:                                    config.SupportedClaims(),
 		CodeChallengeMethodsSupported:                      CodeChallengeMethods(config),
 		UILocalesSupported:                                 config.SupportedUILocales(),
 		RequestParameterSupported:                          config.RequestObjectSupported(),
@ -213,32 +213,7 @@ func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod {
 }

 func SupportedClaims(c Configuration) []string {
-	return []string{ // TODO: config
-		"sub",
-		"aud",
-		"exp",
-		"iat",
-		"iss",
-		"auth_time",
-		"nonce",
-		"acr",
-		"amr",
-		"c_hash",
-		"at_hash",
-		"act",
-		"scopes",
-		"client_id",
-		"azp",
-		"preferred_username",
-		"name",
-		"family_name",
-		"given_name",
-		"locale",
-		"email",
-		"email_verified",
-		"phone_number",
-		"phone_number_verified",
-	}
+	return c.SupportedClaims()
 }

 func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod {
--- a/pkg/op/discovery_test.go
+++ b/pkg/op/discovery_test.go
@ -544,7 +544,11 @@ func TestSupportedClaims(t *testing.T) {
 	}{
 		{
 			"scopes",
-			args{},
+			args{func() op.Configuration {
+				m := mock.NewMockConfiguration(gomock.NewController(t))
+				m.EXPECT().SupportedClaims().Return(op.DefaultSupportedClaims)
+				return m
+			}()},
 			[]string{
 				"sub",
 				"aud",
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@ -358,6 +358,20 @@ func (mr *MockConfigurationMockRecorder) RevocationEndpointSigningAlgorithmsSupp
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RevocationEndpointSigningAlgorithmsSupported", reflect.TypeOf((*MockConfiguration)(nil).RevocationEndpointSigningAlgorithmsSupported))
 }

+// SupportedClaims mocks base method.
+func (m *MockConfiguration) SupportedClaims() []string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SupportedClaims")
+	ret0, _ := ret[0].([]string)
+	return ret0
+}
+
+// SupportedClaims indicates an expected call of SupportedClaims.
+func (mr *MockConfigurationMockRecorder) SupportedClaims() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SupportedClaims", reflect.TypeOf((*MockConfiguration)(nil).SupportedClaims))
+}
+
 // SupportedUILocales mocks base method.
 func (m *MockConfiguration) SupportedUILocales() []language.Tag {
 	m.ctrl.T.Helper()
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -45,6 +45,33 @@ var (
 		DeviceAuthorization: NewEndpoint(defaultDeviceAuthzEndpoint),
 	}

+	DefaultSupportedClaims = []string{
+		"sub",
+		"aud",
+		"exp",
+		"iat",
+		"iss",
+		"auth_time",
+		"nonce",
+		"acr",
+		"amr",
+		"c_hash",
+		"at_hash",
+		"act",
+		"scopes",
+		"client_id",
+		"azp",
+		"preferred_username",
+		"name",
+		"family_name",
+		"given_name",
+		"locale",
+		"email",
+		"email_verified",
+		"phone_number",
+		"phone_number_verified",
+	}
+
 	defaultCORSOptions = cors.Options{
 		AllowCredentials: true,
 		AllowedHeaders: []string{
@ -146,6 +173,7 @@ type Config struct {
 	GrantTypeRefreshToken    bool
 	RequestObjectSupported   bool
 	SupportedUILocales       []language.Tag
+	SupportedClaims          []string
 	DeviceAuthorization      DeviceAuthorizationConfig
 }

@ -386,6 +414,14 @@ func (o *Provider) RequestObjectSigningAlgorithmsSupported() []string {
 	return []string{"RS256"}
 }

+func (o *Provider) SupportedClaims() []string {
+	if o.config.SupportedClaims == nil {
+		return DefaultSupportedClaims
+	} else {
+		return o.config.SupportedClaims
+	}
+}
+
 func (o *Provider) SupportedUILocales() []language.Tag {
 	return o.config.SupportedUILocales
 }
--- a/pkg/op/op_test.go
+++ b/pkg/op/op_test.go
@ -30,6 +30,7 @@ var (
 		AuthMethodPrivateKeyJWT:  true,
 		GrantTypeRefreshToken:    true,
 		RequestObjectSupported:   true,
+		SupportedClaims:          op.DefaultSupportedClaims,
 		SupportedUILocales:       []language.Tag{language.English},
 		DeviceAuthorization: op.DeviceAuthorizationConfig{
 			Lifetime:     5 * time.Minute,