fix token revocation authentication and discovery config

2021-11-02 09:43:14 +01:00 · 2021-11-02 09:43:14 +01:00 · 4ddf7c7764
commit 4ddf7c7764
parent 162990f974
4 changed files with 74 additions and 13 deletions
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -37,10 +37,12 @@ func CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfigurati
 		TokenEndpointAuthSigningAlgValuesSupported: TokenSigAlgorithms(c),
 		IntrospectionEndpointAuthSigningAlgValuesSupported: IntrospectionSigAlgorithms(c),
 		IntrospectionEndpointAuthMethodsSupported:          AuthMethodsIntrospectionEndpoint(c),
-		ClaimsSupported:               SupportedClaims(c),
-		CodeChallengeMethodsSupported: CodeChallengeMethods(c),
-		UILocalesSupported:            c.SupportedUILocales(),
-		RequestParameterSupported:     c.RequestObjectSupported(),
+		RevocationEndpointAuthSigningAlgValuesSupported:    RevocationSigAlgorithms(c),
+		RevocationEndpointAuthMethodsSupported:             AuthMethodsRevocationEndpoint(c),
+		ClaimsSupported:                                    SupportedClaims(c),
+		CodeChallengeMethodsSupported:                      CodeChallengeMethods(c),
+		UILocalesSupported:                                 c.SupportedUILocales(),
+		RequestParameterSupported:                          c.RequestObjectSupported(),
 	}
 }

@ -150,6 +152,20 @@ func AuthMethodsIntrospectionEndpoint(c Configuration) []oidc.AuthMethod {
 	return authMethods
 }

+func AuthMethodsRevocationEndpoint(c Configuration) []oidc.AuthMethod {
+	authMethods := []oidc.AuthMethod{
+		oidc.AuthMethodNone,
+		oidc.AuthMethodBasic,
+	}
+	if c.AuthMethodPostSupported() {
+		authMethods = append(authMethods, oidc.AuthMethodPost)
+	}
+	if c.AuthMethodPrivateKeyJWTSupported() {
+		authMethods = append(authMethods, oidc.AuthMethodPrivateKeyJWT)
+	}
+	return authMethods
+}
+
 func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod {
 	codeMethods := make([]oidc.CodeChallengeMethod, 0, 1)
 	if c.CodeMethodS256Supported() {
@ -165,6 +181,13 @@ func IntrospectionSigAlgorithms(c Configuration) []string {
 	return c.IntrospectionEndpointSigningAlgorithmsSupported()
 }

+func RevocationSigAlgorithms(c Configuration) []string {
+	if !c.RevocationAuthMethodPrivateKeyJWTSupported() {
+		return nil
+	}
+	return c.RevocationEndpointSigningAlgorithmsSupported()
+}
+
 func RequestObjectSigAlgorithms(c Configuration) []string {
 	if !c.RequestObjectSupported() {
 		return nil