From 72a982911722827363b94b3308bbd9ff01abe6e4 Mon Sep 17 00:00:00 2001 From: Livio Amstutz Date: Thu, 21 Oct 2021 14:36:55 +0200 Subject: [PATCH] document discovery configuration --- pkg/oidc/discovery.go | 181 ++++++++++++++++++++++++++++++++---------- 1 file changed, 138 insertions(+), 43 deletions(-) diff --git a/pkg/oidc/discovery.go b/pkg/oidc/discovery.go index acab578..4b2c232 100644 --- a/pkg/oidc/discovery.go +++ b/pkg/oidc/discovery.go @@ -9,49 +9,144 @@ const ( ) type DiscoveryConfiguration struct { - Issuer string `json:"issuer,omitempty"` - AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"` - TokenEndpoint string `json:"token_endpoint,omitempty"` - IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"` - UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"` - RevocationEndpoint string `json:"revocation_endpoint,omitempty"` - EndSessionEndpoint string `json:"end_session_endpoint,omitempty"` - CheckSessionIframe string `json:"check_session_iframe,omitempty"` - JwksURI string `json:"jwks_uri,omitempty"` - ScopesSupported []string `json:"scopes_supported,omitempty"` - ResponseTypesSupported []string `json:"response_types_supported,omitempty"` - ResponseModesSupported []string `json:"response_modes_supported,omitempty"` - GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"` - ACRValuesSupported []string `json:"acr_values_supported,omitempty"` - SubjectTypesSupported []string `json:"subject_types_supported,omitempty"` - IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"` - IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"` - IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"` - UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"` - UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"` - UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"` - RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"` - RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"` - RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"` - TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"` - TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"` - RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"` - RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"` - IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"` - IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"` - DisplayValuesSupported []Display `json:"display_values_supported,omitempty"` - ClaimTypesSupported []string `json:"claim_types_supported,omitempty"` - ClaimsSupported []string `json:"claims_supported,omitempty"` - ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"` - CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"` - ServiceDocumentation string `json:"service_documentation,omitempty"` - ClaimsLocalesSupported []language.Tag `json:"claims_locales_supported,omitempty"` - UILocalesSupported []language.Tag `json:"ui_locales_supported,omitempty"` - RequestParameterSupported bool `json:"request_parameter_supported,omitempty"` - RequestURIParameterSupported bool `json:"request_uri_parameter_supported"` //no omitempty because: If omitted, the default value is true - RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"` - OPPolicyURI string `json:"op_policy_uri,omitempty"` - OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"` + //Issuer is the identifier of the OP and is used in the tokens as `iss` claim. + Issuer string `json:"issuer,omitempty"` + + //AuthorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start + AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"` + + //TokenEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow + TokenEndpoint string `json:"token_endpoint,omitempty"` + + //IntrospectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint. + IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"` + + //UserinfoEndpoint is the URL where an access_token can be used to retrieve the Userinfo. + UserinfoEndpoint string `json:"userinfo_endpoint,omitempty"` + + //RevocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint. + RevocationEndpoint string `json:"revocation_endpoint,omitempty"` + + //EndSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP. + EndSessionEndpoint string `json:"end_session_endpoint,omitempty"` + + //CheckSessionIframe is a URL where the OP provides an iframe that support cross-origin communications for session state information with the RP Client. + CheckSessionIframe string `json:"check_session_iframe,omitempty"` + + //JwksURI is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature. + //It may also contain the OP's encryption keys that RPs can use to encrypt request to the OP. + JwksURI string `json:"jwks_uri,omitempty"` + + //RegistrationEndpoint is the URL for the Dynamic Client Registration. + RegistrationEndpoint string `json:"registration_endpoint"` + + //ScopesSupported lists an array of supported scopes. This list must not include every supported scope by the OP. + ScopesSupported []string `json:"scopes_supported,omitempty"` + + //ResponseTypesSupported contains a list of the OAuth 2.0 response_type values that the OP supports (code, id_token, token id_token, ...). + ResponseTypesSupported []string `json:"response_types_supported,omitempty"` + + //ResponseModesSupported contains a list of the OAuth 2.0 response_mode values that the OP supports. If omitted, the default value is ["query", "fragment"]. + ResponseModesSupported []string `json:"response_modes_supported,omitempty"` + + //GrantTypesSupported contains a list of the OAuth 2.0 grant_type values that the OP supports. If omitted, the default value is ["authorization_code", "implicit"]. + GrantTypesSupported []GrantType `json:"grant_types_supported,omitempty"` + + //ACRValuesSupported contains a list of Authentication Context Class References that the OP supports. + ACRValuesSupported []string `json:"acr_values_supported,omitempty"` + + //SubjectTypesSupported contains a list of Subject Identifier types that the OP supports (pairwise, public). + SubjectTypesSupported []string `json:"subject_types_supported,omitempty"` + + //IDTokenSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for the ID Token. + IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"` + + //IDTokenEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the ID Token. + IDTokenEncryptionAlgValuesSupported []string `json:"id_token_encryption_alg_values_supported,omitempty"` + + //IDTokenEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the ID Token. + IDTokenEncryptionEncValuesSupported []string `json:"id_token_encryption_enc_values_supported,omitempty"` + + //UserinfoSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for UserInfo Endpoint. + UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported,omitempty"` + + //UserinfoEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for the UserInfo Endpoint. + UserinfoEncryptionAlgValuesSupported []string `json:"userinfo_encryption_alg_values_supported,omitempty"` + + //UserinfoEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for the UserInfo Endpoint. + UserinfoEncryptionEncValuesSupported []string `json:"userinfo_encryption_enc_values_supported,omitempty"` + + //RequestObjectSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the OP for Request Objects. + //These algorithms are used both then the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). + RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported,omitempty"` + + //RequestObjectEncryptionAlgValuesSupported contains a list of JWE encryption algorithms (alg values) supported by the OP for Request Objects. + //These algorithms are used both when the Request Object is passed by value and by reference. + RequestObjectEncryptionAlgValuesSupported []string `json:"request_object_encryption_alg_values_supported,omitempty"` + + //RequestObjectEncryptionEncValuesSupported contains a list of JWE encryption algorithms (enc values) supported by the OP for Request Objects. + //These algorithms are used both when the Request Object is passed by value and by reference. + RequestObjectEncryptionEncValuesSupported []string `json:"request_object_encryption_enc_values_supported,omitempty"` + + //TokenEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Token Endpoint. If omitted, the default is client_secret_basic. + TokenEndpointAuthMethodsSupported []AuthMethod `json:"token_endpoint_auth_methods_supported,omitempty"` + + //TokenEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Token Endpoint + //for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt. + TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"` + + //RevocationEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Revocation Endpoint. If omitted, the default is client_secret_basic. + RevocationEndpointAuthMethodsSupported []AuthMethod `json:"revocation_endpoint_auth_methods_supported,omitempty"` + + //RevocationEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint + //for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt. + RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"` + + //IntrospectionEndpointAuthMethodsSupported contains a list of Client Authentication methods supported by the Introspection Endpoint. + IntrospectionEndpointAuthMethodsSupported []AuthMethod `json:"introspection_endpoint_auth_methods_supported,omitempty"` + + //IntrospectionEndpointAuthSigningAlgValuesSupported contains a list of JWS signing algorithms (alg values) supported by the Revocation Endpoint + //for the signature of the JWT used to authenticate the Client by private_key_jwt and client_secret_jwt. + IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"` + + //DisplayValuesSupported contains a list of display parameter values that the OP supports (page, popup, touch, wap). + DisplayValuesSupported []Display `json:"display_values_supported,omitempty"` + + //ClaimTypesSupported contains a list of Claim Types that the OP supports (normal, aggregated, distributed). If omitted, the default is normal Claims. + ClaimTypesSupported []string `json:"claim_types_supported,omitempty"` + + //ClaimsSupported contains a list of Claim Names the OP may be able to supply values for. This list might not be exhaustive. + ClaimsSupported []string `json:"claims_supported,omitempty"` + + //ClaimsParameterSupported specifies whether the OP supports use of the `claims` parameter. If omitted, the default is false. + ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"` + + //CodeChallengeMethodsSupported contains a list of Proof Key for Code Exchange (PKCE) code challenge methods supported by the OP. + CodeChallengeMethodsSupported []CodeChallengeMethod `json:"code_challenge_methods_supported,omitempty"` + + //ServiceDocumentation is a URL where developers can get information about the OP and its usage. + ServiceDocumentation string `json:"service_documentation,omitempty"` + + //ClaimsLocalesSupported contains a list of BCP47 language tag values that the OP supports for values of Claims returned. + ClaimsLocalesSupported []language.Tag `json:"claims_locales_supported,omitempty"` + + //UILocalesSupported contains a list of BCP47 language tag values that the OP supports for the user interface. + UILocalesSupported []language.Tag `json:"ui_locales_supported,omitempty"` + + //RequestParameterSupported specifies whether the OP supports use of the `request` parameter. If omitted, the default value is false. + RequestParameterSupported bool `json:"request_parameter_supported,omitempty"` + + //RequestURIParameterSupported specifies whether the OP supports use of the `request_uri` parameter. If omitted, the default value is true. (therefore no omitempty) + RequestURIParameterSupported bool `json:"request_uri_parameter_supported"` + + //RequireRequestURIRegistration specifies whether the OP requires any `request_uri` to be pre-registered using the request_uris registration parameter. If omitted, the default value is false. + RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"` + + //OPPolicyURI is a URL the OP provides to the person registering the Client to read about the OP's requirements on how the RP can use the data provided by the OP. + OPPolicyURI string `json:"op_policy_uri,omitempty"` + + //OPTermsOfServiceURI is a URL the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. + OPTermsOfServiceURI string `json:"op_tos_uri,omitempty"` } type AuthMethod string