chore: document standard deviation when using globs

add example on how to toggle the underlying
client implementation based on DevMode.
Tim Möhlmann 2023-03-17 08:28:28 +02:00
parent b184713eb9
commit 82c1eefe72
3 changed files with 32 additions and 11 deletions


@ -32,6 +32,8 @@ type Client struct {
devMode bool
idTokenUserinfoClaimsAssertion bool
clockSkew time.Duration
postLogoutRedirectURIGlobs []string
redirectURIGlobs []string
}
// GetID must return the client_id
@ -44,21 +46,11 @@ func (c *Client) RedirectURIs() []string {
return c.redirectURIs
}
// RedirectURIGlobs provide wildcarding for additional valid redirects
func (c *Client) RedirectURIGlobs() []string {
return nil
}
// PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for sign-outs
func (c *Client) PostLogoutRedirectURIs() []string {
return []string{}
}
// PostLogoutRedirectURIGlobs provide extra wildcarding for additional valid redirects
func (c *Client) PostLogoutRedirectURIGlobs() []string {
return nil
}
// ApplicationType must return the type of the client (app, native, user agent)
func (c *Client) ApplicationType() op.ApplicationType {
return c.applicationType
@ -200,3 +192,26 @@ func WebClient(id, secret string, redirectURIs ...string) *Client {
clockSkew: 0,
}
}
type hasRedirectGlobs struct {
*Client
}
// RedirectURIGlobs provide wildcarding for additional valid redirects
func (c hasRedirectGlobs) RedirectURIGlobs() []string {
return c.redirectURIGlobs
}
// PostLogoutRedirectURIGlobs provide extra wildcarding for additional valid redirects
func (c hasRedirectGlobs) PostLogoutRedirectURIGlobs() []string {
return c.postLogoutRedirectURIGlobs
}
// RedirectGlobsClient wraps the client in a op.HasRedirectGlobs
// only if DevMode is enabled.
func RedirectGlobsClient(client *Client) op.Client {
if client.devMode {
return hasRedirectGlobs{client}
}
return client
}
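Review bot: The glob accessors on hasRedirectGlobs (RedirectURIGlobs and PostLogoutRedirectURIGlobs in the third hunk) return the stored lists unconditionally, so the DevMode condition lives only in RedirectGlobsClient and any code that constructs a hasRedirectGlobs value directly bypasses it. Re-checking the flag inside the accessors keeps the condition local to the type that exposes the globs: `if !c.devMode { return nil }` as the first line of each method, followed by the existing return. The new hasRedirectGlobs type also has no doc comment; I would add `// hasRedirectGlobs exposes the redirect URI globs of the embedded *Client; see RedirectGlobsClient for the DevMode condition.` above it. Because the wrapper is a distinct unexported type, any caller that type-asserts an op.Client back to *Client would presumably stop matching for DevMode clients — worth confirming across the rest of the example storage, which is outside this hunk.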


@ -418,7 +418,7 @@ func (s *Storage) GetClientByClientID(ctx context.Context, clientID string) (op.
if !ok {
return nil, fmt.Errorf("client not found")
}
return client, nil
return RedirectGlobsClient(client), nil
}
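Review bot: The new return line widens what the storage hands back without saying so at the call site: for a client with DevMode enabled the value is now the hasRedirectGlobs wrapper rather than *Client, and glob-based redirect matching becomes active. A one-line comment above the return keeps the security-relevant condition visible where it is applied: `// RedirectGlobsClient enables glob-based redirect matching only when the client has DevMode set.` Any code elsewhere in the storage that type-asserts the returned op.Client to *Client would presumably no longer match for such clients; I could not verify that from this hunk. GetClientByClientID begins outside the hunk.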
// AuthorizeClientIDSecret implements the op.Storage interface


@ -56,6 +56,12 @@ type Client interface {
// interpretation. Redirect URIs that match either the non-glob version or the
// glob version will be accepted. Glob URIs are only partially supported for native
// clients: "http://" is not allowed except for loopback or in dev mode.
//
// Note that globbing / wildcards are not permitted by the oidc
// standard and implementing this interface can have security implications.
// It is advised to only return a client of this type in rare cases,
// such as DevMode for the client being enabled.
// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type HasRedirectGlobs interface {
RedirectURIGlobs() []string
PostLogoutRedirectURIGlobs() []string
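Review bot: The added note says implementing the interface "can have security implications" without naming the risk, which is what a reader deciding whether to implement it needs. I would state it concretely after the first added sentence: `// standard: a redirect_uri must match a registered URI exactly. Matching against globs weakens that check, so a redirect_uri supplied by a third party that happens to fit a glob could receive the authorization code or tokens.` The last added sentence also reads awkwardly; suggest `// It is advised to only return a client of this type in rare cases, such as when DevMode is enabled for the client.` The HasRedirectGlobs interface body continues past the end of the hunk.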