Merge branch 'main' into main-to-next

2023-04-18 12:32:04 +03:00 · 2023-04-18 12:32:04 +03:00 · 8dff7ddee0
commit 8dff7ddee0
parent 312c2a07e2 7aa96feb6a
27 changed files with 308 additions and 146 deletions
--- a/example/server/exampleop/op.go
+++ b/example/server/exampleop/op.go
@ -108,7 +108,7 @@ func newOP(storage op.Storage, issuer string, key [32]byte) (op.OpenIDProvider,
 		DeviceAuthorization: op.DeviceAuthorizationConfig{
 			Lifetime:     5 * time.Minute,
 			PollInterval: 5 * time.Second,
-			UserFormURL:  issuer + "device",
+			UserFormPath: "/device",
 			UserCode:     op.UserCodeBase20,
 		},
 	}
--- a/example/server/storage/client.go
+++ b/example/server/storage/client.go
@ -32,6 +32,8 @@ type Client struct {
 	devMode                        bool
 	idTokenUserinfoClaimsAssertion bool
 	clockSkew                      time.Duration
+	postLogoutRedirectURIGlobs     []string
+	redirectURIGlobs               []string
 }

 // GetID must return the client_id
@ -44,21 +46,11 @@ func (c *Client) RedirectURIs() []string {
 	return c.redirectURIs
 }

-// RedirectURIGlobs provide wildcarding for additional valid redirects
-func (c *Client) RedirectURIGlobs() []string {
-	return nil
-}
-
 // PostLogoutRedirectURIs must return the registered post_logout_redirect_uris for sign-outs
 func (c *Client) PostLogoutRedirectURIs() []string {
 	return []string{}
 }

-// PostLogoutRedirectURIGlobs provide extra wildcarding for additional valid redirects
-func (c *Client) PostLogoutRedirectURIGlobs() []string {
-	return nil
-}
-
 // ApplicationType must return the type of the client (app, native, user agent)
 func (c *Client) ApplicationType() op.ApplicationType {
 	return c.applicationType
@ -200,3 +192,26 @@ func WebClient(id, secret string, redirectURIs ...string) *Client {
 		clockSkew:                      0,
 	}
 }
+
+type hasRedirectGlobs struct {
+	*Client
+}
+
+// RedirectURIGlobs provide wildcarding for additional valid redirects
+func (c hasRedirectGlobs) RedirectURIGlobs() []string {
+	return c.redirectURIGlobs
+}
+
+// PostLogoutRedirectURIGlobs provide extra wildcarding for additional valid redirects
+func (c hasRedirectGlobs) PostLogoutRedirectURIGlobs() []string {
+	return c.postLogoutRedirectURIGlobs
+}
+
+// RedirectGlobsClient wraps the client in a op.HasRedirectGlobs
+// only if DevMode is enabled.
+func RedirectGlobsClient(client *Client) op.Client {
+	if client.devMode {
+		return hasRedirectGlobs{client}
+	}
+	return client
+}
--- a/example/server/storage/storage.go
+++ b/example/server/storage/storage.go
@ -418,7 +418,7 @@ func (s *Storage) GetClientByClientID(ctx context.Context, clientID string) (op.
 	if !ok {
 		return nil, fmt.Errorf("client not found")
 	}
-	return client, nil
+	return RedirectGlobsClient(client), nil
 }

 // AuthorizeClientIDSecret implements the op.Storage interface
@ -438,10 +438,17 @@ func (s *Storage) AuthorizeClientIDSecret(ctx context.Context, clientID, clientS
 	return nil
 }

-// SetUserinfoFromScopes implements the op.Storage interface
-// it will be called for the creation of an id_token, so we'll just pass it to the private function without any further check
+// SetUserinfoFromScopes implements the op.Storage interface.
+// Provide an empty implementation and use SetUserinfoFromRequest instead.
 func (s *Storage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error {
-	return s.setUserinfo(ctx, userinfo, userID, clientID, scopes)
+	return nil
+}
+
+// SetUserinfoFromRequests implements the op.CanSetUserinfoFromRequest interface.  In the
+// next major release, it will be required for op.Storage.
+// It will be called for the creation of an id_token, so we'll just pass it to the private function without any further check
+func (s *Storage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error {
+	return s.setUserinfo(ctx, userinfo, token.GetSubject(), token.GetClientID(), scopes)
 }

 // SetUserinfoFromToken implements the op.Storage interface
--- a/example/server/storage/storage_dynamic.go
+++ b/example/server/storage/storage_dynamic.go
@ -196,8 +196,8 @@ func (s *multiStorage) AuthorizeClientIDSecret(ctx context.Context, clientID, cl
 	return storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
 }

-// SetUserinfoFromScopes implements the op.Storage interface
-// it will be called for the creation of an id_token, so we'll just pass it to the private function without any further check
+// SetUserinfoFromScopes implements the op.Storage interface.
+// Provide an empty implementation and use SetUserinfoFromRequest instead.
 func (s *multiStorage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc.UserInfo, userID, clientID string, scopes []string) error {
 	storage, err := s.storageFromContext(ctx)
 	if err != nil {
@ -206,6 +206,17 @@ func (s *multiStorage) SetUserinfoFromScopes(ctx context.Context, userinfo *oidc
 	return storage.SetUserinfoFromScopes(ctx, userinfo, userID, clientID, scopes)
 }

+// SetUserinfoFromRequests implements the op.CanSetUserinfoFromRequest interface.  In the
+// next major release, it will be required for op.Storage.
+// It will be called for the creation of an id_token, so we'll just pass it to the private function without any further check
+func (s *multiStorage) SetUserinfoFromRequest(ctx context.Context, userinfo *oidc.UserInfo, token op.IDTokenRequest, scopes []string) error {
+	storage, err := s.storageFromContext(ctx)
+	if err != nil {
+		return err
+	}
+	return storage.SetUserinfoFromRequest(ctx, userinfo, token, scopes)
+}
+
 // SetUserinfoFromToken implements the op.Storage interface
 // it will be called for the userinfo endpoint, so we read the token and pass the information from that to the private function
 func (s *multiStorage) SetUserinfoFromToken(ctx context.Context, userinfo *oidc.UserInfo, tokenID, subject, origin string) error {