introspect and client assertion

pkg/op/authrequest.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/gorilla/mux"
 
@@ -12,6 +13,23 @@ import (
 	"github.com/caos/oidc/pkg/utils"
 )
 
+type AuthRequest interface {
+	GetID() string
+	GetACR() string
+	GetAMR() []string
+	GetAudience() []string
+	GetAuthTime() time.Time
+	GetClientID() string
+	GetCodeChallenge() *oidc.CodeChallenge
+	GetNonce() string
+	GetRedirectURI() string
+	GetResponseType() oidc.ResponseType
+	GetScopes() []string
+	GetState() string
+	GetSubject() string
+	Done() bool
+}
+
 type Authorizer interface {
 	Storage() Storage
 	Decoder() utils.Decoder

pkg/op/discovery.go

@@ -122,10 +122,10 @@ func AuthMethods(c Configuration) []oidc.AuthMethod {
 	return authMethods
 }
 
-func CodeChallengeMethods(c Configuration) []string {
-	codeMethods := make([]string, 0, 1)
+func CodeChallengeMethods(c Configuration) []oidc.CodeChallengeMethod {
+	codeMethods := make([]oidc.CodeChallengeMethod, 0, 1)
 	if c.CodeMethodS256Supported() {
-		codeMethods = append(codeMethods, CodeMethodS256)
+		codeMethods = append(codeMethods, oidc.CodeChallengeMethodS256)
 	}
 	return codeMethods
 }

pkg/op/discovery_test.go

@@ -215,7 +215,7 @@ func Test_AuthMethods(t *testing.T) {
 				m.EXPECT().AuthMethodPostSupported().Return(false)
 				return m
 			}()},
-			[]string{string(op.AuthMethodBasic)},
+			[]string{string(oidc.AuthMethodBasic)},
 		},
 		{
 			"basic and post",
@@ -223,7 +223,7 @@ func Test_AuthMethods(t *testing.T) {
 				m.EXPECT().AuthMethodPostSupported().Return(true)
 				return m
 			}()},
-			[]string{string(op.AuthMethodBasic), string(op.AuthMethodPost)},
+			[]string{string(oidc.AuthMethodBasic), string(oidc.AuthMethodPost)},
 		},
 	}
 	for _, tt := range tests {

pkg/op/op.go

@@ -17,27 +17,27 @@ import (
 )
 
 const (
-	healthzEndpoint              = "/healthz"
+	healthEndpoint               = "/healthz"
 	readinessEndpoint            = "/ready"
 	defaultAuthorizationEndpoint = "authorize"
-	defaulTokenEndpoint          = "oauth/token"
+	defaultTokenEndpoint         = "oauth/token"
 	defaultIntrospectEndpoint    = "oauth/introspect"
 	defaultUserinfoEndpoint      = "userinfo"
 	defaultEndSessionEndpoint    = "end_session"
 	defaultKeysEndpoint          = "keys"
 
-	AuthMethodBasic         AuthMethod = "client_secret_basic"
-	AuthMethodPost          AuthMethod = "client_secret_post"
-	AuthMethodNone          AuthMethod = "none"
-	AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
+	//AuthMethodBasic         AuthMethod = "client_secret_basic"
+	//AuthMethodPost          AuthMethod = "client_secret_post"
+	//AuthMethodNone          AuthMethod = "none"
+	//AuthMethodPrivateKeyJWT AuthMethod = "private_key_jwt"
 
-	CodeMethodS256 = "S256"
+	//CodeMethodS256 = "S256"
 )
 
 var (
 	DefaultEndpoints = &endpoints{
 		Authorization: NewEndpoint(defaultAuthorizationEndpoint),
-		Token:         NewEndpoint(defaulTokenEndpoint),
+		Token:         NewEndpoint(defaultTokenEndpoint),
 		Introspection: NewEndpoint(defaultIntrospectEndpoint),
 		Userinfo:      NewEndpoint(defaultUserinfoEndpoint),
 		EndSession:    NewEndpoint(defaultEndSessionEndpoint),
@@ -73,7 +73,7 @@ func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
 		handlers.AllowedHeaders([]string{"authorization", "content-type"}),
 		handlers.AllowedOriginValidator(allowAllOrigins),
 	))
-	router.HandleFunc(healthzEndpoint, healthzHandler)
+	router.HandleFunc(healthEndpoint, healthHandler)
 	router.HandleFunc(readinessEndpoint, readyHandler(o.Probes()))
 	router.HandleFunc(oidc.DiscoveryEndpoint, discoveryHandler(o, o.Signer()))
 	router.Handle(o.AuthorizationEndpoint().Relative(), intercept(authorizeHandler(o)))

pkg/op/probes.go

@@ -10,7 +10,7 @@ import (
 
 type ProbesFn func(context.Context) error
 
-func healthzHandler(w http.ResponseWriter, r *http.Request) {
+func healthHandler(w http.ResponseWriter, r *http.Request) {
 	ok(w)
 }
 

pkg/op/storage.go

@@ -50,23 +50,6 @@ type StorageNotFoundError interface {
 	IsNotFound()
 }
 
-type AuthRequest interface {
-	GetID() string
-	GetACR() string
-	GetAMR() []string
-	GetAudience() []string
-	GetAuthTime() time.Time
-	GetClientID() string
-	GetCodeChallenge() *oidc.CodeChallenge
-	GetNonce() string
-	GetRedirectURI() string
-	GetResponseType() oidc.ResponseType
-	GetScopes() []string
-	GetState() string
-	GetSubject() string
-	Done() bool
-}
-
 type EndSessionRequest struct {
 	UserID      string
 	Client      Client

pkg/op/tokenrequest.go

@@ -7,7 +7,6 @@ import (
 	"net/url"
 
 	"github.com/caos/oidc/pkg/oidc"
-	"github.com/caos/oidc/pkg/oidc/grants/tokenexchange"
 	"github.com/caos/oidc/pkg/utils"
 )
 
@@ -203,12 +202,12 @@ func JWTProfile(w http.ResponseWriter, r *http.Request, exchanger JWTAuthorizati
 	utils.MarshalJSON(w, resp)
 }
 
-func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*tokenexchange.JWTProfileRequest, error) {
+func ParseJWTProfileRequest(r *http.Request, decoder utils.Decoder) (*oidc.JWTProfileGrantRequest, error) {
 	err := r.ParseForm()
 	if err != nil {
 		return nil, ErrInvalidRequest("error parsing form")
 	}
-	tokenReq := new(tokenexchange.JWTProfileRequest)
+	tokenReq := new(oidc.JWTProfileGrantRequest)
 	err = decoder.Decode(tokenReq, r.Form)
 	if err != nil {
 		return nil, ErrInvalidRequest("error decoding form")

pkg/op/verifier_jwt_profile.go

@@ -70,7 +70,7 @@ func VerifyJWTAssertion(ctx context.Context, assertion string, v JWTProfileVerif
 		//TODO: implement delegation (openid core / oauth rfc)
 	}
 
-	keySet := &jwtProfileKeySet{v.Storage(), request.Subject}
+	keySet := &jwtProfileKeySet{v.Storage(), request.Issuer}
 
 	if err = oidc.CheckSignature(ctx, assertion, payload, request, nil, keySet); err != nil {
 		return nil, err