0f8a0585bf
* first draft of a new server interface * allow any response type * complete interface docs * refelct the format from the proposal * intermediate commit with some methods implemented * implement remaining token grant type methods * implement remaining server methods * error handling * rewrite auth request validation * define handlers, routes * input validation and concrete handlers * check if client credential client is authenticated * copy and modify the routes test for the legacy server * run integration tests against both Server and Provider * remove unuse ValidateAuthRequestV2 function * unit tests for error handling * cleanup tokenHandler * move server routest test * unit test authorize * handle client credentials in VerifyClient * change code exchange route test * finish http unit tests * review server interface docs and spelling * add withClient unit test * server options * cleanup unused GrantType method * resolve typo comments * make endpoints pointers to enable/disable them * jwt profile base work * jwt: correct the test expect --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
122 lines
3.2 KiB
Go
122 lines
3.2 KiB
Go
package op
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"golang.org/x/text/language"
|
|
)
|
|
|
|
var (
|
|
ErrInvalidIssuerPath = errors.New("no fragments or query allowed for issuer")
|
|
ErrInvalidIssuerNoIssuer = errors.New("missing issuer")
|
|
ErrInvalidIssuerURL = errors.New("invalid url for issuer")
|
|
ErrInvalidIssuerMissingHost = errors.New("host for issuer missing")
|
|
ErrInvalidIssuerHTTPS = errors.New("scheme for issuer must be `https`")
|
|
)
|
|
|
|
type Configuration interface {
|
|
IssuerFromRequest(r *http.Request) string
|
|
Insecure() bool
|
|
AuthorizationEndpoint() *Endpoint
|
|
TokenEndpoint() *Endpoint
|
|
IntrospectionEndpoint() *Endpoint
|
|
UserinfoEndpoint() *Endpoint
|
|
RevocationEndpoint() *Endpoint
|
|
EndSessionEndpoint() *Endpoint
|
|
KeysEndpoint() *Endpoint
|
|
DeviceAuthorizationEndpoint() *Endpoint
|
|
|
|
AuthMethodPostSupported() bool
|
|
CodeMethodS256Supported() bool
|
|
AuthMethodPrivateKeyJWTSupported() bool
|
|
TokenEndpointSigningAlgorithmsSupported() []string
|
|
GrantTypeRefreshTokenSupported() bool
|
|
GrantTypeTokenExchangeSupported() bool
|
|
GrantTypeJWTAuthorizationSupported() bool
|
|
GrantTypeClientCredentialsSupported() bool
|
|
GrantTypeDeviceCodeSupported() bool
|
|
IntrospectionAuthMethodPrivateKeyJWTSupported() bool
|
|
IntrospectionEndpointSigningAlgorithmsSupported() []string
|
|
RevocationAuthMethodPrivateKeyJWTSupported() bool
|
|
RevocationEndpointSigningAlgorithmsSupported() []string
|
|
RequestObjectSupported() bool
|
|
RequestObjectSigningAlgorithmsSupported() []string
|
|
|
|
SupportedUILocales() []language.Tag
|
|
DeviceAuthorization() DeviceAuthorizationConfig
|
|
}
|
|
|
|
type IssuerFromRequest func(r *http.Request) string
|
|
|
|
func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error) {
|
|
return func(allowInsecure bool) (IssuerFromRequest, error) {
|
|
issuerPath, err := url.Parse(path)
|
|
if err != nil {
|
|
return nil, ErrInvalidIssuerURL
|
|
}
|
|
if err := ValidateIssuerPath(issuerPath); err != nil {
|
|
return nil, err
|
|
}
|
|
return func(r *http.Request) string {
|
|
return dynamicIssuer(r.Host, path, allowInsecure)
|
|
}, nil
|
|
}
|
|
}
|
|
|
|
func StaticIssuer(issuer string) func(bool) (IssuerFromRequest, error) {
|
|
return func(allowInsecure bool) (IssuerFromRequest, error) {
|
|
if err := ValidateIssuer(issuer, allowInsecure); err != nil {
|
|
return nil, err
|
|
}
|
|
return func(_ *http.Request) string {
|
|
return issuer
|
|
}, nil
|
|
}
|
|
}
|
|
|
|
func ValidateIssuer(issuer string, allowInsecure bool) error {
|
|
if issuer == "" {
|
|
return ErrInvalidIssuerNoIssuer
|
|
}
|
|
u, err := url.Parse(issuer)
|
|
if err != nil {
|
|
return ErrInvalidIssuerURL
|
|
}
|
|
if u.Host == "" {
|
|
return ErrInvalidIssuerMissingHost
|
|
}
|
|
if u.Scheme != "https" {
|
|
if !devLocalAllowed(u, allowInsecure) {
|
|
return ErrInvalidIssuerHTTPS
|
|
}
|
|
}
|
|
return ValidateIssuerPath(u)
|
|
}
|
|
|
|
func ValidateIssuerPath(issuer *url.URL) error {
|
|
if issuer.Fragment != "" || len(issuer.Query()) > 0 {
|
|
return ErrInvalidIssuerPath
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func devLocalAllowed(url *url.URL, allowInsecure bool) bool {
|
|
if !allowInsecure {
|
|
return false
|
|
}
|
|
return url.Scheme == "http"
|
|
}
|
|
|
|
func dynamicIssuer(issuer, path string, allowInsecure bool) string {
|
|
schema := "https"
|
|
if allowInsecure {
|
|
schema = "http"
|
|
}
|
|
if len(path) > 0 && !strings.HasPrefix(path, "/") {
|
|
path = "/" + path
|
|
}
|
|
return schema + "://" + issuer + path
|
|
}
|