1518c843de
* introspect * introspect and client assertion * introspect and client assertion * scopes * token introspection * introspect * refactoring * fixes * clenaup * Update example/internal/mock/storage.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * clenaup Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
60 lines
1.3 KiB
Go
60 lines
1.3 KiB
Go
package op
|
|
|
|
import (
|
|
"errors"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
)
|
|
|
|
const OidcDevMode = "CAOS_OIDC_DEV"
|
|
|
|
type Configuration interface {
|
|
Issuer() string
|
|
AuthorizationEndpoint() Endpoint
|
|
TokenEndpoint() Endpoint
|
|
IntrospectionEndpoint() Endpoint
|
|
UserinfoEndpoint() Endpoint
|
|
EndSessionEndpoint() Endpoint
|
|
KeysEndpoint() Endpoint
|
|
|
|
AuthMethodPostSupported() bool
|
|
CodeMethodS256Supported() bool
|
|
AuthMethodPrivateKeyJWTSupported() bool
|
|
GrantTypeTokenExchangeSupported() bool
|
|
GrantTypeJWTAuthorizationSupported() bool
|
|
}
|
|
|
|
func ValidateIssuer(issuer string) error {
|
|
if issuer == "" {
|
|
return errors.New("missing issuer")
|
|
}
|
|
u, err := url.Parse(issuer)
|
|
if err != nil {
|
|
return errors.New("invalid url for issuer")
|
|
}
|
|
if u.Host == "" {
|
|
return errors.New("host for issuer missing")
|
|
}
|
|
if u.Scheme != "https" {
|
|
if !devLocalAllowed(u) {
|
|
return errors.New("scheme for issuer must be `https`")
|
|
}
|
|
}
|
|
if u.Fragment != "" || len(u.Query()) > 0 {
|
|
return errors.New("no fragments or query allowed for issuer")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func devLocalAllowed(url *url.URL) bool {
|
|
_, b := os.LookupEnv(OidcDevMode)
|
|
if !b {
|
|
return b
|
|
}
|
|
return url.Scheme == "http" &&
|
|
url.Host == "localhost" ||
|
|
url.Host == "127.0.0.1" ||
|
|
url.Host == "::1" ||
|
|
strings.HasPrefix(url.Host, "localhost:")
|
|
}
|