Exemple #1
0
func (op *OIDCProvider) FetchCustomProviderConfig(discoveryURL string) (*oidc.ProviderConfig, error) {

	var customConfig OidcProviderConfiguration

	// If discovery URL is empty, use the standard discovery URL
	if discoveryURL == "" {
		discoveryURL = strings.TrimSuffix(op.Issuer, "/") + discoveryConfigPath
	}

	base.LogTo("OIDC+", "Fetching custom provider config from %s", discoveryURL)
	req, err := http.NewRequest("GET", discoveryURL, nil)
	if err != nil {
		base.LogTo("OIDC+", "Error building new request for URL %s: %v", discoveryURL, err)
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		base.LogTo("OIDC+", "Error invoking calling discovery URL %s: %v", discoveryURL, err)
		return nil, err
	}
	defer resp.Body.Close()
	if err := json.NewDecoder(resp.Body).Decode(&customConfig); err != nil {
		base.LogTo("OIDC+", "Error parsing body %s: %v", discoveryURL, err)
		return nil, err
	}

	var oidcConfig oidc.ProviderConfig
	oidcConfig, err = customConfig.AsProviderConfig()
	if err != nil {
		base.LogTo("OIDC+", "Error invoking calling discovery URL %s: %v", discoveryURL, err)
		return nil, err
	}

	// Set expiry on config, if defined in response header
	var ttl time.Duration
	var ok bool
	ttl, ok, err = phttp.Cacheable(resp.Header)
	if err != nil {
		return nil, err
	} else if ok {
		oidcConfig.ExpiresAt = time.Now().UTC().Add(ttl)
	}

	base.LogTo("OIDC+", "Returning config: %v", oidcConfig)
	return &oidcConfig, nil

}
Exemple #2
0
func (s *Server) ProviderConfig() oidc.ProviderConfig {
	authEndpoint := s.absURL(httpPathAuth)
	tokenEndpoint := s.absURL(httpPathToken)
	keysEndpoint := s.absURL(httpPathKeys)
	cfg := oidc.ProviderConfig{
		Issuer:        &s.IssuerURL,
		AuthEndpoint:  &authEndpoint,
		TokenEndpoint: &tokenEndpoint,
		KeysEndpoint:  &keysEndpoint,

		GrantTypesSupported:               []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeClientCreds},
		ResponseTypesSupported:            []string{"code"},
		SubjectTypesSupported:             []string{"public"},
		IDTokenSigningAlgValues:           []string{"RS256"},
		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
	}

	if s.EnableClientRegistration {
		regEndpoint := s.absURL(httpPathClientRegistration)
		cfg.RegistrationEndpoint = &regEndpoint
	}

	return cfg
}