Add CORS headers to jwks and userinfo (#3283)

When using jwks from a single page application, the keys and
userinfo could not be retrieved because the responses lacked CORS headers.
This commit is contained in:
Firstyear 2024-12-13 10:23:54 +10:00 committed by GitHub
parent 60cc830ebd
commit 5dfba2a0ef
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -20,7 +20,6 @@ use axum::{
Extension, Form, Json, Router, Extension, Form, Json, Router,
}; };
use axum_macros::debug_handler; use axum_macros::debug_handler;
use compact_jwt::{JwkKeySet, OidcToken};
use kanidm_proto::constants::uri::{ use kanidm_proto::constants::uri::{
OAUTH2_AUTHORISE, OAUTH2_AUTHORISE_PERMIT, OAUTH2_AUTHORISE_REJECT, OAUTH2_AUTHORISE, OAUTH2_AUTHORISE_PERMIT, OAUTH2_AUTHORISE_REJECT,
}; };
@ -587,13 +586,13 @@ pub async fn oauth2_openid_userinfo_get(
Path(client_id): Path<String>, Path(client_id): Path<String>,
Extension(kopid): Extension<KOpId>, Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation, VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> Result<Json<OidcToken>, HTTPOauth2Error> { ) -> Response {
// The token we want to inspect is in the authorisation header. // The token we want to inspect is in the authorisation header.
let client_token = match client_auth_info.bearer_token { let client_token = match client_auth_info.bearer_token {
Some(val) => val, Some(val) => val,
None => { None => {
error!("Bearer Authentication Not Provided"); error!("Bearer Authentication Not Provided");
return Err(HTTPOauth2Error(Oauth2Error::AuthenticationRequired)); return HTTPOauth2Error(Oauth2Error::AuthenticationRequired).into_response();
} }
}; };
@ -603,8 +602,13 @@ pub async fn oauth2_openid_userinfo_get(
.await; .await;
match res { match res {
Ok(uir) => Ok(Json(uir)), Ok(uir) => (
Err(e) => Err(HTTPOauth2Error(e)), StatusCode::OK,
[(ACCESS_CONTROL_ALLOW_ORIGIN, "*")],
Json(uir),
)
.into_response(),
Err(e) => HTTPOauth2Error(e).into_response(),
} }
} }
@ -612,13 +616,18 @@ pub async fn oauth2_openid_publickey_get(
State(state): State<ServerState>, State(state): State<ServerState>,
Path(client_id): Path<String>, Path(client_id): Path<String>,
Extension(kopid): Extension<KOpId>, Extension(kopid): Extension<KOpId>,
) -> Result<Json<JwkKeySet>, WebError> { ) -> Response {
state let res = state
.qe_r_ref .qe_r_ref
.handle_oauth2_openid_publickey(client_id, kopid.eventid) .handle_oauth2_openid_publickey(client_id, kopid.eventid)
.await .await
.map(Json::from) .map(Json::from)
.map_err(WebError::from) .map_err(WebError::from);
match res {
Ok(jsn) => (StatusCode::OK, [(ACCESS_CONTROL_ALLOW_ORIGIN, "*")], jsn).into_response(),
Err(web_err) => web_err.response_with_access_control_origin_header(),
}
} }
/// This is called directly by the resource server, where we then issue /// This is called directly by the resource server, where we then issue
@ -789,7 +798,7 @@ pub fn route_setup(state: ServerState) -> Router<ServerState> {
// // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
.route( .route(
"/oauth2/openid/:client_id/public_key.jwk", "/oauth2/openid/:client_id/public_key.jwk",
get(oauth2_openid_publickey_get), get(oauth2_openid_publickey_get).options(oauth2_preflight_options),
) )
// // ⚠️ ⚠️ WARNING ⚠️ ⚠️ // // ⚠️ ⚠️ WARNING ⚠️ ⚠️
// // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OAUTH2 DISCOVERY URLS // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OAUTH2 DISCOVERY URLS