Add rfc7009 and rfc7662 metadata to oidc discovery (#3046)

This commit is contained in:
Firstyear 2024-09-17 13:35:43 +10:00 committed by GitHub
parent 4cbec48307
commit 6065f2db60
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 64 additions and 1 deletions


@ -433,6 +433,21 @@ pub struct OidcDiscoveryResponse {
pub require_request_uri_registration: bool, pub require_request_uri_registration: bool,
pub code_challenge_methods_supported: Vec<PkceAlg>, pub code_challenge_methods_supported: Vec<PkceAlg>,
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
// "content type that contains a set of Claims as its members that are a subset of the Metadata
// values defined in Section 3. Other Claims MAY also be returned. "
//
// In addition, we also return the following claims in kanidm
// rfc7009
pub revocation_endpoint: Option<Url>,
pub revocation_endpoint_auth_methods_supported: Vec<TokenEndpointAuthMethod>,
// rfc7662
pub introspection_endpoint: Option<Url>,
pub introspection_endpoint_auth_methods_supported: Vec<TokenEndpointAuthMethod>,
pub introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<IdTokenSignAlg>>,
} }
/// The response to an OAuth2 rfc8414 metadata request /// The response to an OAuth2 rfc8414 metadata request
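Review bot: The new fields are documented with plain `//` comments, so none of it reaches rustdoc for this `pub` struct, and the attribution is slightly off — the `revocation_endpoint*` and `introspection_endpoint*` metadata names are defined by RFC 8414 §2 (RFCs 7009 and 7662 define the endpoints themselves, not the discovery parameters). Consider `///` doc comments per field, e.g. `/// Token revocation endpoint (RFC 7009), advertised as RFC 8414 §2 metadata.` above `revocation_endpoint`. RFC 8414 also defines `revocation_endpoint_auth_signing_alg_values_supported`, the counterpart of the introspection field added on the last line, which may be worth adding for symmetry. Whether these `Option` fields serialize as `null` or are skipped when `None` depends on the struct's serde attributes, which sit outside the hunk.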


@ -2473,6 +2473,20 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
Vec::with_capacity(0) Vec::with_capacity(0)
}; };
// The following are extensions allowed by the oidc specification.
let revocation_endpoint = Some(o2rs.revocation_endpoint.clone());
let revocation_endpoint_auth_methods_supported = vec![
TokenEndpointAuthMethod::ClientSecretBasic,
TokenEndpointAuthMethod::ClientSecretPost,
];
let introspection_endpoint = Some(o2rs.introspection_endpoint.clone());
let introspection_endpoint_auth_methods_supported = vec![
TokenEndpointAuthMethod::ClientSecretBasic,
TokenEndpointAuthMethod::ClientSecretPost,
];
Ok(OidcDiscoveryResponse { Ok(OidcDiscoveryResponse {
issuer, issuer,
authorization_endpoint, authorization_endpoint,
@ -2513,6 +2527,12 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
op_policy_uri: None, op_policy_uri: None,
op_tos_uri: None, op_tos_uri: None,
code_challenge_methods_supported, code_challenge_methods_supported,
// Extensions
revocation_endpoint,
revocation_endpoint_auth_methods_supported,
introspection_endpoint,
introspection_endpoint_auth_methods_supported,
introspection_endpoint_auth_signing_alg_values_supported: None,
}) })
} }
@ -4481,7 +4501,35 @@ mod tests {
assert_eq!( assert_eq!(
discovery.code_challenge_methods_supported, discovery.code_challenge_methods_supported,
vec![PkceAlg::S256] vec![PkceAlg::S256]
) );
// Extensions
assert!(
discovery.revocation_endpoint
== Some(Url::parse("https://idm.example.com/oauth2/token/revoke").unwrap())
);
assert!(
discovery.revocation_endpoint_auth_methods_supported
== vec![
TokenEndpointAuthMethod::ClientSecretBasic,
TokenEndpointAuthMethod::ClientSecretPost
]
);
assert!(
discovery.introspection_endpoint
== Some(Url::parse("https://idm.example.com/oauth2/token/introspect").unwrap())
);
assert!(
discovery.introspection_endpoint_auth_methods_supported
== vec![
TokenEndpointAuthMethod::ClientSecretBasic,
TokenEndpointAuthMethod::ClientSecretPost
]
);
assert!(discovery
.introspection_endpoint_auth_signing_alg_values_supported
.is_none());
} }
#[idm_test] #[idm_test]
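Review bot: `revocation_endpoint_auth_methods_supported` and `introspection_endpoint_auth_methods_supported` in the first hunk are built from two identical hard-coded `vec![]` literals and always advertise `client_secret_basic`/`client_secret_post` regardless of what `o2rs` is; if a resource server can be a public (PKCE-only) client without a secret, the advertised methods would not match what the endpoints actually accept, so it is worth confirming the revocation and introspection endpoints enforce their own client-authentication policy rather than relying on the advertisement. Deduplicating also keeps the two lists from drifting: `let endpoint_auth_methods = vec![TokenEndpointAuthMethod::ClientSecretBasic, TokenEndpointAuthMethod::ClientSecretPost];` then `let revocation_endpoint_auth_methods_supported = endpoint_auth_methods.clone();` and reuse it for introspection. The enclosing function starts before the first hunk. In the test hunk, `assert!(a == b)` hides the actual values on failure; `assert_eq!` would report both sides.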