feat: Added webfinger implementation (#3410)

Adds WebFinger endpoints to every oauth2 client Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2025-02-23 04:27:02 +01:00 · 2025-02-10 06:10:12 +00:00 · 2025-02-10 06:10:12 +00:00 · ccde675cd2
parent b96fe49b99
commit ccde675cd2
5 changed files with 168 additions and 2 deletions
--- a/book/src/integrations/oauth2.md
+++ b/book/src/integrations/oauth2.md
@ -70,6 +70,31 @@ anything special for Kanidm (or another provider).
 **Note:** some apps automatically append `/.well-known/openid-configuration` to
 the end of an OIDC Discovery URL, so you may need to omit that.

+
+<dl>
+<dt>[Webfinger](https://datatracker.ietf.org/doc/html/rfc7033) URL</dt>
+
+<dd>
+
+`https://idm.example.com/oauth2/openid/:client_id:/.well-known/webfinger`
+
+The webfinger URL is implemented for each OpenID client, under its specific endpoint, giving full control to the administrator regarding which to use.
+
+To make this compliant with the standard, it must be made available under the correct [well-known endpoint](https://datatracker.ietf.org/doc/html/rfc7033#section-10.1) (e.g `example.com/.well-known/webfinger`), typically via a reverse proxy or similar. Kanidm doesn't currently provide a mechanism for this URI rewrite.
+
+One example would be dedicating one client as the "primary" or "default" and redirecting all requests to that. Alternatively, source IP or other request metadata could be used to decide which client to forward the request to.
+
+### Caddy
+`Caddyfile`
+```caddy
+# assuming a kanidm service with domain "example.com"
+example.com {
+  redir /.well-known/webfinger https://idm.example.com/oauth2/openid/:client_id:{uri} 307
+}
+```
+**Note:** the `{uri}` is important as it preserves the original request past the redirect.
+
+
 </dd>

 <dt>
--- a/proto/src/oauth2.rs
+++ b/proto/src/oauth2.rs
@ -443,6 +443,21 @@ fn require_request_uri_parameter_supported_default() -> bool {
    false
 }

+#[derive(Serialize, Deserialize, Debug)]
+pub struct OidcWebfingerRel {
+    pub rel: String,
+    pub href: String,
+}
+
+/// The response to an Webfinger request. Only a subset of the body is defined here.
+/// <https://datatracker.ietf.org/doc/html/rfc7033#section-4.4>
+#[skip_serializing_none]
+#[derive(Serialize, Deserialize, Debug)]
+pub struct OidcWebfingerResponse {
+    pub subject: String,
+    pub links: Vec<OidcWebfingerRel>,
+}
+
 /// The response to an OpenID connect discovery request
 /// <https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>
 #[skip_serializing_none]
--- a/server/core/src/actors/v1_read.rs
+++ b/server/core/src/actors/v1_read.rs
@ -9,6 +9,7 @@ use kanidm_proto::internal::{
    IdentifyUserRequest, IdentifyUserResponse, ImageValue, OperationError, RadiusAuthToken,
    SearchRequest, SearchResponse, UserAuthToken,
 };
+use kanidm_proto::oauth2::OidcWebfingerResponse;
 use kanidm_proto::v1::{
    AuthIssueSession, AuthRequest, Entry as ProtoEntry, UatStatus, UnixGroupToken, UnixUserToken,
    WhoamiResponse,
@ -1509,6 +1510,21 @@ impl QueryServerReadV1 {
        idms_prox_read.oauth2_openid_discovery(&client_id)
    }

+    #[instrument(
+        level = "info",
+        skip_all,
+        fields(uuid = ?eventid)
+    )]
+    pub async fn handle_oauth2_webfinger_discovery(
+        &self,
+        client_id: &str,
+        resource_id: &str,
+        eventid: Uuid,
+    ) -> Result<OidcWebfingerResponse, OperationError> {
+        let mut idms_prox_read = self.idms.proxy_read().await?;
+        idms_prox_read.oauth2_openid_webfinger(client_id, resource_id)
+    }
+
    #[instrument(
        level = "info",
        skip_all,
--- a/server/core/src/https/oauth2.rs
+++ b/server/core/src/https/oauth2.rs
@ -513,7 +513,7 @@ pub async fn oauth2_token_post(
    }
 }

-// // For future openid integration
+// For future openid integration
 pub async fn oauth2_openid_discovery_get(
    State(state): State<ServerState>,
    Path(client_id): Path<String>,
@ -538,6 +538,46 @@ pub async fn oauth2_openid_discovery_get(
    }
 }

+#[derive(Deserialize)]
+pub struct Oauth2OpenIdWebfingerQuery {
+    resource: String,
+}
+
+pub async fn oauth2_openid_webfinger_get(
+    State(state): State<ServerState>,
+    Path(client_id): Path<String>,
+    Query(query): Query<Oauth2OpenIdWebfingerQuery>,
+    Extension(kopid): Extension<KOpId>,
+) -> impl IntoResponse {
+    let Oauth2OpenIdWebfingerQuery { resource } = query;
+
+    let cleaned_resource = resource.strip_prefix("acct:").unwrap_or(&resource);
+
+    let res = state
+        .qe_r_ref
+        .handle_oauth2_webfinger_discovery(&client_id, cleaned_resource, kopid.eventid)
+        .await;
+
+    match res {
+        Ok(mut dsc) => (
+            StatusCode::OK,
+            [
+                (ACCESS_CONTROL_ALLOW_ORIGIN, "*"),
+                (CONTENT_TYPE, "application/jrd+json"),
+            ],
+            Json({
+                dsc.subject = resource;
+                dsc
+            }),
+        )
+            .into_response(),
+        Err(e) => {
+            error!(err = ?e, "Unable to access discovery info");
+            WebError::from(e).response_with_access_control_origin_header()
+        }
+    }
+}
+
 pub async fn oauth2_rfc8414_metadata_get(
    State(state): State<ServerState>,
    Path(client_id): Path<String>,
@ -770,6 +810,10 @@ pub fn route_setup(state: ServerState) -> Router<ServerState> {
            "/oauth2/openid/:client_id/.well-known/openid-configuration",
            get(oauth2_openid_discovery_get).options(oauth2_preflight_options),
        )
+        .route(
+            "/oauth2/openid/:client_id/.well-known/webfinger",
+            get(oauth2_openid_webfinger_get).options(oauth2_preflight_options),
+        )
        // // ⚠️  ⚠️   WARNING  ⚠️  ⚠️
        // // IF YOU CHANGE THESE VALUES YOU MUST UPDATE OIDC DISCOVERY URLS
        .route(
--- a/server/lib/src/idm/oauth2.rs
+++ b/server/lib/src/idm/oauth2.rs
@ -32,7 +32,7 @@ pub use kanidm_proto::oauth2::{
    AccessTokenIntrospectRequest, AccessTokenIntrospectResponse, AccessTokenRequest,
    AccessTokenResponse, AuthorisationRequest, CodeChallengeMethod, ErrorResponse, GrantTypeReq,
    OAuth2RFC9068Token, OAuth2RFC9068TokenExtensions, Oauth2Rfc8414MetadataResponse,
-    OidcDiscoveryResponse, PkceAlg, TokenRevokeRequest,
+    OidcDiscoveryResponse, OidcWebfingerRel, OidcWebfingerResponse, PkceAlg, TokenRevokeRequest,
 };

 use kanidm_proto::oauth2::{
@ -2742,6 +2742,44 @@ impl IdmServerProxyReadTransaction<'_> {
        })
    }

+    #[instrument(level = "debug", skip_all)]
+    pub fn oauth2_openid_webfinger(
+        &mut self,
+        client_id: &str,
+        resource_id: &str,
+    ) -> Result<OidcWebfingerResponse, OperationError> {
+        let o2rs = self.oauth2rs.inner.rs_set.get(client_id).ok_or_else(|| {
+            admin_warn!(
+                "Invalid OAuth2 client_id (have you configured the OAuth2 resource server?)"
+            );
+            OperationError::NoMatchingEntries
+        })?;
+
+        let Some(spn) = PartialValue::new_spn_s(resource_id) else {
+            return Err(OperationError::NoMatchingEntries);
+        };
+
+        // Ensure that the account exists.
+        if !self
+            .qs_read
+            .internal_exists(Filter::new(f_eq(Attribute::Spn, spn)))?
+        {
+            return Err(OperationError::NoMatchingEntries);
+        }
+
+        let issuer = o2rs.iss.clone();
+
+        Ok(OidcWebfingerResponse {
+            // we set the subject to the resource_id to ensure we always send something valid back
+            // but realistically this will be overwritten on at the API layer
+            subject: resource_id.to_string(),
+            links: vec![OidcWebfingerRel {
+                rel: "http://openid.net/specs/connect/1.0/issuer".into(),
+                href: issuer.into(),
+            }],
+        })
+    }
+
    #[instrument(level = "debug", skip_all)]
    pub fn oauth2_openid_publickey(&self, client_id: &str) -> Result<JwkKeySet, OperationError> {
        let o2rs = self.oauth2rs.inner.rs_set.get(client_id).ok_or_else(|| {
@ -5434,6 +5472,34 @@ mod tests {
            .expect("Oauth2 authorisation failed");
    }

+    #[idm_test]
+    async fn test_idm_oauth2_webfinger(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
+        let ct = Duration::from_secs(TEST_CURRENT_TIME);
+        let (_secret, _uat, _ident, _) =
+            setup_oauth2_resource_server_basic(idms, ct, true, false, true).await;
+        let mut idms_prox_read = idms.proxy_read().await.unwrap();
+
+        let user = "testperson1@example.com";
+
+        let webfinger = idms_prox_read
+            .oauth2_openid_webfinger("test_resource_server", user)
+            .expect("Failed to get webfinger");
+
+        assert_eq!(webfinger.subject, user);
+        assert_eq!(webfinger.links.len(), 1);
+
+        let link = &webfinger.links[0];
+        assert_eq!(link.rel, "http://openid.net/specs/connect/1.0/issuer");
+        assert_eq!(
+            link.href,
+            "https://idm.example.com/oauth2/openid/test_resource_server"
+        );
+
+        let failed_webfinger = idms_prox_read
+            .oauth2_openid_webfinger("test_resource_server", "someone@another.domain");
+        assert!(failed_webfinger.is_err());
+    }
+
    #[idm_test]
    async fn test_idm_oauth2_openid_legacy_crypto(
        idms: &IdmServer,