mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
6ef6d0499a
Implements Proof Key for Code Exchange for OpenID Connect Authorization Code Flow. By default this is enabled for the public client type and requires the S256 challenge method. Closes #2921
110 lines
4.0 KiB
Go
110 lines
4.0 KiB
Go
package oidc
|
|
|
|
import (
|
|
"crypto/rsa"
|
|
|
|
"github.com/ory/fosite"
|
|
"github.com/ory/fosite/handler/openid"
|
|
"github.com/ory/fosite/storage"
|
|
"github.com/ory/herodot"
|
|
"gopkg.in/square/go-jose.v2"
|
|
|
|
"github.com/authelia/authelia/v4/internal/authorization"
|
|
)
|
|
|
|
// OpenIDConnectProvider for OpenID Connect.
|
|
type OpenIDConnectProvider struct {
|
|
Fosite fosite.OAuth2Provider
|
|
Store *OpenIDConnectStore
|
|
KeyManager *KeyManager
|
|
|
|
herodot *herodot.JSONWriter
|
|
}
|
|
|
|
// OpenIDConnectStore is Authelia's internal representation of the fosite.Storage interface.
|
|
//
|
|
// Currently it is mostly just implementing a decorator pattern other then GetInternalClient.
|
|
// The long term plan is to have these methods interact with the Authelia storage and
|
|
// session providers where applicable.
|
|
type OpenIDConnectStore struct {
|
|
clients map[string]*InternalClient
|
|
memory *storage.MemoryStore
|
|
}
|
|
|
|
// InternalClient represents the client internally.
|
|
type InternalClient struct {
|
|
ID string `json:"id"`
|
|
Description string `json:"-"`
|
|
Secret []byte `json:"client_secret,omitempty"`
|
|
Public bool `json:"public"`
|
|
|
|
Policy authorization.Level `json:"-"`
|
|
|
|
Audience []string `json:"audience"`
|
|
Scopes []string `json:"scopes"`
|
|
RedirectURIs []string `json:"redirect_uris"`
|
|
GrantTypes []string `json:"grant_types"`
|
|
ResponseTypes []string `json:"response_types"`
|
|
ResponseModes []fosite.ResponseModeType `json:"response_modes"`
|
|
|
|
UserinfoSigningAlgorithm string `json:"userinfo_signed_response_alg,omitempty"`
|
|
}
|
|
|
|
// KeyManager keeps track of all of the active/inactive rsa keys and provides them to services requiring them.
|
|
// It additionally allows us to add keys for the purpose of key rotation in the future.
|
|
type KeyManager struct {
|
|
activeKeyID string
|
|
keys map[string]*rsa.PrivateKey
|
|
keySet *jose.JSONWebKeySet
|
|
strategy *RS256JWTStrategy
|
|
}
|
|
|
|
// AutheliaHasher implements the fosite.Hasher interface without an actual hashing algo.
|
|
type AutheliaHasher struct{}
|
|
|
|
// ConsentGetResponseBody schema of the response body of the consent GET endpoint.
|
|
type ConsentGetResponseBody struct {
|
|
ClientID string `json:"client_id"`
|
|
ClientDescription string `json:"client_description"`
|
|
Scopes []string `json:"scopes"`
|
|
Audience []string `json:"audience"`
|
|
}
|
|
|
|
// WellKnownConfiguration is the OIDC well known config struct.
|
|
//
|
|
// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
|
type WellKnownConfiguration struct {
|
|
Issuer string `json:"issuer"`
|
|
JWKSURI string `json:"jwks_uri"`
|
|
|
|
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
|
TokenEndpoint string `json:"token_endpoint"`
|
|
RevocationEndpoint string `json:"revocation_endpoint"`
|
|
UserinfoEndpoint string `json:"userinfo_endpoint"`
|
|
IntrospectionEndpoint string `json:"introspection_endpoint"`
|
|
|
|
Algorithms []string `json:"id_token_signing_alg_values_supported"`
|
|
UserinfoAlgorithms []string `json:"userinfo_signing_alg_values_supported"`
|
|
|
|
SubjectTypesSupported []string `json:"subject_types_supported"`
|
|
ResponseTypesSupported []string `json:"response_types_supported"`
|
|
ResponseModesSupported []string `json:"response_modes_supported"`
|
|
ScopesSupported []string `json:"scopes_supported"`
|
|
ClaimsSupported []string `json:"claims_supported"`
|
|
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
|
|
|
|
RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`
|
|
BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`
|
|
FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`
|
|
BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
|
|
FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
|
|
}
|
|
|
|
// OpenIDSession holds OIDC Session information.
|
|
type OpenIDSession struct {
|
|
*openid.DefaultSession `json:"idToken"`
|
|
|
|
Extra map[string]interface{} `json:"extra"`
|
|
ClientID string
|
|
}
|