Support Oauth2 discoveryHEAD master

author: Mike Crute <mike@crute.us> 2023-09-07 11:27:41 -0700
committer: Mike Crute <mike@crute.us> 2023-09-07 11:27:46 -0700
commit: 691d7abfdf5e8aa057483a1eb4340c71e45253de (patch)
tree: b816fa567344aaf9529cfaa24031502bb0fcad6f /app
parent: cc8afd651957d7409868fc1d7bde599af188d8cd (diff)
download: websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.tar.bz2
websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.tar.xz
websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.zip
2 files changed, 74 insertions, 0 deletions
diff --git a/app/controllers/oauth2_discovery.go b/app/controllers/oauth2_discovery.go
new file mode 100644
index 0000000..15528e6
--- /dev/null
+++ b/app/controllers/oauth2_discovery.go
@@ -0,0 +1,27 @@
+package controllers
+import (
+        "fmt"
+        "net/http"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/labstack/echo/v4"
+)
+type Oauth2DiscoveryController struct {
+        Hostname string
+}
+func (d *Oauth2DiscoveryController) Handle(c echo.Context) error {
+        return c.JSON(http.StatusOK, models.OauthDiscoveryMetadata{
+                Issuer:                        d.Hostname,
+                AuthorizationEndpoint:         fmt.Sprintf("%s/auth/login", d.Hostname), // Not really supported here
+                TokenEndpoint:                 fmt.Sprintf("%s/auth/token", d.Hostname),
+                DeviceAuthorizationEndpoint:   fmt.Sprintf("%s/auth/device", d.Hostname),
+                SupportedResponseTypes:        []string{models.ResponseTypeCode},
+                SupportedGrantTypes:           []string{models.GrantTypeDevice},
+                SupportedResponseModes:        []string{models.ResponseModeQuery},
+                SupportedUILocales:            []string{"en-us"},
+                SupportedChallengeCodeMethods: []string{models.ChallengeTypeSHA256},
+        })
+}
diff --git a/app/models/oauth2.go b/app/models/oauth2.go
index 9bfde0a..65d37d4 100644
--- a/app/models/oauth2.go
+++ b/app/models/oauth2.go
@@ -101,3 +101,50 @@ func (c *PKCEChallenge) Challenge() string {
 func (c *PKCEChallenge) EqualString(o string) bool {
        return subtle.ConstantTimeCompare([]byte(o), []byte(c.Challenge())) != 1
 }
+const (
+        GrantTypeAuthCode        = "authorization_code"                            // RFC7591
+        GrantTypeImplicit        = "implicit"                                      // RFC7591
+        GrantTypePassword        = "password"                                      // RFC7591
+        GrantTypeClientCreds     = "client_credentials"                            // RFC7591
+        GrantTypeRefreshToken    = "refresh_token"                                 // RFC7591
+        GrantTypeBearerJwt       = "urn:ietf:params:oauth:grant-type:jwt-bearer"   // RFC7591
+        GrantTypeBearerSaml      = "urn:ietf:params:oauth:grant-type:saml2-bearer" // RFC7591
+        GrantTypeDevice          = "urn:ietf:params:oauth:grant-type:device_code"  // RFC8628
+        ResponseTypeCode         = "code"                                          // RFC7591
+        ResponseTypeToken        = "token"                                         // RFC7591
+        ResponseModeQuery        = "query"                                         // RFC7591
+        ResponseModeFragment     = "fragment"                                      // RFC7591
+        ResponseModeFormPost     = "form_post"                                     // RFC7591
+        ChallengeTypePlain       = "plain"                                         // RFC7636
+        ChallengeTypeSHA256      = "S256"                                          // RFC7636
+        Oauth2MetadataPath       = "/.well-known/oauth-authorization-server"
+        Oauth2MetadataCompatPath = "/.well-known/openid-configuration"
+)
+// All options are required unless omitempty
+type OauthDiscoveryMetadata struct {
+        Issuer                            string   `json:"issuer"`                                                             // RFC88414, https url w/no query/fragment
+        AuthorizationEndpoint             string   `json:"authorization_endpoint"`                                             // RFC88414
+        TokenEndpoint                     string   `json:"token_endpoint"`                                                     // RFC88414
+        SupportedResponseTypes            []string `json:"response_types_supported"`                                           // RFC88414
+        JWKSUri                           string   `json:"jwks_uri,omitempty"`                                                 // RFC88414
+        RegistrationEndpoint              string   `json:"registration_endpoint,omitempty"`                                    // RFC88414
+        SupportedScopes                   []string `json:"scopes_supported,omitempty"`                                         // RFC88414
+        SupportedResponseModes            []string `json:"response_modes_supported,omitempty"`                                 // RFC88414
+        SupportedGrantTypes               []string `json:"grant_types_supported,omitempty"`                                    // RFC88414, default: authorization_code, implicit
+        SupportedAuthMethods              []string `json:"token_endpoint_auth_methods_supported,omitempty"`                    // RFC88414
+        SupportedSigningAlgs              []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`         // RFC88414
+        SupportedUILocales                []string `json:"ui_locales_supported,omitempty"`                                     // RFC88414, RFC5646 codes
+        PolicyUri                         string   `json:"op_policy_uri,omitempty"`                                            // RFC88414
+        TosUri                            string   `json:"op_tos_uri,omitempty"`                                               // RFC88414
+        RevocationEndpoint                string   `json:"revocation_endpoint,omitempty"`                                      // RFC88414
+        SupportedRevocationAuthMethods    []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`               // RFC88414
+        SupportedRevocationSigningAlgs    []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`    // RFC88414
+        IntrospectionEndpoint             string   `json:"introspection_endpoint,omitempty"`                                   // RFC88414
+        SupportedIntrospectionAuthMethods []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`            // RFC88414
+        SupportedIntrospectionSigningAlgs []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"` // RFC88414
+        SupportedChallengeCodeMethods     []string `json:"code_challenge_methods_supported,omitempty"`                         // RFC88414
+        ServiceDocumentation              string   `json:"service_documentation,omitempty"`                                    // RFC88414
+        DeviceAuthorizationEndpoint       string   `json:"device_authorization_endpoint,omitempty"`                            // RFC8628
+}
author	Mike Crute <mike@crute.us>	2023-09-07 11:27:41 -0700
committer	Mike Crute <mike@crute.us>	2023-09-07 11:27:46 -0700
commit	691d7abfdf5e8aa057483a1eb4340c71e45253de (patch)
tree	b816fa567344aaf9529cfaa24031502bb0fcad6f /app
parent	cc8afd651957d7409868fc1d7bde599af188d8cd (diff)
download	websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.tar.bz2 websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.tar.xz websocket_proxy-691d7abfdf5e8aa057483a1eb4340c71e45253de.zip

diff --git a/app/controllers/oauth2_discovery.go b/app/controllers/oauth2_discovery.go new file mode 100644 index 0000000..15528e6 --- /dev/null +++ b/app/controllers/oauth2_discovery.go
@@ -0,0 +1,27 @@
		1	package controllers
		2
		3	import (
		4	"fmt"
		5	"net/http"
		6
		7	"code.crute.us/mcrute/ssh-proxy/app/models"
		8	"github.com/labstack/echo/v4"
		9	)
		10
		11	type Oauth2DiscoveryController struct {
		12	Hostname string
		13	}
		14
		15	func (d *Oauth2DiscoveryController) Handle(c echo.Context) error {
		16	return c.JSON(http.StatusOK, models.OauthDiscoveryMetadata{
		17	Issuer: d.Hostname,
		18	AuthorizationEndpoint: fmt.Sprintf("%s/auth/login", d.Hostname), // Not really supported here
		19	TokenEndpoint: fmt.Sprintf("%s/auth/token", d.Hostname),
		20	DeviceAuthorizationEndpoint: fmt.Sprintf("%s/auth/device", d.Hostname),
		21	SupportedResponseTypes: []string{models.ResponseTypeCode},
		22	SupportedGrantTypes: []string{models.GrantTypeDevice},
		23	SupportedResponseModes: []string{models.ResponseModeQuery},
		24	SupportedUILocales: []string{"en-us"},
		25	SupportedChallengeCodeMethods: []string{models.ChallengeTypeSHA256},
		26	})
		27	}


diff --git a/app/models/oauth2.go b/app/models/oauth2.go index 9bfde0a..65d37d4 100644 --- a/app/models/oauth2.go +++ b/app/models/oauth2.go
@@ -101,3 +101,50 @@ func (c *PKCEChallenge) Challenge() string {
101	func (c *PKCEChallenge) EqualString(o string) bool {	101	func (c *PKCEChallenge) EqualString(o string) bool {
102	return subtle.ConstantTimeCompare([]byte(o), []byte(c.Challenge())) != 1	102	return subtle.ConstantTimeCompare([]byte(o), []byte(c.Challenge())) != 1
103	}	103	}
		104
		105	const (
		106	GrantTypeAuthCode = "authorization_code" // RFC7591
		107	GrantTypeImplicit = "implicit" // RFC7591
		108	GrantTypePassword = "password" // RFC7591
		109	GrantTypeClientCreds = "client_credentials" // RFC7591
		110	GrantTypeRefreshToken = "refresh_token" // RFC7591
		111	GrantTypeBearerJwt = "urn:ietf:params:oauth:grant-type:jwt-bearer" // RFC7591
		112	GrantTypeBearerSaml = "urn:ietf:params:oauth:grant-type:saml2-bearer" // RFC7591
		113	GrantTypeDevice = "urn:ietf:params:oauth:grant-type:device_code" // RFC8628
		114	ResponseTypeCode = "code" // RFC7591
		115	ResponseTypeToken = "token" // RFC7591
		116	ResponseModeQuery = "query" // RFC7591
		117	ResponseModeFragment = "fragment" // RFC7591
		118	ResponseModeFormPost = "form_post" // RFC7591
		119	ChallengeTypePlain = "plain" // RFC7636
		120	ChallengeTypeSHA256 = "S256" // RFC7636
		121	Oauth2MetadataPath = "/.well-known/oauth-authorization-server"
		122	Oauth2MetadataCompatPath = "/.well-known/openid-configuration"
		123	)
		124
		125	// All options are required unless omitempty
		126	type OauthDiscoveryMetadata struct {
		127	Issuer string `json:"issuer"` // RFC88414, https url w/no query/fragment
		128	AuthorizationEndpoint string `json:"authorization_endpoint"` // RFC88414
		129	TokenEndpoint string `json:"token_endpoint"` // RFC88414
		130	SupportedResponseTypes []string `json:"response_types_supported"` // RFC88414
		131	JWKSUri string `json:"jwks_uri,omitempty"` // RFC88414
		132	RegistrationEndpoint string `json:"registration_endpoint,omitempty"` // RFC88414
		133	SupportedScopes []string `json:"scopes_supported,omitempty"` // RFC88414
		134	SupportedResponseModes []string `json:"response_modes_supported,omitempty"` // RFC88414
		135	SupportedGrantTypes []string `json:"grant_types_supported,omitempty"` // RFC88414, default: authorization_code, implicit
		136	SupportedAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"` // RFC88414
		137	SupportedSigningAlgs []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"` // RFC88414
		138	SupportedUILocales []string `json:"ui_locales_supported,omitempty"` // RFC88414, RFC5646 codes
		139	PolicyUri string `json:"op_policy_uri,omitempty"` // RFC88414
		140	TosUri string `json:"op_tos_uri,omitempty"` // RFC88414
		141	RevocationEndpoint string `json:"revocation_endpoint,omitempty"` // RFC88414
		142	SupportedRevocationAuthMethods []string `json:"revocation_endpoint_auth_methods_supported,omitempty"` // RFC88414
		143	SupportedRevocationSigningAlgs []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"` // RFC88414
		144	IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"` // RFC88414
		145	SupportedIntrospectionAuthMethods []string `json:"introspection_endpoint_auth_methods_supported,omitempty"` // RFC88414
		146	SupportedIntrospectionSigningAlgs []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"` // RFC88414
		147	SupportedChallengeCodeMethods []string `json:"code_challenge_methods_supported,omitempty"` // RFC88414
		148	ServiceDocumentation string `json:"service_documentation,omitempty"` // RFC88414
		149	DeviceAuthorizationEndpoint string `json:"device_authorization_endpoint,omitempty"` // RFC8628
		150	}