author | Mike Crute <mike@crute.us> | 2023-09-07 11:27:41 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2023-09-07 11:27:46 -0700 |
commit | 691d7abfdf5e8aa057483a1eb4340c71e45253de (patch) | |
tree | b816fa567344aaf9529cfaa24031502bb0fcad6f /app | |
parent | cc8afd651957d7409868fc1d7bde599af188d8cd (diff) | |
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/oauth2_discovery.go | 27 | ||||
-rw-r--r-- | app/models/oauth2.go | 47 |
2 files changed, 74 insertions, 0 deletions
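--- /dev/null
+++ b/app/controllers/oauth2_discovery.go
@@ -0,0 +1,27 @@
+package controllers
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.crute.us/mcrute/ssh-proxy/app/models"
+	"github.com/labstack/echo/v4"
+)
+
+type Oauth2DiscoveryController struct {
+	Hostname string
+}
+
+func (d *Oauth2DiscoveryController) Handle(c echo.Context) error {
+	return c.JSON(http.StatusOK, models.OauthDiscoveryMetadata{
+		Issuer:                        d.Hostname,
+		AuthorizationEndpoint:         fmt.Sprintf("%s/auth/login", d.Hostname), // Not really supported here
+		TokenEndpoint:                 fmt.Sprintf("%s/auth/token", d.Hostname),
+		DeviceAuthorizationEndpoint:   fmt.Sprintf("%s/auth/device", d.Hostname),
+		SupportedResponseTypes:        []string{models.ResponseTypeCode},
+		SupportedGrantTypes:           []string{models.GrantTypeDevice},
+		SupportedResponseModes:        []string{models.ResponseModeQuery},
+		SupportedUILocales:            []string{"en-us"},
+		SupportedChallengeCodeMethods: []string{models.ChallengeTypeSHA256},
+	})
+}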
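Review bot: Handle advertises an `authorization_endpoint` that its own inline comment on line 18 says is not really supported, and alongside it `response_types_supported: code` and `response_modes_supported: query`, which describe the authorization-code flow rather than the device grant that is the only entry in `grant_types_supported`; RFC 8414 requires `authorization_endpoint` only when a supported grant type uses it, so either drop that field together with the code/query entries or replace the inline remark with a comment stating why an unsupported endpoint is published. Clients that read this document may otherwise attempt a flow the server does not implement and surface confusing errors rather than a clean unsupported_grant_type. Separately, `Issuer` is emitted as `d.Hostname` unchanged while the model's comment for that field requires an https URL with no query or fragment, and the three endpoints are built with `fmt.Sprintf("%s/...", d.Hostname)`, so a value configured without a scheme or with a trailing slash yields an issuer that fails the issuer-match check clients perform on discovery documents, or endpoint URLs with a doubled slash. At minimum document the contract on the struct field, e.g. `// Hostname is the issuer identifier: an https URL with no trailing slash, query or fragment (RFC 8414 §2); the endpoint URLs are derived from it.`, and consider validating it once where the controller is constructed rather than on every request.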
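--- a/app/models/oauth2.go
+++ b/app/models/oauth2.go
@@ -101,3 +101,50 @@ func (c *PKCEChallenge) Challenge() string {
 func (c *PKCEChallenge) EqualString(o string) bool {
 	return subtle.ConstantTimeCompare([]byte(o), []byte(c.Challenge())) != 1
 }
+
+const (
+	GrantTypeAuthCode        = "authorization_code"                            // RFC7591
+	GrantTypeImplicit        = "implicit"                                      // RFC7591
+	GrantTypePassword        = "password"                                      // RFC7591
+	GrantTypeClientCreds     = "client_credentials"                            // RFC7591
+	GrantTypeRefreshToken    = "refresh_token"                                 // RFC7591
+	GrantTypeBearerJwt       = "urn:ietf:params:oauth:grant-type:jwt-bearer"   // RFC7591
+	GrantTypeBearerSaml      = "urn:ietf:params:oauth:grant-type:saml2-bearer" // RFC7591
+	GrantTypeDevice          = "urn:ietf:params:oauth:grant-type:device_code"  // RFC8628
+	ResponseTypeCode         = "code"                                          // RFC7591
+	ResponseTypeToken        = "token"                                         // RFC7591
+	ResponseModeQuery        = "query"                                         // RFC7591
+	ResponseModeFragment     = "fragment"                                      // RFC7591
+	ResponseModeFormPost     = "form_post"                                     // RFC7591
+	ChallengeTypePlain       = "plain"                                         // RFC7636
+	ChallengeTypeSHA256      = "S256"                                          // RFC7636
+	Oauth2MetadataPath       = "/.well-known/oauth-authorization-server"
+	Oauth2MetadataCompatPath = "/.well-known/openid-configuration"
+)
+
+// All options are required unless omitempty
+type OauthDiscoveryMetadata struct {
+	Issuer                            string   `json:"issuer"`                                                             // RFC88414, https url w/no query/fragment
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`                                             // RFC88414
+	TokenEndpoint                     string   `json:"token_endpoint"`                                                     // RFC88414
+	SupportedResponseTypes            []string `json:"response_types_supported"`                                           // RFC88414
+	JWKSUri                           string   `json:"jwks_uri,omitempty"`                                                 // RFC88414
+	RegistrationEndpoint              string   `json:"registration_endpoint,omitempty"`                                    // RFC88414
+	SupportedScopes                   []string `json:"scopes_supported,omitempty"`                                         // RFC88414
+	SupportedResponseModes            []string `json:"response_modes_supported,omitempty"`                                 // RFC88414
+	SupportedGrantTypes               []string `json:"grant_types_supported,omitempty"`                                    // RFC88414, default: authorization_code, implicit
+	SupportedAuthMethods              []string `json:"token_endpoint_auth_methods_supported,omitempty"`                    // RFC88414
+	SupportedSigningAlgs              []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`         // RFC88414
+	SupportedUILocales                []string `json:"ui_locales_supported,omitempty"`                                     // RFC88414, RFC5646 codes
+	PolicyUri                         string   `json:"op_policy_uri,omitempty"`                                            // RFC88414
+	TosUri                            string   `json:"op_tos_uri,omitempty"`                                               // RFC88414
+	RevocationEndpoint                string   `json:"revocation_endpoint,omitempty"`                                      // RFC88414
+	SupportedRevocationAuthMethods    []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`               // RFC88414
+	SupportedRevocationSigningAlgs    []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`    // RFC88414
+	IntrospectionEndpoint             string   `json:"introspection_endpoint,omitempty"`                                   // RFC88414
+	SupportedIntrospectionAuthMethods []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`            // RFC88414
+	SupportedIntrospectionSigningAlgs []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"` // RFC88414
+	SupportedChallengeCodeMethods     []string `json:"code_challenge_methods_supported,omitempty"`                         // RFC88414
+	ServiceDocumentation              string   `json:"service_documentation,omitempty"`                                    // RFC88414
+	DeviceAuthorizationEndpoint       string   `json:"device_authorization_endpoint,omitempty"`                            // RFC8628
+}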
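Review bot: The `omitempty` on `grant_types_supported` at line 135 means a nil or empty `SupportedGrantTypes` drops the field from the document, and the line's own comment records what RFC 8414 clients then assume: the default of `authorization_code` and `implicit`, so an unset slice silently advertises two flows, one of them the implicit grant, that this server does not list anywhere. Since the field is always populated by the one caller in this commit the risk is latent, but the model should not make the unsafe default the easy one; either drop `omitempty` from that tag, `SupportedGrantTypes []string `json:"grant_types_supported"` // RFC8414; always emitted so clients never fall back to the authorization_code/implicit default`, or say in the struct comment that callers must set it. The `// RFC88414` references on lines 127–148 appear to be a typo for RFC 8414 (OAuth 2.0 Authorization Server Metadata) and should be corrected so the citations resolve. Unrelated to the added lines, the context line `return subtle.ConstantTimeCompare(...) != 1` in `EqualString` evaluates to true when the two strings differ, which is the opposite polarity the method name suggests; worth confirming that the callers expect it.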