From c5786cf571ef9031d9160d713f6381a8c9eddaf0 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 19 Feb 2024 15:33:01 +0100
Subject: [PATCH] Add server issuer information
Closes: https://todo.sr.ht/~emersion/sinwon/11
---
oauth2.go | 38 ++++++++++++++++++++++----------------
diff --git a/oauth2.go b/oauth2.go
index d057fb7d235c6e6c9ce2853c579bf1c8a61ca17a..d9926dd41e38d3b49ee5bc7e83951de823a9a766 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -17,6 +17,26 @@ "git.sr.ht/~emersion/go-oauth2"
)
func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) {
+ issuer := getIssuer(req)
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
+ Issuer: issuer,
+ AuthorizationEndpoint: issuer + "/authorize",
+ TokenEndpoint: issuer + "/token",
+ IntrospectionEndpoint: issuer + "/introspect",
+ RevocationEndpoint: issuer + "/revoke",
+ ResponseTypesSupported: []oauth2.ResponseType{oauth2.ResponseTypeCode},
+ ResponseModesSupported: []oauth2.ResponseMode{oauth2.ResponseModeQuery},
+ GrantTypesSupported: []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
+ TokenEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ RevocationEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ AuthorizationResponseIssParameterSupported: true,
+ })
+}
+
+func getIssuer(req *http.Request) string {
issuerURL := url.URL{
Scheme: "https",
Host: req.Host,
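Review bot: getIssuer is introduced without a doc comment, although it now defines the value that is published as the metadata `Issuer` and, after this commit, also sent as the `iss` authorization-response parameter; RFC 9207 requires those two values to be identical, so that coupling is worth stating at the definition, e.g. `// getIssuer returns the issuer identifier for req, derived from the request's Host header. The same value is published as the metadata issuer and sent as the iss authorization-response parameter; the two must not diverge.` Setting `AuthorizationResponseIssParameterSupported: true` also commits every authorization response, error redirects included, to carry iss; whether the one redirect path changed in the last hunk covers all of them cannot be seen from here. The return value of `json.NewEncoder(w).Encode(...)` in the added lines is still discarded; a failed write to the client is not recoverable, but logging it would be cheap. getIssuer's body continues past the end of this hunk.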
@@ -25,22 +45,7 @@ if !isForwardedHTTPS(req) && isLoopback(req) { // TODO: add config option for allowed reverse proxy IPs
issuerURL.Scheme = "http"
}
- issuer := issuerURL.String()
-
- w.Header().Set("Content-Type", "application/json")
- json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
- Issuer: issuer,
- AuthorizationEndpoint: issuer + "/authorize",
- TokenEndpoint: issuer + "/token",
- IntrospectionEndpoint: issuer + "/introspect",
- RevocationEndpoint: issuer + "/revoke",
- ResponseTypesSupported: []oauth2.ResponseType{oauth2.ResponseTypeCode},
- ResponseModesSupported: []oauth2.ResponseMode{oauth2.ResponseModeQuery},
- GrantTypesSupported: []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
- TokenEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- RevocationEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- })
+ return issuerURL.String()
}
func isLoopback(req *http.Request) bool {
@@ -464,6 +469,7 @@ q := redirectURI.Query()
for k, v := range values {
q[k] = v
}
+ q.Set("iss", getIssuer(req))
u := *redirectURI
u.RawQuery = q.Encode()
-- 
2.48.1
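Review bot: The issuer returned by the new `return issuerURL.String()` is built from `req.Host`, a client-supplied header, with only the scheme adjusted by the loopback check above it; an authorization server's issuer identifier is meant to be a fixed value, since RFC 8414 requires the metadata issuer to equal the URL the metadata was fetched from and RFC 9207 requires the iss parameter to equal that issuer. With this commit the value also lands in every authorization response, so a client that fetched metadata under one hostname and receives a redirect generated under another will reject the response on an iss mismatch; that fails closed, but it turns a reverse-proxy or Host misconfiguration into an outage. The TODO a few lines up about allowed reverse proxy IPs is the natural place for a configured canonical issuer that getIssuer would return instead of deriving one per request; until then a comment at the return, `// issuer is derived from the client-supplied Host header; see the TODO above`, keeps the trust assumption visible. getIssuer's signature and the start of its body are in the previous hunk.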
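Review bot: `q.Set("iss", getIssuer(req))` runs after the `values` loop, so an `iss` supplied through values or embedded in the redirect URI's own query string is overwritten rather than preserved; that is the right precedence for this parameter and should stay that way, and a short comment such as `// iss must be the server's own value, never one taken from values or the redirect URI (RFC 9207)` would keep a later refactor from reordering it. What cannot be seen here is whether this function also builds error redirects: RFC 9207 requires iss on error responses as well, and the metadata now advertises support through `AuthorizationResponseIssParameterSupported`, so a conforming client may reject an error redirect that lacks the parameter. If error responses are assembled elsewhere, the same `q.Set("iss", ...)` is needed there too. The enclosing function starts and ends outside this hunk.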