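package oauth2

import (
	"net/http"

	"edge-infra.dev/pkg/edge/iam/config"

	"github.com/gin-gonic/gin"
)

// wellknown serves the OpenID Connect discovery document for this issuer.
//
// All endpoint URLs are derived from a single read of config.IssuerURL() so
// they cannot disagree about the base URL. The issuer claim itself comes from
// config.Issuer(); relying parties check it against the iss claim of tokens
// they receive, so the two configuration values are expected to match.
// NOTE(review): confirm that config.Issuer() and config.IssuerURL() cannot
// drift apart, since a mismatch makes discovery-based validation fail.
//
// The document only advertises capabilities, it does not enforce them:
// clients pick flows, auth methods and algorithms from these lists, so an
// entry must only be present when the server actually implements it.
func (oauth2 *OAuth2) wellknown(ctx *gin.Context) {
	base := config.IssuerURL()

	ctx.JSON(http.StatusOK, &WellKnown{
		Issuer:           config.Issuer(),
		AuthURL:          base + "/oauth2/auth",
		TokenURL:         base + "/oauth2/token",
		JWKsURI:          base + "/.well-known/jwks.json",
		UserinfoEndpoint: base + "/userinfo",

		// Optional endpoints this server does not expose. They stay empty so
		// their omitempty tags drop them from the document; an empty-string
		// URL is not a valid value for a client that tries to use it.
		RegistrationEndpoint: "",
		RevocationEndpoint:   "",
		EndSessionEndpoint:   "",

		SubjectTypes: []string{"public"},

		// NOTE(review): the implicit-style response types (token, id_token and
		// their combinations) are listed here while GrantTypesSupported does
		// not list "implicit" (see the TODO there). Confirm which one reflects
		// the server and keep the two lists consistent.
		ResponseTypes:          []string{"code", "code id_token", "id_token", "token id_token", "token", "token id_token code"},
		ResponseModesSupported: []string{"query", "fragment"},
		// "barcode" is not a standard OAuth 2.0 grant type or scope; presumably
		// a deployment-specific extension whose semantics are defined elsewhere.
		GrantTypesSupported: []string{"authorization_code", "client_credentials", "refresh_token", "barcode"}, //TODO:* implicit?
		ScopesSupported:     []string{"openid", "offline", "barcode"},
		ClaimsSupported:     []string{"sub"},

		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
		// "none" here means the UserInfo response may be returned as plain
		// JSON rather than as a signed JWT.
		UserinfoSigningAlgValuesSupported: []string{"none", "RS256"},

		// Request Objects: passing by value (request=) is not supported, passing
		// by reference (request_uri=) is, and every request_uri must have been
		// pre-registered for the client. "none" advertises that unsigned
		// Request Objects are accepted alongside RS256-signed ones.
		RequestParameterSupported:              false,
		RequestURIParameterSupported:           true,
		RequireRequestURIRegistration:          true,
		RequestObjectSigningAlgValuesSupported: []string{"RS256", "none"},
		ClaimsParameterSupported:               false,

		// No back-channel or front-channel logout is offered.
		BackChannelLogoutSupported:         false,
		BackChannelLogoutSessionSupported:  false,
		FrontChannelLogoutSupported:        false,
		FrontChannelLogoutSessionSupported: false,

		// S256 is the method RFC 7636 directs clients to use whenever they can
		// compute a SHA-256 digest; "plain" exists only for clients that cannot.
		// NOTE(review): consider dropping "plain" once no such client remains.
		CodeChallengeMethodsSupported: []string{"plain", "S256"},
	})
}

// WellKnown represents important OpenID Connect discovery metadata.
//
// It includes links to several endpoints (e.g. /oauth2/token) and exposes
// information on supported signature algorithms among others. The JSON keys
// are the metadata names from OpenID Connect Discovery 1.0 and RFC 8414.
// Optional endpoint fields carry omitempty so that an unset endpoint is
// omitted from the document rather than advertised as an empty URL.
type WellKnown struct {
	// URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
	// If Issuer discovery is supported, this value MUST be identical to the issuer value returned
	// by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
	//
	// required: true
	Issuer string `json:"issuer"`

	// URL of the OP's OAuth 2.0 Authorization Endpoint.
	//
	// required: true
	AuthURL string `json:"authorization_endpoint"`

	// URL of the OP's Dynamic Client Registration Endpoint. Omitted when unset.
	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`

	// URL of the OP's OAuth 2.0 Token Endpoint.
	//
	// required: true
	TokenURL string `json:"token_endpoint"`

	// URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
	// signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
	// to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
	// parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
	// Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
	// NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
	// keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	//
	// required: true
	JWKsURI string `json:"jwks_uri"`

	// JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
	// pairwise and public.
	//
	// required: true
	// example:
	//   - public
	//   - pairwise
	SubjectTypes []string `json:"subject_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
	// Providers MUST support the code, id_token, and the token id_token Response Type values.
	//
	// required: true
	ResponseTypes []string `json:"response_types_supported"`

	// JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
	// values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	ClaimsSupported []string `json:"claims_supported"`

	// JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
	GrantTypesSupported []string `json:"grant_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
	ResponseModesSupported []string `json:"response_modes_supported"`

	// URL of the OP's UserInfo Endpoint.
	UserinfoEndpoint string `json:"userinfo_endpoint"`

	// JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
	// support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this
	// parameter is used.
	ScopesSupported []string `json:"scopes_supported"`

	// JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of
	// OpenID Connect Core 1.0.
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`

	// JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo
	// Endpoint to encode the Claims in a JWT [JWT].
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`

	// JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
	// to encode the Claims in a JWT.
	//
	// required: true
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`

	// Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
	RequestParameterSupported bool `json:"request_parameter_supported"`

	// Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
	// using the request_uris registration parameter.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	// Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`

	// URL of the authorization server's OAuth 2.0 revocation endpoint. Optional; omitted when unset so that the
	// document never advertises an empty-string URL.
	RevocationEndpoint string `json:"revocation_endpoint,omitempty"`

	// Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
	BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`

	// Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
	// session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
	BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`

	// Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.
	FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`

	// Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
	// the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
	// included in ID Tokens issued by the OP.
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`

	// URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
	// Optional; omitted when unset.
	EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`

	// JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,
	// which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when
	// the Request Object is passed by value (using the request parameter) and when it is passed by reference
	// (using the request_uri parameter).
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`

	// JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported
	// by this authorization server.
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}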