casdoor/object/oidc_discovery.go

// Copyright 2021 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"

	"github.com/casdoor/casdoor/conf"
	"gopkg.in/square/go-jose.v2"
)

type OidcDiscovery struct {
	Issuer                                 string   `json:"issuer"`
	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
	TokenEndpoint                          string   `json:"token_endpoint"`
	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
	JwksUri                                string   `json:"jwks_uri"`
	IntrospectionEndpoint                  string   `json:"introspection_endpoint"`
	ResponseTypesSupported                 []string `json:"response_types_supported"`
	ResponseModesSupported                 []string `json:"response_modes_supported"`
	GrantTypesSupported                    []string `json:"grant_types_supported"`
	SubjectTypesSupported                  []string `json:"subject_types_supported"`
	IdTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
	ScopesSupported                        []string `json:"scopes_supported"`
	ClaimsSupported                        []string `json:"claims_supported"`
	RequestParameterSupported              bool     `json:"request_parameter_supported"`
	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
}

func getOriginFromHost(host string) (string, string) {
	protocol := "https://"
	if strings.HasPrefix(host, "localhost") {
		protocol = "http://"
	}

	if host == "localhost:8000" {
		return fmt.Sprintf("%s%s", protocol, "localhost:7001"), fmt.Sprintf("%s%s", protocol, "localhost:8000")
	} else {
		return fmt.Sprintf("%s%s", protocol, host), fmt.Sprintf("%s%s", protocol, host)
	}
}

func GetOidcDiscovery(host string) OidcDiscovery {
	originFrontend, originBackend := getOriginFromHost(host)

	origin := conf.GetConfigString("origin")
	if origin != "" {
		originFrontend = origin
		originBackend = origin
	}

	// Examples:
	// https://login.okta.com/.well-known/openid-configuration
	// https://auth0.auth0.com/.well-known/openid-configuration
	// https://accounts.google.com/.well-known/openid-configuration
	// https://access.line.me/.well-known/openid-configuration
	oidcDiscovery := OidcDiscovery{
		Issuer:                                 originBackend,
		AuthorizationEndpoint:                  fmt.Sprintf("%s/login/oauth/authorize", originFrontend),
		TokenEndpoint:                          fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
		UserinfoEndpoint:                       fmt.Sprintf("%s/api/userinfo", originBackend),
		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks", originBackend),
		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
		ResponseTypesSupported:                 []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"},
		ResponseModesSupported:                 []string{"login", "code", "link"},
		GrantTypesSupported:                    []string{"password", "authorization_code"},
		SubjectTypesSupported:                  []string{"public"},
		IdTokenSigningAlgValuesSupported:       []string{"RS256"},
		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isGlobalAdmin", "isForbidden", "signupApplication", "ldap"},
		RequestParameterSupported:              true,
		RequestObjectSigningAlgValuesSupported: []string{"HS256", "HS384", "HS512"},
	}

	return oidcDiscovery
}

func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
	certs := GetCerts("admin")
	jwks := jose.JSONWebKeySet{}
	// follows the protocol rfc 7517(draft)
	// link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
	// or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
	for _, cert := range certs {
		certPemBlock := []byte(cert.Certificate)
		certDerBlock, _ := pem.Decode(certPemBlock)
		x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)

		var jwk jose.JSONWebKey
		jwk.Key = x509Cert.PublicKey
		jwk.Certificates = []*x509.Certificate{x509Cert}
		jwk.KeyID = cert.Name
		jwk.Algorithm = cert.CryptoAlgorithm
		jwk.Use = "sig"
		jwks.Keys = append(jwks.Keys, jwk)
	}

	return jwks, nil
}
Update license headers. 2022-02-13 23:39:27 +08:00			`// Copyright 2021 The Casdoor Authors. All Rights Reserved.`
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package object`

Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00			`import (`
feat: implement jwks_uri handler in oidc discovery (#334) Signed-off-by: Товарищ <2962928213@qq.com> 2021-11-22 17:47:44 +08:00			`"crypto/x509"`
			`"encoding/pem"`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00			`"fmt"`
Add getOriginFromHost(). 2022-01-29 23:43:25 +08:00			`"strings"`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00
feat: support overriding configuration with env (#590) 2022-03-20 23:21:09 +08:00			`"github.com/casdoor/casdoor/conf"`
Merge into one origin config. 2021-12-12 19:26:06 +08:00			`"gopkg.in/square/go-jose.v2"`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00			`)`

Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			`type OidcDiscovery struct {`
			Issuer string `json:"issuer"`
			AuthorizationEndpoint string `json:"authorization_endpoint"`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00			TokenEndpoint string `json:"token_endpoint"`
			UserinfoEndpoint string `json:"userinfo_endpoint"`
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			JwksUri string `json:"jwks_uri"`
feat: improve token introspection endpoint (#534) * feat: add introspection endpoint to oidc discovery endpoint * fix: let introspect endpoint handle formData as spec define. Signed-off-by: Leon <leondevlifelog@gmail.com> 2022-03-04 08:54:33 +08:00			IntrospectionEndpoint string `json:"introspection_endpoint"`
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			ResponseTypesSupported []string `json:"response_types_supported"`
			ResponseModesSupported []string `json:"response_modes_supported"`
			GrantTypesSupported []string `json:"grant_types_supported"`
			SubjectTypesSupported []string `json:"subject_types_supported"`
			IdTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
			ScopesSupported []string `json:"scopes_supported"`
			ClaimsSupported []string `json:"claims_supported"`
			RequestParameterSupported bool `json:"request_parameter_supported"`
			RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
			`}`

Add getOriginFromHost(). 2022-01-29 23:43:25 +08:00			`func getOriginFromHost(host string) (string, string) {`
			`protocol := "https://"`
			`if strings.HasPrefix(host, "localhost") {`
			`protocol = "http://"`
			`}`

			`if host == "localhost:8000" {`
			`return fmt.Sprintf("%s%s", protocol, "localhost:7001"), fmt.Sprintf("%s%s", protocol, "localhost:8000")`
			`} else {`
			`return fmt.Sprintf("%s%s", protocol, host), fmt.Sprintf("%s%s", protocol, host)`
			`}`
			`}`

			`func GetOidcDiscovery(host string) OidcDiscovery {`
			`originFrontend, originBackend := getOriginFromHost(host)`
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00
feat: support overriding configuration with env (#590) 2022-03-20 23:21:09 +08:00			`origin := conf.GetConfigString("origin")`
Add getOriginFromHost(). 2022-01-29 23:43:25 +08:00			`if origin != "" {`
			`originFrontend = origin`
			`originBackend = origin`
			`}`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00
			`// Examples:`
			`// https://login.okta.com/.well-known/openid-configuration`
			`// https://auth0.auth0.com/.well-known/openid-configuration`
			`// https://accounts.google.com/.well-known/openid-configuration`
			`// https://access.line.me/.well-known/openid-configuration`
Add getOriginFromHost(). 2022-01-29 23:43:25 +08:00			`oidcDiscovery := OidcDiscovery{`
fix: empty iss return (#503) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-18 12:36:11 +08:00			`Issuer: originBackend,`
Add getOriginFromHost(). 2022-01-29 23:43:25 +08:00			`AuthorizationEndpoint: fmt.Sprintf("%s/login/oauth/authorize", originFrontend),`
			`TokenEndpoint: fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),`
			`UserinfoEndpoint: fmt.Sprintf("%s/api/userinfo", originBackend),`
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`JwksUri: fmt.Sprintf("%s/.well-known/jwks", originBackend),`
feat: improve token introspection endpoint (#534) * feat: add introspection endpoint to oidc discovery endpoint * fix: let introspect endpoint handle formData as spec define. Signed-off-by: Leon <leondevlifelog@gmail.com> 2022-03-04 08:54:33 +08:00			`IntrospectionEndpoint: fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),`
Fix missing OIDC response_types_supported. 2022-05-07 09:36:20 +08:00			`ResponseTypesSupported: []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"},`
Add data to oidcDiscovery. 2021-09-25 15:09:50 +08:00			`ResponseModesSupported: []string{"login", "code", "link"},`
			`GrantTypesSupported: []string{"password", "authorization_code"},`
			`SubjectTypesSupported: []string{"public"},`
			`IdTokenSigningAlgValuesSupported: []string{"RS256"},`
			`ScopesSupported: []string{"openid", "email", "profile", "address", "phone", "offline_access"},`
			`ClaimsSupported: []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isGlobalAdmin", "isForbidden", "signupApplication", "ldap"},`
			`RequestParameterSupported: true,`
			`RequestObjectSigningAlgValuesSupported: []string{"HS256", "HS384", "HS512"},`
Add /.well-known/openid-configuration route. 2021-09-25 14:54:13 +08:00			`}`

			`return oidcDiscovery`
			`}`
feat: implement jwks_uri handler in oidc discovery (#334) Signed-off-by: Товарищ <2962928213@qq.com> 2021-11-22 17:47:44 +08:00
Make cert work. 2021-12-31 09:36:48 +08:00			`func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {`
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`certs := GetCerts("admin")`
			`jwks := jose.JSONWebKeySet{}`
chore(style): use `gofumpt` to fmt go code (#967) 2022-08-07 12:26:14 +08:00			`// follows the protocol rfc 7517(draft)`
			`// link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html`
			`// or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key`
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`for _, cert := range certs {`
feat: rename all publicKey occurrences to certificate (#894) * fix:The certs page is displayed incorrectly * Translations for each language are added * Replace the variables certificat with Certificat with certificate and Certificate * Replace the variables certificat with Certificat with certificate and Certificate * Variable names are more accurate * Variable names are more accurate * Modify the variable name 2022-07-23 09:40:51 +08:00			`certPemBlock := []byte(cert.Certificate)`
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`certDerBlock, _ := pem.Decode(certPemBlock)`
			`x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)`
feat: implement jwks_uri handler in oidc discovery (#334) Signed-off-by: Товарищ <2962928213@qq.com> 2021-11-22 17:47:44 +08:00
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`var jwk jose.JSONWebKey`
			`jwk.Key = x509Cert.PublicKey`
			`jwk.Certificates = []*x509.Certificate{x509Cert}`
			`jwk.KeyID = cert.Name`
fix: add 'use' and 'alg' in .well-known/jwks (#708) * fix: add 'use' and 'alg' in .well-known/jwks * fix: dynamically assign value to 'alg' param 2022-04-26 21:53:05 +08:00			`jwk.Algorithm = cert.CryptoAlgorithm`
			`jwk.Use = "sig"`
fix: oidc jwks endpoint only return default cert (#506) Signed-off-by: Steve0x2a <stevesough@gmail.com> 2022-02-21 23:17:16 +08:00			`jwks.Keys = append(jwks.Keys, jwk)`
			`}`
feat: implement jwks_uri handler in oidc discovery (#334) Signed-off-by: Товарищ <2962928213@qq.com> 2021-11-22 17:47:44 +08:00
			`return jwks, nil`
			`}`