From bddd57cda814710dd4532b4c0535434624cd5355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A2=D0=BE=D0=B2=D0=B0=D1=80=D0=B8=D1=89=20=D0=BF=D1=80?= =?UTF-8?q?=D0=BE=D0=B3=D1=80=D0=B0=D0=BC=D0=BC=D0=B8=D1=81=D1=82?= <46831212+ComradeProgrammer@users.noreply.github.com>
Date: Mon, 22 Nov 2021 17:47:44 +0800
Subject: [PATCH] feat: implement jwks_uri handler in oidc discovery (#334)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Товарищ <2962928213@qq.com>
---
 authz/authz.go | 1 +
 controllers/oidc_discovery.go | 10 ++++++++++
 go.mod | 2 +-
 go.sum | 2 ++
 object/oidc_discovery.go | 21 +++++++++++++++++++++
 routers/router.go | 1 +
 6 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/authz/authz.go b/authz/authz.go
index ea9fd134..e5d45030 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -94,6 +94,7 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
+p, *, *, *, /api/certs, *, *
 `
 
 	sa := stringadapter.NewAdapter(ruleText)
diff --git a/controllers/oidc_discovery.go b/controllers/oidc_discovery.go
index 560df801..cfb1177e 100644
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@@ -20,3 +20,13 @@ func (c *ApiController) GetOidcDiscovery() {
 	c.Data["json"] = object.GetOidcDiscovery()
 	c.ServeJSON()
 }
+
+func (c *ApiController) GetOidcCert() {
+	jwks, err := object.GetJSONWebKeySet()
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = jwks
+	c.ServeJSON()
+}
diff --git a/go.mod b/go.mod
index ecde7b42..c388a608 100644
--- a/go.mod
+++ b/go.mod
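Review bot: The new policy line `p, *, *, *, /api/certs, *, *` opens /api/certs to every HTTP method, while the neighbouring `/.well-known/openid-configuration` rule two lines above is limited to GET and a key-set endpoint is read-only by nature. Narrowing it to `p, *, *, GET, /api/certs, *, *` matches the existing discovery rule and keeps the anonymous surface to the one verb the handler serves. The same wildcard appears in the routers/router.go hunk (`"*:GetOidcCert"`), which should become `"GET:GetOidcCert"` at the same time so the route and the policy agree. The ruleText literal this line lives in starts outside the hunk.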
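Review bot: GetOidcCert is an exported handler with no doc comment, so nothing in the file says which endpoint it backs; `// GetOidcCert serves the JSON Web Key Set that OIDC clients fetch via jwks_uri to verify tokens issued by this server.` would cover it. Its `if err != nil` branch is the right shape, but it can only fire once object.GetJSONWebKeySet actually propagates its parse failures, which the version in this commit does not (it always returns a nil error).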
@@ -23,13 +23,13 @@ require (
 	github.com/satori/go.uuid v1.2.0 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
 	github.com/thanhpk/randstr v1.0.4
-	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0
 	xorm.io/core v0.7.2
 	xorm.io/xorm v1.0.3
 )
diff --git a/go.sum b/go.sum
index 5286c54e..c7156846 100644
--- a/go.sum
+++ b/go.sum
@@ -597,6 +597,8 @@ gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/object/oidc_discovery.go b/object/oidc_discovery.go
index f7f42375..ef55b043 100644
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@@ -15,8 +15,12 @@ package object
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	jose "gopkg.in/square/go-jose.v2"
+
 	"github.com/astaxie/beego"
 )
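Review bot: The added `jose "gopkg.in/square/go-jose.v2"` import is placed in a group of its own, separated from `"github.com/astaxie/beego"` by the added blank line, which is not the goimports layout the rest of the block follows (standard library first, then one blank-line-separated group of third-party modules). Dropping that blank `+` line and ordering the two third-party imports as `"github.com/astaxie/beego"` then `jose "gopkg.in/square/go-jose.v2"` gives a gofmt/goimports-stable block.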
@@ -68,3 +72,20 @@ func init() {
 func GetOidcDiscovery() OidcDiscovery {
 	return oidcDiscovery
 }
+
+func GetJSONWebKeySet() (jose.JSONWebKeySet, error) {
+	//follows the protocol rfc 7517(draft)
+	//link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
+	//or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
+	certPEMBlock := []byte(tokenJwtPublicKey)
+	certDERBlock, _ := pem.Decode(certPEMBlock)
+	x509Cert, _ := x509.ParseCertificate(certDERBlock.Bytes)
+
+	var jwk jose.JSONWebKey
+	jwk.Key = x509Cert.PublicKey
+	jwk.Certificates = []*x509.Certificate{x509Cert}
+
+	var jwks jose.JSONWebKeySet
+	jwks.Keys = []jose.JSONWebKey{jwk}
+	return jwks, nil
+}
diff --git a/routers/router.go b/routers/router.go
index fd447d23..a553d459 100644
--- a/routers/router.go
+++ b/routers/router.go
@@ -119,4 +119,5 @@ func initAPI() {
 	beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")
 	beego.Router("/.well-known/openid-configuration", &controllers.ApiController{}, "GET:GetOidcDiscovery")
+	beego.Router("/api/certs",&controllers.ApiController{},"*:GetOidcCert")
 }
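Review bot: GetJSONWebKeySet discards both parse results — `certDERBlock, _ := pem.Decode(certPEMBlock)` yields a nil block when tokenJwtPublicKey holds no PEM data, and `x509Cert, _ := x509.ParseCertificate(certDERBlock.Bytes)` drops its error — so a missing or malformed certificate panics on `certDERBlock.Bytes` / `x509Cert.PublicKey` inside a request handler instead of coming back through the error return, which as written is always nil and leaves GetOidcCert's error branch unreachable. Returning an error at both points fixes that, and `fmt` is already imported in this file. The key is also published without `kid`, `use` or `alg` (go-jose's `KeyID`, `Use` and `Algorithm` fields), which clients rely on to pick the verification key when a token header names one; at least `jwk.Use = "sig"` and a stable KeyID are worth setting, with the alg value confirmed against wherever tokens are signed, which is not visible from this hunk. The header comment calls RFC 7517 a draft, but it is the published JWK specification, so `// Builds the JWK Set (RFC 7517) for the configured token-signing certificate.` would replace the three draft-link lines. tokenJwtPublicKey is defined outside this hunk.
```go
func GetJSONWebKeySet() (jose.JSONWebKeySet, error) {
	// … unchanged: RFC 7517 reference comment …
	certDERBlock, _ := pem.Decode([]byte(tokenJwtPublicKey))
	if certDERBlock == nil {
		return jose.JSONWebKeySet{}, fmt.Errorf("tokenJwtPublicKey does not contain a PEM-encoded certificate")
	}
	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
	if err != nil {
		return jose.JSONWebKeySet{}, fmt.Errorf("parsing token-signing certificate: %w", err)
	}
	// … unchanged: jwk / jwks construction and return …
}
```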
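Review bot: The added route is not gofmt-clean — `beego.Router("/api/certs",&controllers.ApiController{},"*:GetOidcCert")` lacks the spaces after the commas that every other Router call in initAPI has, so the next `gofmt` run will rewrite it; formatted it reads `beego.Router("/api/certs", &controllers.ApiController{}, "*:GetOidcCert")` (the method wildcard is raised in the authz/authz.go note). The discovery document builder is not in this diff, so whether its jwks_uri already points at /api/certs should be confirmed separately. initAPI starts outside the hunk.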