matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Allow access token types in introspection auth methods

Browse Source
This commit is contained in:
Kévin Commaille
2022-09-14 18:08:44 +02:00
committed by Quentin Gliech
parent 26681b36fc
commit 1bbd2c2970
2 changed files with 67 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
crates/handlers/src/oauth2/discovery.rs
View File

@ -75,7 +75,8 @@ pub(crate) async fn get(
let token_endpoint_auth_signing_alg_values_supported = let token_endpoint_auth_signing_alg_values_supported =
client_auth_signing_alg_values_supported.clone(); client_auth_signing_alg_values_supported.clone();
let introspection_endpoint_auth_methods_supported = client_auth_methods_supported; let introspection_endpoint_auth_methods_supported =
client_auth_methods_supported.map(|v| v.into_iter().map(Into::into).collect());
let introspection_endpoint_auth_signing_alg_values_supported = let introspection_endpoint_auth_signing_alg_values_supported =
client_auth_signing_alg_values_supported; client_auth_signing_alg_values_supported;

70
crates/oauth2-types/src/oidc.rs
View File

@ -17,7 +17,7 @@ use std::ops::Deref;
use language_tags::LanguageTag; use language_tags::LanguageTag;
use mas_iana::{ use mas_iana::{
jose::{JsonWebEncryptionAlg, JsonWebEncryptionEnc, JsonWebSignatureAlg}, jose::{JsonWebEncryptionAlg, JsonWebEncryptionEnc, JsonWebSignatureAlg},
oauth::{OAuthClientAuthenticationMethod, PkceCodeChallengeMethod}, oauth::{OAuthAccessTokenType, OAuthClientAuthenticationMethod, PkceCodeChallengeMethod},
}; };
use parse_display::{Display, FromStr}; use parse_display::{Display, FromStr};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
@ -30,6 +30,55 @@ use crate::{
response_type::ResponseType, response_type::ResponseType,
}; };
/// An enum for types that accept either an [`OAuthClientAuthenticationMethod`]
/// or an [`OAuthAccessTokenType`].
#[derive(
SerializeDisplay, DeserializeFromStr, Clone, Copy, PartialEq, Eq, Hash, Debug, Display, FromStr,
)]
pub enum AuthenticationMethodOrAccessTokenType {
/// An authentication method.
#[display("{0}")]
AuthenticationMethod(OAuthClientAuthenticationMethod),
/// An access token type.
#[display("{0}")]
AccessTokenType(OAuthAccessTokenType),
}
impl AuthenticationMethodOrAccessTokenType {
/// Get the authentication method of this
/// `AuthenticationMethodOrAccessTokenType`.
#[must_use]
pub fn authentication_method(&self) -> Option<OAuthClientAuthenticationMethod> {
match self {
Self::AuthenticationMethod(m) => Some(*m),
Self::AccessTokenType(_) => None,
}
}
/// Get the access token type of this
/// `AuthenticationMethodOrAccessTokenType`.
#[must_use]
pub fn access_token_type(&self) -> Option<OAuthAccessTokenType> {
match self {
Self::AuthenticationMethod(_) => None,
Self::AccessTokenType(t) => Some(*t),
}
}
}
impl From<OAuthClientAuthenticationMethod> for AuthenticationMethodOrAccessTokenType {
fn from(t: OAuthClientAuthenticationMethod) -> Self {
Self::AuthenticationMethod(t)
}
}
impl From<OAuthAccessTokenType> for AuthenticationMethodOrAccessTokenType {
fn from(t: OAuthAccessTokenType) -> Self {
Self::AccessTokenType(t)
}
}
#[derive( #[derive(
SerializeDisplay, DeserializeFromStr, Clone, Copy, PartialEq, Eq, Hash, Debug, Display, FromStr, SerializeDisplay, DeserializeFromStr, Clone, Copy, PartialEq, Eq, Hash, Debug, Display, FromStr,
)] )]
@ -214,9 +263,10 @@ pub struct ProviderMetadata {
/// [OAuth 2.0 introspection endpoint]: https://www.rfc-editor.org/rfc/rfc7662 /// [OAuth 2.0 introspection endpoint]: https://www.rfc-editor.org/rfc/rfc7662
pub introspection_endpoint: Option<Url>, pub introspection_endpoint: Option<Url>,
/// JSON array containing a list of client authentication methods supported /// JSON array containing a list of client authentication methods or token
/// by this introspection endpoint. /// types supported by this introspection endpoint.
pub introspection_endpoint_auth_methods_supported: Option<Vec<OAuthClientAuthenticationMethod>>, pub introspection_endpoint_auth_methods_supported:
Option<Vec<AuthenticationMethodOrAccessTokenType>>,
/// JSON array containing a list of the JWS signing algorithms supported by /// JSON array containing a list of the JWS signing algorithms supported by
/// the introspection endpoint for the signature on the JWT used to /// the introspection endpoint for the signature on the JWT used to
@ -438,10 +488,20 @@ impl ProviderMetadata {
validate_url("introspection_endpoint", url, ExtraUrlRestrictions::None)?; validate_url("introspection_endpoint", url, ExtraUrlRestrictions::None)?;
} }
// The list can also contain token types so remove them as we don't need to
// check them.
let introspection_methods = metadata
.introspection_endpoint_auth_methods_supported
.as_ref()
.map(|v| {
v.iter()
.filter_map(AuthenticationMethodOrAccessTokenType::authentication_method)
.collect::<Vec<_>>()
});
validate_signing_alg_values_supported( validate_signing_alg_values_supported(
"introspection_endpoint", "introspection_endpoint",
&metadata.introspection_endpoint_auth_signing_alg_values_supported, &metadata.introspection_endpoint_auth_signing_alg_values_supported,
&metadata.introspection_endpoint_auth_methods_supported, &introspection_methods,
)?; )?;
if let Some(url) = &metadata.userinfo_endpoint { if let Some(url) = &metadata.userinfo_endpoint {