Allow overriding usptream OAuth2 providers endpoints

Also have a way to disable OIDC discovery when all the endpoints are known.
2025-07-29 22:01:14 +03:00 · 2023-11-16 11:42:23 +01:00
parent 08d46a79a4
commit 364093f12f
8 changed files with 611 additions and 33 deletions
--- a/crates/data-model/src/lib.rs
+++ b/crates/data-model/src/lib.rs
@ -48,8 +48,9 @@ pub use self::{
    upstream_oauth2::{
        UpsreamOAuthProviderSetEmailVerification, UpstreamOAuthAuthorizationSession,
        UpstreamOAuthAuthorizationSessionState, UpstreamOAuthLink, UpstreamOAuthProvider,
-        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderImportAction,
-        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderSubjectPreference,
+        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderDiscoveryMode,
+        UpstreamOAuthProviderImportAction, UpstreamOAuthProviderImportPreference,
+        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderSubjectPreference,
    },
    users::{
        Authentication, AuthenticationMethod, BrowserSession, Password, User, UserEmail,
--- a/crates/data-model/src/upstream_oauth2/mod.rs
+++ b/crates/data-model/src/upstream_oauth2/mod.rs
@ -20,8 +20,10 @@ pub use self::{
    link::UpstreamOAuthLink,
    provider::{
        ClaimsImports as UpstreamOAuthProviderClaimsImports,
+        DiscoveryMode as UpstreamOAuthProviderDiscoveryMode,
        ImportAction as UpstreamOAuthProviderImportAction,
        ImportPreference as UpstreamOAuthProviderImportPreference,
+        PkceMode as UpstreamOAuthProviderPkceMode,
        SetEmailVerification as UpsreamOAuthProviderSetEmailVerification,
        SubjectPreference as UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProvider,
    },
--- a/crates/data-model/src/upstream_oauth2/provider.rs
+++ b/crates/data-model/src/upstream_oauth2/provider.rs
@ -17,11 +17,45 @@ use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod
 use oauth2_types::scope::Scope;
 use serde::{Deserialize, Serialize};
 use ulid::Ulid;
+use url::Url;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum DiscoveryMode {
+    /// Use OIDC discovery to fetch and verify the provider metadata
+    #[default]
+    Oidc,
+
+    /// Use OIDC discovery to fetch the provider metadata, but don't verify it
+    Insecure,
+
+    /// Don't fetch the provider metadata
+    Disabled,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum PkceMode {
+    /// Use PKCE if the provider supports it
+    #[default]
+    Auto,
+
+    /// Always use PKCE with the S256 method
+    S256,
+
+    /// Don't use PKCE
+    Disabled,
+}

 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct UpstreamOAuthProvider {
    pub id: Ulid,
    pub issuer: String,
+    pub discovery_mode: DiscoveryMode,
+    pub pkce_mode: PkceMode,
+    pub jwks_uri_override: Option<Url>,
+    pub authorization_endpoint_override: Option<Url>,
+    pub token_endpoint_override: Option<Url>,
    pub scope: Scope,
    pub client_id: String,
    pub encrypted_client_secret: Option<String>,