Allow overriding usptream OAuth2 providers endpoints

Also have a way to disable OIDC discovery when all the endpoints are known.
2025-11-19 00:26:27 +03:00 · 2023-11-16 11:42:23 +01:00
parent 08d46a79a4
commit 364093f12f
8 changed files with 611 additions and 33 deletions
--- a/crates/data-model/src/upstream_oauth2/provider.rs
+++ b/crates/data-model/src/upstream_oauth2/provider.rs
@@ -17,11 +17,45 @@ use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod
 use oauth2_types::scope::Scope;
 use serde::{Deserialize, Serialize};
 use ulid::Ulid;
+use url::Url;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum DiscoveryMode {
+    /// Use OIDC discovery to fetch and verify the provider metadata
+    #[default]
+    Oidc,
+
+    /// Use OIDC discovery to fetch the provider metadata, but don't verify it
+    Insecure,
+
+    /// Don't fetch the provider metadata
+    Disabled,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum PkceMode {
+    /// Use PKCE if the provider supports it
+    #[default]
+    Auto,
+
+    /// Always use PKCE with the S256 method
+    S256,
+
+    /// Don't use PKCE
+    Disabled,
+}

 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct UpstreamOAuthProvider {
    pub id: Ulid,
    pub issuer: String,
+    pub discovery_mode: DiscoveryMode,
+    pub pkce_mode: PkceMode,
+    pub jwks_uri_override: Option<Url>,
+    pub authorization_endpoint_override: Option<Url>,
+    pub token_endpoint_override: Option<Url>,
    pub scope: Scope,
    pub client_id: String,
    pub encrypted_client_secret: Option<String>,