Use new generated enums & query supported signing algs from the keystore

2025-11-20 12:02:22 +03:00 · 2022-01-11 18:46:26 +01:00
parent 0e70af0a75
commit 9003eaf0c2
11 changed files with 77 additions and 60 deletions
--- a/crates/handlers/src/oauth2/discovery.rs
+++ b/crates/handlers/src/oauth2/discovery.rs
@@ -15,15 +15,19 @@
 use std::collections::HashSet;

 use mas_config::OAuth2Config;
+use mas_jose::{JsonWebSignatureAlgorithm, SigningKeystore};
 use oauth2_types::{
-    oidc::{ClaimType, Metadata, SigningAlgorithm, SubjectType},
+    oidc::{ClaimType, Metadata, SubjectType},
    pkce::CodeChallengeMethod,
    requests::{ClientAuthenticationMethod, Display, GrantType, ResponseMode},
 };
 use warp::{filters::BoxedFilter, Filter, Reply};

 #[allow(clippy::too_many_lines)]
-pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
+pub(super) fn filter(
+    key_store: impl SigningKeystore,
+    config: &OAuth2Config,
+) -> BoxedFilter<(Box<dyn Reply>,)> {
    let base = config.issuer.clone();

    // This is how clients can authenticate
@@ -39,25 +43,17 @@ pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {

    let client_auth_signing_alg_values_supported = Some({
        let mut s = HashSet::new();
-        s.insert(SigningAlgorithm::Hs256);
-        s.insert(SigningAlgorithm::Hs384);
-        s.insert(SigningAlgorithm::Hs512);
-        s.insert(SigningAlgorithm::Rs256);
-        s.insert(SigningAlgorithm::Rs384);
-        s.insert(SigningAlgorithm::Rs512);
+        s.insert(JsonWebSignatureAlgorithm::Hs256);
+        s.insert(JsonWebSignatureAlgorithm::Hs384);
+        s.insert(JsonWebSignatureAlgorithm::Hs512);
+        s.insert(JsonWebSignatureAlgorithm::Rs256);
+        s.insert(JsonWebSignatureAlgorithm::Rs384);
+        s.insert(JsonWebSignatureAlgorithm::Rs512);
        s
    });

    // This is how we can sign stuff
-    // TODO: query the signing store
-    let jwt_signing_alg_values_supported = Some({
-        let mut s = HashSet::new();
-        s.insert(SigningAlgorithm::Rs256);
-        s.insert(SigningAlgorithm::Rs384);
-        s.insert(SigningAlgorithm::Rs512);
-        s.insert(SigningAlgorithm::Es256);
-        s
-    });
+    let jwt_signing_alg_values_supported = Some(key_store.supported_algorithms());

    // Prepare all the endpoints
    let issuer = Some(base.clone());
--- a/crates/handlers/src/oauth2/mod.rs
+++ b/crates/handlers/src/oauth2/mod.rs
@@ -43,7 +43,7 @@ pub fn filter(
    oauth2_config: &OAuth2Config,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(impl Reply,)> {
-    let discovery = discovery(oauth2_config);
+    let discovery = discovery(key_store.as_ref(), oauth2_config);
    let keys = keys(key_store);
    let authorization = authorization(pool, templates, oauth2_config, cookies_config);
    let userinfo = userinfo(pool, oauth2_config);