matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Add loads of server metadata in the discovery document

Browse Source
This commit is contained in:
Quentin Gliech
2022-01-11 12:54:26 +01:00
parent b4f0f0d0be
commit 97ab75fb15
2 changed files with 132 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
crates/handlers/src/oauth2/discovery.rs
View File

@ -16,20 +16,60 @@ use std::collections::HashSet;
use mas_config::OAuth2Config; use mas_config::OAuth2Config;
use oauth2_types::{ use oauth2_types::{
oidc::{Metadata, SigningAlgorithm}, oidc::{ClaimType, Metadata, SigningAlgorithm, SubjectType},
pkce::CodeChallengeMethod, pkce::CodeChallengeMethod,
requests::{ClientAuthenticationMethod, GrantType, ResponseMode}, requests::{ClientAuthenticationMethod, Display, GrantType, ResponseMode},
}; };
use warp::{filters::BoxedFilter, Filter, Reply}; use warp::{filters::BoxedFilter, Filter, Reply};
#[allow(clippy::too_many_lines)]
pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> { pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
let base = config.issuer.clone(); let base = config.issuer.clone();
let response_modes_supported = Some({ // This is how clients can authenticate
let client_auth_methods_supported = Some({
let mut s = HashSet::new(); let mut s = HashSet::new();
s.insert(ResponseMode::FormPost); s.insert(ClientAuthenticationMethod::ClientSecretBasic);
s.insert(ResponseMode::Query); s.insert(ClientAuthenticationMethod::ClientSecretPost);
s.insert(ResponseMode::Fragment); s.insert(ClientAuthenticationMethod::ClientSecretJwt);
s.insert(ClientAuthenticationMethod::PrivateKeyJwt);
s.insert(ClientAuthenticationMethod::None);
s
});
let client_auth_signing_alg_values_supported = Some({
let mut s = HashSet::new();
s.insert(SigningAlgorithm::Hs256);
s.insert(SigningAlgorithm::Hs384);
s.insert(SigningAlgorithm::Hs512);
s.insert(SigningAlgorithm::Rs256);
s.insert(SigningAlgorithm::Rs384);
s.insert(SigningAlgorithm::Rs512);
s
});
// This is how we can sign stuff
// TODO: query the signing store
let jwt_signing_alg_values_supported = Some({
let mut s = HashSet::new();
s.insert(SigningAlgorithm::Rs256);
s.insert(SigningAlgorithm::Rs384);
s.insert(SigningAlgorithm::Rs512);
s.insert(SigningAlgorithm::Es256);
s
});
// Prepare all the endpoints
let issuer = Some(base.clone());
let authorization_endpoint = base.join("oauth2/authorize").ok();
let token_endpoint = base.join("oauth2/token").ok();
let jwks_uri = base.join("oauth2/keys.json").ok();
let introspection_endpoint = base.join("oauth2/introspect").ok();
let userinfo_endpoint = base.join("oauth2/userinfo").ok();
let scopes_supported = Some({
let mut s = HashSet::new();
s.insert("openid".to_string());
s s
}); });
@ -45,6 +85,14 @@ pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
s s
}); });
let response_modes_supported = Some({
let mut s = HashSet::new();
s.insert(ResponseMode::FormPost);
s.insert(ResponseMode::Query);
s.insert(ResponseMode::Fragment);
s
});
let grant_types_supported = Some({ let grant_types_supported = Some({
let mut s = HashSet::new(); let mut s = HashSet::new();
s.insert(GrantType::AuthorizationCode); s.insert(GrantType::AuthorizationCode);
@ -52,22 +100,13 @@ pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
s s
}); });
let token_endpoint_auth_methods_supported = Some({ let token_endpoint_auth_methods_supported = client_auth_methods_supported.clone();
let mut s = HashSet::new(); let token_endpoint_auth_signing_alg_values_supported =
s.insert(ClientAuthenticationMethod::ClientSecretBasic); client_auth_signing_alg_values_supported.clone();
s.insert(ClientAuthenticationMethod::ClientSecretPost);
s.insert(ClientAuthenticationMethod::ClientSecretJwt);
s.insert(ClientAuthenticationMethod::None);
s
});
let token_endpoint_auth_signing_alg_values_supported = Some({ let introspection_endpoint_auth_methods_supported = client_auth_methods_supported;
let mut s = HashSet::new(); let introspection_endpoint_auth_signing_alg_values_supported =
s.insert(SigningAlgorithm::Hs256); client_auth_signing_alg_values_supported;
s.insert(SigningAlgorithm::Hs384);
s.insert(SigningAlgorithm::Hs512);
s
});
let code_challenge_methods_supported = Some({ let code_challenge_methods_supported = Some({
let mut s = HashSet::new(); let mut s = HashSet::new();
@ -76,19 +115,68 @@ pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
s s
}); });
let subject_types_supported = Some({
let mut s = HashSet::new();
s.insert(SubjectType::Public);
s
});
let id_token_signing_alg_values_supported = jwt_signing_alg_values_supported;
let display_values_supported = Some({
let mut s = HashSet::new();
s.insert(Display::Page);
s
});
let claim_types_supported = Some({
let mut s = HashSet::new();
s.insert(ClaimType::Normal);
s
});
let claims_supported = Some({
let mut s = HashSet::new();
s.insert("iss".to_string());
s.insert("sub".to_string());
s.insert("aud".to_string());
s.insert("iat".to_string());
s.insert("exp".to_string());
s.insert("nonce".to_string());
s.insert("auth_time".to_string());
s.insert("at_hash".to_string());
s.insert("c_hash".to_string());
s
});
let claims_parameter_supported = Some(false);
let request_parameter_supported = Some(false);
let request_uri_parameter_supported = Some(false);
let metadata = Metadata { let metadata = Metadata {
authorization_endpoint: base.join("oauth2/authorize").ok(), issuer,
token_endpoint: base.join("oauth2/token").ok(), authorization_endpoint,
jwks_uri: base.join("oauth2/keys.json").ok(), token_endpoint,
introspection_endpoint: base.join("oauth2/introspect").ok(), jwks_uri,
userinfo_endpoint: base.join("oauth2/userinfo").ok(), scopes_supported,
issuer: Some(base),
response_types_supported, response_types_supported,
response_modes_supported, response_modes_supported,
grant_types_supported, grant_types_supported,
token_endpoint_auth_methods_supported, token_endpoint_auth_methods_supported,
token_endpoint_auth_signing_alg_values_supported, token_endpoint_auth_signing_alg_values_supported,
introspection_endpoint,
introspection_endpoint_auth_methods_supported,
introspection_endpoint_auth_signing_alg_values_supported,
code_challenge_methods_supported, code_challenge_methods_supported,
userinfo_endpoint,
subject_types_supported,
id_token_signing_alg_values_supported,
display_values_supported,
claim_types_supported,
claims_supported,
claims_parameter_supported,
request_parameter_supported,
request_uri_parameter_supported,
..Metadata::default() ..Metadata::default()
}; };

20
crates/oauth2-types/src/oidc.rs
View File

@ -23,6 +23,21 @@ use crate::{
requests::{ClientAuthenticationMethod, Display, GrantType, ResponseMode}, requests::{ClientAuthenticationMethod, Display, GrantType, ResponseMode},
}; };
#[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash)]
#[serde(rename_all = "lowercase")]
pub enum SubjectType {
Public,
Pairwise,
}
#[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash)]
#[serde(rename_all = "lowercase")]
pub enum ClaimType {
Normal,
Aggregated,
Distributed,
}
#[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash)] #[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash)]
#[serde(rename_all = "UPPERCASE")] #[serde(rename_all = "UPPERCASE")]
pub enum SigningAlgorithm { pub enum SigningAlgorithm {
@ -146,7 +161,7 @@ pub struct Metadata {
/// JSON array containing a list of the Subject Identifier types that this /// JSON array containing a list of the Subject Identifier types that this
/// OP supports. /// OP supports.
pub subject_types_supported: Option<HashSet<String>>, pub subject_types_supported: Option<HashSet<SubjectType>>,
/// JSON array containing a list of the JWS "alg" values supported by the OP /// JSON array containing a list of the JWS "alg" values supported by the OP
/// for the ID Token. /// for the ID Token.
@ -194,10 +209,9 @@ pub struct Metadata {
/// OpenID Provider supports. /// OpenID Provider supports.
pub display_values_supported: Option<HashSet<Display>>, pub display_values_supported: Option<HashSet<Display>>,
// TODO: type
/// JSON array containing a list of the Claim Types that the OpenID Provider /// JSON array containing a list of the Claim Types that the OpenID Provider
/// supports. /// supports.
pub claim_types_supported: Option<HashSet<String>>, pub claim_types_supported: Option<HashSet<ClaimType>>,
/// JSON array containing a list of the Claim Names of the Claims that the /// JSON array containing a list of the Claim Names of the Claims that the
/// OpenID Provider MAY be able to supply values for. /// OpenID Provider MAY be able to supply values for.