From b4f0f0d0be8ae69bb6177740f4fa603d634ab4d6 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Tue, 11 Jan 2022 11:20:17 +0100
Subject: [PATCH] Have all server metadata from the IANA registry
---
 crates/handlers/src/oauth2/discovery.rs | 5 +-
 crates/oauth2-types/src/errors.rs | 1 -
 crates/oauth2-types/src/oidc.rs | 161 +++++++++++++++++++++---
 3 files changed, 149 insertions(+), 18 deletions(-)
diff --git a/crates/handlers/src/oauth2/discovery.rs b/crates/handlers/src/oauth2/discovery.rs
index de36c479..e0cde5f4 100644
--- a/crates/handlers/src/oauth2/discovery.rs
+++ b/crates/handlers/src/oauth2/discovery.rs
@@ -82,15 +82,14 @@ pub(super) fn filter(config: &OAuth2Config) -> BoxedFilter<(Box,)> {
 jwks_uri: base.join("oauth2/keys.json").ok(),
 introspection_endpoint: base.join("oauth2/introspect").ok(),
 userinfo_endpoint: base.join("oauth2/userinfo").ok(),
- issuer: base,
- registration_endpoint: None,
- scopes_supported: None,
+ issuer: Some(base),
 response_types_supported,
 response_modes_supported,
 grant_types_supported,
 token_endpoint_auth_methods_supported,
 token_endpoint_auth_signing_alg_values_supported,
 code_challenge_methods_supported,
+ ..Metadata::default()
 };
 warp::path!(".well-known" / "openid-configuration")
diff --git a/crates/oauth2-types/src/errors.rs b/crates/oauth2-types/src/errors.rs
index 6d23c63f..4ba4692e 100644
--- a/crates/oauth2-types/src/errors.rs
+++ b/crates/oauth2-types/src/errors.rs
@@ -253,7 +253,6 @@ pub mod rfc6749 {
 }
 pub mod oidc_core {
-
 oauth2_error! {
 InteractionRequired,
 "interaction_required" =>
diff --git a/crates/oauth2-types/src/oidc.rs b/crates/oauth2-types/src/oidc.rs
index dc5c3a7e..394e6bcf 100644
--- a/crates/oauth2-types/src/oidc.rs
+++ b/crates/oauth2-types/src/oidc.rs
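Review bot: With `..Metadata::default()` filling every field not listed, the served discovery document now silently omits `subject_types_supported` and `id_token_signing_alg_values_supported`, both added to `Metadata` by this patch and both REQUIRED by OpenID Connect Discovery 1.0 §3, so a conformant relying party may reject the configuration; previously the compiler forced every field to be spelled out. Consider setting them explicitly next to the other `*_supported` fields, e.g. `subject_types_supported: Some(vec![/* subject types actually issued */]),` and `id_token_signing_alg_values_supported: Some(vec![/* algorithms the ID-token signer uses */]),` — the element types are not recoverable from this rendering, so the values are placeholders. A comment above the spread, `// Fields not listed are omitted from the document; keep OIDC Discovery REQUIRED fields explicit above.`, would keep the next addition from relying on the default by accident. The enclosing `filter` function starts before this hunk.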
@@ -20,7 +20,7 @@ use url::Url;
 use crate::{
 pkce::CodeChallengeMethod,
- requests::{ClientAuthenticationMethod, GrantType, ResponseMode},
+ requests::{ClientAuthenticationMethod, Display, GrantType, ResponseMode},
 };
 #[derive(Serialize, Clone, Copy, PartialEq, Eq, Hash)]
@@ -45,13 +45,13 @@ pub enum SigningAlgorithm {
 EcDsa,
 }
-// TODO: https://datatracker.ietf.org/doc/html/rfc8414#section-2
+/// Authorization server metadata, as described by the
+/// [IANA registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata)
 #[skip_serializing_none]
-#[derive(Serialize, Clone)]
+#[derive(Serialize, Clone, Default)]
 pub struct Metadata {
- /// The authorization server's issuer identifier, which is a URL that uses
- /// the "https" scheme and has no query or fragment components.
- pub issuer: Url,
+ /// Authorization server's issuer identifier URL.
+ pub issuer: Option,
 /// URL of the authorization server's authorization endpoint.
 pub authorization_endpoint: Option,
@@ -75,8 +75,7 @@ pub struct Metadata {
 pub response_types_supported: Option>,
 /// JSON array containing a list of the OAuth 2.0 "response_mode" values
- /// that this authorization server supports, as specified in "OAuth 2.0
- /// Multiple Response Type Encoding Practices".
+ /// that this authorization server supports.
 pub response_modes_supported: Option>,
 /// JSON array containing a list of the OAuth 2.0 grant type values that
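Review bot: Wrapping `issuer` in `Option` (the `+ pub issuer: Option,` line in the `@@ -45,13` hunk) makes optional the one field that RFC 8414 §2 and OIDC Discovery 1.0 §3 mark REQUIRED and that clients compare against the issuer they asked for (RFC 8414 §3.3); combined with `#[skip_serializing_none]`, a `None` issuer now serializes to a document with no `issuer` member rather than failing to compile. If `Option` exists only so that `#[derive(Default)]` works, a constructor that takes the issuer, `pub fn new(issuer: Url) -> Self`, or a `validate(&self)` that rejects `None` would keep the guarantee for callers that build the document. The replacement doc also lost the old constraint that the value is an https URL without query or fragment; suggest `/// Authorization server's issuer identifier URL (REQUIRED by RFC 8414 and OIDC Discovery; an https URL with no query or fragment).` so readers do not take `Option` as permission to omit it.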
@@ -88,17 +87,151 @@ pub struct Metadata {
 pub token_endpoint_auth_methods_supported: Option>,
 /// JSON array containing a list of the JWS signing algorithms supported by
- /// the Token Endpoint for the signature on the JWT used to authenticate
- /// the Client at the Token Endpoint for the private_key_jwt and
- /// client_secret_jwt authentication methods. Servers SHOULD support
- /// RS256. The value none MUST NOT be used.
+ /// the token endpoint for the signature on the JWT used to authenticate the
+ /// client at the token endpoint.
 pub token_endpoint_auth_signing_alg_values_supported: Option>,
- /// PKCE code challenge methods supported by this authorization server
- pub code_challenge_methods_supported: Option>,
+ /// URL of a page containing human-readable information that developers
+ /// might want or need to know when using the authorization server.
+ pub service_documentation: Option,
+
+ // TODO: type
+ /// Languages and scripts supported for the user interface, represented as a
+ /// JSON array of language tag values from BCP 47. If omitted, the set of
+ /// supported languages and scripts is unspecified.
+ pub ui_locales_supported: Option>,
+
+ /// URL that the authorization server provides to the person registering the
+ /// client to read about the authorization server's requirements on how the
+ /// client can use the data provided by the authorization server.
+ pub op_policy_uri: Option,
+
+ /// URL that the authorization server provides to the person registering the
+ /// client to read about the authorization server's terms of service.
+ pub op_tos_uri: Option,
+
+ /// URL of the authorization server's OAuth 2.0 revocation endpoint.
+ pub revocation_endpoint: Option,
+
+ /// JSON array containing a list of client authentication methods supported
+ /// by this revocation endpoint.
+ pub revocation_endpoint_auth_methods_supported: Option>,
+
+ /// JSON array containing a list of the JWS signing algorithms supported by
+ /// the revocation endpoint for the signature on the JWT used to
+ /// authenticate the client at the revocation endpoint.
+ pub revocation_endpoint_auth_signing_alg_values_supported: Option>,
 /// URL of the authorization server's OAuth 2.0 introspection endpoint.
 pub introspection_endpoint: Option,
+ /// JSON array containing a list of client authentication methods supported
+ /// by this introspection endpoint.
+ pub introspection_endpoint_auth_methods_supported: Option>,
+
+ /// JSON array containing a list of the JWS signing algorithms supported by
+ /// the introspection endpoint for the signature on the JWT used to
+ /// authenticate the client at the introspection endpoint.
+ pub introspection_endpoint_auth_signing_alg_values_supported: Option>,
+
+ /// PKCE code challenge methods supported by this authorization server.
+ pub code_challenge_methods_supported: Option>,
+
+ /// URL of the OP's UserInfo Endpoint.
 pub userinfo_endpoint: Option,
+
+ /// JSON array containing a list of the Authentication Context Class
+ /// References that this OP supports.
+ pub acr_values_supported: Option>,
+
+ /// JSON array containing a list of the Subject Identifier types that this
+ /// OP supports.
+ pub subject_types_supported: Option>,
+
+ /// JSON array containing a list of the JWS "alg" values supported by the OP
+ /// for the ID Token.
+ pub id_token_signing_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "alg" values supported by the OP
+ /// for the ID Token.
+ pub id_token_encryption_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "enc" values supported by the OP
+ /// for the ID Token.
+ pub id_token_encryption_enc_values_supported: Option>,
+
+ /// JSON array containing a list of the JWS "alg" values supported by the
+ /// UserInfo Endpoint.
+ pub userinfo_signing_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "alg" values supported by the
+ /// UserInfo Endpoint.
+ pub userinfo_encryption_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "enc" values supported by the
+ /// UserInfo Endpoint.
+ pub userinfo_encryption_enc_values_supported: Option>,
+
+ /// JSON array containing a list of the JWS "alg" values supported by the OP
+ /// for Request Objects.
+ pub request_object_signing_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "alg" values supported by the OP
+ /// for Request Objects.
+ pub request_object_encryption_alg_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the JWE "enc" values supported by the OP
+ /// for Request Objects.
+ pub request_object_encryption_enc_values_supported: Option>,
+
+ /// JSON array containing a list of the "display" parameter values that the
+ /// OpenID Provider supports.
+ pub display_values_supported: Option>,
+
+ // TODO: type
+ /// JSON array containing a list of the Claim Types that the OpenID Provider
+ /// supports.
+ pub claim_types_supported: Option>,
+
+ /// JSON array containing a list of the Claim Names of the Claims that the
+ /// OpenID Provider MAY be able to supply values for.
+ pub claims_supported: Option>,
+
+ // TODO: type
+ /// Languages and scripts supported for values in Claims being returned,
+ /// represented as a JSON array of BCP 47 [RFC5646] language tag values.
+ pub claims_locales_supported: Option>,
+
+ /// Boolean value specifying whether the OP supports use of the "claims"
+ /// parameter.
+ pub claims_parameter_supported: Option,
+
+ /// Boolean value specifying whether the OP supports use of the "request"
+ /// parameter.
+ pub request_parameter_supported: Option,
+
+ /// Boolean value specifying whether the OP supports use of the
+ /// "request_uri" parameter.
+ pub request_uri_parameter_supported: Option,
+
+ /// Boolean value specifying whether the OP requires any "request_uri"
+ /// values used to be pre-registered.
+ pub require_request_uri_registration: Option,
+
+ /// Indicates where authorization request needs to be protected as Request
+ /// Object and provided through either request or request_uri parameter.
+ pub require_signed_request_object: Option,
+
+ /// URL of the authorization server's pushed authorization request endpoint.
+ pub pushed_authorization_request_endpoint: Option,
+
+ /// Indicates whether the authorization server accepts authorization
+ /// requests only via PAR.
+ pub require_pushed_authorization_requests: Option,
 }
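Review bot: The rewritten doc on `token_endpoint_auth_signing_alg_values_supported` drops the normative sentence the old comment carried, "The value none MUST NOT be used", which RFC 8414 §2 states for this field, and the new `revocation_endpoint_auth_signing_alg_values_supported` and `introspection_endpoint_auth_signing_alg_values_supported` docs in the same hunk follow the same template without it. Whether the element type can represent `none` is not visible here (only the `EcDsa` variant of `SigningAlgorithm` appears in the earlier hunk), so the constraint is worth stating on the fields where a future variant would otherwise be advertised to clients; suggest appending `/// The value "none" MUST NOT be used (RFC 8414 §2).` to each of the three. For `id_token_signing_alg_values_supported`, OIDC Discovery 1.0 §3 additionally requires RS256 to be included, which could be noted the same way. Separately, the `require_signed_request_object` doc reads `Indicates where authorization request needs to be protected`; `whether` is the intended word.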