Commit af790e46 authored by Eric Chiang's avatar Eric Chiang

Merge pull request #267 from ericchiang/metadata

add dynamic client registration
parents 0ceecbaa 04cd1851
......@@ -14,7 +14,7 @@ We'll also start the example web app, so we can try registering and logging in.
Before continuing, you must have the following installed on your system:
* Go 1.4 or greater
* Postgres 9.0 or greater (this guide also assumes that Postgres is up and running)
* Postgres 9.4 or greater (this guide also assumes that Postgres is up and running)
In addition, if you wish to try out authenticating against Google's OIDC backend, you must have a new client registered with Google:
......
......@@ -16,23 +16,23 @@
},
{
"ImportPath": "github.com/coreos/go-oidc/http",
"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
"Rev": "6039032c0b15517897116d333ead8edf38792437"
},
{
"ImportPath": "github.com/coreos/go-oidc/jose",
"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
"Rev": "6039032c0b15517897116d333ead8edf38792437"
},
{
"ImportPath": "github.com/coreos/go-oidc/key",
"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
"Rev": "6039032c0b15517897116d333ead8edf38792437"
},
{
"ImportPath": "github.com/coreos/go-oidc/oauth2",
"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
"Rev": "6039032c0b15517897116d333ead8edf38792437"
},
{
"ImportPath": "github.com/coreos/go-oidc/oidc",
"Rev": "145916abb78708694762ff359ab1e34c47c7947f"
"Rev": "6039032c0b15517897116d333ead8edf38792437"
},
{
"ImportPath": "github.com/coreos/pkg/capnslog",
......
......@@ -13,6 +13,57 @@ const (
HeaderKeyID = "kid"
)
const (
// Encryption Algorithm Header Parameter Values for JWS
// See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#page-6
AlgHS256 = "HS256"
AlgHS384 = "HS384"
AlgHS512 = "HS512"
AlgRS256 = "RS256"
AlgRS384 = "RS384"
AlgRS512 = "RS512"
AlgES256 = "ES256"
AlgES384 = "ES384"
AlgES512 = "ES512"
AlgPS256 = "PS256"
AlgPS384 = "PS384"
AlgPS512 = "PS512"
AlgNone = "none"
)
const (
// Algorithm Header Parameter Values for JWE
// See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1
AlgRSA15 = "RSA1_5"
AlgRSAOAEP = "RSA-OAEP"
AlgRSAOAEP256 = "RSA-OAEP-256"
AlgA128KW = "A128KW"
AlgA192KW = "A192KW"
AlgA256KW = "A256KW"
AlgDir = "dir"
AlgECDHES = "ECDH-ES"
AlgECDHESA128KW = "ECDH-ES+A128KW"
AlgECDHESA192KW = "ECDH-ES+A192KW"
AlgECDHESA256KW = "ECDH-ES+A256KW"
AlgA128GCMKW = "A128GCMKW"
AlgA192GCMKW = "A192GCMKW"
AlgA256GCMKW = "A256GCMKW"
AlgPBES2HS256A128KW = "PBES2-HS256+A128KW"
AlgPBES2HS384A192KW = "PBES2-HS384+A192KW"
AlgPBES2HS512A256KW = "PBES2-HS512+A256KW"
)
const (
// Encryption Algorithm Header Parameter Values for JWE
// See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#page-22
EncA128CBCHS256 = "A128CBC-HS256"
EncA128CBCHS384 = "A128CBC-HS384"
EncA256CBCHS512 = "A256CBC-HS512"
EncA128GCM = "A128GCM"
EncA192GCM = "A192GCM"
EncA256GCM = "A256GCM"
)
type JOSEHeader map[string]string
func (j JOSEHeader) Validate() error {
......
......@@ -70,6 +70,10 @@ func (j *JWK) UnmarshalJSON(data []byte) error {
return nil
}
type JWKSet struct {
Keys []JWK `json:"keys"`
}
func decodeExponent(e string) (int, error) {
decE, err := decodeBase64URLPaddingOptional(e)
if err != nil {
......
......@@ -8,14 +8,49 @@ import (
"mime"
"net/http"
"net/url"
"sort"
"strconv"
"strings"
phttp "github.com/coreos/go-oidc/http"
)
// ResponseTypesEqual compares two response_type values. If either
// contains a space, it is treated as an unordered list. For example,
// comparing "code id_token" and "id_token code" would evaluate to true.
func ResponseTypesEqual(r1, r2 string) bool {
if !strings.Contains(r1, " ") || !strings.Contains(r2, " ") {
// fast route, no split needed
return r1 == r2
}
// split, sort, and compare
r1Fields := strings.Fields(r1)
r2Fields := strings.Fields(r2)
if len(r1Fields) != len(r2Fields) {
return false
}
sort.Strings(r1Fields)
sort.Strings(r2Fields)
for i, r1Field := range r1Fields {
if r1Field != r2Fields[i] {
return false
}
}
return true
}
const (
ResponseTypeCode = "code"
// OAuth2.0 response types registered by OIDC.
//
// See: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#RegistryContents
ResponseTypeCode = "code"
ResponseTypeCodeIDToken = "code id_token"
ResponseTypeCodeIDTokenToken = "code id_token token"
ResponseTypeIDToken = "id_token"
ResponseTypeIDTokenToken = "id_token token"
ResponseTypeToken = "token"
ResponseTypeNone = "none"
)
const (
......
......@@ -26,7 +26,7 @@ dex consists of multiple components:
- configure identity provider connectors
- administer OIDC client identities
- **database**; a database is used to for persistent storage for keys, users,
OAuth sessions and other data. Currently Postgres is the only supported
OAuth sessions and other data. Currently Postgres (9.4+) is the only supported
database.
A typical dex deployment consists of N dex-workers behind a load balanacer, and one dex-overlord.
......
......@@ -172,7 +172,7 @@ func (ci *clientIdentity) UnmarshalJSON(data []byte) error {
Secret: c.Secret,
}
ci.Metadata = oidc.ClientMetadata{
RedirectURLs: make([]url.URL, len(c.RedirectURLs)),
RedirectURIs: make([]url.URL, len(c.RedirectURLs)),
}
for i, us := range c.RedirectURLs {
......@@ -180,7 +180,7 @@ func (ci *clientIdentity) UnmarshalJSON(data []byte) error {
if err != nil {
return err
}
ci.Metadata.RedirectURLs[i] = *up
ci.Metadata.RedirectURIs[i] = *up
}
return nil
......
......@@ -18,7 +18,7 @@ func TestMemClientIdentityRepoNew(t *testing.T) {
{
id: "foo",
meta: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "https",
Host: "example.com",
......@@ -29,7 +29,7 @@ func TestMemClientIdentityRepoNew(t *testing.T) {
{
id: "bar",
meta: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "https", Host: "example.com/foo"},
url.URL{Scheme: "https", Host: "example.com/bar"},
},
......@@ -60,8 +60,8 @@ func TestMemClientIdentityRepoNew(t *testing.T) {
t.Errorf("case %d: expected repo to contain newly created Client", i)
}
wantURLs := tt.meta.RedirectURLs
gotURLs := all[0].Metadata.RedirectURLs
wantURLs := tt.meta.RedirectURIs
gotURLs := all[0].Metadata.RedirectURIs
if !reflect.DeepEqual(wantURLs, gotURLs) {
t.Errorf("case %d: redirect url mismatch, want=%v, got=%v", i, wantURLs, gotURLs)
}
......@@ -72,7 +72,7 @@ func TestMemClientIdentityRepoNewDuplicate(t *testing.T) {
cr := NewClientIdentityRepo(nil)
meta1 := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "https", Host: "foo.example.com"},
},
}
......@@ -82,7 +82,7 @@ func TestMemClientIdentityRepoNewDuplicate(t *testing.T) {
}
meta2 := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "https", Host: "bar.example.com"},
},
}
......@@ -174,7 +174,7 @@ func TestClientIdentityUnmarshalJSON(t *testing.T) {
sort.Strings(expectedURLs)
actualURLs := make([]string, 0)
for _, u := range actual.Metadata.RedirectURLs {
for _, u := range actual.Metadata.RedirectURIs {
actualURLs = append(actualURLs, u.String())
}
sort.Strings(actualURLs)
......
......@@ -45,6 +45,7 @@ func main() {
emailConfig := fs.String("email-cfg", "./static/fixtures/emailer.json", "configures emailer.")
enableRegistration := fs.Bool("enable-registration", false, "Allows users to self-register")
enableClientRegistration := fs.Bool("enable-client-registration", false, "Allow dynamic registration of clients")
noDB := fs.Bool("no-db", false, "manage entities in-process w/o any encryption, used only for single-node testing")
......@@ -117,14 +118,15 @@ func main() {
}
scfg := server.ServerConfig{
IssuerURL: *issuer,
TemplateDir: *templates,
EmailTemplateDirs: emailTemplateDirs,
EmailFromAddress: *emailFrom,
EmailerConfigFile: *emailConfig,
IssuerName: *issuerName,
IssuerLogoURL: *issuerLogoURL,
EnableRegistration: *enableRegistration,
IssuerURL: *issuer,
TemplateDir: *templates,
EmailTemplateDirs: emailTemplateDirs,
EmailFromAddress: *emailFrom,
EmailerConfigFile: *emailConfig,
IssuerName: *issuerName,
IssuerLogoURL: *issuerLogoURL,
EnableRegistration: *enableRegistration,
EnableClientRegistration: *enableClientRegistration,
}
if *noDB {
......
......@@ -37,7 +37,7 @@ func runNewClient(cmd *cobra.Command, args []string) int {
redirectURLs[i] = *u
}
cc, err := getDriver().NewClient(oidc.ClientMetadata{RedirectURLs: redirectURLs})
cc, err := getDriver().NewClient(oidc.ClientMetadata{RedirectURIs: redirectURLs})
if err != nil {
stderr("Failed creating new client: %v", err)
return 1
......
......@@ -21,13 +21,13 @@ func newAPIDriver(pcfg oidc.ProviderConfig, creds oidc.ClientCredentials) (drive
trans := &oidc.AuthenticatedTransport{
TokenRefresher: &oidc.ClientCredsTokenRefresher{
Issuer: pcfg.Issuer,
Issuer: pcfg.Issuer.String(),
OIDCClient: oc,
},
RoundTripper: http.DefaultTransport,
}
hc := &http.Client{Transport: trans}
svc, err := schema.NewWithBasePath(hc, pcfg.Issuer)
svc, err := schema.NewWithBasePath(hc, pcfg.Issuer.String())
if err != nil {
return nil, err
}
......@@ -41,10 +41,10 @@ type apiDriver struct {
func (d *apiDriver) NewClient(meta oidc.ClientMetadata) (*oidc.ClientCredentials, error) {
sc := &schema.Client{
RedirectURIs: make([]string, len(meta.RedirectURLs)),
RedirectURIs: make([]string, len(meta.RedirectURIs)),
}
for i, u := range meta.RedirectURLs {
for i, u := range meta.RedirectURIs {
sc.RedirectURIs[i] = u.String()
}
......
......@@ -31,7 +31,7 @@ func (d *dbDriver) NewClient(meta oidc.ClientMetadata) (*oidc.ClientCredentials,
return nil, err
}
clientID, err := oidc.GenClientID(meta.RedirectURLs[0].Host)
clientID, err := oidc.GenClientID(meta.RedirectURIs[0].Host)
if err != nil {
return nil, err
}
......
......@@ -89,8 +89,8 @@ func TestLoginURL(t *testing.T) {
Credentials: oidc.ClientCredentials{ID: tt.cid, Secret: "fake-client-secret"},
RedirectURL: tt.redir,
ProviderConfig: oidc.ProviderConfig{
AuthEndpoint: "http://example.com/authorize",
TokenEndpoint: "http://example.com/token",
AuthEndpoint: &url.URL{Scheme: "http", Host: "example.com", Path: "/authorize"},
TokenEndpoint: &url.URL{Scheme: "http", Host: "example.com", Path: "/token"},
},
Scope: tt.scope,
}
......
......@@ -6,7 +6,6 @@ import (
"encoding/json"
"errors"
"fmt"
"net/url"
"reflect"
"github.com/coreos/go-oidc/oidc"
......@@ -49,7 +48,7 @@ func newClientIdentityModel(id string, secret []byte, meta *oidc.ClientMetadata)
return nil, err
}
bmeta, err := json.Marshal(newClientMetadataJSON(meta))
bmeta, err := json.Marshal(meta)
if err != nil {
return nil, err
}
......@@ -70,38 +69,6 @@ type clientIdentityModel struct {
DexAdmin bool `db:"dex_admin"`
}
func newClientMetadataJSON(cm *oidc.ClientMetadata) *clientMetadataJSON {
cmj := clientMetadataJSON{
RedirectURLs: make([]string, len(cm.RedirectURLs)),
}
for i, u := range cm.RedirectURLs {
cmj.RedirectURLs[i] = (&u).String()
}
return &cmj
}
type clientMetadataJSON struct {
RedirectURLs []string `json:"redirectURLs"`
}
func (cmj clientMetadataJSON) ClientMetadata() (*oidc.ClientMetadata, error) {
cm := oidc.ClientMetadata{
RedirectURLs: make([]url.URL, len(cmj.RedirectURLs)),
}
for i, us := range cmj.RedirectURLs {
up, err := url.Parse(us)
if err != nil {
return nil, err
}
cm.RedirectURLs[i] = *up
}
return &cm, nil
}
func (m *clientIdentityModel) ClientIdentity() (*oidc.ClientIdentity, error) {
ci := oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{
......@@ -110,18 +77,10 @@ func (m *clientIdentityModel) ClientIdentity() (*oidc.ClientIdentity, error) {
},
}
var cmj clientMetadataJSON
err := json.Unmarshal([]byte(m.Metadata), &cmj)
if err != nil {
return nil, err
}
cm, err := cmj.ClientMetadata()
if err != nil {
if err := json.Unmarshal([]byte(m.Metadata), &ci.Metadata); err != nil {
return nil, err
}
ci.Metadata = *cm
return &ci, nil
}
......
......@@ -3,6 +3,7 @@ package db
import (
"fmt"
"os"
"strconv"
"testing"
"github.com/go-gorp/gorp"
......@@ -25,7 +26,7 @@ func initDB(dsn string) *gorp.DbMap {
func TestGetPlannedMigrations(t *testing.T) {
dsn := os.Getenv("DEX_TEST_DSN")
if dsn == "" {
t.Logf("Test will not run without DEX_TEST_DSN environment variable.")
t.Skip("Test will not run without DEX_TEST_DSN environment variable.")
return
}
dbMap := initDB(dsn)
......@@ -40,3 +41,81 @@ func TestGetPlannedMigrations(t *testing.T) {
t.Fatalf("expected non-empty migrations")
}
}
func TestMigrateClientMetadata(t *testing.T) {
dsn := os.Getenv("DEX_TEST_DSN")
if dsn == "" {
t.Skip("Test will not run without DEX_TEST_DSN environment variable.")
return
}
dbMap := initDB(dsn)
nMigrations := 9
n, err := MigrateMaxMigrations(dbMap, nMigrations)
if err != nil {
t.Fatalf("failed to perform initial migration: %v", err)
}
if n != nMigrations {
t.Fatalf("expected to perform %d migrations, got %d", nMigrations, n)
}
tests := []struct {
before string
after string
}{
// only update rows without a "redirect_uris" key
{
`{"redirectURLs":["foo"]}`,
`{"redirectURLs" : ["foo"], "redirect_uris" : ["foo"]}`,
},
{
`{"redirectURLs":["foo","bar"]}`,
`{"redirectURLs" : ["foo","bar"], "redirect_uris" : ["foo","bar"]}`,
},
{
`{"redirect_uris":["foo"],"another_field":8}`,
`{"redirect_uris":["foo"],"another_field":8}`,
},
{
`{"redirectURLs" : ["foo"], "redirect_uris" : ["foo"]}`,
`{"redirectURLs" : ["foo"], "redirect_uris" : ["foo"]}`,
},
}
for i, tt := range tests {
model := &clientIdentityModel{
ID: strconv.Itoa(i),
Secret: []byte("verysecret"),
Metadata: tt.before,
}
if err := dbMap.Insert(model); err != nil {
t.Fatalf("could not insert model: %v", err)
}
}
n, err = MigrateMaxMigrations(dbMap, 1)
if err != nil {
t.Fatalf("failed to perform initial migration: %v", err)
}
if n != 1 {
t.Fatalf("expected to perform 1 migration, got %d", n)
}
for i, tt := range tests {
id := strconv.Itoa(i)
m, err := dbMap.Get(clientIdentityModel{}, id)
if err != nil {
t.Errorf("case %d: failed to get model: %err", i, err)
continue
}
cim, ok := m.(*clientIdentityModel)
if !ok {
t.Errorf("case %d: unrecognized model type: %T", i, m)
continue
}
if cim.Metadata != tt.after {
t.Errorf("case %d: want=%q, got=%q", i, tt.after, cim.Metadata)
}
}
}
-- +migrate Up
UPDATE client_identity
SET metadata = text(
json_build_object(
'redirectURLs', json(json(metadata)->>'redirectURLs'),
'redirect_uris', json(json(metadata)->>'redirectURLs')
)
)
WHERE (json(metadata)->>'redirect_uris') IS NULL;
......@@ -9,6 +9,7 @@
// 0007_session_scope.sql
// 0008_users_active_or_inactive.sql
// 0009_key_not_primary_key.sql
// 0010_client_metadata_field_changed.sql
// DO NOT EDIT!
package migrations
......@@ -91,7 +92,7 @@ func dbMigrations0001_initial_migrationSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0001_initial_migration.sql", size: 1388, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0001_initial_migration.sql", size: 1388, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -111,7 +112,7 @@ func dbMigrations0002_dex_adminSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0002_dex_admin.sql", size: 126, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0002_dex_admin.sql", size: 126, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -131,7 +132,7 @@ func dbMigrations0003_user_created_atSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0003_user_created_at.sql", size: 111, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0003_user_created_at.sql", size: 111, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -151,7 +152,7 @@ func dbMigrations0004_session_nonceSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0004_session_nonce.sql", size: 60, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0004_session_nonce.sql", size: 60, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -171,7 +172,7 @@ func dbMigrations0005_refresh_token_createSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0005_refresh_token_create.sql", size: 506, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0005_refresh_token_create.sql", size: 506, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -191,7 +192,7 @@ func dbMigrations0006_user_email_uniqueSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0006_user_email_unique.sql", size: 99, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0006_user_email_unique.sql", size: 99, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -211,7 +212,7 @@ func dbMigrations0007_session_scopeSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0007_session_scope.sql", size: 60, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0007_session_scope.sql", size: 60, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -231,7 +232,7 @@ func dbMigrations0008_users_active_or_inactiveSql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0008_users_active_or_inactive.sql", size: 110, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0008_users_active_or_inactive.sql", size: 110, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -251,7 +252,27 @@ func dbMigrations0009_key_not_primary_keySql() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0009_key_not_primary_key.sql", size: 182, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
info := bindataFileInfo{name: "db/migrations/0009_key_not_primary_key.sql", size: 182, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _dbMigrations0010_client_metadata_field_changedSql = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xd2\xd5\x55\xd0\xce\xcd\x4c\x2f\x4a\x2c\x49\x55\x08\x2d\xe0\x0a\x0d\x70\x71\x0c\x71\x55\x48\xce\xc9\x4c\xcd\x2b\x89\xcf\x4c\x01\x92\x99\x25\x95\x5c\xc1\xae\x21\x0a\xb9\xa9\x25\x89\x29\x89\x25\x89\x0a\xb6\x0a\x25\xa9\x15\x25\x1a\x5c\x0a\x40\x90\x55\x9c\x9f\x17\x9f\x54\x9a\x99\x93\x12\x9f\x9f\x94\x95\x9a\x0c\x15\x06\x01\xf5\xa2\xd4\x94\xcc\x22\xa0\x50\x68\x90\x4f\xb1\xba\x0e\x58\xa9\x06\x98\x80\x99\xa4\xa9\x6b\x67\x87\xaa\x4a\x53\x07\x53\x7b\x7c\x69\x51\x26\xd1\xfa\xc1\xda\x81\xa4\x26\x57\xb8\x87\x6b\x90\xab\x02\x1e\x0d\x10\x73\x35\x15\x3c\x83\x15\xfc\x42\x7d\x7c\xac\xb9\x00\x01\x00\x00\xff\xff\xeb\xe6\x9a\x19\x0b\x01\x00\x00")
func dbMigrations0010_client_metadata_field_changedSqlBytes() ([]byte, error) {
return bindataRead(
_dbMigrations0010_client_metadata_field_changedSql,
"db/migrations/0010_client_metadata_field_changed.sql",
)
}
func dbMigrations0010_client_metadata_field_changedSql() (*asset, error) {
bytes, err := dbMigrations0010_client_metadata_field_changedSqlBytes()
if err != nil {
return nil, err
}
info := bindataFileInfo{name: "db/migrations/0010_client_metadata_field_changed.sql", size: 267, mode: os.FileMode(436), modTime: time.Unix(1, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
......@@ -308,15 +329,16 @@ func AssetNames() []string {
// _bindata is a table, holding each asset generator, mapped to its name.
var _bindata = map[string]func() (*asset, error){
"db/migrations/0001_initial_migration.sql": dbMigrations0001_initial_migrationSql,
"db/migrations/0002_dex_admin.sql": dbMigrations0002_dex_adminSql,
"db/migrations/0003_user_created_at.sql": dbMigrations0003_user_created_atSql,
"db/migrations/0004_session_nonce.sql": dbMigrations0004_session_nonceSql,
"db/migrations/0005_refresh_token_create.sql": dbMigrations0005_refresh_token_createSql,
"db/migrations/0006_user_email_unique.sql": dbMigrations0006_user_email_uniqueSql,
"db/migrations/0007_session_scope.sql": dbMigrations0007_session_scopeSql,
"db/migrations/0008_users_active_or_inactive.sql": dbMigrations0008_users_active_or_inactiveSql,
"db/migrations/0009_key_not_primary_key.sql": dbMigrations0009_key_not_primary_keySql,
"db/migrations/0001_initial_migration.sql": dbMigrations0001_initial_migrationSql,
"db/migrations/0002_dex_admin.sql": dbMigrations0002_dex_adminSql,
"db/migrations/0003_user_created_at.sql": dbMigrations0003_user_created_atSql,
"db/migrations/0004_session_nonce.sql": dbMigrations0004_session_nonceSql,
"db/migrations/0005_refresh_token_create.sql": dbMigrations0005_refresh_token_createSql,
"db/migrations/0006_user_email_unique.sql": dbMigrations0006_user_email_uniqueSql,
"db/migrations/0007_session_scope.sql": dbMigrations0007_session_scopeSql,
"db/migrations/0008_users_active_or_inactive.sql": dbMigrations0008_users_active_or_inactiveSql,
"db/migrations/0009_key_not_primary_key.sql": dbMigrations0009_key_not_primary_keySql,
"db/migrations/0010_client_metadata_field_changed.sql": dbMigrations0010_client_metadata_field_changedSql,
}
// AssetDir returns the file names below a certain
......@@ -362,15 +384,16 @@ type bintree struct {
var _bintree = &bintree{nil, map[string]*bintree{
"db": &bintree{nil, map[string]*bintree{
"migrations": &bintree{nil, map[string]*bintree{
"0001_initial_migration.sql": &bintree{dbMigrations0001_initial_migrationSql, map[string]*bintree{}},
"0002_dex_admin.sql": &bintree{dbMigrations0002_dex_adminSql, map[string]*bintree{}},
"0003_user_created_at.sql": &bintree{dbMigrations0003_user_created_atSql, map[string]*bintree{}},
"0004_session_nonce.sql": &bintree{dbMigrations0004_session_nonceSql, map[string]*bintree{}},
"0005_refresh_token_create.sql": &bintree{dbMigrations0005_refresh_token_createSql, map[string]*bintree{}},
"0006_user_email_unique.sql": &bintree{dbMigrations0006_user_email_uniqueSql, map[string]*bintree{}},
"0007_session_scope.sql": &bintree{dbMigrations0007_session_scopeSql, map[string]*bintree{}},
"0008_users_active_or_inactive.sql": &bintree{dbMigrations0008_users_active_or_inactiveSql, map[string]*bintree{}},
"0009_key_not_primary_key.sql": &bintree{dbMigrations0009_key_not_primary_keySql, map[string]*bintree{}},
"0001_initial_migration.sql": &bintree{dbMigrations0001_initial_migrationSql, map[string]*bintree{}},
"0002_dex_admin.sql": &bintree{dbMigrations0002_dex_adminSql, map[string]*bintree{}},
"0003_user_created_at.sql": &bintree{dbMigrations0003_user_created_atSql, map[string]*bintree{}},
"0004_session_nonce.sql": &bintree{dbMigrations0004_session_nonceSql, map[string]*bintree{}},
"0005_refresh_token_create.sql": &bintree{dbMigrations0005_refresh_token_createSql, map[string]*bintree{}},
"0006_user_email_unique.sql": &bintree{dbMigrations0006_user_email_uniqueSql, map[string]*bintree{}},
"0007_session_scope.sql": &bintree{dbMigrations0007_session_scopeSql, map[string]*bintree{}},
"0008_users_active_or_inactive.sql": &bintree{dbMigrations0008_users_active_or_inactiveSql, map[string]*bintree{}},
"0009_key_not_primary_key.sql": &bintree{dbMigrations0009_key_not_primary_keySql, map[string]*bintree{}},
"0010_client_metadata_field_changed.sql": &bintree{dbMigrations0010_client_metadata_field_changedSql, map[string]*bintree{}},
}},
}},
}}
......
......@@ -193,7 +193,7 @@ func TestDBClientIdentityRepoMetadata(t *testing.T) {
r := db.NewClientIdentityRepo(connect(t))
cm := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "127.0.0.1:5556", Path: "/cb"},
url.URL{Scheme: "https", Host: "example.com", Path: "/callback"},
},
......@@ -230,7 +230,7 @@ func TestDBClientIdentityRepoNewDuplicate(t *testing.T) {
r := db.NewClientIdentityRepo(connect(t))
meta1 := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "foo.example.com"},
},
}
......@@ -240,7 +240,7 @@ func TestDBClientIdentityRepoNewDuplicate(t *testing.T) {
}
meta2 := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "bar.example.com"},
},
}
......@@ -254,7 +254,7 @@ func TestDBClientIdentityRepoAuthenticate(t *testing.T) {
r := db.NewClientIdentityRepo(connect(t))
cm := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "127.0.0.1:5556", Path: "/cb"},
},
}
......@@ -302,7 +302,7 @@ func TestDBClientIdentityAll(t *testing.T) {
r := db.NewClientIdentityRepo(connect(t))
cm := oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "127.0.0.1:5556", Path: "/cb"},
},
}
......@@ -326,7 +326,7 @@ func TestDBClientIdentityAll(t *testing.T) {
}
cm = oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "foo.com", Path: "/cb"},
},
}
......
......@@ -22,7 +22,7 @@ var (
Secret: "secret-1",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "https",
Host: "client1.example.com/callback",
......@@ -36,7 +36,7 @@ var (
Secret: "secret-2",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "https",
Host: "client2.example.com/callback",
......
......@@ -72,8 +72,8 @@ func TestClientCreate(t *testing.T) {
t.Error("Expected new client to exist in repo")
}
gotURLs := make([]string, len(meta.RedirectURLs))
for i, u := range meta.RedirectURLs {
gotURLs := make([]string, len(meta.RedirectURIs))
for i, u := range meta.RedirectURIs {
gotURLs[i] = u.String()
}
if !reflect.DeepEqual(newClientInput.RedirectURIs, gotURLs) {
......
......@@ -104,7 +104,7 @@ func makeUserAPITestFixtures() *userAPITestFixtures {
Secret: testClientSecret,
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
testRedirectURL,
},
},
......@@ -115,7 +115,7 @@ func makeUserAPITestFixtures() *userAPITestFixtures {
Secret: "secret",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
testRedirectURL,
},
},
......
......@@ -13,7 +13,7 @@ func MapSchemaClientToClientIdentity(sc Client) (oidc.ClientIdentity, error) {
ID: sc.Id,
},
Metadata: oidc.ClientMetadata{
RedirectURLs: make([]url.URL, len(sc.RedirectURIs)),
RedirectURIs: make([]url.URL, len(sc.RedirectURIs)),
},
}
......@@ -27,7 +27,7 @@ func MapSchemaClientToClientIdentity(sc Client) (oidc.ClientIdentity, error) {
return oidc.ClientIdentity{}, errors.New("redirect URL invalid")
}
ci.Metadata.RedirectURLs[i] = *u
ci.Metadata.RedirectURIs[i] = *u
}
return ci, nil
......@@ -36,9 +36,9 @@ func MapSchemaClientToClientIdentity(sc Client) (oidc.ClientIdentity, error) {
func MapClientIdentityToSchemaClient(c oidc.ClientIdentity) Client {
cl := Client{
Id: c.Credentials.ID,
RedirectURIs: make([]string, len(c.Metadata.RedirectURLs)),
RedirectURIs: make([]string, len(c.Metadata.RedirectURIs)),
}
for i, u := range c.Metadata.RedirectURLs {
for i, u := range c.Metadata.RedirectURIs {
cl.RedirectURIs[i] = u.String()
}
return cl
......@@ -48,9 +48,9 @@ func MapClientIdentityToSchemaClientWithSecret(c oidc.ClientIdentity) ClientWith
cl := ClientWithSecret{
Id: c.Credentials.ID,
Secret: c.Credentials.Secret,
RedirectURIs: make([]string, len(c.Metadata.RedirectURLs)),
RedirectURIs: make([]string, len(c.Metadata.RedirectURIs)),
}
for i, u := range c.Metadata.RedirectURLs {
for i, u := range c.Metadata.RedirectURIs {
cl.RedirectURIs[i] = u.String()
}
return cl
......
package server
import (
"encoding/json"
"net/http"
"github.com/coreos/dex/pkg/log"
"github.com/coreos/go-oidc/oauth2"
"github.com/coreos/go-oidc/oidc"
)
const (
invalidRedirectURI = "invalid_redirect_uri"
invalidClientMetadata = "invalid_client_metadata"
)
func (s *Server) handleClientRegistration(w http.ResponseWriter, r *http.Request) {
resp, err := s.handleClientRegistrationRequest(r)
if err != nil {
code := http.StatusBadRequest
if err.Type == oauth2.ErrorServerError {
code = http.StatusInternalServerError
}
writeResponseWithBody(w, code, err)
} else {
writeResponseWithBody(w, http.StatusCreated, resp)
}
}
func (s *Server) handleClientRegistrationRequest(r *http.Request) (*oidc.ClientRegistrationResponse, *apiError) {
var clientMetadata oidc.ClientMetadata
if err := json.NewDecoder(r.Body).Decode(&clientMetadata); err != nil {
return nil, newAPIError(oauth2.ErrorInvalidRequest, err.Error())
}
if err := s.ProviderConfig().Supports(clientMetadata); err != nil {
return nil, newAPIError(invalidClientMetadata, err.Error())
}
// metadata is guarenteed to have at least one redirect_uri by earlier validation.
id, err := oidc.GenClientID(clientMetadata.RedirectURIs[0].Host)
if err != nil {
log.Errorf("Faild to create client ID: %v", err)
return nil, newAPIError(oauth2.ErrorServerError, "unable to save client metadata")
}
creds, err := s.ClientIdentityRepo.New(id, clientMetadata)
if err != nil {
log.Errorf("Failed to create new client identity: %v", err)
return nil, newAPIError(oauth2.ErrorServerError, "unable to save client metadata")
}
return &oidc.ClientRegistrationResponse{
ClientID: creds.ID,
ClientSecret: creds.Secret,
ClientMetadata: clientMetadata,
}, nil
}
package server
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/coreos/go-oidc/oauth2"
"github.com/coreos/go-oidc/oidc"
"github.com/kylelemons/godebug/pretty"
)
func TestClientRegistration(t *testing.T) {
tests := []struct {
body string
code int
}{
{"", http.StatusBadRequest},
{
`{
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
]
}`,
http.StatusCreated,
},
{
// Requesting unsupported client metadata fields (user_info_encrypted).
`{
"application_type": "web",
"redirect_uris":[
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name": "My Example",
"logo_uri": "https://client.example.org/logo.png",
"subject_type": "pairwise",
"sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json",
"token_endpoint_auth_method": "client_secret_basic",
"jwks_uri": "https://client.example.org/my_public_keys.jwks",
"userinfo_encrypted_response_alg": "RSA1_5",
"userinfo_encrypted_response_enc": "A128CBC-HS256",
"contacts": ["ve7jtb@example.org", "mary@example.org"],
"request_uris": [
"https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA" ]
}`,
http.StatusBadRequest,
},
{
`{
"application_type": "web",
"redirect_uris":[
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name": "My Example",
"logo_uri": "https://client.example.org/logo.png",
"subject_type": "pairwise",
"sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json",
"token_endpoint_auth_method": "client_secret_basic",
"jwks_uri": "https://client.example.org/my_public_keys.jwks",
"contacts": ["ve7jtb@example.org", "mary@example.org"],
"request_uris": [
"https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA" ]
}`,
http.StatusCreated,
},
}
var handler http.Handler
f := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler.ServeHTTP(w, r)
})
testServer := httptest.NewServer(f)
issuerURL, err := url.Parse(testServer.URL)
if err != nil {
t.Fatal(err)
}
defer testServer.Close()
for i, tt := range tests {
fixtures, err := makeTestFixtures()
if err != nil {
t.Fatal(err)
}
fixtures.srv.IssuerURL = *issuerURL
fixtures.srv.EnableClientRegistration = true
handler = fixtures.srv.HTTPHandler()
err = func() error {
// GET provider config through discovery URL.
resp, err := http.Get(testServer.URL + "/.well-known/openid-configuration")
if err != nil {
return fmt.Errorf("GET config: %v", err)
}
var cfg oidc.ProviderConfig
err = json.NewDecoder(resp.Body).Decode(&cfg)
resp.Body.Close()
if err != nil {
return fmt.Errorf("decode resp: %v", err)
}
if cfg.RegistrationEndpoint == nil {
return errors.New("registration endpoint not available")
}
// POST registration request to registration endpoint.
body := strings.NewReader(tt.body)
resp, err = http.Post(cfg.RegistrationEndpoint.String(), "application/json", body)
if err != nil {
return fmt.Errorf("POSTing client metadata: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != tt.code {
return fmt.Errorf("expected status code=%d, got=%d", tt.code, resp.StatusCode)
}
if resp.StatusCode != http.StatusCreated {
var oauthErr oauth2.Error
if err := json.NewDecoder(resp.Body).Decode(&oauthErr); err != nil {
return fmt.Errorf("failed to decode oauth2 error: %v", err)
}
if oauthErr.Type == "" {
return fmt.Errorf("got oauth2 error with no 'error' field")
}
return nil
}
// Read registration response.
var r oidc.ClientRegistrationResponse
if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
return fmt.Errorf("decode response: %v", err)
}
if r.ClientID == "" {
return fmt.Errorf("no client id in registration response")
}
metadata, err := fixtures.clientIdentityRepo.Metadata(r.ClientID)
if err != nil {
return fmt.Errorf("failed to lookup client id after creation")
}
if diff := pretty.Compare(&metadata, &r.ClientMetadata); diff != "" {
return fmt.Errorf("metadata in response did not match metadata in db: %s", diff)
}
return nil
}()
if err != nil {
t.Errorf("case %d: %v", i, err)
}
}
}
......@@ -89,7 +89,7 @@ func (c *clientResource) create(w http.ResponseWriter, r *http.Request) {
return
}
clientID, err := oidc.GenClientID(ci.Metadata.RedirectURLs[0].Host)
clientID, err := oidc.GenClientID(ci.Metadata.RedirectURIs[0].Host)
if err != nil {
log.Errorf("Failed generating ID for new client: %v", err)
writeAPIError(w, http.StatusInternalServerError, newAPIError(errorServerError, "unable to generate client ID"))
......
......@@ -89,13 +89,13 @@ func TestCreateInvalidRequest(t *testing.T) {
{
req: &http.Request{Method: "POST", URL: u, Header: h, Body: makeBody(`{"redirectURIs":["asdf.com"]}`)},
wantCode: http.StatusBadRequest,
wantBody: `{"error":"invalid_client_metadata","error_description":"invalid redirect URL: scheme not http/https"}`,
wantBody: `{"error":"invalid_client_metadata","error_description":"no host for uri field redirect_uris"}`,
},
// uri missing host
{
req: &http.Request{Method: "POST", URL: u, Header: h, Body: makeBody(`{"redirectURIs":["http://"]}`)},
wantCode: http.StatusBadRequest,
wantBody: `{"error":"invalid_client_metadata","error_description":"invalid redirect URL: host empty"}`,
wantBody: `{"error":"invalid_client_metadata","error_description":"no host for uri field redirect_uris"}`,
},
}
......@@ -183,7 +183,7 @@ func TestList(t *testing.T) {
oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{ID: "foo", Secret: "bar"},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "example.com"},
},
},
......@@ -202,7 +202,7 @@ func TestList(t *testing.T) {
oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{ID: "foo", Secret: "bar"},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "example.com"},
},
},
......@@ -210,7 +210,7 @@ func TestList(t *testing.T) {
oidc.ClientIdentity{
Credentials: oidc.ClientCredentials{ID: "biz", Secret: "bang"},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "https", Host: "example.com", Path: "one/two/three"},
},
},
......
......@@ -26,15 +26,16 @@ import (
)
type ServerConfig struct {
IssuerURL string
IssuerName string
IssuerLogoURL string
TemplateDir string
EmailTemplateDirs []string
EmailFromAddress string
EmailerConfigFile string
StateConfig StateConfigurer
EnableRegistration bool
IssuerURL string
IssuerName string
IssuerLogoURL string
TemplateDir string
EmailTemplateDirs []string
EmailFromAddress string
EmailerConfigFile string
StateConfig StateConfigurer
EnableRegistration bool
EnableClientRegistration bool
}
type StateConfigurer interface {
......@@ -73,7 +74,8 @@ func (cfg *ServerConfig) Server() (*Server, error) {
HealthChecks: []health.Checkable{km},
Connectors: []connector.Connector{},
EnableRegistration: cfg.EnableRegistration,
EnableRegistration: cfg.EnableRegistration,
EnableClientRegistration: cfg.EnableClientRegistration,
}
err = cfg.StateConfig.Configure(&srv)
......
......@@ -158,7 +158,7 @@ func handleVerifyEmailResendFunc(
return
}
*redirectURL, err = client.ValidRedirectURL(redirectURL, cm.RedirectURLs)
*redirectURL, err = client.ValidRedirectURL(redirectURL, cm.RedirectURIs)
if err != nil {
switch err {
case (client.ErrorInvalidRedirectURL):
......
......@@ -29,19 +29,20 @@ const (
)
var (
httpPathDiscovery = "/.well-known/openid-configuration"
httpPathToken = "/token"
httpPathKeys = "/keys"
httpPathAuth = "/auth"
httpPathHealth = "/health"
httpPathAPI = "/api"
httpPathRegister = "/register"
httpPathEmailVerify = "/verify-email"
httpPathVerifyEmailResend = "/resend-verify-email"
httpPathSendResetPassword = "/send-reset-password"
httpPathResetPassword = "/reset-password"
httpPathAcceptInvitation = "/accept-invitation"
httpPathDebugVars = "/debug/vars"
httpPathDiscovery = "/.well-known/openid-configuration"
httpPathToken = "/token"
httpPathKeys = "/keys"
httpPathAuth = "/auth"
httpPathHealth = "/health"
httpPathAPI = "/api"
httpPathRegister = "/register"
httpPathEmailVerify = "/verify-email"
httpPathVerifyEmailResend = "/resend-verify-email"
httpPathSendResetPassword = "/send-reset-password"
httpPathResetPassword = "/reset-password"
httpPathAcceptInvitation = "/accept-invitation"
httpPathDebugVars = "/debug/vars"
httpPathClientRegistration = "/registration"
cookieLastSeen = "LastSeen"
cookieShowEmailVerifiedMessage = "ShowEmailVerifiedMessage"
......@@ -55,7 +56,7 @@ func handleDiscoveryFunc(cfg oidc.ProviderConfig) http.HandlerFunc {
return
}
b, err := json.Marshal(cfg)
b, err := json.Marshal(&cfg)
if err != nil {
log.Errorf("Unable to marshal %#v to JSON: %v", cfg, err)
}
......@@ -309,13 +310,13 @@ func handleAuthFunc(srv OIDCServer, idpcs []connector.Connector, tpl *template.T
return
}
if len(cm.RedirectURLs) == 0 {
if len(cm.RedirectURIs) == 0 {
log.Errorf("Client %q has no redirect URLs", acr.ClientID)
writeAuthError(w, oauth2.NewError(oauth2.ErrorServerError), acr.State)
return
}
redirectURL, err := client.ValidRedirectURL(acr.RedirectURL, cm.RedirectURLs)
redirectURL, err := client.ValidRedirectURL(acr.RedirectURL, cm.RedirectURIs)
if err != nil {
switch err {
case (client.ErrorCantChooseRedirectURL):
......
......@@ -83,7 +83,7 @@ func TestHandleAuthFuncResponsesSingleRedirectURL(t *testing.T) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "client.example.com", Path: "/callback"},
},
},
......@@ -206,7 +206,7 @@ func TestHandleAuthFuncResponsesMultipleRedirectURLs(t *testing.T) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{Scheme: "http", Host: "foo.example.com", Path: "/callback"},
url.URL{Scheme: "http", Host: "bar.example.com", Path: "/callback"},
},
......@@ -363,17 +363,22 @@ func TestHandleDiscoveryFuncMethodNotAllowed(t *testing.T) {
}
func TestHandleDiscoveryFunc(t *testing.T) {
u := "http://server.example.com"
u := url.URL{Scheme: "http", Host: "server.example.com"}
pathURL := func(path string) *url.URL {
ucopy := u
ucopy.Path = path
return &ucopy
}
cfg := oidc.ProviderConfig{
Issuer: u,
AuthEndpoint: u + httpPathAuth,
TokenEndpoint: u + httpPathToken,
KeysEndpoint: u + httpPathKeys,
Issuer: &u,
AuthEndpoint: pathURL(httpPathAuth),
TokenEndpoint: pathURL(httpPathToken),
KeysEndpoint: pathURL(httpPathKeys),
GrantTypesSupported: []string{oauth2.GrantTypeAuthCode},
ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"},
IDTokenAlgValuesSupported: []string{"RS256"},
IDTokenSigningAlgValues: []string{"RS256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
}
......
......@@ -134,7 +134,7 @@ func (h *SendResetPasswordEmailHandler) validateRedirectURL(clientID string, red
return url.URL{}, false
}
validURL, err := client.ValidRedirectURL(parsed, cm.RedirectURLs)
validURL, err := client.ValidRedirectURL(parsed, cm.RedirectURIs)
if err != nil {
log.Errorf("Invalid redirectURL for clientID: redirectURL:%q, clientID:%q", redirectURL, clientID)
return url.URL{}, false
......
......@@ -74,6 +74,7 @@ type Server struct {
RefreshTokenRepo refresh.RefreshTokenRepo
UserEmailer *useremail.UserEmailer
EnableRegistration bool
EnableClientRegistration bool
localConnectorID string
}
......@@ -111,21 +112,27 @@ func (s *Server) KillSession(sessionKey string) error {
}
func (s *Server) ProviderConfig() oidc.ProviderConfig {
iss := s.IssuerURL.String()
authEndpoint := s.absURL(httpPathAuth)
tokenEndpoint := s.absURL(httpPathToken)
keysEndpoint := s.absURL(httpPathKeys)
cfg := oidc.ProviderConfig{
Issuer: iss,
AuthEndpoint: iss + httpPathAuth,
TokenEndpoint: iss + httpPathToken,
KeysEndpoint: iss + httpPathKeys,
Issuer: &s.IssuerURL,
AuthEndpoint: &authEndpoint,
TokenEndpoint: &tokenEndpoint,
KeysEndpoint: &keysEndpoint,
GrantTypesSupported: []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeClientCreds},
ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"},
IDTokenAlgValuesSupported: []string{"RS256"},
IDTokenSigningAlgValues: []string{"RS256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
}
if s.EnableClientRegistration {
regEndpoint := s.absURL(httpPathClientRegistration)
cfg.RegistrationEndpoint = &regEndpoint
}
return cfg
}
......@@ -241,6 +248,10 @@ func (s *Server) HTTPHandler() http.Handler {
redirectValidityWindow: s.SessionManager.ValidityWindow,
})
if s.EnableClientRegistration {
mux.HandleFunc(httpPathClientRegistration, s.handleClientRegistration)
}
mux.HandleFunc(httpPathDebugVars, health.ExpvarHandler)
pcfg := s.ProviderConfig()
......
......@@ -17,6 +17,7 @@ import (
"github.com/coreos/go-oidc/key"
"github.com/coreos/go-oidc/oauth2"
"github.com/coreos/go-oidc/oidc"
"github.com/kylelemons/godebug/pretty"
)
type StaticKeyManager struct {
......@@ -100,20 +101,21 @@ func TestServerProviderConfig(t *testing.T) {
srv := &Server{IssuerURL: url.URL{Scheme: "http", Host: "server.example.com"}}
want := oidc.ProviderConfig{
Issuer: "http://server.example.com",
AuthEndpoint: "http://server.example.com/auth",
TokenEndpoint: "http://server.example.com/token",
KeysEndpoint: "http://server.example.com/keys",
Issuer: &url.URL{Scheme: "http", Host: "server.example.com"},
AuthEndpoint: &url.URL{Scheme: "http", Host: "server.example.com", Path: "/auth"},
TokenEndpoint: &url.URL{Scheme: "http", Host: "server.example.com", Path: "/token"},
KeysEndpoint: &url.URL{Scheme: "http", Host: "server.example.com", Path: "/keys"},
GrantTypesSupported: []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeClientCreds},
ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"},
IDTokenAlgValuesSupported: []string{"RS256"},
IDTokenSigningAlgValues: []string{"RS256"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic"},
}
got := srv.ProviderConfig()
if !reflect.DeepEqual(want, got) {
t.Fatalf("want=%#v, got=%#v", want, got)
if diff := pretty.Compare(want, got); diff != "" {
t.Fatalf("provider config did not match expected: %s", diff)
}
}
......@@ -131,7 +133,7 @@ func TestServerNewSession(t *testing.T) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "http",
Host: "client.example.com",
......@@ -141,7 +143,7 @@ func TestServerNewSession(t *testing.T) {
},
}
key, err := srv.NewSession("bogus_idpc", ci.Credentials.ID, state, ci.Metadata.RedirectURLs[0], nonce, false, []string{"openid"})
key, err := srv.NewSession("bogus_idpc", ci.Credentials.ID, state, ci.Metadata.RedirectURIs[0], nonce, false, []string{"openid"})
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
......@@ -156,8 +158,8 @@ func TestServerNewSession(t *testing.T) {
t.Fatalf("Unable to add Identity to Session: %v", err)
}
if !reflect.DeepEqual(ci.Metadata.RedirectURLs[0], ses.RedirectURL) {
t.Fatalf("Session created with incorrect RedirectURL: want=%#v got=%#v", ci.Metadata.RedirectURLs[0], ses.RedirectURL)
if !reflect.DeepEqual(ci.Metadata.RedirectURIs[0], ses.RedirectURL) {
t.Fatalf("Session created with incorrect RedirectURL: want=%#v got=%#v", ci.Metadata.RedirectURIs[0], ses.RedirectURL)
}
if ci.Credentials.ID != ses.ClientID {
......@@ -180,7 +182,7 @@ func TestServerLogin(t *testing.T) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "http",
Host: "client.example.com",
......@@ -197,7 +199,7 @@ func TestServerLogin(t *testing.T) {
sm := session.NewSessionManager(session.NewSessionRepo(), session.NewSessionKeyRepo())
sm.GenerateCode = staticGenerateCodeFunc("fakecode")
sessionID, err := sm.NewSession("test_connector_id", ci.Credentials.ID, "bogus", ci.Metadata.RedirectURLs[0], "", false, []string{"openid"})
sessionID, err := sm.NewSession("test_connector_id", ci.Credentials.ID, "bogus", ci.Metadata.RedirectURIs[0], "", false, []string{"openid"})
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
......@@ -269,7 +271,7 @@ func TestServerLoginDisabledUser(t *testing.T) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
url.URL{
Scheme: "http",
Host: "client.example.com",
......@@ -286,7 +288,7 @@ func TestServerLoginDisabledUser(t *testing.T) {
sm := session.NewSessionManager(session.NewSessionRepo(), session.NewSessionKeyRepo())
sm.GenerateCode = staticGenerateCodeFunc("fakecode")
sessionID, err := sm.NewSession("test_connector_id", ci.Credentials.ID, "bogus", ci.Metadata.RedirectURLs[0], "", false, []string{"openid"})
sessionID, err := sm.NewSession("test_connector_id", ci.Credentials.ID, "bogus", ci.Metadata.RedirectURIs[0], "", false, []string{"openid"})
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
......
......@@ -133,7 +133,7 @@ func makeTestFixtures() (*testFixtures, error) {
Secret: testClientSecret,
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
testRedirectURL,
},
},
......
......@@ -154,7 +154,7 @@ func (u *UsersAPI) CreateUser(creds Creds, usr schema.User, redirURL url.URL) (s
return schema.UserCreateResponse{}, mapError(err)
}
validRedirURL, err := client.ValidRedirectURL(&redirURL, metadata.RedirectURLs)
validRedirURL, err := client.ValidRedirectURL(&redirURL, metadata.RedirectURIs)
if err != nil {
return schema.UserCreateResponse{}, ErrorInvalidRedirectURL
}
......
......@@ -136,7 +136,7 @@ func makeTestFixtures() (*UsersAPI, *testEmailer) {
Secret: "secrete",
},
Metadata: oidc.ClientMetadata{
RedirectURLs: []url.URL{
RedirectURIs: []url.URL{
validRedirURL,
},
},
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment