add oidc target

2024-11-11 07:11:00 +00:00 · 2023-05-04 14:39:45 +02:00 · 2023-05-04 14:39:45 +02:00 · 036a144e09
commit 036a144e09
parent 97002040a5
2 changed files with 13 additions and 4 deletions
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -275,10 +275,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 			continue
 		}

-		targetTemplate := prov.GetOptions().GetDPOPOptions().DpopTarget
-
 		var target = ""
-
 		switch az.Identifier.Type {
 		case acme.WireID:
 			wireId, err := wire.ParseID([]byte(az.Identifier.Value))
@ -294,6 +291,16 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 				return acme.NewError(acme.ErrorMalformedType, "DeviceId is not hexadecimal")
 			}
 			_ = decoded
+
+			var targetTemplate = ""
+			switch typ {
+			case acme.WIREOIDC01:
+				targetTemplate = prov.GetOptions().GetDPOPOptions().OidcTarget
+			case acme.WIREDPOP01:
+				targetTemplate = prov.GetOptions().GetDPOPOptions().DpopTarget
+			default:
+			}
+
 			tmpl, err := template.New("DeviceId").Parse(targetTemplate)
 			if err != nil {
 				return acme.NewError(acme.ErrorMalformedType, "Misconfigured target template configuration")
--- a/authority/provisioner/dpop_options.go
+++ b/authority/provisioner/dpop_options.go
@ -6,8 +6,10 @@ type DPOPOptions struct {
 	ValidationExecPath string `json:"validation-exec-path,omitempty"`
 	// Backend signing key for DPoP access token
 	SigningKey string `json:"key"`
-	// URI template acme client must call to fetch the challenge proof
+	// URI template acme client must call to fetch the DPoP challenge proof (an access token from wire-server)
 	DpopTarget string `json:"dpop-target"`
+	// URI template acme client must call to fetch the OIDC challenge proof (an Id token)
+	OidcTarget string `json:"oidc-target"`
 }

 func (o *DPOPOptions) GetValidationExecPath() string {