Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add basic support for OIDC provider instantiation through discovery

Browse Source
pull/1691/head
Herman Slatman 4 months ago
parent cd21f8d51f
commit c5792392a7
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F
2 changed files with 30 additions and 8 deletions
Show Stats Download Patch File Download Diff File

5
authority/provisioner/acme.go
Unescape Escape View File

@ -244,6 +244,11 @@ func (p *ACME) initializeWireOptions() error {
return fmt.Errorf("failed validating Wire options: %w", err)
}
// at this point the Wire options have been validated, and (mostly)
// initialized. Remote keys will be loaded upon the first verification,
// currently.
// TODO(hs): can/should we "prime" the underlying remote keyset?
return nil
}

33
authority/provisioner/wire/oidc_options.go
Unescape Escape View File

@ -15,12 +15,13 @@ import (
)
type Provider struct {
IssuerURL string `json:"issuer,omitempty"`
AuthURL string `json:"authorization_endpoint,omitempty"`
TokenURL string `json:"token_endpoint,omitempty"`
JWKSURL string `json:"jwks_uri,omitempty"`
UserInfoURL string `json:"userinfo_endpoint,omitempty"`
Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
DiscoveryBaseURL string `json:"discoveryBaseUrl,omitempty"` // TODO: probably safe to change to our usual configuration style
IssuerURL string `json:"issuer,omitempty"`
AuthURL string `json:"authorization_endpoint,omitempty"`
TokenURL string `json:"token_endpoint,omitempty"`
JWKSURL string `json:"jwks_uri,omitempty"`
UserInfoURL string `json:"userinfo_endpoint,omitempty"`
Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
}
type Config struct {
@ -43,13 +44,29 @@ type OIDCOptions struct {
target *template.Template
transform *template.Template
oidcProviderConfig *oidc.ProviderConfig
provider *oidc.Provider
verifier *oidc.IDTokenVerifier
}
func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
if o.verifier == nil {
provider := o.oidcProviderConfig.NewProvider(ctx) // TODO: support the OIDC discovery flow
o.verifier = provider.Verifier(o.getConfig())
switch {
case o.Provider.DiscoveryBaseURL != "":
// creates a new OIDC provider using automatic discovery and the default HTTP client
if provider, err := oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL); err != nil {
return nil, fmt.Errorf("failed creating new OIDC provider using discovery: %w", err)
} else {
o.provider = provider
}
default:
o.provider = o.oidcProviderConfig.NewProvider(ctx)
}
if o.provider == nil {
return nil, errors.New("no OIDC provider available")
}
o.verifier = o.provider.Verifier(o.getConfig())
}
return o.verifier, nil

Write Preview
Loading…
Cancel
Save