From c5792392a76b99ae8691bf3d77d8a7ae20c0710e Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 31 Jan 2024 16:27:42 +0100
Subject: [PATCH] Add basic support for OIDC provider instantiation through discovery

---
 authority/provisioner/acme.go | 5 ++++
 authority/provisioner/wire/oidc_options.go | 33 ++++++++++++++++------
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index 36b38dc8..0532af15 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -244,6 +244,11 @@ func (p *ACME) initializeWireOptions() error {
 		return fmt.Errorf("failed validating Wire options: %w", err)
 	}
 
+	// at this point the Wire options have been validated, and (mostly)
+	// initialized. Remote keys will be loaded upon the first verification,
+	// currently.
+	// TODO(hs): can/should we "prime" the underlying remote keyset?
+
 	return nil
 }
 
diff --git a/authority/provisioner/wire/oidc_options.go b/authority/provisioner/wire/oidc_options.go
index 22a09943..302e8f2b 100644
--- a/authority/provisioner/wire/oidc_options.go
+++ b/authority/provisioner/wire/oidc_options.go
@@ -15,12 +15,13 @@ import (
 )
 
 type Provider struct {
-	IssuerURL string `json:"issuer,omitempty"`
-	AuthURL string `json:"authorization_endpoint,omitempty"`
-	TokenURL string `json:"token_endpoint,omitempty"`
-	JWKSURL string `json:"jwks_uri,omitempty"`
-	UserInfoURL string `json:"userinfo_endpoint,omitempty"`
-	Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
+	DiscoveryBaseURL string `json:"discoveryBaseUrl,omitempty"` // TODO: probably safe to change to our usual configuration style
+	IssuerURL string `json:"issuer,omitempty"`
+	AuthURL string `json:"authorization_endpoint,omitempty"`
+	TokenURL string `json:"token_endpoint,omitempty"`
+	JWKSURL string `json:"jwks_uri,omitempty"`
+	UserInfoURL string `json:"userinfo_endpoint,omitempty"`
+	Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
 }
 
 type Config struct {
@@ -43,13 +44,29 @@ type OIDCOptions struct {
 	target *template.Template
 	transform *template.Template
 	oidcProviderConfig *oidc.ProviderConfig
+	provider *oidc.Provider
 	verifier *oidc.IDTokenVerifier
 }
 
 func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
 	if o.verifier == nil {
-		provider := o.oidcProviderConfig.NewProvider(ctx) // TODO: support the OIDC discovery flow
-		o.verifier = provider.Verifier(o.getConfig())
+		switch {
+		case o.Provider.DiscoveryBaseURL != "":
+			// creates a new OIDC provider using automatic discovery and the default HTTP client
+			if provider, err := oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL); err != nil {
+				return nil, fmt.Errorf("failed creating new OIDC provider using discovery: %w", err)
+			} else {
+				o.provider = provider
+			}
+		default:
+			o.provider = o.oidcProviderConfig.NewProvider(ctx)
+		}
+
+		if o.provider == nil {
+			return nil, errors.New("no OIDC provider available")
+		}
+
+		o.verifier = o.provider.Verifier(o.getConfig())
 	}
 	return o.verifier, nil
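Review bot: The new `DiscoveryBaseURL` field in `Provider` has no doc comment, and its tag `discoveryBaseUrl` is the only camelCase tag in a struct whose other tags mirror OIDC discovery-document keys; the inline TODO acknowledges the naming, so the semantics should at least be documented now. The later hunk in this file passes the value straight to `oidc.NewProvider`, which performs the discovery fetch over the network at first verification and, when the field is set, is used instead of the statically configured endpoints; a suggested comment is `// DiscoveryBaseURL is the issuer URL used for OIDC discovery. When set, the provider is built from the discovered metadata instead of the endpoint fields below.` Because this value decides where ID-token signing keys are fetched from, the options validation for this struct (not part of this patch, so it may already do this) should accept only an absolute https URL, and it is worth stating that go-oidc rejects a mismatch between the supplied URL and the discovered issuer, so a value that differs from `IssuerURL` will surface as a runtime error on the first verification rather than at configuration load.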