Add basic support for OIDC provider instantiation through discovery
This commit is contained in:
parent
cd21f8d51f
commit
c5792392a7
@ -244,6 +244,11 @@ func (p *ACME) initializeWireOptions() error {
|
|||||||
return fmt.Errorf("failed validating Wire options: %w", err)
|
return fmt.Errorf("failed validating Wire options: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// at this point the Wire options have been validated, and (mostly)
|
||||||
|
// initialized. Remote keys will be loaded upon the first verification,
|
||||||
|
// currently.
|
||||||
|
// TODO(hs): can/should we "prime" the underlying remote keyset?
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -15,12 +15,13 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type Provider struct {
|
type Provider struct {
|
||||||
IssuerURL string `json:"issuer,omitempty"`
|
DiscoveryBaseURL string `json:"discoveryBaseUrl,omitempty"` // TODO: probably safe to change to our usual configuration style
|
||||||
AuthURL string `json:"authorization_endpoint,omitempty"`
|
IssuerURL string `json:"issuer,omitempty"`
|
||||||
TokenURL string `json:"token_endpoint,omitempty"`
|
AuthURL string `json:"authorization_endpoint,omitempty"`
|
||||||
JWKSURL string `json:"jwks_uri,omitempty"`
|
TokenURL string `json:"token_endpoint,omitempty"`
|
||||||
UserInfoURL string `json:"userinfo_endpoint,omitempty"`
|
JWKSURL string `json:"jwks_uri,omitempty"`
|
||||||
Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
|
UserInfoURL string `json:"userinfo_endpoint,omitempty"`
|
||||||
|
Algorithms []string `json:"id_token_signing_alg_values_supported,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
@ -43,13 +44,29 @@ type OIDCOptions struct {
|
|||||||
target *template.Template
|
target *template.Template
|
||||||
transform *template.Template
|
transform *template.Template
|
||||||
oidcProviderConfig *oidc.ProviderConfig
|
oidcProviderConfig *oidc.ProviderConfig
|
||||||
|
provider *oidc.Provider
|
||||||
verifier *oidc.IDTokenVerifier
|
verifier *oidc.IDTokenVerifier
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
|
func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
|
||||||
if o.verifier == nil {
|
if o.verifier == nil {
|
||||||
provider := o.oidcProviderConfig.NewProvider(ctx) // TODO: support the OIDC discovery flow
|
switch {
|
||||||
o.verifier = provider.Verifier(o.getConfig())
|
case o.Provider.DiscoveryBaseURL != "":
|
||||||
|
// creates a new OIDC provider using automatic discovery and the default HTTP client
|
||||||
|
if provider, err := oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed creating new OIDC provider using discovery: %w", err)
|
||||||
|
} else {
|
||||||
|
o.provider = provider
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
o.provider = o.oidcProviderConfig.NewProvider(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
if o.provider == nil {
|
||||||
|
return nil, errors.New("no OIDC provider available")
|
||||||
|
}
|
||||||
|
|
||||||
|
o.verifier = o.provider.Verifier(o.getConfig())
|
||||||
}
|
}
|
||||||
|
|
||||||
return o.verifier, nil
|
return o.verifier, nil
|
||||||
|
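Review bot: The discovery call `oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL)` goes through the default HTTP client, as the comment above it says, and `http.DefaultClient` carries no timeout, so a stalled discovery endpoint blocks the first verification for as long as the caller's ctx allows; a bounded client can be supplied with `oidc.NewProvider(oidc.ClientContext(ctx, &http.Client{Timeout: <discovery-timeout>}), o.Provider.DiscoveryBaseURL)` (net/http and time would need importing; the import block is only partly visible in the first hunk). Discovery also fetches the JWKS that verifies ID tokens, so a `DiscoveryBaseURL` that is not `https` makes those keys only as trustworthy as the transport; the Wire options validation lives outside this hunk, but parsing the value with `url.Parse` there and requiring the https scheme would reject a plaintext issuer at configuration time rather than at first use. The `if provider, err := …; err != nil { … } else { o.provider = provider }` shape puts the happy path in an else after a return; `provider, err := oidc.NewProvider(…)`, the error check, then a plain `o.provider = provider` reads as the rest of the file does. The lazy initialization is still unsynchronized; if GetVerifier can be reached from concurrent requests (not visible here), the writes to `o.provider` and `o.verifier` race, which predates this commit for `o.verifier` but now spans two fields.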