smallstep-certificates/authority/provisioner/oidc_options.go

package provisioner

import (
	"bytes"
	"context"
	"fmt"
	"text/template"
	"time"

	"github.com/coreos/go-oidc/v3/oidc"
)

type ProviderJSON struct {
	IssuerURL   string   `json:"issuer,omitempty"`
	AuthURL     string   `json:"authorization_endpoint,omitempty"`
	TokenURL    string   `json:"token_endpoint,omitempty"`
	JWKSURL     string   `json:"jwks_uri,omitempty"`
	UserInfoURL string   `json:"userinfo_endpoint,omitempty"`
	Algorithms  []string `json:"id_token_signing_alg_values_supported,omitempty"`
}

type ConfigJSON struct {
	ClientID                   string           `json:"client-id,omitempty"`
	SupportedSigningAlgs       []string         `json:"support-signing-algs,omitempty"`
	SkipClientIDCheck          bool             `json:"-"`
	SkipExpiryCheck            bool             `json:"-"`
	SkipIssuerCheck            bool             `json:"-"`
	Now                        func() time.Time `json:"-"`
	InsecureSkipSignatureCheck bool             `json:"-"`
}

type OIDCOptions struct {
	Provider ProviderJSON `json:"provider,omitempty"`
	Config   ConfigJSON   `json:"config,omitempty"`
}

func (o *OIDCOptions) GetProvider(ctx context.Context) *oidc.Provider {
	if o == nil {
		return nil
	}
	return toProviderConfig(o.Provider).NewProvider(ctx)
}

func (o *OIDCOptions) GetConfig() *oidc.Config {
	if o == nil {
		return &oidc.Config{}
	}
	config := oidc.Config(o.Config)
	return &config
}

func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
	if o == nil {
		return "", fmt.Errorf("Misconfigured target template configuration")
	}
	targetTemplate := o.Provider.IssuerURL
	tmpl, err := template.New("DeviceId").Parse(targetTemplate)
	buf := new(bytes.Buffer)
	err = tmpl.Execute(buf, struct{ DeviceId string }{deviceID})
	return buf.String(), err
}

func toProviderConfig(in ProviderJSON) *oidc.ProviderConfig {
	return &oidc.ProviderConfig{
		IssuerURL:   in.IssuerURL,
		AuthURL:     in.AuthURL,
		TokenURL:    in.TokenURL,
		UserInfoURL: in.UserInfoURL,
		JWKSURL:     in.JWKSURL,
		Algorithms:  in.Algorithms,
	}
}