authelia/internal/handlers/handler_oidc_wellknown.go

package handlers

import (
	"encoding/json"
	"fmt"

	"github.com/valyala/fasthttp"

	"github.com/authelia/authelia/internal/middlewares"
)

func oidcWellKnown(ctx *middlewares.AutheliaCtx) {
	var configuration WellKnownConfigurationJSON

	issuer, err := ctx.ForwardedProtoHost()
	if err != nil {
		ctx.Logger.Errorf("Error occurred in ForwardedProtoHost: %+v", err)
		ctx.Response.SetStatusCode(fasthttp.StatusBadRequest)

		return
	}

	configuration.Issuer = issuer
	configuration.AuthURL = fmt.Sprintf("%s%s", issuer, oidcAuthorizePath)
	configuration.TokenURL = fmt.Sprintf("%s%s", issuer, oidcTokenPath)
	configuration.RevocationEndpoint = fmt.Sprintf("%s%s", issuer, oidcRevokePath)
	configuration.JWKSURL = fmt.Sprintf("%s%s", issuer, oidcJWKsPath)
	configuration.Algorithms = []string{"RS256"}
	configuration.ScopesSupported = []string{
		"openid",
		"profile",
		"groups",
		"email",
		// Determine if this is really mandatory knowing the RP can request for a refresh token through the authorize
		// endpoint anyway.
		"offline_access",
	}
	configuration.ClaimsSupported = []string{
		"aud",
		"exp",
		"iat",
		"iss",
		"jti",
		"rat",
		"sub",
		"auth_time",
		"nonce",
		"email",
		"email_verified",
		"groups",
		"name",
	}
	configuration.SubjectTypesSupported = []string{
		"public",
	}
	configuration.ResponseTypesSupported = []string{
		"code",
		"token",
		"id_token",
		"code token",
		"code id_token",
		"token id_token",
		"code token id_token",
		"none",
	}

	ctx.SetContentType("application/json")

	if err := json.NewEncoder(ctx).Encode(configuration); err != nil {
		ctx.Logger.Errorf("Error occurred in json Encode: %+v", err)
		// TODO: Determine if this is the appropriate error code here.
		ctx.Response.SetStatusCode(fasthttp.StatusInternalServerError)

		return
	}
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
			`"encoding/json"`
			`"fmt"`

			`"github.com/valyala/fasthttp"`

			`"github.com/authelia/authelia/internal/middlewares"`
			`)`

			`func oidcWellKnown(ctx *middlewares.AutheliaCtx) {`
			`var configuration WellKnownConfigurationJSON`

			`issuer, err := ctx.ForwardedProtoHost()`
			`if err != nil {`
			`ctx.Logger.Errorf("Error occurred in ForwardedProtoHost: %+v", err)`
			`ctx.Response.SetStatusCode(fasthttp.StatusBadRequest)`

			`return`
			`}`

			`configuration.Issuer = issuer`
			`configuration.AuthURL = fmt.Sprintf("%s%s", issuer, oidcAuthorizePath)`
			`configuration.TokenURL = fmt.Sprintf("%s%s", issuer, oidcTokenPath)`
			`configuration.RevocationEndpoint = fmt.Sprintf("%s%s", issuer, oidcRevokePath)`
			`configuration.JWKSURL = fmt.Sprintf("%s%s", issuer, oidcJWKsPath)`
			`configuration.Algorithms = []string{"RS256"}`
			`configuration.ScopesSupported = []string{`
			`"openid",`
			`"profile",`
			`"groups",`
			`"email",`
			`// Determine if this is really mandatory knowing the RP can request for a refresh token through the authorize`
			`// endpoint anyway.`
			`"offline_access",`
			`}`
			`configuration.ClaimsSupported = []string{`
			`"aud",`
			`"exp",`
			`"iat",`
			`"iss",`
			`"jti",`
			`"rat",`
			`"sub",`
			`"auth_time",`
			`"nonce",`
			`"email",`
			`"email_verified",`
			`"groups",`
			`"name",`
			`}`
fix(oidc): implement required subject types supported meta (#1996) The well known openid-configuration should have the subject_types_supported meta values. 2021-05-11 01:00:29 +00:00			`configuration.SubjectTypesSupported = []string{`
			`"public",`
			`}`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`configuration.ResponseTypesSupported = []string{`
			`"code",`
			`"token",`
			`"id_token",`
			`"code token",`
			`"code id_token",`
			`"token id_token",`
			`"code token id_token",`
			`"none",`
			`}`

			`ctx.SetContentType("application/json")`

			`if err := json.NewEncoder(ctx).Encode(configuration); err != nil {`
			`ctx.Logger.Errorf("Error occurred in json Encode: %+v", err)`
			`// TODO: Determine if this is the appropriate error code here.`
			`ctx.Response.SetStatusCode(fasthttp.StatusInternalServerError)`

			`return`
			`}`
			`}`