authelia/internal/handlers/handler_oidc_wellknown.go

package handlers

import (
	"github.com/valyala/fasthttp"

	"github.com/authelia/authelia/v4/internal/middlewares"
)

// OpenIDConnectConfigurationWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the
// OpenID Connect Discovery 1.0 metadata.
//
// https://datatracker.ietf.org/doc/html/rfc5785
//
// https://openid.net/specs/openid-connect-discovery-1_0.html
func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx) {
	issuer, err := ctx.ExternalRootURL()
	if err != nil {
		ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)

		ctx.ReplyStatusCode(fasthttp.StatusBadRequest)

		return
	}

	wellKnown := ctx.Providers.OpenIDConnect.GetOpenIDConnectWellKnownConfiguration(issuer)

	if err = ctx.ReplyJSON(wellKnown, fasthttp.StatusOK); err != nil {
		ctx.Logger.Errorf("Error occurred in JSON encode: %+v", err)

		// TODO: Determine if this is the appropriate error code here.
		ctx.ReplyStatusCode(fasthttp.StatusInternalServerError)

		return
	}
}

// OAuthAuthorizationServerWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the
// OAuth 2.0 Authorization Server Metadata (RFC8414).
//
// https://datatracker.ietf.org/doc/html/rfc5785
//
// https://datatracker.ietf.org/doc/html/rfc8414
func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx) {
	issuer, err := ctx.ExternalRootURL()
	if err != nil {
		ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)

		ctx.ReplyStatusCode(fasthttp.StatusBadRequest)

		return
	}

	wellKnown := ctx.Providers.OpenIDConnect.GetOAuth2WellKnownConfiguration(issuer)

	if err = ctx.ReplyJSON(wellKnown, fasthttp.StatusOK); err != nil {
		ctx.Logger.Errorf("Error occurred in JSON encode: %+v", err)

		// TODO: Determine if this is the appropriate error code here.
		ctx.ReplyStatusCode(fasthttp.StatusInternalServerError)

		return
	}
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
			`"github.com/valyala/fasthttp"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00			`// OpenIDConnectConfigurationWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the`
			`// OpenID Connect Discovery 1.0 metadata.`
			`//`
			`// https://datatracker.ietf.org/doc/html/rfc5785`
			`//`
			`// https://openid.net/specs/openid-connect-discovery-1_0.html`
			`func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx) {`
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-08-10 00:31:08 +00:00			`issuer, err := ctx.ExternalRootURL()`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`if err != nil {`
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-08-10 00:31:08 +00:00			`ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00
			`ctx.ReplyStatusCode(fasthttp.StatusBadRequest)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`return`
			`}`

feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`wellKnown := ctx.Providers.OpenIDConnect.GetOpenIDConnectWellKnownConfiguration(issuer)`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00			`if err = ctx.ReplyJSON(wellKnown, fasthttp.StatusOK); err != nil {`
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`ctx.Logger.Errorf("Error occurred in JSON encode: %+v", err)`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`// TODO: Determine if this is the appropriate error code here.`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00			`ctx.ReplyStatusCode(fasthttp.StatusInternalServerError)`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`return`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`}`
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`}`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins. 2022-04-07 00:58:51 +00:00			`// OAuthAuthorizationServerWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the`
			`// OAuth 2.0 Authorization Server Metadata (RFC8414).`
			`//`
			`// https://datatracker.ietf.org/doc/html/rfc5785`
			`//`
			`// https://datatracker.ietf.org/doc/html/rfc8414`
			`func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx) {`
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`issuer, err := ctx.ExternalRootURL()`
			`if err != nil {`
			`ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00
			`ctx.ReplyStatusCode(fasthttp.StatusBadRequest)`
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00
			`return`
feat(oidc): add pkce support (#2924) Implements Proof Key for Code Exchange for OpenID Connect Authorization Code Flow. By default this is enabled for the public client type and requires the S256 challenge method. Closes #2921 2022-03-02 04:44:05 +00:00			`}`

feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform. 2022-03-04 03:09:27 +00:00			`wellKnown := ctx.Providers.OpenIDConnect.GetOAuth2WellKnownConfiguration(issuer)`

refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00			`if err = ctx.ReplyJSON(wellKnown, fasthttp.StatusOK); err != nil {`
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-08-10 00:31:08 +00:00			`ctx.Logger.Errorf("Error occurred in JSON encode: %+v", err)`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`// TODO: Determine if this is the appropriate error code here.`
refactor(middlewares): factorize responses (#3628) 2022-07-08 12:18:52 +00:00			`ctx.ReplyStatusCode(fasthttp.StatusInternalServerError)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`return`
			`}`
			`}`