authelia/internal/oidc/types.go

package oidc

import (
	"crypto/rsa"

	"github.com/ory/fosite"
	"github.com/ory/fosite/handler/openid"
	"github.com/ory/fosite/storage"
	"github.com/ory/herodot"
	"gopkg.in/square/go-jose.v2"

	"github.com/authelia/authelia/v4/internal/authorization"
)

// OpenIDConnectProvider for OpenID Connect.
type OpenIDConnectProvider struct {
	Fosite     fosite.OAuth2Provider
	Store      *OpenIDConnectStore
	KeyManager *KeyManager

	herodot *herodot.JSONWriter
}

// OpenIDConnectStore is Authelia's internal representation of the fosite.Storage interface.
//
//	Currently it is mostly just implementing a decorator pattern other then GetInternalClient.
//	The long term plan is to have these methods interact with the Authelia storage and
//	session providers where applicable.
type OpenIDConnectStore struct {
	clients map[string]*InternalClient
	memory  *storage.MemoryStore
}

// InternalClient represents the client internally.
type InternalClient struct {
	ID          string `json:"id"`
	Description string `json:"-"`
	Secret      []byte `json:"client_secret,omitempty"`
	Public      bool   `json:"public"`

	Policy authorization.Level `json:"-"`

	Audience      []string                  `json:"audience"`
	Scopes        []string                  `json:"scopes"`
	RedirectURIs  []string                  `json:"redirect_uris"`
	GrantTypes    []string                  `json:"grant_types"`
	ResponseTypes []string                  `json:"response_types"`
	ResponseModes []fosite.ResponseModeType `json:"response_modes"`

	UserinfoSigningAlgorithm string `json:"userinfo_signed_response_alg,omitempty"`
}

// KeyManager keeps track of all of the active/inactive rsa keys and provides them to services requiring them.
// It additionally allows us to add keys for the purpose of key rotation in the future.
type KeyManager struct {
	activeKeyID string
	keys        map[string]*rsa.PrivateKey
	keySet      *jose.JSONWebKeySet
	strategy    *RS256JWTStrategy
}

// AutheliaHasher implements the fosite.Hasher interface without an actual hashing algo.
type AutheliaHasher struct{}

// ConsentGetResponseBody schema of the response body of the consent GET endpoint.
type ConsentGetResponseBody struct {
	ClientID          string   `json:"client_id"`
	ClientDescription string   `json:"client_description"`
	Scopes            []string `json:"scopes"`
	Audience          []string `json:"audience"`
}

// WellKnownConfiguration is the OIDC well known config struct.
//
// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
type WellKnownConfiguration struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`

	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	RevocationEndpoint    string `json:"revocation_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	IntrospectionEndpoint string `json:"introspection_endpoint"`

	Algorithms         []string `json:"id_token_signing_alg_values_supported"`
	UserinfoAlgorithms []string `json:"userinfo_signing_alg_values_supported"`

	SubjectTypesSupported         []string `json:"subject_types_supported"`
	ResponseTypesSupported        []string `json:"response_types_supported"`
	ResponseModesSupported        []string `json:"response_modes_supported"`
	ScopesSupported               []string `json:"scopes_supported"`
	ClaimsSupported               []string `json:"claims_supported"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`

	RequestURIParameterSupported       bool `json:"request_uri_parameter_supported"`
	BackChannelLogoutSupported         bool `json:"backchannel_logout_supported"`
	FrontChannelLogoutSupported        bool `json:"frontchannel_logout_supported"`
	BackChannelLogoutSessionSupported  bool `json:"backchannel_logout_session_supported"`
	FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
}

// OpenIDSession holds OIDC Session information.
type OpenIDSession struct {
	*openid.DefaultSession `json:"idToken"`

	Extra    map[string]interface{} `json:"extra"`
	ClientID string
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`package oidc`

			`import (`
			`"crypto/rsa"`

			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/handler/openid"`
			`"github.com/ory/fosite/storage"`
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00			`"github.com/ory/herodot"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`"gopkg.in/square/go-jose.v2"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/authorization"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`)`

			`// OpenIDConnectProvider for OpenID Connect.`
			`type OpenIDConnectProvider struct {`
			`Fosite fosite.OAuth2Provider`
			`Store *OpenIDConnectStore`
			`KeyManager *KeyManager`
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00
			`herodot *herodot.JSONWriter`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`}`

			`// OpenIDConnectStore is Authelia's internal representation of the fosite.Storage interface.`
			`//`
			`// Currently it is mostly just implementing a decorator pattern other then GetInternalClient.`
			`// The long term plan is to have these methods interact with the Authelia storage and`
			`// session providers where applicable.`
			`type OpenIDConnectStore struct {`
			`clients map[string]*InternalClient`
			`memory *storage.MemoryStore`
			`}`

			`// InternalClient represents the client internally.`
			`type InternalClient struct {`
feat(oidc): implement client type public (#2171) This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure. 2021-07-15 11:02:03 +00:00			ID string `json:"id"`
			Description string `json:"-"`
			Secret []byte `json:"client_secret,omitempty"`
			Public bool `json:"public"`
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00
feat(oidc): implement client type public (#2171) This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure. 2021-07-15 11:02:03 +00:00			Policy authorization.Level `json:"-"`

			Audience []string `json:"audience"`
			Scopes []string `json:"scopes"`
			RedirectURIs []string `json:"redirect_uris"`
			GrantTypes []string `json:"grant_types"`
			ResponseTypes []string `json:"response_types"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			ResponseModes []fosite.ResponseModeType `json:"response_modes"`
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00
			UserinfoSigningAlgorithm string `json:"userinfo_signed_response_alg,omitempty"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`}`

			`// KeyManager keeps track of all of the active/inactive rsa keys and provides them to services requiring them.`
			`// It additionally allows us to add keys for the purpose of key rotation in the future.`
			`type KeyManager struct {`
			`activeKeyID string`
			`keys map[string]*rsa.PrivateKey`
			`keySet *jose.JSONWebKeySet`
			`strategy *RS256JWTStrategy`
			`}`

			`// AutheliaHasher implements the fosite.Hasher interface without an actual hashing algo.`
			`type AutheliaHasher struct{}`

			`// ConsentGetResponseBody schema of the response body of the consent GET endpoint.`
			`type ConsentGetResponseBody struct {`
feat: oidc scope i18n (#2799) This adds i18n for the OIDC scope descriptsions descriptions. 2022-02-07 14:18:16 +00:00			ClientID string `json:"client_id"`
			ClientDescription string `json:"client_description"`
			Scopes []string `json:"scopes"`
			Audience []string `json:"audience"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`}`

			`// WellKnownConfiguration is the OIDC well known config struct.`
			`//`
			`// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`
			`type WellKnownConfiguration struct {`
			Issuer string `json:"issuer"`
			JWKSURI string `json:"jwks_uri"`

			AuthorizationEndpoint string `json:"authorization_endpoint"`
			TokenEndpoint string `json:"token_endpoint"`
			RevocationEndpoint string `json:"revocation_endpoint"`
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00			UserinfoEndpoint string `json:"userinfo_endpoint"`
feat(oidc): include introspection_endpoint in .well-known/openid-configuration This adds the OAuth 2.0 introspection endpoint to the OpenID Connect discovery document. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10 2021-11-11 03:41:49 +00:00			IntrospectionEndpoint string `json:"introspection_endpoint"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00
feat(oidc): userinfo endpoint (#2146) This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints. 2021-07-10 04:56:33 +00:00			Algorithms []string `json:"id_token_signing_alg_values_supported"`
			UserinfoAlgorithms []string `json:"userinfo_signing_alg_values_supported"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00
feat(oidc): add pkce support (#2924) Implements Proof Key for Code Exchange for OpenID Connect Authorization Code Flow. By default this is enabled for the public client type and requires the S256 challenge method. Closes #2921 2022-03-02 04:44:05 +00:00			SubjectTypesSupported []string `json:"subject_types_supported"`
			ResponseTypesSupported []string `json:"response_types_supported"`
			ResponseModesSupported []string `json:"response_modes_supported"`
			ScopesSupported []string `json:"scopes_supported"`
			ClaimsSupported []string `json:"claims_supported"`
			CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00
			RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`
			BackChannelLogoutSupported bool `json:"backchannel_logout_supported"`
			FrontChannelLogoutSupported bool `json:"frontchannel_logout_supported"`
			BackChannelLogoutSessionSupported bool `json:"backchannel_logout_session_supported"`
			FrontChannelLogoutSessionSupported bool `json:"frontchannel_logout_session_supported"`
			`}`

			`// OpenIDSession holds OIDC Session information.`
			`type OpenIDSession struct {`
			*openid.DefaultSession `json:"idToken"`

			Extra map[string]interface{} `json:"extra"`
			`ClientID string`
			`}`