authelia/internal/oidc/discovery.go

package oidc

import (
	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

// NewOpenIDConnectWellKnownConfiguration generates a new OpenIDConnectWellKnownConfiguration.
func NewOpenIDConnectWellKnownConfiguration(c *schema.OpenIDConnectConfiguration, clients map[string]*Client) (config OpenIDConnectWellKnownConfiguration) {
	config = OpenIDConnectWellKnownConfiguration{
		CommonDiscoveryOptions: CommonDiscoveryOptions{
			SubjectTypesSupported: []string{
				SubjectTypePublic,
			},
			ResponseTypesSupported: []string{
				ResponseTypeAuthorizationCodeFlow,
				ResponseTypeImplicitFlowIDToken,
				ResponseTypeImplicitFlowToken,
				ResponseTypeImplicitFlowBoth,
				ResponseTypeHybridFlowIDToken,
				ResponseTypeHybridFlowToken,
				ResponseTypeHybridFlowBoth,
			},
			GrantTypesSupported: []string{
				GrantTypeAuthorizationCode,
				GrantTypeImplicit,
				GrantTypeRefreshToken,
			},
			ResponseModesSupported: []string{
				ResponseModeFormPost,
				ResponseModeQuery,
				ResponseModeFragment,
			},
			ScopesSupported: []string{
				ScopeOfflineAccess,
				ScopeOpenID,
				ScopeProfile,
				ScopeGroups,
				ScopeEmail,
			},
			ClaimsSupported: []string{
				ClaimAuthenticationMethodsReference,
				ClaimAudience,
				ClaimAuthorizedParty,
				ClaimClientIdentifier,
				ClaimExpirationTime,
				ClaimIssuedAt,
				ClaimIssuer,
				ClaimJWTID,
				ClaimRequestedAt,
				ClaimSubject,
				ClaimAuthenticationTime,
				ClaimNonce,
				ClaimPreferredEmail,
				ClaimEmailVerified,
				ClaimEmailAlts,
				ClaimGroups,
				ClaimPreferredUsername,
				ClaimFullName,
			},
			TokenEndpointAuthMethodsSupported: []string{
				ClientAuthMethodClientSecretBasic,
				ClientAuthMethodClientSecretPost,
				ClientAuthMethodClientSecretJWT,
				ClientAuthMethodNone,
			},
		},
		OAuth2DiscoveryOptions: OAuth2DiscoveryOptions{
			CodeChallengeMethodsSupported: []string{
				PKCEChallengeMethodSHA256,
			},
		},
		OpenIDConnectDiscoveryOptions: OpenIDConnectDiscoveryOptions{
			IDTokenSigningAlgValuesSupported: []string{
				SigningAlgorithmRSAWithSHA256,
			},
			UserinfoSigningAlgValuesSupported: []string{
				SigningAlgorithmNone,
				SigningAlgorithmRSAWithSHA256,
			},
			RequestObjectSigningAlgValuesSupported: []string{
				SigningAlgorithmNone,
				SigningAlgorithmRSAWithSHA256,
			},
		},
		PushedAuthorizationDiscoveryOptions: PushedAuthorizationDiscoveryOptions{
			RequirePushedAuthorizationRequests: c.PAR.Enforce,
		},
	}

	var pairwise, public bool

	for _, client := range clients {
		if pairwise && public {
			break
		}

		if client.SectorIdentifier != "" {
			pairwise = true
		}
	}

	if pairwise {
		config.SubjectTypesSupported = append(config.SubjectTypesSupported, SubjectTypePairwise)
	}

	if c.EnablePKCEPlainChallenge {
		config.CodeChallengeMethodsSupported = append(config.CodeChallengeMethodsSupported, PKCEChallengeMethodPlain)
	}

	return config
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`package oidc`

feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`import (`
			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
			`)`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`// NewOpenIDConnectWellKnownConfiguration generates a new OpenIDConnectWellKnownConfiguration.`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`func NewOpenIDConnectWellKnownConfiguration(c schema.OpenIDConnectConfiguration, clients map[string]Client) (config OpenIDConnectWellKnownConfiguration) {`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`config = OpenIDConnectWellKnownConfiguration{`
			`CommonDiscoveryOptions: CommonDiscoveryOptions{`
			`SubjectTypesSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`SubjectTypePublic,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`ResponseTypesSupported: []string{`
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt. 2023-03-06 02:35:58 +00:00			`ResponseTypeAuthorizationCodeFlow,`
			`ResponseTypeImplicitFlowIDToken,`
			`ResponseTypeImplicitFlowToken,`
			`ResponseTypeImplicitFlowBoth,`
			`ResponseTypeHybridFlowIDToken,`
			`ResponseTypeHybridFlowToken,`
			`ResponseTypeHybridFlowBoth,`
			`},`
			`GrantTypesSupported: []string{`
			`GrantTypeAuthorizationCode,`
			`GrantTypeImplicit,`
			`GrantTypeRefreshToken,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`ResponseModesSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`ResponseModeFormPost,`
			`ResponseModeQuery,`
			`ResponseModeFragment,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`ScopesSupported: []string{`
			`ScopeOfflineAccess,`
			`ScopeOpenID,`
			`ScopeProfile,`
			`ScopeGroups,`
			`ScopeEmail,`
			`},`
			`ClaimsSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`ClaimAuthenticationMethodsReference,`
			`ClaimAudience,`
			`ClaimAuthorizedParty,`
			`ClaimClientIdentifier,`
			`ClaimExpirationTime,`
			`ClaimIssuedAt,`
			`ClaimIssuer,`
			`ClaimJWTID,`
			`ClaimRequestedAt,`
			`ClaimSubject,`
			`ClaimAuthenticationTime,`
			`ClaimNonce,`
			`ClaimPreferredEmail,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`ClaimEmailVerified,`
			`ClaimEmailAlts,`
			`ClaimGroups,`
			`ClaimPreferredUsername,`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`ClaimFullName,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
feat(oidc): client_secret_jwt client auth (#5031) This theoretically adds support for client_secret_jwt. 2023-03-06 02:35:58 +00:00			`TokenEndpointAuthMethodsSupported: []string{`
			`ClientAuthMethodClientSecretBasic,`
			`ClientAuthMethodClientSecretPost,`
			`ClientAuthMethodClientSecretJWT,`
			`ClientAuthMethodNone,`
			`},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`OAuth2DiscoveryOptions: OAuth2DiscoveryOptions{`
			`CodeChallengeMethodsSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`PKCEChallengeMethodSHA256,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`},`
			`OpenIDConnectDiscoveryOptions: OpenIDConnectDiscoveryOptions{`
			`IDTokenSigningAlgValuesSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`SigningAlgorithmRSAWithSHA256,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`UserinfoSigningAlgValuesSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`SigningAlgorithmNone,`
			`SigningAlgorithmRSAWithSHA256,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`RequestObjectSigningAlgValuesSupported: []string{`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`SigningAlgorithmNone,`
			`SigningAlgorithmRSAWithSHA256,`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`},`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`PushedAuthorizationDiscoveryOptions: PushedAuthorizationDiscoveryOptions{`
			`RequirePushedAuthorizationRequests: c.PAR.Enforce,`
			`},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`}`

feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`var pairwise, public bool`

			`for _, client := range clients {`
			`if pairwise && public {`
			`break`
			`}`

			`if client.SectorIdentifier != "" {`
			`pairwise = true`
			`}`
			`}`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`if pairwise {`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`config.SubjectTypesSupported = append(config.SubjectTypesSupported, SubjectTypePairwise)`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`}`

feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`if c.EnablePKCEPlainChallenge {`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`config.CodeChallengeMethodsSupported = append(config.CodeChallengeMethodsSupported, PKCEChallengeMethodPlain)`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`}`

			`return config`
			`}`