mirror of
https://github.com/xslasd/x-oidc.git
synced 2024-07-25 12:21:00 +08:00
178 lines
7.1 KiB
Go
178 lines
7.1 KiB
Go
package oidc
|
|
|
|
import (
|
|
"github.com/xslasd/x-oidc/constant"
|
|
"github.com/xslasd/x-oidc/log"
|
|
"golang.org/x/text/language"
|
|
"net/url"
|
|
"os"
|
|
)
|
|
|
|
type OpenIDOption struct {
|
|
allowInsecure bool
|
|
logger log.Logger
|
|
|
|
scopesSupported []string
|
|
responseTypesSupported []string
|
|
responseModesSupported []string
|
|
grantTypesSupported []string
|
|
subjectTypesSupported []string
|
|
requestObjectSigningAlgValuesSupported []string
|
|
|
|
tokenEndpointAuthMethodsSupported []string
|
|
tokenEndpointAuthSigningAlgValuesSupported []string
|
|
|
|
revocationEndpointAuthMethodsSupported []string
|
|
revocationEndpointAuthSigningAlgValuesSupported []string
|
|
|
|
introspectionEndpointAuthMethodsSupported []string
|
|
introspectionEndpointAuthSigningAlgValuesSupported []string
|
|
|
|
displayValuesSupported []string
|
|
|
|
claimTypesSupported []string
|
|
claimsSupported []string
|
|
|
|
codeChallengeMethodsSupported []string
|
|
|
|
claimsLocalesSupported []language.Tag
|
|
uILocalesSupported []language.Tag
|
|
|
|
requestParameterSupported bool
|
|
|
|
Endpoint
|
|
|
|
authRequestPromptSupported []string
|
|
idTokenSigningAlgValuesSupported []string
|
|
}
|
|
|
|
type Option func(*OpenIDOption)
|
|
|
|
func defaultOption(issuer string) *OpenIDOption {
|
|
discoveryEndpoint, _ := url.JoinPath(issuer, constant.DiscoveryEndpoint)
|
|
defaultAuthorizationEndpoint, _ := url.JoinPath(issuer, constant.DefaultAuthorizationEndpoint)
|
|
defaultTokenEndpoint, _ := url.JoinPath(issuer, constant.DefaultTokenEndpoint)
|
|
defaultIntrospectEndpoint, _ := url.JoinPath(issuer, constant.DefaultIntrospectEndpoint)
|
|
defaultUserinfoEndpoint, _ := url.JoinPath(issuer, constant.DefaultUserinfoEndpoint)
|
|
defaultRevocationEndpoint, _ := url.JoinPath(issuer, constant.DefaultRevocationEndpoint)
|
|
defaultEndSessionEndpoint, _ := url.JoinPath(issuer, constant.DefaultEndSessionEndpoint)
|
|
defaultJwksEndpoint, _ := url.JoinPath(issuer, constant.DefaultJwksEndpoint)
|
|
defaultDeviceAuthorizationEndpoint, _ := url.JoinPath(issuer, constant.DefaultDeviceAuthorizationEndpoint)
|
|
defaultAuthorizeCallbackEndpoint, _ := url.JoinPath(issuer, constant.DefaultAuthorizeCallbackEndpoint)
|
|
|
|
return &OpenIDOption{
|
|
allowInsecure: false,
|
|
logger: log.NewSimpleLogger(os.Stdout),
|
|
|
|
scopesSupported: []string{constant.ScopeOpenID, constant.ScopeProfile, constant.ScopeOfflineAccess},
|
|
grantTypesSupported: []string{constant.GrantTypeCode, constant.GrantTypeImplicit},
|
|
subjectTypesSupported: []string{"public"},
|
|
requestObjectSigningAlgValuesSupported: []string{"RS256"},
|
|
|
|
tokenEndpointAuthMethodsSupported: []string{constant.AuthMethodNone, constant.AuthMethodBasic},
|
|
tokenEndpointAuthSigningAlgValuesSupported: []string{"RS256"},
|
|
revocationEndpointAuthMethodsSupported: []string{constant.AuthMethodNone, constant.AuthMethodBasic},
|
|
revocationEndpointAuthSigningAlgValuesSupported: []string{"RS256"},
|
|
introspectionEndpointAuthMethodsSupported: []string{constant.AuthMethodNone, constant.AuthMethodBasic},
|
|
introspectionEndpointAuthSigningAlgValuesSupported: []string{"RS256"},
|
|
|
|
displayValuesSupported: []string{constant.DisplayPage}, //all DisplayPage, DisplayPopup, DisplayTouch, DisplayWAP
|
|
|
|
codeChallengeMethodsSupported: []string{constant.CodeChallengeMethodPlain, constant.CodeChallengeMethodS256},
|
|
|
|
claimTypesSupported: []string{"normal", "aggregated", "distributed"},
|
|
claimsSupported: []string{
|
|
"sub",
|
|
"aud",
|
|
"exp",
|
|
"iat",
|
|
"iss",
|
|
"auth_time",
|
|
"nonce",
|
|
"acr",
|
|
"amr",
|
|
"c_hash",
|
|
"at_hash",
|
|
"act",
|
|
"scopes",
|
|
"client_id",
|
|
"azp",
|
|
"name",
|
|
"locale",
|
|
"email",
|
|
"email_verified",
|
|
"phone_number",
|
|
"phone_number_verified",
|
|
},
|
|
requestParameterSupported: true,
|
|
authRequestPromptSupported: []string{constant.PromptNone, constant.PromptLogin},
|
|
|
|
Endpoint: Endpoint{
|
|
discoveryEndpoint: discoveryEndpoint,
|
|
discoveryPath: constant.DiscoveryEndpoint,
|
|
jwksEndpoint: defaultJwksEndpoint,
|
|
jwksPath: constant.DefaultJwksEndpoint,
|
|
deviceAuthorizationEndpoint: defaultDeviceAuthorizationEndpoint,
|
|
deviceAuthorizationPath: constant.DefaultDeviceAuthorizationEndpoint,
|
|
authorizationEndpoint: defaultAuthorizationEndpoint,
|
|
authorizationPath: constant.DefaultAuthorizationEndpoint,
|
|
tokenExchangeEndpoint: defaultTokenEndpoint,
|
|
tokenExchangePath: constant.DefaultTokenEndpoint,
|
|
introspectionEndpoint: defaultIntrospectEndpoint,
|
|
introspectionPath: constant.DefaultIntrospectEndpoint,
|
|
userinfoEndpoint: defaultUserinfoEndpoint,
|
|
userinfoPath: constant.DefaultUserinfoEndpoint,
|
|
revocationEndpoint: defaultRevocationEndpoint,
|
|
revocationPath: constant.DefaultRevocationEndpoint,
|
|
endSessionEndpoint: defaultEndSessionEndpoint,
|
|
endSessionPath: constant.DefaultEndSessionEndpoint,
|
|
authorizeCallbackEndpoint: defaultAuthorizeCallbackEndpoint,
|
|
authorizeCallbackPath: constant.DefaultAuthorizeCallbackEndpoint,
|
|
},
|
|
}
|
|
}
|
|
|
|
type Endpoint struct {
|
|
// discoveryEndpoint is an API endpoint that provides information about available resources and services in a web application or service.
|
|
discoveryEndpoint string
|
|
discoveryPath string
|
|
// jwksEndpoint is the URL of the JSON Web Key Set. This site contains the signing keys that RPs can use to validate the signature.
|
|
jwksEndpoint string
|
|
jwksPath string
|
|
// deviceAuthorizationEndpoint The Device Authorization Endpoint is an OAuth 2.0 endpoint that enables devices with limited input capabilities, such as smart TVs, gaming consoles, and IoT devices, to obtain user authorization to access protected resources.
|
|
deviceAuthorizationEndpoint string
|
|
deviceAuthorizationPath string
|
|
// authorizationEndpoint is the URL of the OAuth 2.0 Authorization Endpoint where all user interactive login start
|
|
authorizationEndpoint string
|
|
authorizationPath string
|
|
// tokenExchangeEndpoint is the URL of the OAuth 2.0 Token Endpoint where all tokens are issued, except when using Implicit Flow
|
|
tokenExchangeEndpoint string
|
|
tokenExchangePath string
|
|
// introspectionEndpoint is the URL of the OAuth 2.0 Introspection Endpoint.
|
|
introspectionEndpoint string
|
|
introspectionPath string
|
|
// userinfoEndpoint is the URL where an access_token can be used to retrieve the userinfo.
|
|
userinfoEndpoint string
|
|
userinfoPath string
|
|
// revocationEndpoint is the URL of the OAuth 2.0 Revocation Endpoint.
|
|
revocationEndpoint string
|
|
revocationPath string
|
|
// endSessionEndpoint is a URL where the RP can perform a redirect to request that the End-User be logged out at the OP.
|
|
endSessionEndpoint string
|
|
endSessionPath string
|
|
// authorizeCallbackEndpoint Provide binding routing for users and requests, for internal use only. Require security certification.
|
|
authorizeCallbackEndpoint string
|
|
authorizeCallbackPath string
|
|
}
|
|
|
|
func WithAllowInsecure(allow bool) Option {
|
|
return func(o *OpenIDOption) {
|
|
o.allowInsecure = allow
|
|
}
|
|
}
|
|
func WithLogger(logger log.Logger) Option {
|
|
return func(o *OpenIDOption) {
|
|
o.logger = logger
|
|
}
|
|
}
|