@@ 17,6 17,26 @@ import (
)
func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) {
+ issuer := getIssuer(req)
+
+ w.Header().Set("Content-Type", "application/json")
+ json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
+ Issuer: issuer,
+ AuthorizationEndpoint: issuer + "/authorize",
+ TokenEndpoint: issuer + "/token",
+ IntrospectionEndpoint: issuer + "/introspect",
+ RevocationEndpoint: issuer + "/revoke",
+ ResponseTypesSupported: []oauth2.ResponseType{oauth2.ResponseTypeCode},
+ ResponseModesSupported: []oauth2.ResponseMode{oauth2.ResponseModeQuery},
+ GrantTypesSupported: []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
+ TokenEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ RevocationEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
+ AuthorizationResponseIssParameterSupported: true,
+ })
+}
+
+func getIssuer(req *http.Request) string {
issuerURL := url.URL{
Scheme: "https",
Host: req.Host,
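Review bot: The `IntrospectionEndpointAuthMethodsSupported` and `RevocationEndpointAuthMethodsSupported` lists in the encoded metadata advertise `oauth2.AuthMethodNone`, and RFC 7662 §2.1 requires the introspection endpoint to be protected against unauthenticated callers so tokens cannot be scanned; if `/introspect` really accepts unauthenticated requests that is the defect, and if it does not, the metadata is misleading and the entry should be dropped, e.g. `IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodClientSecretBasic},`. The return value of `json.NewEncoder(w).Encode(...)` is discarded; `_ =` with a short comment, or a logged error, would make the intent explicit. Note also that `issuer` comes from `getIssuer`, whose body continues past this hunk and is built from `req.Host`, so every endpoint URL in this document follows whatever Host header the request carried unless Host is validated upstream.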
@@ 25,22 45,7 @@ func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) {
// TODO: add config option for allowed reverse proxy IPs
issuerURL.Scheme = "http"
}
- issuer := issuerURL.String()
-
- w.Header().Set("Content-Type", "application/json")
- json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
- Issuer: issuer,
- AuthorizationEndpoint: issuer + "/authorize",
- TokenEndpoint: issuer + "/token",
- IntrospectionEndpoint: issuer + "/introspect",
- RevocationEndpoint: issuer + "/revoke",
- ResponseTypesSupported: []oauth2.ResponseType{oauth2.ResponseTypeCode},
- ResponseModesSupported: []oauth2.ResponseMode{oauth2.ResponseModeQuery},
- GrantTypesSupported: []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
- TokenEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- RevocationEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
- })
+ return issuerURL.String()
}
func isLoopback(req *http.Request) bool {
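Review bot: `getIssuer` now returns the value used both as the metadata `issuer` and, in the later hunk, as the RFC 9207 `iss` parameter, yet it still derives the host from `req.Host` with no allow-list, so a request carrying a forged Host header yields a metadata document and an `iss` value naming an attacker-chosen host — if any proxy or CDN in front of this server caches the metadata response, that is discovery poisoning. The downgrade to `issuerURL.Scheme = "http"` just above the return is gated by a condition outside this hunk; the TODO about allowed reverse proxy IPs suggests a loopback/proxy check, and if that check reads a forwarded header, a spoofed header can also turn the issuer into `http://`. I would compare `req.Host` against a configured issuer host (or allow-list) and fall back to the configured value when it does not match, e.g. `if !allowedHosts[issuerURL.Host] { issuerURL.Host = configuredIssuerHost }`, and resolve the TODO before `iss` ships, since a mix-up defence built on an attacker-influenced string is weaker than it looks. The signature of `getIssuer` is in the previous hunk.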
@@ 464,6 469,7 @@ func redirectClient(w http.ResponseWriter, req *http.Request, redirectURI *url.U
for k, v := range values {
q[k] = v
}
+ q.Set("iss", getIssuer(req))
u := *redirectURI
u.RawQuery = q.Encode()