
c5786cf571ef9031d9160d713f6381a8c9eddaf0 — Simon Ser 7 months ago 54fa344
Add server issuer information

Closes: https://todo.sr.ht/~emersion/sinwon/11
1 files changed, 22 insertions(+), 16 deletions(-)

M oauth2.go
M oauth2.go => oauth2.go +22 -16
@@ 17,6 17,26 @@ import (
)

func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) {
	issuer := getIssuer(req)

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
		Issuer:                                     issuer,
		AuthorizationEndpoint:                      issuer + "/authorize",
		TokenEndpoint:                              issuer + "/token",
		IntrospectionEndpoint:                      issuer + "/introspect",
		RevocationEndpoint:                         issuer + "/revoke",
		ResponseTypesSupported:                     []oauth2.ResponseType{oauth2.ResponseTypeCode},
		ResponseModesSupported:                     []oauth2.ResponseMode{oauth2.ResponseModeQuery},
		GrantTypesSupported:                        []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
		TokenEndpointAuthMethodsSupported:          []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
		IntrospectionEndpointAuthMethodsSupported:  []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
		RevocationEndpointAuthMethodsSupported:     []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
		AuthorizationResponseIssParameterSupported: true,
	})
}

func getIssuer(req *http.Request) string {
	issuerURL := url.URL{
		Scheme: "https",
		Host:   req.Host,


@@ 25,22 45,7 @@ func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) {
		// TODO: add config option for allowed reverse proxy IPs
		issuerURL.Scheme = "http"
	}
	issuer := issuerURL.String()

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(&oauth2.ServerMetadata{
		Issuer:                                    issuer,
		AuthorizationEndpoint:                     issuer + "/authorize",
		TokenEndpoint:                             issuer + "/token",
		IntrospectionEndpoint:                     issuer + "/introspect",
		RevocationEndpoint:                        issuer + "/revoke",
		ResponseTypesSupported:                    []oauth2.ResponseType{oauth2.ResponseTypeCode},
		ResponseModesSupported:                    []oauth2.ResponseMode{oauth2.ResponseModeQuery},
		GrantTypesSupported:                       []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode},
		TokenEndpointAuthMethodsSupported:         []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
		IntrospectionEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
		RevocationEndpointAuthMethodsSupported:    []oauth2.AuthMethod{oauth2.AuthMethodNone, oauth2.AuthMethodClientSecretBasic},
	})
	return issuerURL.String()
}

func isLoopback(req *http.Request) bool {


@@ 464,6 469,7 @@ func redirectClient(w http.ResponseWriter, req *http.Request, redirectURI *url.U
	for k, v := range values {
		q[k] = v
	}
	q.Set("iss", getIssuer(req))

	u := *redirectURI
	u.RawQuery = q.Encode()
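Review bot: getIssuer builds the issuer from req.Host, a request-supplied value, and the third hunk now echoes it as the `iss` authorization-response parameter while the first hunk publishes it in the server metadata; the function's body spans the first and second hunks, so the scheme selection between them is not fully visible here. An RFC 9207 client comparing `iss` against its configured issuer will simply reject a mismatch, but the metadata document advertising Host-derived endpoints is only as trustworthy as whatever restricts the Host names this server answers for, which the TODO in the second hunk suggests is not yet configurable. At minimum the trust assumption deserves a doc comment above `func getIssuer`: `// getIssuer derives the issuer URL from the request's Host header. The value is echoed in the server metadata and in the iss authorization-response parameter, so deployments must ensure only trusted host names reach this server (e.g. via the reverse proxy configuration).` A configured issuer or host allow-list checked here would remove the dependency on the deployment entirely.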