| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2024-03-06 18:25:42 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-06 17:25:42 +1000 |
| commit | 0299e8d6ce1c70d56d9320845d092e809cb90de9 (patch) | |
| tree | 4dc849df379603f282b7e1b11e61514c0255f85e /internal/configuration/schema | |
| parent | 648fdfe93b5ac24f49624c4c24fc1cee4bce398b (diff) | |
refactor(oidc): misc improvements (#6775)
Adds several refactored elements to many areas of OpenID Connect 1.0.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'internal/configuration/schema')
| -rw-r--r-- | internal/configuration/schema/identity_providers.go | 31 | ||||
| -rw-r--r-- | internal/configuration/schema/keys.go | 38 |
2 files changed, 32 insertions, 37 deletions
diff --git a/internal/configuration/schema/identity_providers.go b/internal/configuration/schema/identity_providers.go
index 2d1f6fcad..d4aa36ff9 100644
--- a/internal/configuration/schema/identity_providers.go
+++ b/internal/configuration/schema/identity_providers.go
@@ -13,8 +13,8 @@ type IdentityProviders struct {
 // IdentityProvidersOpenIDConnect represents the configuration for OpenID Connect 1.0.
 type IdentityProvidersOpenIDConnect struct {
- HMACSecret string `koanf:"hmac_secret" json:"hmac_secret" jsonschema:"title=HMAC Secret" jsonschema_description:"The HMAC Secret used to sign Access Tokens."`
- IssuerPrivateKeys []JWK `koanf:"issuer_private_keys" json:"issuer_private_keys" jsonschema:"title=Issuer Private Keys" jsonschema_description:"The Private Keys used to sign ID Tokens."`
+ HMACSecret string `koanf:"hmac_secret" json:"hmac_secret" jsonschema:"title=HMAC Secret" jsonschema_description:"The HMAC Secret used to sign Access Tokens."`
+ JSONWebKeys []JWK `koanf:"jwks" json:"jwks" jsonschema:"title=Issuer JSON Web Keys" jsonschema_description:"The JWK's which are to be used to sign various objects like ID Tokens."`
 IssuerCertificateChain X509CertificateChain `koanf:"issuer_certificate_chain" json:"issuer_certificate_chain" jsonschema:"title=Issuer Certificate Chain,deprecated" jsonschema_description:"The Issuer Certificate Chain with an RSA Public Key used to sign ID Tokens."`
 IssuerPrivateKey *rsa.PrivateKey `koanf:"issuer_private_key" json:"issuer_private_key" jsonschema:"title=Issuer Private Key,deprecated" jsonschema_description:"The Issuer Private Key with an RSA Private Key used to sign ID Tokens."`
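Review bot: The `jwks` key replaces `issuer_private_keys` on `IdentityProvidersOpenIDConnect` with no `deprecated` marker or alias visible here, whereas the neighbouring `issuer_private_key` and `issuer_certificate_chain` keep `deprecated` in their jsonschema tags; an existing configuration that still sets `issuer_private_keys` would either be reported as unknown or silently ignored depending on how the entries removed from keys.go are used, and either way the issuer's signing keys would not be loaded from it unless a key mapping exists elsewhere, which this diff does not show. The same applies to the client key renames in the hunks at lines 103, 132 and 152 (`id`, `description`, `secret`, `sector_identifier`, `enforce_par`, `enforce_pkce`, `public_keys.*`), so a migration note or mapping is worth confirming before merge. The new description also has a stray apostrophe: `jsonschema_description:"The JWKs which are to be used to sign various objects like ID Tokens."`. The struct definition continues past the end of the hunk.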
@@ -103,19 +103,19 @@ type IdentityProvidersOpenIDConnectPAR struct {
 // IdentityProvidersOpenIDConnectCORS represents an OpenID Connect 1.0 CORS config.
 type IdentityProvidersOpenIDConnectCORS struct {
- Endpoints []string `koanf:"endpoints" json:"endpoints" jsonschema:"uniqueItems,enum=authorization,enum=pushed-authorization-request,enum=token,enum=introspection,enum=revocation,enum=userinfo,title=Endpoints" jsonschema_description:"List of endpoints to enable CORS handling for."`
- AllowedOrigins []url.URL `koanf:"allowed_origins" json:"allowed_origins" jsonschema:"format=uri,title=Allowed Origins" jsonschema_description:"List of arbitrary allowed origins for CORS requests."`
+ Endpoints []string `koanf:"endpoints" json:"endpoints" jsonschema:"uniqueItems,enum=authorization,enum=pushed-authorization-request,enum=token,enum=introspection,enum=revocation,enum=userinfo,title=Endpoints" jsonschema_description:"List of endpoints to enable CORS handling for."`
+ AllowedOrigins []*url.URL `koanf:"allowed_origins" json:"allowed_origins" jsonschema:"format=uri,title=Allowed Origins" jsonschema_description:"List of arbitrary allowed origins for CORS requests."`
 AllowedOriginsFromClientRedirectURIs bool `koanf:"allowed_origins_from_client_redirect_uris" json:"allowed_origins_from_client_redirect_uris" jsonschema:"default=false,title=Allowed Origins From Client Redirect URIs" jsonschema_description:"Automatically include the redirect URIs from the registered clients."`
 }
 // IdentityProvidersOpenIDConnectClient represents a configuration for an OpenID Connect 1.0 client.
type IdentityProvidersOpenIDConnectClient struct {
- ID string `koanf:"id" json:"id" jsonschema:"required,minLength=1,title=ID" jsonschema_description:"The Client ID."`
- Description string `koanf:"description" json:"description" jsonschema:"title=Description" jsonschema_description:"The Client Description for End-Users."`
- Secret *PasswordDigest `koanf:"secret" json:"secret" jsonschema:"title=Secret" jsonschema_description:"The Client Secret for Client Authentication."`
- SectorIdentifier url.URL `koanf:"sector_identifier" json:"sector_identifier" jsonschema:"title=Sector Identifier" jsonschema_description:"The Client Sector Identifier for Privacy Isolation."`
- Public bool `koanf:"public" json:"public" jsonschema:"default=false,title=Public" jsonschema_description:"Enables the Public Client Type."`
+ ID string `koanf:"client_id" json:"client_id" jsonschema:"required,minLength=1,title=Client ID" jsonschema_description:"The Client ID."`
+ Name string `koanf:"client_name" json:"client_name" jsonschema:"title=Client Name" jsonschema_description:"The Client Name displayed to End-Users."`
+ Secret *PasswordDigest `koanf:"client_secret" json:"client_secret" jsonschema:"title=Client Secret" jsonschema_description:"The Client Secret for Client Authentication."`
+ SectorIdentifierURI *url.URL `koanf:"sector_identifier_uri" json:"sector_identifier_uri" jsonschema:"title=Sector Identifier URI" jsonschema_description:"The Client Sector Identifier URI for Privacy Isolation via Pairwise subject types."`
+ Public bool `koanf:"public" json:"public" jsonschema:"default=false,title=Public" jsonschema_description:"Enables the Public Client Type."`
 RedirectURIs IdentityProvidersOpenIDConnectClientRedirectURIs `koanf:"redirect_uris" json:"redirect_uris" jsonschema:"required,title=Redirect URIs" jsonschema_description:"List of authorized redirect URIs."`
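Review bot: `sector_identifier_uri` is declared without `format=uri` in its jsonschema tag although `allowed_origins` in the same hunk carries `format=uri`, and the `jwks_uri` field added in the hunk at line 152 has the same omission; all three are decoded into `*url.URL` values, so the generated schema should state the same constraint for each, e.g. `jsonschema:"format=uri,title=Sector Identifier URI"`. The pointer types also mean a nil element in `allowed_origins` or a nil `sector_identifier_uri` is now representable where the previous value types were not, so the validator needs nil guards before dereferencing them. Since `jwks_uri` is, per its own description, a location the provider fetches client public keys from, the validator should additionally reject non-https schemes; whether it does is not visible in this diff. The struct definition continues past the end of the hunk.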
@@ -132,8 +132,8 @@ type IdentityProvidersOpenIDConnectClient struct {
 ConsentMode string `koanf:"consent_mode" json:"consent_mode" jsonschema:"enum=auto,enum=explicit,enum=implicit,enum=pre-configured,title=Consent Mode" jsonschema_description:"The Consent Mode used for this client."`
 ConsentPreConfiguredDuration *time.Duration `koanf:"pre_configured_consent_duration" json:"pre_configured_consent_duration" jsonschema:"default=7 days,title=Pre-Configured Consent Duration" jsonschema_description:"The Pre-Configured Consent Duration when using Consent Mode pre-configured for this client."`
- EnforcePAR bool `koanf:"enforce_par" json:"enforce_par" jsonschema:"default=false,title=Enforce PAR" jsonschema_description:"Enforces Pushed Authorization Requests for this client."`
- EnforcePKCE bool `koanf:"enforce_pkce" json:"enforce_pkce" jsonschema:"default=false,title=Enforce PKCE" jsonschema_description:"Enforces Proof Key for Code Exchange for this client."`
+ RequirePushedAuthorizationRequests bool `koanf:"require_pushed_authorization_requests" json:"require_pushed_authorization_requests" jsonschema:"default=false,title=Require Pushed Authorization Requests" jsonschema_description:"Requires Pushed Authorization Requests for this client to perform an authorization."`
+ RequirePKCE bool `koanf:"require_pkce" json:"require_pkce" jsonschema:"default=false,title=Require PKCE" jsonschema_description:"Requires a Proof Key for this client to perform Code Exchange."`
 PKCEChallengeMethod string `koanf:"pkce_challenge_method" json:"pkce_challenge_method" jsonschema:"enum=plain,enum=S256,title=PKCE Challenge Method" jsonschema_description:"The PKCE Challenge Method enforced on this client."`
@@ -152,17 +152,12 @@ type IdentityProvidersOpenIDConnectClient struct {
 TokenEndpointAuthMethod string `koanf:"token_endpoint_auth_method" json:"token_endpoint_auth_method" jsonschema:"enum=none,enum=client_secret_post,enum=client_secret_basic,enum=private_key_jwt,enum=client_secret_jwt,title=Token Endpoint Auth Method" jsonschema_description:"The Token Endpoint Auth Method enforced by the provider for this client."`
- PublicKeys IdentityProvidersOpenIDConnectClientPublicKeys `koanf:"public_keys" json:"public_keys,omitempty" jsonschema:"title=Public Keys" jsonschema_description:"Public Key options used to validate request objects and the 'private_key_jwt' client authentication method for this client."`
+ JSONWebKeysURI *url.URL `koanf:"jwks_uri" json:"jwks_uri" jsonschema:"title=JSON Web Keys URI" jsonschema_description:"URI of the JWKS endpoint which contains the Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."`
+ JSONWebKeys []JWK `koanf:"jwks" json:"jwks" jsonschema:"title=JSON Web Keys" jsonschema_description:"List of arbitrary Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."`
 Discovery IdentityProvidersOpenIDConnectDiscovery `json:"-"` // MetaData value. Not configurable by users.
 }
-// IdentityProvidersOpenIDConnectClientPublicKeys represents the Client Public Keys configuration for an OpenID Connect 1.0 client.
-type IdentityProvidersOpenIDConnectClientPublicKeys struct {
- URI *url.URL `koanf:"uri" json:"uri" jsonschema:"oneof_required=URI,title=URI" jsonschema_description:"URI of the JWKS endpoint which contains the Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."`
- Values []JWK `koanf:"values" json:"values" jsonschema:"oneof_required=Values,title=Values" jsonschema_description:"List of arbitrary Public Keys used to validate request objects and the 'private_key_jwt' client authentication method for this client."`
-}
-
 // DefaultOpenIDConnectConfiguration contains defaults for OIDC.
 var DefaultOpenIDConnectConfiguration = IdentityProvidersOpenIDConnect{
 Lifespans: IdentityProvidersOpenIDConnectLifespans{
diff --git a/internal/configuration/schema/keys.go b/internal/configuration/schema/keys.go
index 52a5e5a4a..4938de6ac 100644
--- a/internal/configuration/schema/keys.go
+++ b/internal/configuration/schema/keys.go
@@ -16,12 +16,12 @@ var Keys = []string{
 "log.file_path",
 "log.keep_stdout",
 "identity_providers.oidc.hmac_secret",
- "identity_providers.oidc.issuer_private_keys",
- "identity_providers.oidc.issuer_private_keys[].key_id",
- "identity_providers.oidc.issuer_private_keys[].use",
- "identity_providers.oidc.issuer_private_keys[].algorithm",
- "identity_providers.oidc.issuer_private_keys[].key",
- "identity_providers.oidc.issuer_private_keys[].certificate_chain",
+ "identity_providers.oidc.jwks",
+ "identity_providers.oidc.jwks[].key_id",
+ "identity_providers.oidc.jwks[].use",
+ "identity_providers.oidc.jwks[].algorithm",
+ "identity_providers.oidc.jwks[].key",
+ "identity_providers.oidc.jwks[].certificate_chain",
 "identity_providers.oidc.issuer_certificate_chain",
 "identity_providers.oidc.issuer_private_key",
 "identity_providers.oidc.enable_client_debug_messages",
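Review bot: `jwks_uri` and `jwks` lose the `oneof_required=URI` / `oneof_required=Values` constraint that the fields of the removed `IdentityProvidersOpenIDConnectClientPublicKeys` struct carried, so the generated JSON schema no longer expresses that one of the two key sources must be present for a client that relies on `private_key_jwt` or signed request objects. If that requirement still holds it needs to be restored on the new tags, e.g. `jsonschema:"oneof_required=URI,format=uri,title=JSON Web Keys URI"` and `jsonschema:"oneof_required=Values,title=JSON Web Keys"`, or enforced by the validator, which this diff does not show. With a nil `*url.URL` and an empty slice both representable at once, the validator should treat "neither configured" as a configuration error for those auth methods rather than leaving key verification with nothing to verify against; I cannot confirm from this hunk how it behaves. The struct definition starts before this hunk.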
@@ -35,10 +35,10 @@ var Keys = []string{
 "identity_providers.oidc.cors.allowed_origins",
 "identity_providers.oidc.cors.allowed_origins_from_client_redirect_uris",
 "identity_providers.oidc.clients",
- "identity_providers.oidc.clients[].id",
- "identity_providers.oidc.clients[].description",
- "identity_providers.oidc.clients[].secret",
- "identity_providers.oidc.clients[].sector_identifier",
+ "identity_providers.oidc.clients[].client_id",
+ "identity_providers.oidc.clients[].client_name",
+ "identity_providers.oidc.clients[].client_secret",
+ "identity_providers.oidc.clients[].sector_identifier_uri",
 "identity_providers.oidc.clients[].public",
 "identity_providers.oidc.clients[].redirect_uris",
 "identity_providers.oidc.clients[].audience",
@@ -51,8 +51,8 @@ var Keys = []string{
 "identity_providers.oidc.clients[].requested_audience_mode",
 "identity_providers.oidc.clients[].consent_mode",
 "identity_providers.oidc.clients[].pre_configured_consent_duration",
- "identity_providers.oidc.clients[].enforce_par",
- "identity_providers.oidc.clients[].enforce_pkce",
+ "identity_providers.oidc.clients[].require_pushed_authorization_requests",
+ "identity_providers.oidc.clients[].require_pkce",
 "identity_providers.oidc.clients[].pkce_challenge_method",
 "identity_providers.oidc.clients[].authorization_signed_response_alg",
 "identity_providers.oidc.clients[].authorization_signed_response_key_id",
@@ -67,13 +67,13 @@ var Keys = []string{
 "identity_providers.oidc.clients[].request_object_signing_alg",
 "identity_providers.oidc.clients[].token_endpoint_auth_signing_alg",
 "identity_providers.oidc.clients[].token_endpoint_auth_method",
- "identity_providers.oidc.clients[].public_keys.uri",
- "identity_providers.oidc.clients[].public_keys.values",
- "identity_providers.oidc.clients[].public_keys.values[].key_id",
- "identity_providers.oidc.clients[].public_keys.values[].use",
- "identity_providers.oidc.clients[].public_keys.values[].algorithm",
- "identity_providers.oidc.clients[].public_keys.values[].key",
- "identity_providers.oidc.clients[].public_keys.values[].certificate_chain",
+ "identity_providers.oidc.clients[].jwks_uri",
+ "identity_providers.oidc.clients[].jwks",
+ "identity_providers.oidc.clients[].jwks[].key_id",
+ "identity_providers.oidc.clients[].jwks[].use",
+ "identity_providers.oidc.clients[].jwks[].algorithm",
+ "identity_providers.oidc.clients[].jwks[].key",
+ "identity_providers.oidc.clients[].jwks[].certificate_chain",
 "identity_providers.oidc.clients[]",
 "identity_providers.oidc.authorization_policies",
 "identity_providers.oidc.authorization_policies.*.default_policy", |
