authorJames Elliott <james-d-elliott@users.noreply.github.com>2022-04-07 10:58:51 +1000
committerGitHub <noreply@github.com>2022-04-07 10:58:51 +1000
commit4ebd8fdf4e9fb0eb20684197f39929304fcb74b7 (patch)
tree895df7c98abce57e1e3e83eab848e399effce227 /internal/handlers
parenta694cf851f24868c2ca6c6a8e51f66083b22b4a2 (diff)
feat(oidc): provide cors config including options handlers (#3005)
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS, but it can easily be expanded in the future to include additional Origins.
Diffstat (limited to 'internal/handlers')
-rw-r--r--internal/handlers/const.go10
-rw-r--r--internal/handlers/handler_jwks.go (renamed from internal/handlers/handler_oidc_jwks.go)3
-rw-r--r--internal/handlers/handler_oauth_introspection.go (renamed from internal/handlers/handler_oidc_introspection.go)5
-rw-r--r--internal/handlers/handler_oauth_revocation.go (renamed from internal/handlers/handler_oidc_revocation.go)5
-rw-r--r--internal/handlers/handler_oidc_authorization.go5
-rw-r--r--internal/handlers/handler_oidc_consent.go6
-rw-r--r--internal/handlers/handler_oidc_token.go5
-rw-r--r--internal/handlers/handler_oidc_userinfo.go7
-rw-r--r--internal/handlers/handler_oidc_wellknown.go16
-rw-r--r--internal/handlers/oidc_register.go37
10 files changed, 41 insertions, 58 deletions
diff --git a/internal/handlers/const.go b/internal/handlers/const.go
index 64c174034..a43fa75b9 100644
--- a/internal/handlers/const.go
+++ b/internal/handlers/const.go
@@ -72,16 +72,6 @@ const (
auth = "auth"
)
-// OIDC constants.
-const (
- pathLegacyOpenIDConnectAuthorization = "/api/oidc/authorize"
- pathLegacyOpenIDConnectIntrospection = "/api/oidc/introspect"
- pathLegacyOpenIDConnectRevocation = "/api/oidc/revoke"
-
- // Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.
- pathOpenIDConnectConsent = "/api/oidc/consent"
-)
-
const (
accept = "accept"
reject = "reject"
diff --git a/internal/handlers/handler_oidc_jwks.go b/internal/handlers/handler_jwks.go
index 37e926345..14f680711 100644
--- a/internal/handlers/handler_oidc_jwks.go
+++ b/internal/handlers/handler_jwks.go
@@ -6,7 +6,8 @@ import (
"github.com/authelia/authelia/v4/internal/middlewares"
)
-func oidcJWKs(ctx *middlewares.AutheliaCtx) {
+// JSONWebKeySetGET returns the JSON Web Key Set. Used in OAuth 2.0 and OpenID Connect 1.0.
+func JSONWebKeySetGET(ctx *middlewares.AutheliaCtx) {
ctx.SetContentType("application/json")
if err := json.NewEncoder(ctx).Encode(ctx.Providers.OpenIDConnect.KeyManager.GetKeySet()); err != nil {
diff --git a/internal/handlers/handler_oidc_introspection.go b/internal/handlers/handler_oauth_introspection.go
index ddc898103..331ce201d 100644
--- a/internal/handlers/handler_oidc_introspection.go
+++ b/internal/handlers/handler_oauth_introspection.go
@@ -9,7 +9,10 @@ import (
"github.com/authelia/authelia/v4/internal/oidc"
)
-func oidcIntrospection(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
+// OAuthIntrospectionPOST handles POST requests to the OAuth 2.0 Introspection endpoint.
+//
+// https://datatracker.ietf.org/doc/html/rfc7662
+func OAuthIntrospectionPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
var (
responder fosite.IntrospectionResponder
err error
diff --git a/internal/handlers/handler_oidc_revocation.go b/internal/handlers/handler_oauth_revocation.go
index 84b4700cf..1dad867bc 100644
--- a/internal/handlers/handler_oidc_revocation.go
+++ b/internal/handlers/handler_oauth_revocation.go
@@ -8,7 +8,10 @@ import (
"github.com/authelia/authelia/v4/internal/middlewares"
)
-func oidcRevocation(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
+// OAuthRevocationPOST handles POST requests to the OAuth 2.0 Revocation endpoint.
+//
+// https://datatracker.ietf.org/doc/html/rfc7009
+func OAuthRevocationPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
var err error
if err = ctx.Providers.OpenIDConnect.Fosite.NewRevocationRequest(ctx, req); err != nil {
diff --git a/internal/handlers/handler_oidc_authorization.go b/internal/handlers/handler_oidc_authorization.go
index 88f407568..c5940410f 100644
--- a/internal/handlers/handler_oidc_authorization.go
+++ b/internal/handlers/handler_oidc_authorization.go
@@ -16,7 +16,10 @@ import (
"github.com/authelia/authelia/v4/internal/session"
)
-func oidcAuthorization(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request) {
+// OpenIDConnectAuthorizationGET handles GET requests to the OpenID Connect 1.0 Authorization endpoint.
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
+func OpenIDConnectAuthorizationGET(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, r *http.Request) {
var (
requester fosite.AuthorizeRequester
responder fosite.AuthorizeResponder
diff --git a/internal/handlers/handler_oidc_consent.go b/internal/handlers/handler_oidc_consent.go
index f07b52e47..b403ecb01 100644
--- a/internal/handlers/handler_oidc_consent.go
+++ b/internal/handlers/handler_oidc_consent.go
@@ -7,7 +7,8 @@ import (
"github.com/authelia/authelia/v4/internal/middlewares"
)
-func oidcConsent(ctx *middlewares.AutheliaCtx) {
+// OpenIDConnectConsentGET handles requests to provide consent for OpenID Connect.
+func OpenIDConnectConsentGET(ctx *middlewares.AutheliaCtx) {
userSession := ctx.GetSession()
if userSession.OIDCWorkflowSession == nil {
@@ -39,7 +40,8 @@ func oidcConsent(ctx *middlewares.AutheliaCtx) {
}
}
-func oidcConsentPOST(ctx *middlewares.AutheliaCtx) {
+// OpenIDConnectConsentPOST handles consent responses for OpenID Connect.
+func OpenIDConnectConsentPOST(ctx *middlewares.AutheliaCtx) {
userSession := ctx.GetSession()
if userSession.OIDCWorkflowSession == nil {
diff --git a/internal/handlers/handler_oidc_token.go b/internal/handlers/handler_oidc_token.go
index 714fcb555..59a9a55eb 100644
--- a/internal/handlers/handler_oidc_token.go
+++ b/internal/handlers/handler_oidc_token.go
@@ -9,7 +9,10 @@ import (
"github.com/authelia/authelia/v4/internal/oidc"
)
-func oidcToken(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
+// OpenIDConnectTokenPOST handles POST requests to the OpenID Connect 1.0 Token endpoint.
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
+func OpenIDConnectTokenPOST(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
var (
requester fosite.AccessRequester
responder fosite.AccessResponder
diff --git a/internal/handlers/handler_oidc_userinfo.go b/internal/handlers/handler_oidc_userinfo.go
index 6cc2a90df..1a46ec39f 100644
--- a/internal/handlers/handler_oidc_userinfo.go
+++ b/internal/handlers/handler_oidc_userinfo.go
@@ -14,7 +14,10 @@ import (
"github.com/authelia/authelia/v4/internal/oidc"
)
-func oidcUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
+// OpenIDConnectUserinfo handles GET/POST requests to the OpenID Connect 1.0 UserInfo endpoint.
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+func OpenIDConnectUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
var (
tokenType fosite.TokenType
requester fosite.AccessRequester
@@ -97,7 +100,7 @@ func oidcUserinfo(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *htt
var jti uuid.UUID
if jti, err = uuid.NewRandom(); err != nil {
- ctx.Providers.OpenIDConnect.WriteError(rw, req, fosite.ErrServerError.WithHintf("Could not generate JWT ID."))
+ ctx.Providers.OpenIDConnect.WriteError(rw, req, fosite.ErrServerError.WithHintf("Could not generate JTI."))
return
}
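Review bot: The changed hint on the `+` line is a constant string with no format arguments, so the non-format variant is the better fit: `ctx.Providers.OpenIDConnect.WriteError(rw, req, fosite.ErrServerError.WithHint("Could not generate JTI."))`. As a point of style, the first hunk of this file renames the handler to OpenIDConnectUserinfo without the HTTP-method suffix the sibling handlers in this commit carry (OpenIDConnectTokenPOST, OpenIDConnectAuthorizationGET); since the doc comment says it serves both GET and POST that may be deliberate, but a short sentence in the doc comment saying so would make the inconsistency intentional rather than accidental. The body of OpenIDConnectUserinfo starts and ends outside this hunk.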
diff --git a/internal/handlers/handler_oidc_wellknown.go b/internal/handlers/handler_oidc_wellknown.go
index 3a5196c23..0efd5387c 100644
--- a/internal/handlers/handler_oidc_wellknown.go
+++ b/internal/handlers/handler_oidc_wellknown.go
@@ -8,7 +8,13 @@ import (
"github.com/authelia/authelia/v4/internal/middlewares"
)
-func wellKnownOpenIDConnectConfigurationGET(ctx *middlewares.AutheliaCtx) {
+// OpenIDConnectConfigurationWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the
+// OpenID Connect Discovery 1.0 metadata.
+//
+// https://datatracker.ietf.org/doc/html/rfc5785
+//
+// https://openid.net/specs/openid-connect-discovery-1_0.html
+func OpenIDConnectConfigurationWellKnownGET(ctx *middlewares.AutheliaCtx) {
issuer, err := ctx.ExternalRootURL()
if err != nil {
ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)
@@ -30,7 +36,13 @@ func wellKnownOpenIDConnectConfigurationGET(ctx *middlewares.AutheliaCtx) {
}
}
-func wellKnownOAuthAuthorizationServerGET(ctx *middlewares.AutheliaCtx) {
+// OAuthAuthorizationServerWellKnownGET handles requests to a .well-known endpoint (RFC5785) which returns the
+// OAuth 2.0 Authorization Server Metadata (RFC8414).
+//
+// https://datatracker.ietf.org/doc/html/rfc5785
+//
+// https://datatracker.ietf.org/doc/html/rfc8414
+func OAuthAuthorizationServerWellKnownGET(ctx *middlewares.AutheliaCtx) {
issuer, err := ctx.ExternalRootURL()
if err != nil {
ctx.Logger.Errorf("Error occurred determining OpenID Connect issuer details: %+v", err)
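Review bot: The error log on the last context line of this hunk still reads "determining OpenID Connect issuer details" although the function is now OAuthAuthorizationServerWellKnownGET, the OAuth 2.0 Authorization Server Metadata endpoint, which makes the two .well-known handlers indistinguishable in logs. If the wording is meant to differ per endpoint, `ctx.Logger.Errorf("Error occurred determining OAuth 2.0 Authorization Server issuer details: %+v", err)` keeps the log attributable to this handler; if the issuer is intentionally the same for both, a one-line comment saying so would prevent the next reader from flagging it. The body of OAuthAuthorizationServerWellKnownGET continues outside this hunk.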
diff --git a/internal/handlers/oidc_register.go b/internal/handlers/oidc_register.go
deleted file mode 100644
index 58646da7d..000000000
--- a/internal/handlers/oidc_register.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package handlers
-
-import (
- "github.com/fasthttp/router"
-
- "github.com/authelia/authelia/v4/internal/middlewares"
- "github.com/authelia/authelia/v4/internal/oidc"
-)
-
-// RegisterOIDC registers the handlers with the fasthttp *router.Router. TODO: Add paths for Flush, Logout.
-func RegisterOIDC(router *router.Router, middleware middlewares.RequestHandlerBridge) {
- // TODO: Add OPTIONS handler.
- router.GET(oidc.WellKnownOpenIDConfigurationPath, middleware(middlewares.CORSApplyAutomaticAllowAllPolicy(wellKnownOpenIDConnectConfigurationGET)))
- router.GET(oidc.WellKnownOAuthAuthorizationServerPath, middleware(middlewares.CORSApplyAutomaticAllowAllPolicy(wellKnownOAuthAuthorizationServerGET)))
-
- router.GET(pathOpenIDConnectConsent, middleware(oidcConsent))
-
- router.POST(pathOpenIDConnectConsent, middleware(oidcConsentPOST))
-
- router.GET(oidc.JWKsPath, middleware(oidcJWKs))
-
- router.GET(oidc.AuthorizationPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcAuthorization)))
- router.GET(pathLegacyOpenIDConnectAuthorization, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcAuthorization)))
-
- // TODO: Add OPTIONS handler.
- router.POST(oidc.TokenPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcToken)))
-
- router.POST(oidc.IntrospectionPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcIntrospection)))
- router.GET(pathLegacyOpenIDConnectIntrospection, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcIntrospection)))
-
- router.GET(oidc.UserinfoPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcUserinfo)))
- router.POST(oidc.UserinfoPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcUserinfo)))
-
- // TODO: Add OPTIONS handler.
- router.POST(oidc.RevocationPath, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcRevocation)))
- router.POST(pathLegacyOpenIDConnectRevocation, middleware(middlewares.NewHTTPToAutheliaHandlerAdaptor(oidcRevocation)))
-}