OIDC metadata (#595)

9 years ago · 4fc1f6afa2
parent 294945917e
commit 4fc1f6afa2
2 changed files with 149 additions and 2 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@ -1,6 +1,7 @@
 package Lemonldap::NG::Portal::Issuer::OpenIDConnect;

 use strict;
+use JSON;
 use Mouse;
 use Lemonldap::NG::Portal::Main::Constants qw(
  PE_CONFIRM
@ -28,6 +29,8 @@ extends 'Lemonldap::NG::Portal::Main::Issuer',
 #  - register    : => registration()   for unauth users (RP)
 #
 # Other paths will be handle by run() and return PE_ERROR
+#
+# .well-known/openid-configuration is handled by metadata()

 sub init {
    my ($self) = @_;
@ -57,6 +60,16 @@ sub init {
        oidcServiceMetaDataJWKSURI         => 'badAuthRequest',
        oidcServiceMetaDataRegistrationURI => 'badAuthRequest',
    );
+
+    # Metadata (.well-known/openid-configuration)
+    $self->addUnauthRoute(
+        '.well-known' => { 'openid-configuration' => 'metadata' },
+        ['GET']
+    );
+    $self->addAuthRoute(
+        '.well-known' => { 'openid-configuration' => 'metadata' },
+        ['GET']
+    );
    return 1;
 }

@ -1262,6 +1275,96 @@ sub addRouteFromConf {
    }
 }

+sub metadata {
+    my ( $self, $req ) = @_;
+    my $issuerDBOpenIDConnectPath = $self->conf->{issuerDBOpenIDConnectPath};
+    my $authorize_uri    = $self->conf->{oidcServiceMetaDataAuthorizeURI};
+    my $token_uri        = $self->conf->{oidcServiceMetaDataTokenURI};
+    my $userinfo_uri     = $self->conf->{oidcServiceMetaDataUserInfoURI};
+    my $jwks_uri         = $self->conf->{oidcServiceMetaDataJWKSURI};
+    my $registration_uri = $self->conf->{oidcServiceMetaDataRegistrationURI};
+    my $endsession_uri   = $self->conf->{oidcServiceMetaDataEndSessionURI};
+    my $checksession_uri = $self->conf->{oidcServiceMetaDataCheckSessionURI};
+
+    my $path   = $self->path . '/';
+    my $issuer = $self->conf->{oidcServiceMetaDataIssuer};
+    $path = "/" . $path unless ( $issuer =~ /\/$/ );
+    my $baseUrl = $issuer . $path;
+
+    my @acr = keys %{ $self->conf->{oidcServiceMetaDataAuthnContext} };
+
+    # Add a slash to path value if issuer has no trailing slash
+
+    # Create OpenID configuration hash;
+    return $self->p->sendJSONresponse(
+        $req,
+        {
+            issuer => $issuer,
+
+            # Endpoints
+            token_endpoint         => $baseUrl . $token_uri,
+            userinfo_endpoint      => $baseUrl . $userinfo_uri,
+            jwks_uri               => $baseUrl . $jwks_uri,
+            authorization_endpoint => $baseUrl . $authorize_uri,
+            end_session_endpoint   => $baseUrl . $endsession_uri,
+            check_session_iframe   => $baseUrl . $checksession_uri,
+            (
+                $self->conf->{oidcServiceAllowDynamicRegistration}
+                ? ( registration_endpoint => $baseUrl . $registration_uri )
+                : ()
+            ),
+
+            # Scopes
+            scopes_supported => [qw/openid profile email address phone/],
+            response_types_supported => [
+                "code",
+                "id_token",
+                "id_token token",
+                "code id_token",
+                "code token",
+                "code id_token token"
+            ],
+            grant_types_supported   => [qw/authorization_code implicit hybrid/],
+            acr_values_supported    => \@acr,
+            subject_types_supported => ["public"],
+            token_endpoint_auth_methods_supported =>
+              [qw/client_secret_post client_secret_basic/],
+            request_parameter_supported      => JSON::true,
+            request_uri_parameter_supported  => JSON::true,
+            require_request_uri_registration => JSON::false,
+
+            # Algorithms
+            id_token_signing_alg_values_supported =>
+              [qw/none HS256 HS384 HS512 RS256 RS384 RS512/],
+            userinfo_signing_alg_values_supported =>
+              [qw/none HS256 HS384 HS512 RS256 RS384 RS512/],
+        }
+    );
+
+    # response_modes_supported}
+
+    # id_token_encryption_alg_values_supported
+    # id_token_encryption_enc_values_supported
+
+    # userinfo_encryption_alg_values_supported
+    # userinfo_encryption_enc_values_supported
+    # request_object_signing_alg_values_supported
+    # request_object_encryption_alg_values_supported
+    # request_object_encryption_enc_values_supported
+
+    # token_endpoint_auth_signing_alg_values_supported
+    # display_values_supported
+    # claim_types_supported
+    # RECOMMENDED # claims_supported
+    # service_documentation
+    # claims_locales_supported
+    # ui_locales_supported
+    # claims_parameter_supported
+
+    # op_policy_uri
+    # op_tos_uri
+}
+
 1;
 __END__

--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t
@ -15,6 +15,14 @@ my %handlerOR = ( issuer => [], sp => [] );
 ok( $issuer = issuer(), 'Issuer portal' );
 count(1);

+ok($res=$issuer->_get('/oauth2/jwks'),'Get JWKS');
+count(1);
+
+ok($res=$issuer->_get('/.well-known/openid-configuration'),'Get metadata');
+count(1);
+
+print STDERR Dumper($res);
+
 clean_sessions();
 done_testing( count() );

@ -71,9 +79,45 @@ sub issuer {
                    'loa-3' => 3
                },
                oidcServicePrivateKeySig =>
-"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt\nGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb\nABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr\n8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO\nr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR\nisSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3\n0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH\n6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/\nNHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD\nmfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt\nxtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l\nLcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a\nF5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ\nyi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG\nlorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9\nGeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw\nHXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH\nKj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63\nNnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh\nefY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K\nD5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil\n5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG\nZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt\nEYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy\nPAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl\n-----END RSA PRIVATE KEY-----\n",
+"-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
+GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
+ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
+8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO
+r0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR
+isSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3
+0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH
+6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/
+NHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD
+mfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt
+xtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l
+Lcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a
+F5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ
+yi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG
+lorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9
+GeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw
+HXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH
+Kj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63
+NnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh
+efY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K
+D5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil
+5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG
+ZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt
+EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
+PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
+-----END RSA PRIVATE KEY-----
+",
                oidcServicePublicKeySig =>
-"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/\n/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T\nrH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH\n1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy\nkX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80\n93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt\nGQIDAQAB\n-----END PUBLIC KEY-----\n",
+"-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
+/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
+rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
+1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy
+kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
+93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt
+GQIDAQAB
+-----END PUBLIC KEY-----
+",
            }
        }
    );