Skip to content

#454: Add support for Hashicorp Vault through discovery #455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: v3
Choose a base branch
from
Open

#454: Add support for Hashicorp Vault through discovery #455

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
/bin
/gopath

.idea/
36 changes: 28 additions & 8 deletions oidc/oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,7 @@ var supportedAlgorithms = map[string]bool{
// parsing.
//
// // Directly fetch the metadata document.
// resp, err := http.Get("https://login.example.com/custom-metadata-path")
// resp, err := http.Get("https://login.example.com/custom-metadata-path")
// if err != nil {
// // ...
// }
Expand Down Expand Up @@ -236,7 +236,19 @@ func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
//
// See: https://openid.net/specs/openid-connect-discovery-1_0.html
func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
return NewProviderWithBaseUrl(ctx, "", issuer)
}

// NewProviderWithBaseUrl uses the OpenID Connect discovery mechanism to construct a Provider.
//
// An identity provider may report its issuer as a path rather than a full URL. This is not spec
// conformant, but for example the case with Hashicorp Vault (e.g. /v1/identity/oidc/provider/default)
//
// With this constructor, discovery can still be used with a combination of baseUrl and issuer.
//
// See: https://openid.net/specs/openid-connect-discovery-1_0.html
func NewProviderWithBaseUrl(ctx context.Context, baseUrl, issuer string) (*Provider, error) {
wellKnown := baseUrl + strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
req, err := http.NewRequest("GET", wellKnown, nil)
if err != nil {
return nil, err
Expand Down Expand Up @@ -275,20 +287,28 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
algs = append(algs, a)
}
}

withBaseUrl := func(val string) string {
if val != "" && !strings.HasPrefix(val, "http") {
val = baseUrl + val
}
return val
}

return &Provider{
issuer: issuerURL,
authURL: p.AuthURL,
tokenURL: p.TokenURL,
deviceAuthURL: p.DeviceAuthURL,
userInfoURL: p.UserInfoURL,
jwksURL: p.JWKSURL,
authURL: withBaseUrl(p.AuthURL),
tokenURL: withBaseUrl(p.TokenURL),
deviceAuthURL: withBaseUrl(p.DeviceAuthURL),
userInfoURL: withBaseUrl(p.UserInfoURL),
jwksURL: withBaseUrl(p.JWKSURL),
algorithms: algs,
rawClaims: body,
client: getClient(ctx),
}, nil
}

// Claims unmarshals raw fields returned by the server during discovery.
// Claims unmarshalls raw fields returned by the server during discovery.
//
// var claims struct {
// ScopesSupported []string `json:"scopes_supported"`
Expand Down