From 0a7655cb399a61f0d8b05eda44569bc493a545cc Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Wed, 23 Mar 2022 19:32:39 -0700 Subject: [PATCH] oidc: support creating a provider directly without discovery --- oidc/oidc.go | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/oidc/oidc.go b/oidc/oidc.go index 3e1d80e0..ae73eb02 100644 --- a/oidc/oidc.go +++ b/oidc/oidc.go @@ -134,6 +134,48 @@ var supportedAlgorithms = map[string]bool{ PS512: true, } +// ProviderConfig allows creating providers when discovery isn't supported. It's +// generally easier to use NewProvider directly. +type ProviderConfig struct { + // IssuerURL is the identity of the provider, and the string it uses to sign + // ID tokens with. For example "https://accounts.google.com". This value MUST + // match ID tokens exactly. + IssuerURL string + // AuthURL is the endpoint used by the provider to support the OAuth 2.0 + // authorization endpoint. + AuthURL string + // TokenURL is the endpoint used by the provider to support the OAuth 2.0 + // token endpoint. + TokenURL string + // UserInfoURL is the endpoint used by the provider to support the OpenID + // Connect UserInfo flow. + // + // https://openid.net/specs/openid-connect-core-1_0.html#UserInfo + UserInfoURL string + // JWKSURL is the endpoint used by the provider to advertise public keys to + // verify issued ID tokens. This endpoint is polled as new keys are made + // available. + JWKSURL string + + // Algorithms, if provided, indicate a list of JWT algorithms allowed to sign + // ID tokens. If not provided, this defaults to the algorithms advertised by + // the JWK endpoint, then the set of algorithms supported by this package. + Algorithms []string +} + +// NewProvider initializes a provider from a set of endpoints, rather than +// through discovery. +func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider { + return &Provider{ + issuer: p.IssuerURL, + authURL: p.AuthURL, + tokenURL: p.TokenURL, + userInfoURL: p.UserInfoURL, + algorithms: p.Algorithms, + remoteKeySet: NewRemoteKeySet(cloneContext(ctx), p.JWKSURL), + } +} + // NewProvider uses the OpenID Connect discovery mechanism to construct a Provider. // // The issuer is the URL identifier for the service. For example: "https://accounts.google.com"