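// Package oauth holds the OAuth metadata document types this client consumes
// and the validation applied to an authorization server's metadata before it
// is trusted.
package oauth

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// OauthProtectedResource is the OAuth 2.0 Protected Resource Metadata document
// served by a resource server; it points clients at the authorization servers
// that can issue tokens for the resource.
type OauthProtectedResource struct {
	Resource               string   `json:"resource"`
	AuthorizationServers   []string `json:"authorization_servers"`
	ScopesSupported        []string `json:"scopes_supported"`
	BearerMethodsSupported []string `json:"bearer_methods_supported"`
	ResourceDocumentation  string   `json:"resource_documentation"`
}

// UnmarshalJSON decodes b into opr. It decodes through an alias type so the
// default field-by-field decoding is used without recursing back into this
// method. No validation is performed here; unknown fields are ignored as usual.
func (opr *OauthProtectedResource) UnmarshalJSON(b []byte) error {
	type plain OauthProtectedResource
	var decoded plain
	if err := json.Unmarshal(b, &decoded); err != nil {
		return err
	}
	*opr = OauthProtectedResource(decoded)
	return nil
}

// OauthAuthorizationMetadata is the OAuth 2.0 Authorization Server Metadata
// document (RFC 8414 fields plus the extensions this client requires:
// PAR, DPoP, the `iss` response parameter and client-ID metadata documents).
//
// Field order is part of the type (positional literals elsewhere would break
// on reordering), so fields are listed in their original order.
type OauthAuthorizationMetadata struct {
	// Issuer is the server's identifier URL. Validate requires it to be the
	// https origin of the host the document was fetched from.
	Issuer                                     string   `json:"issuer"`
	RequestParameterSupported                  bool     `json:"request_parameter_supported"`
	RequestUriParameterSupported               bool     `json:"request_uri_parameter_supported"`
	// RequireRequestUriRegistration is a pointer so that "absent" can be told
	// apart from an explicit false; Validate only rejects an explicit false.
	RequireRequestUriRegistration              *bool    `json:"require_request_uri_registration,omitempty"`
	ScopesSupported                            []string `json:"scopes_supported"`
	SubjectTypesSupported                      []string `json:"subject_types_supported"`
	ResponseTypesSupported                     []string `json:"response_types_supported"`
	ResponseModesSupported                     []string `json:"response_modes_supported"`
	GrantTypesSupported                        []string `json:"grant_types_supported"`
	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported"`
	UILocalesSupported                         []string `json:"ui_locales_supported"`
	DisplayValuesSupported                     []string `json:"display_values_supported"`
	RequestObjectSigningAlgValuesSupported     []string `json:"request_object_signing_alg_values_supported"`
	AuthorizationResponseISSParameterSupported bool     `json:"authorization_response_iss_parameter_supported"`
	RequestObjectEncryptionAlgValuesSupported  []string `json:"request_object_encryption_alg_values_supported"`
	RequestObjectEncryptionEncValuesSupported  []string `json:"request_object_encryption_enc_values_supported"`
	JwksUri                                    string   `json:"jwks_uri"`
	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`
	TokenEndpoint                              string   `json:"token_endpoint"`
	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`
	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
	RevocationEndpoint                         string   `json:"revocation_endpoint"`
	IntrospectionEndpoint                      string   `json:"introspection_endpoint"`
	PushedAuthorizationRequestEndpoint         string   `json:"pushed_authorization_request_endpoint"`
	RequirePushedAuthorizationRequests         bool     `json:"require_pushed_authorization_requests"`
	DpopSigningAlgValuesSupported              []string `json:"dpop_signing_alg_values_supported"`
	ProtectedResources                         []string `json:"protected_resources"`
	ClientIDMetadataDocumentSupported          bool     `json:"client_id_metadata_document_supported"`
}

// Validate checks that the metadata describes an authorization server this
// client is willing to use. fetch_url is the URL the document was fetched
// from: the issuer must be the canonical https origin of that host, and the
// server must advertise every capability the client relies on (authorization
// code + refresh_token grants, PKCE S256, `none` and `private_key_jwt` token
// endpoint auth with ES256, the `atproto` scope, the `iss` response parameter,
// mandatory PAR, DPoP with ES256 and client-ID metadata documents).
//
// Checks run in a fixed order and the first failure is returned, so callers
// can rely on the error text naming exactly one unmet requirement. A nil
// return means every check passed.
//
// NOTE(review): fetch_url's own scheme and port are not checked here; the
// caller is expected to have fetched the document over https — confirm.
func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {
	if fetch_url == nil {
		return fmt.Errorf("fetch_url was nil")
	}

	if err := oam.validateIssuer(fetch_url); err != nil {
		return err
	}

	// Required tokens in the advertised sets, in reporting order.
	required := []struct {
		token string
		set   []string
		field string
	}{
		{"code", oam.ResponseTypesSupported, "response_types_supported"},
		{"authorization_code", oam.GrantTypesSupported, "grant_types_supported"},
		{"refresh_token", oam.GrantTypesSupported, "grant_types_supported"},
		{"S256", oam.CodeChallengeMethodsSupported, "code_challenge_methods_supported"},
		{"none", oam.TokenEndpointAuthMethodsSupported, "token_endpoint_auth_methods_supported"},
		{"private_key_jwt", oam.TokenEndpointAuthMethodsSupported, "token_endpoint_auth_methods_supported"},
		{"ES256", oam.TokenEndpointAuthSigningAlgValuesSupported, "token_endpoint_auth_signing_alg_values_supported"},
		{"atproto", oam.ScopesSupported, "scopes_supported"},
	}
	for _, r := range required {
		if !tokenInSet(r.token, r.set) {
			return fmt.Errorf("`%s` is not in %s", r.token, r.field)
		}
	}

	// The `iss` authorization-response parameter (RFC 9207) is required so
	// responses can be bound to this issuer.
	if !oam.AuthorizationResponseISSParameterSupported {
		return fmt.Errorf("authorization_response_iss_parameter_supported is not true")
	}

	// PAR must be both offered and mandatory.
	if oam.PushedAuthorizationRequestEndpoint == "" {
		return fmt.Errorf("pushed_authorization_request_endpoint is empty")
	}
	if !oam.RequirePushedAuthorizationRequests {
		return fmt.Errorf("require_pushed_authorization_requests is false")
	}

	if !tokenInSet("ES256", oam.DpopSigningAlgValuesSupported) {
		return fmt.Errorf("`ES256` is not in dpop_signing_alg_values_supported")
	}

	// Absent is acceptable; only an explicit false is rejected.
	if oam.RequireRequestUriRegistration != nil && !*oam.RequireRequestUriRegistration {
		return fmt.Errorf("require_request_uri_registration present in metadata and was false")
	}

	if !oam.ClientIDMetadataDocumentSupported {
		return fmt.Errorf("client_id_metadata_document_supported was false")
	}

	return nil
}

// validateIssuer checks that oam.Issuer is a canonical https origin for the
// host the metadata was fetched from. RFC 8414 requires the issuer to be an
// https URL with no query or fragment; this client additionally rejects
// userinfo, an empty host, any explicit port and any path other than "/", so
// that the stored issuer string is unambiguous when it is later compared
// (presumably byte-for-byte) against the `iss` parameter in authorization
// responses and used to build endpoint URLs.
//
// NOTE(review): rejecting every explicit port is stricter than only
// rejecting the default port; confirm that non-default ports are intended to
// be unsupported.
func (oam *OauthAuthorizationMetadata) validateIssuer(fetch_url *url.URL) error {
	iu, err := url.Parse(oam.Issuer)
	if err != nil {
		return err
	}

	switch {
	case iu.Hostname() != fetch_url.Hostname():
		return fmt.Errorf("issuer hostname does not match fetch url hostname")
	case iu.Hostname() == "":
		// Both hostnames empty would otherwise pass the comparison above.
		return fmt.Errorf("issuer url has no host")
	case iu.Scheme != "https":
		return fmt.Errorf("issuer url is not https")
	case iu.User != nil:
		return fmt.Errorf("issuer url must not contain userinfo")
	case iu.Port() != "":
		return fmt.Errorf("issuer port is not empty")
	case iu.Path != "" && iu.Path != "/":
		return fmt.Errorf("issuer path is not /")
	case iu.RawQuery != "":
		return fmt.Errorf("issuer url params are not empty")
	case iu.Fragment != "":
		return fmt.Errorf("issuer url fragment is not empty")
	}

	return nil
}

// UnmarshalJSON decodes b into oam. It decodes through an alias type so the
// default field-by-field decoding is used without recursing back into this
// method. It does not call Validate; callers must do that explicitly.
func (oam *OauthAuthorizationMetadata) UnmarshalJSON(b []byte) error {
	type plain OauthAuthorizationMetadata
	var decoded plain
	if err := json.Unmarshal(b, &decoded); err != nil {
		return err
	}
	*oam = OauthAuthorizationMetadata(decoded)
	return nil
}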