Add -skip-oidc-discovery option (#41)

* added karrieretutor go-oidc fork for using an AAD B2C Policy * added karrieretutor go-oidc fork for using an AAD B2C Policy * added --skip-oidc-discovery option * added --skip-oidc-discovery option * add simple test for skip-oidc-discovery option * revert Dockerfile to pusher upstream * revert Dockerfile to pusher upstream * remove karrieretutor b2c option leftover * remove karrieretutor b2c option leftover * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * replace fake http client with NewProvider() from go-oidc * remove OIDC UserInfo URL option (not required) * add info about -skip-oidc-discovery to README * add note to changelog * Update outdated comment
2025-06-27 00:51:33 +02:00 · 2019-03-04 14:54:22 +01:00
parent fb1614c873
commit 8816a2a972
5 changed files with 78 additions and 9 deletions
--- a/options.go
+++ b/options.go
@ -71,6 +71,8 @@ type Options struct {
 	// potential overrides.
 	Provider          string `flag:"provider" cfg:"provider"`
 	OIDCIssuerURL     string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"`
+	SkipOIDCDiscovery bool   `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
+	OIDCJwksURL       string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
 	LoginURL          string `flag:"login-url" cfg:"login_url"`
 	RedeemURL         string `flag:"redeem-url" cfg:"redeem_url"`
 	ProfileURL        string `flag:"profile-url" cfg:"profile_url"`
@ -121,6 +123,7 @@ func NewOptions() *Options {
 		PassAuthorization:    false,
 		ApprovalPrompt:       "force",
 		RequestLogging:       true,
+		SkipOIDCDiscovery:    false,
 		RequestLoggingFormat: defaultRequestLoggingFormat,
 	}
 }
@ -161,16 +164,40 @@ func (o *Options) Validate() error {
 	}

 	if o.OIDCIssuerURL != "" {
-		// Configure discoverable provider data.
-		provider, err := oidc.NewProvider(context.Background(), o.OIDCIssuerURL)
-		if err != nil {
-			return err
+
+		ctx := context.Background()
+
+		// Construct a manual IDTokenVerifier from issuer URL & JWKS URI
+		// instead of metadata discovery if we enable -skip-oidc-discovery.
+		// In this case we need to make sure the required endpoints for
+		// the provider are configured.
+		if o.SkipOIDCDiscovery {
+			if o.LoginURL == "" {
+				msgs = append(msgs, "missing setting: login-url")
+			}
+			if o.RedeemURL == "" {
+				msgs = append(msgs, "missing setting: redeem-url")
+			}
+			if o.OIDCJwksURL == "" {
+				msgs = append(msgs, "missing setting: oidc-jwks-url")
+			}
+			keySet := oidc.NewRemoteKeySet(ctx, o.OIDCJwksURL)
+			o.oidcVerifier = oidc.NewVerifier(o.OIDCIssuerURL, keySet, &oidc.Config{
+				ClientID: o.ClientID,
+			})
+		} else {
+			// Configure discoverable provider data.
+			provider, err := oidc.NewProvider(ctx, o.OIDCIssuerURL)
+			if err != nil {
+				return err
+			}
+			o.oidcVerifier = provider.Verifier(&oidc.Config{
+				ClientID: o.ClientID,
+			})
+
+			o.LoginURL = provider.Endpoint().AuthURL
+			o.RedeemURL = provider.Endpoint().TokenURL
 		}
-		o.oidcVerifier = provider.Verifier(&oidc.Config{
-			ClientID: o.ClientID,
-		})
-		o.LoginURL = provider.Endpoint().AuthURL
-		o.RedeemURL = provider.Endpoint().TokenURL
 		if o.Scope == "" {
 			o.Scope = "openid email profile"
 		}