forked from ory/oathkeeper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
credential.go
115 lines (99 loc) · 2.44 KB
/
credential.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package api
import (
"context"
"net/http"
"net/url"
"github.com/tidwall/gjson"
"github.com/ory/oathkeeper/credentials"
"github.com/ory/oathkeeper/driver/configuration"
"github.com/ory/oathkeeper/pipeline/mutate"
"github.com/ory/oathkeeper/rule"
"github.com/ory/oathkeeper/x"
"github.com/ory/x/urlx"
"github.com/julienschmidt/httprouter"
"gopkg.in/square/go-jose.v2"
)
const (
CredentialsPath = "/.well-known/jwks.json"
)
type credentialHandlerRegistry interface {
x.RegistryWriter
credentials.FetcherRegistry
rule.Registry
}
type CredentialsHandler struct {
c configuration.Provider
r credentialHandlerRegistry
}
func NewCredentialHandler(c configuration.Provider, r credentialHandlerRegistry) *CredentialsHandler {
return &CredentialsHandler{c: c, r: r}
}
func (h *CredentialsHandler) SetRoutes(r *x.RouterAPI) {
r.GET("/.well-known/jwks.json", h.wellKnown)
}
// swagger:route GET /.well-known/jwks.json api getWellKnownJSONWebKeys
//
// Lists cryptographic keys
//
// This endpoint returns cryptographic keys that are required to, for example, verify signatures of ID Tokens.
//
// Produces:
// - application/json
//
// Schemes: http, https
//
// Responses:
// 200: jsonWebKeySet
// 500: genericError
func (h *CredentialsHandler) wellKnown(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
urls, err := h.jwksURLs()
if err != nil {
h.r.Writer().WriteError(w, r, err)
return
}
sets, err := h.r.CredentialsFetcher().ResolveSets(r.Context(), urls)
if err != nil {
h.r.Writer().WriteError(w, r, err)
return
}
keys := make([]jose.JSONWebKey, 0)
for _, set := range sets {
for _, key := range set.Keys {
if p := key.Public(); p.Key != nil {
keys = append(keys, p)
}
}
}
h.r.Writer().Write(w, r, &jose.JSONWebKeySet{Keys: keys})
}
func (h *CredentialsHandler) jwksURLs() ([]url.URL, error) {
t := map[string]bool{}
for _, u := range h.c.JSONWebKeyURLs() {
t[u] = true
}
rules, err := h.r.RuleRepository().List(context.Background(), 2147483647, 0)
if err != nil {
return nil, err
}
for _, r := range rules {
for _, m := range r.Mutators {
if m.Handler == new(mutate.MutatorIDToken).GetID() {
u := gjson.GetBytes(m.Config, "jwks_url").String()
if len(u) > 0 {
t[u] = true
}
}
}
}
result := make([]url.URL, len(t))
i := 0
for u := range t {
uu, err := urlx.Parse(u)
if err != nil {
return nil, err
}
result[i] = *uu
i++
}
return result, nil
}