Support https://SCITOKENS_SERVER_ADDRESS/.well-known URLs

[jbasney]

Currently the lightweight issuer responds at

• https://SCITOKENS_SERVER_ADDRESS/scitokens-server/.well-known/openid-configuration
• https://SCITOKENS_SERVER_ADDRESS/scitokens-server/.well-known/oauth-authorization-server

but not

• https://SCITOKENS_SERVER_ADDRESS/.well-known/openid-configuration/scitokens-server
• https://SCITOKENS_SERVER_ADDRESS/.well-known/oauth-authorization-server/scitokens-server

even though the latter is preferred according to https://datatracker.ietf.org/doc/html/rfc8414#section-5 .

@terrencegf knows the Tomcat configuration magic to add a rewrite rule for the latter URLs.

[jbasney]

For a discussion of the corresponding SciTokens library behavior, see: scitokens/scitokens#75

[terrencegf]

For the following example, I assume that the OA4MP WAR is oauth2.war which is deployed in Tomcat to https://SERVER/oauth2/.... I don't know enough about the SciTokens server to say if this example applies or not.

1. The RewriteValve must be added to the Tomcat configuration. I do this in the main server.xml file in the <Host> block. For example:

<Host name="localhost" appBase="webapps" unpackWARS="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
</Host>

2. A new file rewrite.config must be placed in the Host configuration folder. In this example, since the Host name is "localhost", the rewrite.config file would be in the $CATALINA_HOME/conf/Catalina/localhost/ directory. To get the missing rewrite behavior, add the following line to that file.

RewriteRule ^/\.well-known/(openid-configuration|oauth-authorization-server)/([^/]+)/? /oauth2/.well-known/$1/$2

For completeness, the rewrite rule I'm using for the first (already supported) redirect is:

RewriteRule ^/((?:(?!oauth2).)+)/\.well-known/(openid-configuration|oauth-authorization-server)/? /oauth2/.well-known/$2/$1

(EDIT: I changed the second RewriteRule to use a negative lookahead without the RewriteCond %{REQUEST_URI} !^/oauth2/ condition. In my testing I discovered that Tomcat was ignoring this negated condition, but a negative lookahead within the RewriteRule works just fine.)