Add basic support for OIDC provider instantiation through discovery

smallstep · Jan 31, 2024 · c579239 · c579239
1 parent cd21f8d
commit c579239
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 8 deletions.
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
@@ -244,6 +244,11 @@ func (p *ACME) initializeWireOptions() error {
 		return fmt.Errorf("failed validating Wire options: %w", err)
 	}
 
+	// at this point the Wire options have been validated, and (mostly)
+	// initialized. Remote keys will be loaded upon the first verification,
+	// currently.
+	// TODO(hs): can/should we "prime" the underlying remote keyset?
+
 	return nil
 }
 

diff --git a/authority/provisioner/wire/oidc_options.go b/authority/provisioner/wire/oidc_options.go
@@ -15,12 +15,13 @@ import (
 )
 
 type Provider struct {
-	IssuerURL   string   `json:"issuer,omitempty"`
-	AuthURL     string   `json:"authorization_endpoint,omitempty"`
-	TokenURL    string   `json:"token_endpoint,omitempty"`
-	JWKSURL     string   `json:"jwks_uri,omitempty"`
-	UserInfoURL string   `json:"userinfo_endpoint,omitempty"`
-	Algorithms  []string `json:"id_token_signing_alg_values_supported,omitempty"`
+	DiscoveryBaseURL string   `json:"discoveryBaseUrl,omitempty"` // TODO: probably safe to change to our usual configuration style
+	IssuerURL        string   `json:"issuer,omitempty"`
+	AuthURL          string   `json:"authorization_endpoint,omitempty"`
+	TokenURL         string   `json:"token_endpoint,omitempty"`
+	JWKSURL          string   `json:"jwks_uri,omitempty"`
+	UserInfoURL      string   `json:"userinfo_endpoint,omitempty"`
+	Algorithms       []string `json:"id_token_signing_alg_values_supported,omitempty"`
 }
 
 type Config struct {
@@ -43,13 +44,29 @@ type OIDCOptions struct {
 	target             *template.Template
 	transform          *template.Template
 	oidcProviderConfig *oidc.ProviderConfig
+	provider           *oidc.Provider
 	verifier           *oidc.IDTokenVerifier
 }
 
 func (o *OIDCOptions) GetVerifier(ctx context.Context) (*oidc.IDTokenVerifier, error) {
 	if o.verifier == nil {
-		provider := o.oidcProviderConfig.NewProvider(ctx) // TODO: support the OIDC discovery flow
-		o.verifier = provider.Verifier(o.getConfig())
+		switch {
+		case o.Provider.DiscoveryBaseURL != "":
+			// creates a new OIDC provider using automatic discovery and the default HTTP client
+			if provider, err := oidc.NewProvider(ctx, o.Provider.DiscoveryBaseURL); err != nil {
+				return nil, fmt.Errorf("failed creating new OIDC provider using discovery: %w", err)
+			} else {
+				o.provider = provider
+			}
+		default:
+			o.provider = o.oidcProviderConfig.NewProvider(ctx)
+		}
+
+		if o.provider == nil {
+			return nil, errors.New("no OIDC provider available")
+		}
+
+		o.verifier = o.provider.Verifier(o.getConfig())
 	}
 
 	return o.verifier, nil