impl oidc

traPtitech · May 8, 2024 · 68c2454 · 68c2454
1 parent 8369db2
commit 68c2454
Show file tree

Hide file tree

Showing 27 changed files with 363 additions and 66 deletions.
diff --git a/cmd/config.go b/cmd/config.go
@@ -21,6 +21,8 @@ import (
 	"github.com/traPtitech/traQ/service/fcm"
 	"github.com/traPtitech/traQ/service/imaging"
 	"github.com/traPtitech/traQ/service/message"
+	"github.com/traPtitech/traQ/service/oidc"
+	"github.com/traPtitech/traQ/service/rbac"
 	"github.com/traPtitech/traQ/service/search"
 	"github.com/traPtitech/traQ/service/variable"
 	"github.com/traPtitech/traQ/utils/storage"
@@ -469,6 +471,10 @@ func provideImageProcessorConfig(c *Config) imaging.Config {
 	}
 }
 
+func provideOIDCService(c *Config, repo repository.Repository, rbac rbac.RBAC) *oidc.Service {
+	return oidc.NewOIDCService(repo, c.Origin, rbac)
+}
+
 func provideAuthGithubProviderConfig(c *Config) auth.GithubProviderConfig {
 	return auth.GithubProviderConfig{
 		ClientID:               c.ExternalAuth.GitHub.ClientID,
@@ -530,6 +536,7 @@ func provideRouterExternalAuthConfig(c *Config) router.ExternalAuthConfig {
 
 func provideRouterConfig(c *Config) *router.Config {
 	return &router.Config{
+		Origin:           c.Origin,
 		Development:      c.DevMode,
 		Version:          Version,
 		Revision:         Revision,

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -81,7 +81,7 @@ func serveCommand() *cobra.Command {
 			}
 			logger.Info("repository was set up")
 
-			// JWT for QRCode
+			// JWT
 			if priv := c.JWT.Keys.Private; priv != "" {
 				privRaw, err := os.ReadFile(priv)
 				if err != nil {

diff --git a/cmd/serve_wire.go b/cmd/serve_wire.go
@@ -54,6 +54,7 @@ func newServer(hub *hub.Hub, db *gorm.DB, repo repository.Repository, fs storage
 		provideServerOriginString,
 		provideFirebaseCredentialsFilePathString,
 		provideImageProcessorConfig,
+		provideOIDCService,
 		provideRouterConfig,
 		provideESEngineConfig,
 		wire.Struct(new(service.Services), "*"),

diff --git a/cmd/wire_gen.go b/cmd/wire_gen.go
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.22.2
 require (
 	cloud.google.com/go/profiler v0.4.0
 	firebase.google.com/go v3.13.0+incompatible
+	github.com/MicahParks/jwkset v0.3.1
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/aws/aws-sdk-go-v2 v1.26.1
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
@@ -50,6 +51,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.9.0
+	github.com/zitadel/oidc v1.13.4
 	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.23.0
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
@@ -127,6 +129,7 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hpcloud/tail v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
@@ -157,8 +160,8 @@ require (
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sanity-io/litter v1.5.5 // indirect
-	github.com/sergi/go-diff v1.0.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -192,6 +195,7 @@ require (
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	moul.io/http2curl/v2 v2.3.0 // indirect

diff --git a/go.sum b/go.sum
@@ -24,6 +24,8 @@ firebase.google.com/go v3.13.0+incompatible/go.mod h1:xlah6XbEyW6tbfSklcfe5FHJIw
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/MicahParks/jwkset v0.3.1 h1:DIVazR/elD8CLWPblrVo610TzovIDYMcvlM4X0UT0vQ=
+github.com/MicahParks/jwkset v0.3.1/go.mod h1:Ob0sxSgMmQZFg4GO59PVBnfm+jtdQ1MJbfZDU90tEwM=
 github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
@@ -211,6 +213,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
 github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs=
@@ -231,6 +235,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
 github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
 github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/guregu/null v4.0.0+incompatible h1:4zw0ckM7ECd6FNNddc3Fu4aty9nTlpkkzH7dPn4/4Gw=
@@ -366,11 +372,13 @@ github.com/sanity-io/litter v1.5.5/go.mod h1:9gzJgR2i4ZpjZHsKvUXIRQVk7P+yM3e+jAF
 github.com/sapphi-red/midec v0.5.2 h1:7R69uT6BMyWT+XGkBTI14TqgRNCBa5qo+bFgr5OSPIg=
 github.com/sapphi-red/midec v0.5.2/go.mod h1:LjZZZoars2NdhvLzAsC7MoGmxHzWUqiRY6r73gXqBmo=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -393,6 +401,7 @@ github.com/stretchr/testify v0.0.0-20161117074351-18a02ba4a312/go.mod h1:a8OnRci
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -434,6 +443,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zitadel/oidc v1.13.4 h1:+k2GKqP9Ld9S2MSFlj+KaNsoZ3J9oy+Ezw51EzSFuC8=
+github.com/zitadel/oidc v1.13.4/go.mod h1:3h2DhUcP02YV6q/CA/BG4yla0o6rXjK+DkJGK/dwJfw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
@@ -555,6 +566,7 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -649,16 +661,20 @@ google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFW
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

diff --git a/migration/current.go b/migration/current.go
@@ -45,6 +45,7 @@ func Migrations() []*gormigrate.Migration {
 		v32(), // ユーザーの表示名上限を32文字に
 		v33(), // 未読テーブルにチャンネルIDカラムを追加 / インデックス類の更新 / 不要なレコードの削除
 		v34(), // 未読テーブルのcreated_atカラムをメッセージテーブルを元に更新 / カラム名を変更
+		v35(), // OIDC実装のためProfileロールを追加
 	}
 }
 

diff --git a/migration/v35.go b/migration/v35.go
@@ -0,0 +1,48 @@
+package migration
+
+import (
+	"github.com/go-gormigrate/gormigrate/v2"
+	"gorm.io/gorm"
+)
+
+// v35  OIDC実装のためProfileロールを追加
+func v35() *gormigrate.Migration {
+	return &gormigrate.Migration{
+		ID: "35",
+		Migrate: func(db *gorm.DB) error {
+			v := v35UserRole{
+				Name:        "profile",
+				Oauth2Scope: true,
+				System:      true,
+				Permissions: []v35RolePermission{
+					{
+						Role:       "profile",
+						Permission: "get_me",
+					},
+				},
+			}
+			return db.Create(v).Error
+		},
+	}
+}
+
+type v35UserRole struct {
+	Name        string `gorm:"type:varchar(30);not null;primaryKey"`
+	Oauth2Scope bool   `gorm:"type:boolean;not null;default:false"`
+	System      bool   `gorm:"type:boolean;not null;default:false"`
+
+	Permissions []v35RolePermission `gorm:"constraint:user_role_permissions_role_user_roles_name_foreign,OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:Role;references:Name"`
+}
+
+func (*v35UserRole) TableName() string {
+	return "user_roles"
+}
+
+type v35RolePermission struct {
+	Role       string `gorm:"type:varchar(30);not null;primaryKey"`
+	Permission string `gorm:"type:varchar(30);not null;primaryKey"`
+}
+
+func (*v35RolePermission) TableName() string {
+	return "user_role_permissions"
+}
diff --git a/model/oauth2.go b/model/oauth2.go
@@ -11,6 +11,7 @@ import (
 
 	vd "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/gofrs/uuid"
+	"github.com/samber/lo"
 	"gorm.io/gorm"
 
 	"github.com/traPtitech/traQ/utils/validator"
@@ -28,6 +29,11 @@ type AccessScope string
 // AccessScopes AccessScopeのセット
 type AccessScopes map[AccessScope]struct{}
 
+// SupportedAccessScopes 対応するスコープ一覧を返します
+func SupportedAccessScopes() []string {
+	return []string{"read", "write", "manage_bot", "openid", "profile"}
+}
+
 // Value database/sql/driver.Valuer 実装
 func (arr AccessScopes) Value() (driver.Value, error) {
 	return arr.String(), nil
@@ -112,7 +118,8 @@ func (arr AccessScopes) StringArray() (r []string) {
 // Validate github.com/go-ozzo/ozzo-validation.Validatable 実装
 func (arr AccessScopes) Validate() error {
 	// TODO カスタムスコープに対応
-	return vd.Validate(arr.StringArray(), vd.Each(vd.Required, vd.In("read", "write", "manage_bot")))
+	scopes := lo.Map(SupportedAccessScopes(), func(s string, _ int) any { return s })
+	return vd.Validate(arr.StringArray(), vd.Each(vd.Required, vd.In(scopes...)))
 }
 
 // OAuth2Authorize OAuth2 認可データの構造体
@@ -226,9 +233,13 @@ func (t *OAuth2Token) GetAvailableScopes(request AccessScopes) (result AccessSco
 	return
 }
 
+func (t *OAuth2Token) Deadline() time.Time {
+	return t.CreatedAt.Add(time.Duration(t.ExpiresIn) * time.Second)
+}
+
 // IsExpired 有効期限が切れているかどうか
 func (t *OAuth2Token) IsExpired() bool {
-	return t.CreatedAt.Add(time.Duration(t.ExpiresIn) * time.Second).Before(time.Now())
+	return t.Deadline().Before(time.Now())
 }
 
 // IsRefreshEnabled リフレッシュトークンが有効かどうか

diff --git a/router/config.go b/router/config.go
@@ -8,6 +8,8 @@ import (
 
 // Config APIサーバー設定
 type Config struct {
+	// Origin サーバーオリジン (e.g. https://q.trap.jp)
+	Origin string
 	// 開発モードかどうか
 	Development bool
 	// Version サーバーバージョン
@@ -66,6 +68,7 @@ func (c ExternalAuthConfig) ValidProviders() map[string]bool {
 
 func provideOAuth2Config(c *Config) oauth2.Config {
 	return oauth2.Config{
+		Origin:           c.Origin,
 		AccessTokenExp:   c.AccessTokenExp,
 		IsRefreshEnabled: c.IsRefreshEnabled,
 	}

diff --git a/router/oauth2/authorization_endpoint.go b/router/oauth2/authorization_endpoint.go
@@ -11,6 +11,7 @@ import (
 	vd "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/google/go-querystring/query"
 	"github.com/labstack/echo/v4"
+	"github.com/samber/lo"
 	"go.uber.org/zap"
 
 	"github.com/traPtitech/traQ/model"
@@ -52,16 +53,17 @@ func (r authorizeRequest) Validate() error {
 }
 
 type responseType struct {
-	Code  bool
-	Token bool
-	None  bool
+	Code    bool
+	Token   bool
+	IDToken bool
+	None    bool
 }
 
 func (t responseType) valid() bool {
 	if t.None {
-		return !t.Code && !t.Token
+		return !t.Code && !t.Token && !t.IDToken
 	}
-	return t.Code || t.Token
+	return t.Code || t.Token || t.IDToken
 }
 
 // AuthorizationEndpointHandler 認可エンドポイントのハンドラ
@@ -102,7 +104,7 @@ func (h *Handler) AuthorizationEndpointHandler(c echo.Context) error {
 
 	// PKCE確認
 	if len(req.CodeChallengeMethod) > 0 {
-		if req.CodeChallengeMethod != "plain" && req.CodeChallengeMethod != "S256" {
+		if !lo.Contains(supportedCodeChallengeMethods, req.CodeChallengeMethod) {
 			q.Set("error", errInvalidRequest)
 			redirectURI.RawQuery = q.Encode()
 			return c.Redirect(http.StatusFound, redirectURI.String())
@@ -132,13 +134,15 @@ func (h *Handler) AuthorizationEndpointHandler(c echo.Context) error {
 	}
 
 	// ResponseType確認
-	types := responseType{false, false, false}
+	var types responseType
 	for _, v := range strings.Fields(req.ResponseType) {
 		switch v {
 		case "code":
 			types.Code = true
 		case "token":
 			types.Token = true
+		case "id_token":
+			types.IDToken = true
 		case "none":
 			types.None = true
 		default:

diff --git a/router/oauth2/authorization_endpoint_test.go b/router/oauth2/authorization_endpoint_test.go
@@ -530,7 +530,7 @@ func TestHandlers_AuthorizationDecideHandler(t *testing.T) {
 				Scopes:       scopesReadWrite,
 				ValidScopes:  scopesRead,
 				State:        "state",
-				Types:        responseType{true, false, false},
+				Types:        responseType{Code: true},
 				AccessTime:   time.Now(),
 				Nonce:        "nonce",
 			},