From 5464cda90e043e7e7452eb512727129785fa7659 Mon Sep 17 00:00:00 2001
From: Joe Kralicky
Date: Fri, 25 Oct 2024 13:07:57 -0400
Subject: [PATCH] Add an 'issuer' field to the /.well-known/pomerium endpoint (#5344)
The field contains the route's base uri, including the https:// scheme and ending with a trailing slash.
---
 internal/controlplane/server_test.go | 1 +
 internal/handlers/well_known_pomerium.go | 2 ++
 internal/handlers/well_known_pomerium_test.go | 1 +
 3 files changed, 4 insertions(+)
diff --git a/internal/controlplane/server_test.go b/internal/controlplane/server_test.go
index 0b1bd0fff..792e661b3 100644
--- a/internal/controlplane/server_test.go
+++ b/internal/controlplane/server_test.go
@@ -52,6 +52,7 @@ func TestServerHTTP(t *testing.T) {
 require.NoError(t, err)
 expect := map[string]any{
+ "issuer": fmt.Sprintf("https://localhost:%s/", src.GetConfig().HTTPPort),
 "authentication_callback_endpoint": "https://authenticate.localhost.pomerium.io/oauth2/callback",
 "frontchannel_logout_uri": fmt.Sprintf("https://localhost:%s/.pomerium/sign_out", src.GetConfig().HTTPPort),
 "jwks_uri": fmt.Sprintf("https://localhost:%s/.well-known/pomerium/jwks.json", src.GetConfig().HTTPPort),
diff --git a/internal/handlers/well_known_pomerium.go b/internal/handlers/well_known_pomerium.go
index 30dab5a05..ebd0e2f89 100644
--- a/internal/handlers/well_known_pomerium.go
+++ b/internal/handlers/well_known_pomerium.go
@@ -15,10 +15,12 @@ import (
 func WellKnownPomerium(authenticateURL *url.URL) http.Handler {
 return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 wellKnownURLs := struct {
+ Issuer string `json:"issuer"`
 OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749
 JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517
 FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html
 }{
+ urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{Path: "/"}).String(),
 authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
 urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
 urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(),
diff --git a/internal/handlers/well_known_pomerium_test.go b/internal/handlers/well_known_pomerium_test.go
index b4db777ea..7a00a3f32 100644
--- a/internal/handlers/well_known_pomerium_test.go
+++ b/internal/handlers/well_known_pomerium_test.go
@@ -27,6 +27,7 @@ func TestWellKnownPomeriumHandler(t *testing.T) {
 r := httptest.NewRequest(http.MethodGet, "https://route.example.com", nil)
 WellKnownPomerium(authenticateURL).ServeHTTP(w, r)
 assert.JSONEq(t, `{
+ "issuer": "https://route.example.com/",
 "authentication_callback_endpoint": "https://authenticate.example.com/oauth2/callback",
 "frontchannel_logout_uri": "https://route.example.com/.pomerium/sign_out",
 "jwks_uri": "https://route.example.com/.well-known/pomerium/jwks.json"
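Review bot: The new `Issuer` field is the only member of the struct without a spec-reference comment, and nothing records that its value comes from the incoming request rather than from configuration. It is built from `urlutil.GetAbsoluteURL(r)` exactly like `jwks_uri`, so it reflects whatever scheme and host the request arrived on; a client that uses this document for discovery should only trust the value after confirming it matches the URL the document was fetched from, which is the check RFC 8414 §3.3 and OpenID Connect Discovery §4.3 require. I would add a trailing comment on the field line, matching its neighbours: `// RFC8414 §2 (issuer); base URL of the route the request arrived on, scheme + host + "/"`. Separately, and hedged because it is outside this diff, it is worth confirming that the `iss` claim on JWTs Pomerium issues for a route is byte-identical to this string, trailing slash included, since consumers will compare the two. The enclosing handler continues outside the hunk.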
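Review bot: The new assertion only covers a request to the bare origin `https://route.example.com`, so it does not demonstrate that the issuer is reset to the root path or stripped of a query string, which is the behaviour the commit message promises. A second request built with a non-root path and query, e.g. `httptest.NewRequest(http.MethodGet, "https://route.example.com/some/path?x=1", nil)`, asserting the same `"issuer": "https://route.example.com/"` would pin that normalisation. TestWellKnownPomeriumHandler starts outside the hunk.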