3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-20 12:37:16 +02:00
Code Issues Projects Releases Packages Wiki Activity

controlplane: move jwks.json endpoint to control plane (#3691)

Browse source
This commit is contained in:
Caleb Doxsey 2022-10-25 08:01:33 -06:00 committed by GitHub
parent 63b210e51d
commit b68dc1ff4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 99 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

45
internal/httputil/handlers.go
View file

@ -2,10 +2,17 @@ package httputil
import (
"bytes"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"github.com/go-jose/go-jose/v3"
"github.com/pomerium/csrf"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
// HealthCheck is a simple healthcheck handler that responds to GET and HEAD
@ -64,3 +71,41 @@ func (f HandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) {
e.ErrorResponse(r.Context(), w, r)
}
}
// JWKSHandler returns the /.well-known/pomerium/jwks.json handler.
func JWKSHandler(rawSigningKey string) http.Handler {
return HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
var jwks jose.JSONWebKeySet
if rawSigningKey != "" {
decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey)
if err != nil {
return NewError(http.StatusInternalServerError, errors.New("bad signing key"))
}
jwk, err := cryptutil.PublicJWKFromBytes(decodedCert)
if err != nil {
return NewError(http.StatusInternalServerError, errors.New("bad signing key"))
}
jwks.Keys = append(jwks.Keys, *jwk)
}
RenderJSON(w, http.StatusOK, jwks)
return nil
})
}
// WellKnownPomeriumHandler returns the /.well-known/pomerium handler.
func WellKnownPomeriumHandler(authenticateURL *url.URL) http.Handler {
return HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
wellKnownURLs := struct {
OAuth2Callback string `json:"authentication_callback_endpoint"` // RFC6749
JSONWebKeySetURL string `json:"jwks_uri"` // RFC7517
FrontchannelLogoutURI string `json:"frontchannel_logout_uri"` // https://openid.net/specs/openid-connect-frontchannel-1_0.html
}{
authenticateURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
authenticateURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(),
}
w.Header().Set("X-CSRF-Token", csrf.Token(r))
RenderJSON(w, http.StatusOK, wellKnownURLs)
return nil
})
}