proxy: add userinfo and webauthn endpoints (#3755)

* proxy: add userinfo and webauthn endpoints * use TLD for RP id * use EffectiveTLDPlusOne * upgrade webauthn * fix test * Update internal/handlers/jwks.go Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-05-28 08:27:26 +02:00 · 2022-11-22 10:26:35 -07:00 · 2022-11-22 10:26:35 -07:00 · c1a522cd82
commit c1a522cd82
parent 81053ac8ef
33 changed files with 498 additions and 216 deletions
--- a/internal/handlers/jwks.go
+++ b/internal/handlers/jwks.go
@ -0,0 +1,33 @@
+package handlers
+
+import (
+	"encoding/base64"
+	"errors"
+	"net/http"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/rs/cors"
+
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+// JWKSHandler returns the /.well-known/pomerium/jwks.json handler.
+func JWKSHandler(rawSigningKey string) http.Handler {
+	return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+		var jwks jose.JSONWebKeySet
+		if rawSigningKey != "" {
+			decodedCert, err := base64.StdEncoding.DecodeString(rawSigningKey)
+			if err != nil {
+				return httputil.NewError(http.StatusInternalServerError, errors.New("bad base64 encoding for signing key"))
+			}
+			jwk, err := cryptutil.PublicJWKFromBytes(decodedCert)
+			if err != nil {
+				return httputil.NewError(http.StatusInternalServerError, errors.New("bad signing key"))
+			}
+			jwks.Keys = append(jwks.Keys, *jwk)
+		}
+		httputil.RenderJSON(w, http.StatusOK, jwks)
+		return nil
+	}))
+}