mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-28 18:06:34 +02:00
129 lines
6.6 KiB
Go
129 lines
6.6 KiB
Go
package mcp
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/url"
|
|
"path"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/rs/cors"
|
|
)
|
|
|
|
// AuthorizationServerMetadata represents the OAuth 2.0 Authorization Server Metadata (RFC 8414).
|
|
// https://datatracker.ietf.org/doc/html/rfc8414#section-2
|
|
type AuthorizationServerMetadata struct {
|
|
// Issuer is REQUIRED. The authorization server's issuer identifier, a URL using the "https" scheme with no query or fragment.
|
|
Issuer string `json:"issuer"`
|
|
|
|
// AuthorizationEndpoint is the URL of the authorization server's authorization endpoint. REQUIRED unless no grant types use the authorization endpoint.
|
|
AuthorizationEndpoint string `json:"authorization_endpoint,omitempty"`
|
|
|
|
// TokenEndpoint is the URL of the authorization server's token endpoint. REQUIRED unless only the implicit grant type is supported.
|
|
TokenEndpoint string `json:"token_endpoint,omitempty"`
|
|
|
|
// JwksURI is OPTIONAL. URL of the authorization server's JWK Set document.
|
|
JwksURI string `json:"jwks_uri,omitempty"`
|
|
|
|
// RegistrationEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint.
|
|
RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
|
|
|
|
// ScopesSupported is RECOMMENDED. JSON array of supported OAuth 2.0 "scope" values.
|
|
ScopesSupported []string `json:"scopes_supported,omitempty"`
|
|
|
|
// ResponseTypesSupported is REQUIRED. JSON array of supported OAuth 2.0 "response_type" values.
|
|
ResponseTypesSupported []string `json:"response_types_supported"`
|
|
|
|
// ResponseModesSupported is OPTIONAL. JSON array of supported OAuth 2.0 "response_mode" values. Default: ["query", "fragment"].
|
|
ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
|
|
|
|
// GrantTypesSupported is OPTIONAL. JSON array of supported OAuth 2.0 grant type values. Default: ["authorization_code", "implicit"].
|
|
GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
|
|
|
|
// TokenEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the token endpoint. Default: "client_secret_basic".
|
|
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
|
|
|
|
// TokenEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the token endpoint for JWT client authentication.
|
|
TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
|
|
|
|
// ServiceDocumentation is OPTIONAL. URL of a page with human-readable information for developers.
|
|
ServiceDocumentation string `json:"service_documentation,omitempty"`
|
|
|
|
// UILocalesSupported is OPTIONAL. JSON array of supported languages and scripts for the UI, as BCP 47 language tags.
|
|
UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
|
|
|
|
// OpPolicyURI is OPTIONAL. URL for the authorization server's policy on client data usage.
|
|
OpPolicyURI string `json:"op_policy_uri,omitempty"`
|
|
|
|
// OpTosURI is OPTIONAL. URL for the authorization server's terms of service.
|
|
OpTosURI string `json:"op_tos_uri,omitempty"`
|
|
|
|
// RevocationEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint.
|
|
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
|
|
|
|
// RevocationEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the revocation endpoint. Default: "client_secret_basic".
|
|
RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
|
|
|
|
// RevocationEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the revocation endpoint for JWT client authentication.
|
|
RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
|
|
|
|
// IntrospectionEndpoint is OPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint.
|
|
IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
|
|
|
|
// IntrospectionEndpointAuthMethodsSupported is OPTIONAL. JSON array of client authentication methods supported by the introspection endpoint.
|
|
IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
|
|
|
|
// IntrospectionEndpointAuthSigningAlgValuesSupported is OPTIONAL. JSON array of JWS signing algorithms supported by the introspection endpoint for JWT client authentication.
|
|
IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
|
|
|
|
// CodeChallengeMethodsSupported is OPTIONAL. JSON array of PKCE code challenge methods supported by this authorization server.
|
|
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
|
|
}
|
|
|
|
func AuthorizationServerMetadataHandler(prefix string) http.HandlerFunc {
|
|
c := cors.New(cors.Options{
|
|
AllowedMethods: []string{http.MethodGet, http.MethodOptions},
|
|
AllowedOrigins: []string{"*"},
|
|
AllowedHeaders: []string{"mcp-protocol-version"},
|
|
})
|
|
r := mux.NewRouter()
|
|
r.Use(c.Handler)
|
|
r.Methods(http.MethodGet).HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
meta := getAuthorizationServerMetadata(r.Host, prefix)
|
|
_ = json.NewEncoder(w).Encode(meta)
|
|
})
|
|
r.Methods(http.MethodOptions).HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
})
|
|
return http.HandlerFunc(r.ServeHTTP)
|
|
}
|
|
|
|
func getAuthorizationServerMetadata(host, prefix string) AuthorizationServerMetadata {
|
|
baseURL := url.URL{
|
|
Scheme: "https",
|
|
Host: host,
|
|
}
|
|
P := func(path string) string {
|
|
u := baseURL
|
|
u.Path = path
|
|
return u.String()
|
|
}
|
|
|
|
return AuthorizationServerMetadata{
|
|
Issuer: P("/"),
|
|
ServiceDocumentation: "https://pomerium.com/docs",
|
|
AuthorizationEndpoint: P(path.Join(prefix, authorizationEndpoint)),
|
|
ResponseTypesSupported: []string{"code"},
|
|
CodeChallengeMethodsSupported: []string{"S256"},
|
|
TokenEndpoint: P(path.Join(prefix, tokenEndpoint)),
|
|
TokenEndpointAuthMethodsSupported: []string{"none"},
|
|
GrantTypesSupported: []string{"authorization_code", "refresh_token"},
|
|
RevocationEndpoint: P(path.Join(prefix, revocationEndpoint)),
|
|
RevocationEndpointAuthMethodsSupported: []string{"client_secret_post"},
|
|
RegistrationEndpoint: P(path.Join(prefix, registerEndpoint)),
|
|
ScopesSupported: []string{"openid", "offline"},
|
|
}
|
|
}
|