feat: add oauth-authorization-server discovery endpoint

Signed-off-by: Giovanni Vella <giovanni.vella98@gmail.com>

feat: add oauth-authorization-server discovery handler

Signed-off-by: Giovanni Vella <giovanni.vella98@gmail.com>

feat: add oauth-authorization-server tests for endpoint

Signed-off-by: Giovanni Vella <giovanni.vella98@gmail.com>

Author: johnvan7

connector/oidc/oidc_test.go

@@ -862,6 +862,17 @@ func setupServer(tok map[string]interface{}, idTokenDesired bool) (*httptest.Ser
 		})
 	})
 
+	mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
+		url := fmt.Sprintf("http://%s", r.Host)
+
+		json.NewEncoder(w).Encode(&map[string]string{
+			"issuer":                 url,
+			"token_endpoint":         fmt.Sprintf("%s/token", url),
+			"authorization_endpoint": fmt.Sprintf("%s/authorize", url),
+			"jwks_uri":               fmt.Sprintf("%s/keys", url),
+		})
+	})
+
 	return httptest.NewServer(mux), nil
 }
 

server/handlers.go

@@ -72,7 +72,7 @@ func (s *Server) handlePublicKeys(w http.ResponseWriter, r *http.Request) {
 	w.Write(data)
 }
 
-type discovery struct {
+type discoveryOIDC struct {
 	Issuer            string   `json:"issuer"`
 	Auth              string   `json:"authorization_endpoint"`
 	Token             string   `json:"token_endpoint"`
@@ -90,8 +90,36 @@ type discovery struct {
 	Claims            []string `json:"claims_supported"`
 }
 
-func (s *Server) discoveryHandler() (http.HandlerFunc, error) {
-	d := s.constructDiscovery()
+type discoveryOAuth2 struct {
+	Issuer            string   `json:"issuer"`
+	Auth              string   `json:"authorization_endpoint"`
+	Token             string   `json:"token_endpoint"`
+	Keys              string   `json:"jwks_uri"`
+	DeviceEndpoint    string   `json:"device_authorization_endpoint,omitempty"`
+	Introspect        string   `json:"introspection_endpoint,omitempty"`
+	GrantTypes        []string `json:"grant_types_supported"`
+	ResponseTypes     []string `json:"response_types_supported"`
+	CodeChallengeAlgs []string `json:"code_challenge_methods_supported,omitempty"`
+	Scopes            []string `json:"scopes_supported,omitempty"`
+	AuthMethods       []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+}
+
+type DiscoveryType int
+
+const (
+	DiscoveryOIDC DiscoveryType = iota
+	DiscoveryOAuth2
+)
+
+func (s *Server) discoveryHandler(t DiscoveryType) (http.HandlerFunc, error) {
+	var d interface{}
+
+	switch t {
+	case DiscoveryOAuth2:
+		d = s.constructDiscoveryOAuth2()
+	default:
+		d = s.constructDiscoveryOIDC()
+	}
 
 	data, err := json.MarshalIndent(d, "", "  ")
 	if err != nil {
@@ -105,8 +133,8 @@ func (s *Server) discoveryHandler() (http.HandlerFunc, error) {
 	}), nil
 }
 
-func (s *Server) constructDiscovery() discovery {
-	d := discovery{
+func (s *Server) constructDiscoveryOIDC() discoveryOIDC {
+	d := discoveryOIDC{
 		Issuer:            s.issuerURL.String(),
 		Auth:              s.absURL("/auth"),
 		Token:             s.absURL("/token"),
@@ -134,6 +162,31 @@ func (s *Server) constructDiscovery() discovery {
 	return d
 }
 
+func (s *Server) constructDiscoveryOAuth2() discoveryOAuth2 {
+	d := discoveryOAuth2{
+		Issuer:            s.issuerURL.String(),
+		Auth:              s.absURL("/auth"),
+		Token:             s.absURL("/token"),
+		Keys:              s.absURL("/keys"),
+		DeviceEndpoint:    s.absURL("/device/code"),
+		Introspect:        s.absURL("/token/introspect"),
+		CodeChallengeAlgs: []string{codeChallengeMethodS256, codeChallengeMethodPlain},
+		Scopes:            []string{"offline_access"},
+		AuthMethods:       []string{"client_secret_basic", "client_secret_post"},
+	}
+
+	// response_types_supported
+	for responseType := range s.supportedResponseTypes {
+		d.ResponseTypes = append(d.ResponseTypes, responseType)
+	}
+	sort.Strings(d.ResponseTypes)
+
+	// grant_types_supported
+	d.GrantTypes = s.supportedGrantTypes
+
+	return d
+}
+
 // handleAuthorization handles the OAuth2 auth endpoint.
 func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

server/server.go

@@ -452,11 +452,17 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	}
 	r.NotFoundHandler = http.NotFoundHandler()
 
-	discoveryHandler, err := s.discoveryHandler()
+	oidcHandler, err := s.discoveryHandler(DiscoveryOIDC)
 	if err != nil {
 		return nil, err
 	}
-	handleWithCORS("/.well-known/openid-configuration", discoveryHandler)
+	handleWithCORS("/.well-known/openid-configuration", oidcHandler)
+
+	oauthHandler, err := s.discoveryHandler(DiscoveryOAuth2)
+	if err != nil {
+		return nil, err
+	}
+	handleWithCORS("/.well-known/oauth-authorization-server", oauthHandler)
 	// Handle the root path for the better user experience.
 	handleWithCORS("/", func(w http.ResponseWriter, r *http.Request) {
 		_, err := fmt.Fprintf(w, `<!DOCTYPE html>