Adds additional OIDC discovery metadata (#12623)

2021-09-27 10:05:55 -07:00 · 2021-09-27 10:05:55 -07:00 · da394f34b1
parent 93f8d248d3
commit da394f34b1
2 changed files with 21 additions and 9 deletions
--- a/vault/identity_store_oidc_provider.go
+++ b/vault/identity_store_oidc_provider.go
@ -51,15 +51,18 @@ type provider struct {
 }
 type providerDiscovery struct {
 	AuthorizationEndpoint string   `json:"authorization_endpoint"`
 	IDTokenAlgs           []string `json:"id_token_signing_alg_values_supported"`
 	Issuer                string   `json:"issuer"`
 	Keys                  string   `json:"jwks_uri"`
 	AuthorizationEndpoint string   `json:"authorization_endpoint"`
 	TokenEndpoint         string   `json:"token_endpoint"`
 	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
 	RequestURIParameter   bool     `json:"request_uri_parameter_supported"`
 	IDTokenAlgs           []string `json:"id_token_signing_alg_values_supported"`
 	ResponseTypes         []string `json:"response_types_supported"`
 	Scopes                []string `json:"scopes_supported"`
 	Subjects              []string `json:"subject_types_supported"`
-	TokenEndpoint         string   `json:"token_endpoint"`
+	GrantTypes            []string `json:"grant_types_supported"`
-	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
+	AuthMethods           []string `json:"token_endpoint_auth_methods_supported"`
 }
 const (
@ -457,15 +460,18 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
 	scopes := append(p.Scopes, "openid")
 	disc := providerDiscovery{
 		AuthorizationEndpoint: strings.Replace(p.effectiveIssuer, "/v1/", "/ui/vault/", 1) + "/authorize",
 		IDTokenAlgs:           supportedAlgs,
 		Issuer:                p.effectiveIssuer,
 		Keys:                  p.effectiveIssuer + "/.well-known/keys",
-		ResponseTypes:         []string{"code"},
+		AuthorizationEndpoint: strings.Replace(p.effectiveIssuer, "/v1/", "/ui/vault/", 1) + "/authorize",
 		Scopes:                scopes,
 		Subjects:              []string{"public"},
 		TokenEndpoint:         p.effectiveIssuer + "/token",
 		UserinfoEndpoint:      p.effectiveIssuer + "/userinfo",
 		IDTokenAlgs:           supportedAlgs,
 		Scopes:                scopes,
 		RequestURIParameter:   false,
 		ResponseTypes:         []string{"code"},
 		Subjects:              []string{"public"},
 		GrantTypes:            []string{"authorization_code"},
 		AuthMethods:           []string{"client_secret_basic"},
 	}
 	data, err := json.Marshal(disc)
--- a/vault/identity_store_oidc_provider_test.go
+++ b/vault/identity_store_oidc_provider_test.go
@ -1810,6 +1810,9 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthorizationEndpoint: "/ui/vault/identity/oidc/provider/test-provider/authorize",
 		TokenEndpoint:         basePath + "/token",
 		UserinfoEndpoint:      basePath + "/userinfo",
 		GrantTypes:            []string{"authorization_code"},
 		AuthMethods:           []string{"client_secret_basic"},
 		RequestURIParameter:   false,
 	}
 	discoveryResp := &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)
@ -1861,6 +1864,9 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 		AuthorizationEndpoint: testIssuer + "/ui/vault/identity/oidc/provider/test-provider/authorize",
 		TokenEndpoint:         basePath + "/token",
 		UserinfoEndpoint:      basePath + "/userinfo",
 		GrantTypes:            []string{"authorization_code"},
 		AuthMethods:           []string{"client_secret_basic"},
 		RequestURIParameter:   false,
 	}
 	discoveryResp = &providerDiscovery{}
 	json.Unmarshal(resp.Data["http_raw_body"].([]byte), discoveryResp)