Start implementation of individual claim handling

2021-01-03 11:43:41 +01:00 · 2021-01-03 11:43:41 +01:00 · 744440ee54
commit 744440ee54
parent e9c34a2337
6 changed files with 243 additions and 12 deletions
--- a/common/models/oidc.go
+++ b/common/models/oidc.go
@ -0,0 +1,158 @@
+/*
+This package contains data models.
+*/
+package models
+
+// An individual claim request.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
+type IndividualClaimRequest map[string]interface{}
+
+// ClaimElement represents a claim element
+type ClaimElement map[string]*IndividualClaimRequest
+
+// OIDCClaimsRequest the claims request parameter sent with the authorization request.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
+type OIDCClaimsRequest map[string]ClaimElement
+
+// GetUserInfo extracts the userinfo claim element from the request.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
+//
+// Requests that the listed individual Claims be returned from the UserInfo
+// Endpoint. If present, the listed Claims are being requested to be added to
+// any Claims that are being requested using scope values. If not present, the
+// Claims being requested from the UserInfo Endpoint are only those requested
+// using scope values.
+//
+// When the userinfo member is used, the request MUST also use a response_type
+// value that results in an Access Token being issued to the Client for use at
+// the UserInfo Endpoint.
+func (r OIDCClaimsRequest) GetUserInfo() *ClaimElement {
+	if userInfo, ok := r["userinfo"]; ok {
+		return &userInfo
+	}
+	return nil
+}
+
+// GetIDToken extracts the id_token claim element from the request.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
+//
+// Requests that the listed individual Claims be returned in the ID Token. If
+// present, the listed Claims are being requested to be added to the default
+// Claims in the ID Token. If not present, the default ID Token Claims are
+// requested, as per the ID Token definition in Section 2 and per the
+// additional per-flow ID Token requirements in Sections 3.1.3.6, 3.2.2.10,
+// 3.3.2.11, and 3.3.3.6.
+func (r OIDCClaimsRequest) GetIDToken() *ClaimElement {
+	if idToken, ok := r["id_token"]; ok {
+		return &idToken
+	}
+	return nil
+}
+
+// Checks whether the individual claim is an essential claim.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
+//
+// Indicates whether the Claim being requested is an Essential Claim. If the
+// value is true, this indicates that the Claim is an Essential Claim. For
+// instance, the Claim request:
+//
+//   "auth_time": {"essential": true}
+//
+// can be used to specify that it is Essential to return an auth_time Claim
+// Value. If the value is false, it indicates that it is a Voluntary Claim.
+// The default is false.
+//
+// By requesting Claims as Essential Claims, the RP indicates to the End-User
+// that releasing these Claims will ensure a smooth authorization for the
+// specific task requested by the End-User.
+//
+// Note that even if the Claims are not available because the End-User did not
+// authorize their release or they are not present, the Authorization Server
+// MUST NOT generate an error when Claims are not returned, whether they are
+// Essential or Voluntary, unless otherwise specified in the description of
+// the specific claim.
+func (i IndividualClaimRequest) IsEssential() bool {
+	if essential, ok := i["essential"]; ok {
+		return essential.(bool)
+	}
+	return false
+}
+
+// Returns the wanted value for an individual claim request.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
+//
+// Requests that the Claim be returned with a particular value. For instance
+// the Claim request:
+//
+//   "sub": {"value": "248289761001"}
+//
+// can be used to specify that the request apply to the End-User with Subject
+// Identifier 248289761001. The value of the value member MUST be a valid
+// value for the Claim being requested. Definitions of individual Claims can
+// include requirements on how and whether the value qualifier is to be used
+// when requesting that Claim.
+func (i IndividualClaimRequest) WantedValue() *string {
+	if value, ok := i["value"]; ok {
+		valueString := value.(string)
+		return &valueString
+	}
+	return nil
+}
+
+// Get the allowed values for an individual claim request that specifies
+// a values field.
+//
+// Specification
+//
+// https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests
+//
+// Requests that the Claim be returned with one of a set of values, with the
+// values appearing in order of preference. For instance the Claim request:
+//
+//   "acr": {"essential": true,
+//           "values": ["urn:mace:incommon:iap:silver",
+//                      "urn:mace:incommon:iap:bronze"]}
+//
+// specifies that it is Essential that the acr Claim be returned with either
+// the value urn:mace:incommon:iap:silver or urn:mace:incommon:iap:bronze.
+// The values in the values member array MUST be valid values for the Claim
+// being requested. Definitions of individual Claims can include requirements
+// on how and whether the values qualifier is to be used when requesting that
+// Claim.
+func (i IndividualClaimRequest) AllowedValues() []string {
+	if values, ok := i["values"]; ok {
+		return values.([]string)
+	}
+	return nil
+}
+
+// OpenIDConfiguration contains the parts of the OpenID discovery information
+// that are relevant for us.
+//
+// Specification
+//
+// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+type OpenIDConfiguration struct {
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+	JwksUri               string `json:"jwks_uri"`
+	EndSessionEndpoint    string `json:"end_session_endpoint"`
+}