oauth2: Make client registration endpoint configurable (ory#1167)

Closes ory#1072
wolfeidau · Nov 8, 2018 · ddafef5 · ddafef5
1 parent e88c7b6
commit ddafef5
Show file tree

Hide file tree

Showing 10 changed files with 24 additions and 12 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -201,6 +201,9 @@ func initConfig() {
 	viper.BindEnv("TRACING_PROVIDER")
 	viper.SetDefault("TRACING_PROVIDER", "")
 
+	viper.BindEnv("OAUTH2_CLIENT_REGISTRATION_URL")
+	viper.SetDefault("OAUTH2_CLIENT_REGISTRATION_URL", "")
+
 	viper.BindEnv("TRACING_PROVIDER_JAEGER_SAMPLING_SERVER_URL")
 	viper.SetDefault("TRACING_PROVIDER_JAEGER_SAMPLING_SERVER_URL", "")
 

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -103,6 +103,9 @@ OAUTH2 CONTROLS
 	specified and using HTTPS protocol, unless --dangerous-force-http is set.
 	Example: OAUTH2_ISSUER_URL=https://hydra.myapp.com/
 
+- OAUTH2_CLIENT_REGISTRATION_URL: This is the path to the OAuth 2.0 Client Registration endpoint (as defined by OpenID
+	Connect Dynamic Client Registration). Leave this value empty, if that endpoint is not publicly accessible.
+
 - AUTH_CODE_LIFESPAN: Lifespan of OAuth2 authorize codes. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 	Defaults to AUTH_CODE_LIFESPAN=10m
 

diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -220,6 +220,7 @@ func newOAuth2Handler(c *config.Config, frontend, backend *httprouter.Router, cm
 		AccessTokenLifespan:    c.GetAccessTokenLifespan(),
 		CookieStore:            sessions.NewCookieStore(c.GetCookieSecret()),
 		IssuerURL:              c.Issuer,
+		ClientRegistrationURL:  c.ClientRegistrationURL,
 		L:                      c.GetLogger(),
 		OpenIDJWTStrategy:      openIDJWTStrategy,
 		AccessTokenJWTStrategy: accessTokenJWTStrategy,

diff --git a/config/config.go b/config/config.go
@@ -36,7 +36,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	yaml "gopkg.in/yaml.v1"
+	"gopkg.in/yaml.v1"
 
 	"github.com/ory/fosite"
 	foauth2 "github.com/ory/fosite/handler/oauth2"
@@ -60,6 +60,7 @@ type Config struct {
 	BackendBindPort                  int     `mapstructure:"ADMIN_PORT" yaml:"-"`
 	BackendBindHost                  string  `mapstructure:"ADMIN_HOST" yaml:"-"`
 	Issuer                           string  `mapstructure:"OAUTH2_ISSUER_URL" yaml:"-"`
+	ClientRegistrationURL            string  `mapstructure:"OAUTH2_CLIENT_REGISTRATION_URL" yaml:"-"`
 	SystemSecret                     string  `mapstructure:"SYSTEM_SECRET" yaml:"-"`
 	RotatedSystemSecret              string  `mapstructure:"ROTATED_SYSTEM_SECRET" yaml:"-"`
 	DatabaseURL                      string  `mapstructure:"DATABASE_URL" yaml:"-"`

diff --git a/go.mod b/go.mod
@@ -31,7 +31,7 @@ require (
 	github.com/pkg/errors v0.8.0
 	github.com/prometheus/client_golang v0.8.0
 	github.com/rs/cors v1.6.0
-	github.com/rubenv/sql-migrate v0.0.0-20180704111356-3f452fc0ebeb
+	github.com/rubenv/sql-migrate v0.0.0-20180704111356-ba2c6a7295c59448dbc195cef2f41df5163b3892
 	github.com/sirupsen/logrus v1.1.1
 	github.com/spf13/cobra v0.0.3
 	github.com/spf13/viper v1.2.1

diff --git a/go.sum b/go.sum
@@ -198,6 +198,8 @@ github.com/rubenv/sql-migrate v0.0.0-20170824124545-79fe99e24311 h1:zM8ImA1q87UL
 github.com/rubenv/sql-migrate v0.0.0-20170824124545-79fe99e24311/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY=
 github.com/rubenv/sql-migrate v0.0.0-20180704111356-3f452fc0ebeb h1:lAOy8O8yKU3unXE92z9pfE7ylDwXr3202BLskpOaUcA=
 github.com/rubenv/sql-migrate v0.0.0-20180704111356-3f452fc0ebeb/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY=
+github.com/rubenv/sql-migrate v0.0.0-20180704111356-ba2c6a7295c59448dbc195cef2f41df5163b3892 h1:dKonk0uAnxXkHVWh5vGV3rD3NKkLvuhhJN4zpicBc/M=
+github.com/rubenv/sql-migrate v0.0.0-20180704111356-ba2c6a7295c59448dbc195cef2f41df5163b3892/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY=
 github.com/segmentio/analytics-go v3.0.1+incompatible h1:W7T3ieNQjPFMb+SE8SAVYo6mPkKK/Y37wYdiNf5lCVg=
 github.com/segmentio/analytics-go v3.0.1+incompatible/go.mod h1:C7CYBtQWk4vRk2RyLu0qOcbHJ18E3F1HV2C/8JvKN48=
 github.com/segmentio/backo-go v0.0.0-20160424052352-204274ad699c h1:rsRTAcCR5CeNLkvgBVSjQoDGRRt6kggsE6XYBqCv2KQ=

diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -75,7 +75,7 @@ type WellKnown struct {
 	AuthURL string `json:"authorization_endpoint"`
 
 	// URL of the OP's Dynamic Client Registration Endpoint.
-	RegistrationEndpoint string `json:"registration_endpoint"`
+	RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
 
 	// URL of the OP's OAuth 2.0 Token Endpoint
 	//
@@ -219,7 +219,7 @@ func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request) {
 		AuthURL:                           strings.TrimRight(h.IssuerURL, "/") + AuthPath,
 		TokenURL:                          strings.TrimRight(h.IssuerURL, "/") + TokenPath,
 		JWKsURI:                           strings.TrimRight(h.IssuerURL, "/") + JWKPath,
-		RegistrationEndpoint:              strings.TrimRight(h.IssuerURL, "/") + client.ClientsHandlerPath,
+		RegistrationEndpoint:              h.ClientRegistrationURL,
 		SubjectTypes:                      subjectTypes,
 		ResponseTypes:                     []string{"code", "code id_token", "id_token", "token id_token", "token", "token id_token code"},
 		ClaimsSupported:                   claimsSupported,

diff --git a/oauth2/handler_struct.go b/oauth2/handler_struct.go
@@ -57,7 +57,8 @@ type Handler struct {
 	ScopeStrategy    fosite.ScopeStrategy
 	AudienceStrategy fosite.AudienceMatchingStrategy
 
-	IssuerURL string
+	IssuerURL             string
+	ClientRegistrationURL string
 
 	ClaimsSupported  string
 	ScopesSupported  string

diff --git a/oauth2/handler_test.go b/oauth2/handler_test.go
@@ -40,7 +40,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	jose "gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
@@ -357,10 +357,11 @@ func TestUserinfo(t *testing.T) {
 
 func TestHandlerWellKnown(t *testing.T) {
 	h := &oauth2.Handler{
-		H:             herodot.NewJSONWriter(nil),
-		ScopeStrategy: fosite.HierarchicScopeStrategy,
-		IssuerURL:     "http://hydra.localhost",
-		SubjectTypes:  []string{"pairwise", "public"},
+		H:                     herodot.NewJSONWriter(nil),
+		ScopeStrategy:         fosite.HierarchicScopeStrategy,
+		IssuerURL:             "http://hydra.localhost",
+		SubjectTypes:          []string{"pairwise", "public"},
+		ClientRegistrationURL: "http://client-register/registration",
 	}
 
 	AuthPathT := "/oauth2/auth"
@@ -382,7 +383,7 @@ func TestHandlerWellKnown(t *testing.T) {
 		AuthURL:                           strings.TrimRight(h.IssuerURL, "/") + AuthPathT,
 		TokenURL:                          strings.TrimRight(h.IssuerURL, "/") + TokenPathT,
 		JWKsURI:                           strings.TrimRight(h.IssuerURL, "/") + JWKPathT,
-		RegistrationEndpoint:              strings.TrimRight(h.IssuerURL, "/") + client.ClientsHandlerPath,
+		RegistrationEndpoint:              h.ClientRegistrationURL,
 		SubjectTypes:                      []string{"pairwise", "public"},
 		ResponseTypes:                     []string{"code", "code id_token", "id_token", "token id_token", "token", "token id_token code"},
 		ClaimsSupported:                   []string{"sub"},

diff --git a/sdk/go/hydra/sdk.go b/sdk/go/hydra/sdk.go
@@ -43,7 +43,7 @@ type CodeGenSDK struct {
 
 // Configuration configures the CodeGenSDK.
 type Configuration struct {
-	// AdminURL should point to the administrative URL of ORY Hydra, for example: http://localhost:4445
+	// ClientRegistrationPath should point to the administrative URL of ORY Hydra, for example: http://localhost:4445
 	AdminURL string
 
 	// PublicURL should point to the public url of ORY Hydra, for example: http://localhost:4444