更新依赖项,优化 OAuth2 服务,添加 PKCE 支持,增强 OIDC 处理器,新增客户端注册和令牌管理端点,改进数据库模型以支持新功能。
This commit is contained in:
@@ -23,28 +23,34 @@ type OIDCHandler struct {
|
||||
}
|
||||
|
||||
type OIDCConfig struct {
|
||||
Issuer string `json:"issuer"`
|
||||
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
||||
TokenEndpoint string `json:"token_endpoint"`
|
||||
UserinfoEndpoint string `json:"userinfo_endpoint"`
|
||||
JwksURI string `json:"jwks_uri"`
|
||||
ResponseTypesSupported []string `json:"response_types_supported"`
|
||||
SubjectTypesSupported []string `json:"subject_types_supported"`
|
||||
ScopesSupported []string `json:"scopes_supported"`
|
||||
ClaimsSupported []string `json:"claims_supported"`
|
||||
Issuer string `json:"issuer"`
|
||||
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
||||
TokenEndpoint string `json:"token_endpoint"`
|
||||
UserinfoEndpoint string `json:"userinfo_endpoint"`
|
||||
JwksURI string `json:"jwks_uri"`
|
||||
ResponseTypesSupported []string `json:"response_types_supported"`
|
||||
SubjectTypesSupported []string `json:"subject_types_supported"`
|
||||
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
|
||||
ScopesSupported []string `json:"scopes_supported"`
|
||||
ClaimsSupported []string `json:"claims_supported"`
|
||||
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
|
||||
TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
|
||||
}
|
||||
|
||||
func NewOIDCHandler(issuerURL string, oauthService *services.OAuthService, authService *services.AuthService) *OIDCHandler {
|
||||
config := &OIDCConfig{
|
||||
Issuer: issuerURL,
|
||||
AuthorizationEndpoint: issuerURL + "/authorize",
|
||||
TokenEndpoint: issuerURL + "/token",
|
||||
UserinfoEndpoint: issuerURL + "/userinfo",
|
||||
JwksURI: issuerURL + "/jwks",
|
||||
ResponseTypesSupported: []string{"code"},
|
||||
SubjectTypesSupported: []string{"public"},
|
||||
ScopesSupported: []string{"openid", "profile", "email"},
|
||||
ClaimsSupported: []string{"sub", "name", "email", "email_verified"},
|
||||
Issuer: issuerURL,
|
||||
AuthorizationEndpoint: issuerURL + "/authorize",
|
||||
TokenEndpoint: issuerURL + "/token",
|
||||
UserinfoEndpoint: issuerURL + "/userinfo",
|
||||
JwksURI: issuerURL + "/jwks",
|
||||
ResponseTypesSupported: []string{"code"},
|
||||
SubjectTypesSupported: []string{"public"},
|
||||
IDTokenSigningAlgValuesSupported: []string{"RS256"},
|
||||
ScopesSupported: []string{"openid", "profile", "email"},
|
||||
ClaimsSupported: []string{"sub", "iss", "aud", "exp", "iat", "auth_time", "nonce", "acr", "name", "email", "email_verified"},
|
||||
CodeChallengeMethodsSupported: []string{"plain", "S256"},
|
||||
TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
|
||||
}
|
||||
|
||||
return &OIDCHandler{
|
||||
@@ -166,6 +172,10 @@ func (h *OIDCHandler) Userinfo(c *gin.Context) {
|
||||
|
||||
// JWKS handles /jwks endpoint
|
||||
func (h *OIDCHandler) JWKS(c *gin.Context) {
|
||||
// TODO: 实现 JWKS 密钥集获取逻辑
|
||||
c.JSON(http.StatusNotImplemented, gin.H{"message": "Not implemented yet"})
|
||||
jwks, err := h.oauthService.GetJWKS()
|
||||
if err != nil {
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get JWKS"})
|
||||
return
|
||||
}
|
||||
c.JSON(http.StatusOK, jwks)
|
||||
}
|
||||
|
||||
77
handlers/registration.go
Normal file
77
handlers/registration.go
Normal file
@@ -0,0 +1,77 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"oidc-oauth2-server/services"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
type RegistrationHandler struct {
|
||||
clientService *services.ClientService
|
||||
}
|
||||
|
||||
func NewRegistrationHandler(clientService *services.ClientService) *RegistrationHandler {
|
||||
return &RegistrationHandler{
|
||||
clientService: clientService,
|
||||
}
|
||||
}
|
||||
|
||||
// Register 处理动态客户端注册
|
||||
func (h *RegistrationHandler) Register(c *gin.Context) {
|
||||
var req services.ClientRegistrationRequest
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request", "error_description": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
client, err := h.clientService.RegisterClient(&req)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request", "error_description": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusCreated, client)
|
||||
}
|
||||
|
||||
// GetClient 获取客户端信息
|
||||
func (h *RegistrationHandler) GetClient(c *gin.Context) {
|
||||
clientID := c.Param("client_id")
|
||||
client, err := h.clientService.GetClient(clientID)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusNotFound, gin.H{"error": "not_found"})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, client)
|
||||
}
|
||||
|
||||
// UpdateClient 更新客户端信息
|
||||
func (h *RegistrationHandler) UpdateClient(c *gin.Context) {
|
||||
clientID := c.Param("client_id")
|
||||
var req services.ClientRegistrationRequest
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request"})
|
||||
return
|
||||
}
|
||||
|
||||
client, err := h.clientService.UpdateClient(clientID, &req)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request"})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, client)
|
||||
}
|
||||
|
||||
// DeleteClient 删除客户端
|
||||
func (h *RegistrationHandler) DeleteClient(c *gin.Context) {
|
||||
clientID := c.Param("client_id")
|
||||
if err := h.clientService.DeleteClient(clientID); err != nil {
|
||||
c.JSON(http.StatusNotFound, gin.H{"error": "not_found"})
|
||||
return
|
||||
}
|
||||
|
||||
c.Status(http.StatusNoContent)
|
||||
}
|
||||
46
handlers/token.go
Normal file
46
handlers/token.go
Normal file
@@ -0,0 +1,46 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"oidc-oauth2-server/services"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
type TokenHandler struct {
|
||||
tokenService *services.TokenService
|
||||
}
|
||||
|
||||
func NewTokenHandler(tokenService *services.TokenService) *TokenHandler {
|
||||
return &TokenHandler{
|
||||
tokenService: tokenService,
|
||||
}
|
||||
}
|
||||
|
||||
// Revoke 处理令牌撤销请求
|
||||
func (h *TokenHandler) Revoke(c *gin.Context) {
|
||||
token := c.PostForm("token")
|
||||
tokenTypeHint := c.PostForm("token_type_hint")
|
||||
|
||||
if err := h.tokenService.RevokeToken(token, tokenTypeHint); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request"})
|
||||
return
|
||||
}
|
||||
|
||||
c.Status(http.StatusOK)
|
||||
}
|
||||
|
||||
// Introspect 处理令牌自省请求
|
||||
func (h *TokenHandler) Introspect(c *gin.Context) {
|
||||
token := c.PostForm("token")
|
||||
tokenTypeHint := c.PostForm("token_type_hint")
|
||||
|
||||
result, err := h.tokenService.IntrospectToken(token, tokenTypeHint)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid_request"})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, result)
|
||||
}
|
||||
Reference in New Issue
Block a user