更新依赖项，优化 OAuth2 服务，添加 PKCE 支持，增强 OIDC 处理器，新增客户端注册和令牌管理端点，改进数据库模型以支持新功能。

2025-04-17 01:25:46 +08:00
parent 0368547137
commit a3f3cc17cf
13 changed files with 738 additions and 70 deletions
--- a/handlers/oidc.go
+++ b/handlers/oidc.go
@@ -23,28 +23,34 @@ type OIDCHandler struct {
 }

 type OIDCConfig struct {
-	Issuer                 string   `json:"issuer"`
-	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
-	TokenEndpoint          string   `json:"token_endpoint"`
-	UserinfoEndpoint       string   `json:"userinfo_endpoint"`
-	JwksURI                string   `json:"jwks_uri"`
-	ResponseTypesSupported []string `json:"response_types_supported"`
-	SubjectTypesSupported  []string `json:"subject_types_supported"`
-	ScopesSupported        []string `json:"scopes_supported"`
-	ClaimsSupported        []string `json:"claims_supported"`
+	Issuer                            string   `json:"issuer"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	TokenEndpoint                     string   `json:"token_endpoint"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	JwksURI                           string   `json:"jwks_uri"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	ScopesSupported                   []string `json:"scopes_supported"`
+	ClaimsSupported                   []string `json:"claims_supported"`
+	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
 }

 func NewOIDCHandler(issuerURL string, oauthService *services.OAuthService, authService *services.AuthService) *OIDCHandler {
 	config := &OIDCConfig{
-		Issuer:                 issuerURL,
-		AuthorizationEndpoint:  issuerURL + "/authorize",
-		TokenEndpoint:          issuerURL + "/token",
-		UserinfoEndpoint:       issuerURL + "/userinfo",
-		JwksURI:                issuerURL + "/jwks",
-		ResponseTypesSupported: []string{"code"},
-		SubjectTypesSupported:  []string{"public"},
-		ScopesSupported:        []string{"openid", "profile", "email"},
-		ClaimsSupported:        []string{"sub", "name", "email", "email_verified"},
+		Issuer:                            issuerURL,
+		AuthorizationEndpoint:             issuerURL + "/authorize",
+		TokenEndpoint:                     issuerURL + "/token",
+		UserinfoEndpoint:                  issuerURL + "/userinfo",
+		JwksURI:                           issuerURL + "/jwks",
+		ResponseTypesSupported:            []string{"code"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "profile", "email"},
+		ClaimsSupported:                   []string{"sub", "iss", "aud", "exp", "iat", "auth_time", "nonce", "acr", "name", "email", "email_verified"},
+		CodeChallengeMethodsSupported:     []string{"plain", "S256"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 	}

 	return &OIDCHandler{
@@ -166,6 +172,10 @@ func (h *OIDCHandler) Userinfo(c *gin.Context) {

 // JWKS handles /jwks endpoint
 func (h *OIDCHandler) JWKS(c *gin.Context) {
-	// TODO: 实现 JWKS 密钥集获取逻辑
-	c.JSON(http.StatusNotImplemented, gin.H{"message": "Not implemented yet"})
+	jwks, err := h.oauthService.GetJWKS()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to get JWKS"})
+		return
+	}
+	c.JSON(http.StatusOK, jwks)
 }