Expose OIDC provider server metadata in Provider #172
Merged
jimlambrt merged 4 commits into hashicorp:main, Dec 4, 2025
Conversation
jimlambrt
requested changes
Dec 1, 2025
oidc/provider.go (Outdated)
| return p, nil | ||
| } | ||
|
|
||
| // Claims unmarshals raw fields returned by the server during discovery. |
Collaborator
Suggested change
| // Claims unmarshals raw fields returned by the server during discovery. | |
| // Claims unmarshals raw fields returned by the provider during discovery. | |
| // | |
| // For a list of fields defined by the OpenID Connect spec see: | |
| // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata | |
| // see also: https://datatracker.ietf.org/doc/html/rfc8414 | |
| // | |
| // This list of fields may include 'authorization_response_iss_parameter_supported' | |
| // which can be used to prevent mix-up attacks. | |
| // https://datatracker.ietf.org/doc/html/rfc9207#section-3 |
| @@ -929,6 +930,12 @@ func (p *TestProvider) UserInfoReply() map[string]interface{} { | |||
| return p.replyUserinfo | |||
| } | |||
|
|
|||
Collaborator
can you add a godoc here?
Contributor (Author)
Thanks @jimlambrt! Godocs have been added & updated, ready for another pass
This exposes the OIDC Provider auth server metadata that is returned during service discovery, and exposed by go-oidc, and adds a way to supply it during testing. This allows OP metadata to be accessed on the provider object once it's been discovered, instead of making an additional request to the same endpoint, or having to have explicit support.
Hi! I'm an engineer on Nomad and I'm hoping to add some support for RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification), which involves two steps during the OIDC Complete Authorization step of the login flow:
1. `authorization_response_iss_parameter_supported` of the OP auth server metadata (returned in the `.well-known/openid-configuration` endpoint)
2. `iss` param value in the Auth Response is present & matches based on OP support

Currently there isn't a way to check the auth server metadata via the cap/oidc library for an unsupported configuration value. Once we have a way to access the metadata, we can determine if we should manually check the `iss` param in the auth response. The `authorization_response_iss_parameter_supported` isn't required to be set, so the approach I took was to supply a way to get the configuration value out; I'm happy to discuss any other thoughts about the best way to approach. I'm hoping this will help any other users of the library support the same functionality.

The approach is to expose the same `Claims()` function on the Provider as defined in go-oidc, as a new function with a unit test.

The test provider has been updated to be able to supply additional server metadata that gets merged and returned in the `openidConfiguration` path. (The test was implemented with an arbitrary config value, but I can update it to something realistic)

PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
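The RFC 9207 check the description outlines, as an added example that is not part of this PR or of cap/oidc: it decodes a constructed discovery document through a `Claims`-style accessor and then validates the `iss` parameter of an authorization response against the discovered issuer. `ServerMetadata`, `VerifyIssuer` and the sample document are assumptions for illustration, and `Claims` here takes raw JSON rather than being a method on the library's Provider.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// sampleDiscovery is a constructed discovery document, not a real provider's output.
const sampleDiscovery = `{
  "issuer": "https://op.example.test",
  "authorization_response_iss_parameter_supported": true
}`

// ServerMetadata is the subset of OP metadata needed for the RFC 9207 check (assumed type).
type ServerMetadata struct {
	Issuer                                     string `json:"issuer"`
	AuthorizationResponseIssParameterSupported bool   `json:"authorization_response_iss_parameter_supported"`
}

// Claims mirrors the go-oidc accessor shape: unmarshal raw discovery JSON into v.
func Claims(rawDiscovery []byte, v interface{}) error {
	return json.Unmarshal(rawDiscovery, v)
}

// VerifyIssuer applies RFC 9207 section 2.4 to an authorization response's query: a
// present iss must equal the discovered issuer, and when the OP advertises support iss is required.
func VerifyIssuer(meta ServerMetadata, responseQuery url.Values) error {
	iss := responseQuery.Get("iss")
	if iss == "" {
		if meta.AuthorizationResponseIssParameterSupported {
			return errors.New("authorization response missing required iss parameter")
		}
		return nil // OP does not advertise support, so there is nothing to compare
	}
	if iss != meta.Issuer {
		return fmt.Errorf("iss %q does not match expected issuer %q", iss, meta.Issuer)
	}
	return nil
}

func main() {
	var meta ServerMetadata
	if err := Claims([]byte(sampleDiscovery), &meta); err != nil {
		panic(err)
	}
	q, _ := url.ParseQuery("code=c0de&state=xyz&iss=https%3A%2F%2Fop.example.test")
	fmt.Println("valid response:", VerifyIssuer(meta, q))
}
```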