zitadel / oidc

Easy to use OpenID Connect client and server library written for Go and certified by the OpenID Foundation
https://zitadel.com
Apache License 2.0

Access to auto discovery configuration #506

Open jkroepke opened 10 months ago

jkroepke commented 10 months ago

Describe your problem

Hi,

I'm using rp.NewRelyingPartyOIDC, which does an auto-discovery by default. I'm missing a method to access the auto-discovery result, and I would like to avoid calling the endpoint twice.

A goal is to detect if PKCE is supported by the provider and, if yes, enable it. Another goal is a check whether the currently configured scopes are present in the scopes_supported array.

Describe your ideal solution

Having a receiver function which allows access to the discoveryConfiguration.

https://github.com/zitadel/oidc/blob/dce79a73fb3db57e90b60e0ff409ae8bd8fb496e/pkg/client/rp/relying_party.go#L213

Version

3.8.1

Environment

Self-hosted

Additional Context

No response

hifabienne commented 10 months ago

hei @livio-a @muhlemmer what do you think about this?

muhlemmer commented 10 months ago

With the proposed solution there would still be 2 discovery calls, as WithPKCE is an Option and discovery is always done while constructing the RP. If you were able to extract the obtained discovery response and enable PKCE afterwards, you would need to rebuild the RP anyway.

Instead, I would propose an Option that enables PKCE if supported. For example:

```go
// WithPKCEFromDiscovery enables OAuth2 Code Challenge if support is found in the discovery response from the OP.
// Passing this option to an OAuth2-only RP will result in an error, as there is no discovery call.
func WithPKCEFromDiscovery(cookieHandler *httphelper.CookieHandler) Option
```

jkroepke commented 10 months ago

That makes sense. Good idea
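The two checks discussed in this thread (enable PKCE only when the OP advertises it, and compare the configured scopes against scopes_supported) as an added, self-contained Go example; this is not code from the zitadel/oidc project, and discoveryDoc, contains, checkDiscovery and the sample JSON are hypothetical names and constructed data, not the library's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// discoveryDoc mirrors the two discovery metadata fields these checks need (names per
// OIDC Discovery / RFC 8414); it is a hypothetical type, not the library's own.
type discoveryDoc struct {
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
	ScopesSupported               []string `json:"scopes_supported"`
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// checkDiscovery decodes a discovery response and reports whether the OP advertises the
// S256 code challenge method and which wanted scopes it does not list. Both fields are
// optional: no methods keeps PKCE off rather than guessed; no scopes_supported means
// "unknown", so nothing is flagged as missing.
func checkDiscovery(body []byte, wanted []string) (pkce bool, missing []string, err error) {
	var doc discoveryDoc
	if err = json.Unmarshal(body, &doc); err != nil {
		return false, nil, err
	}
	pkce = contains(doc.CodeChallengeMethodsSupported, "S256")
	if len(doc.ScopesSupported) == 0 {
		return pkce, nil, nil
	}
	for _, w := range wanted {
		if !contains(doc.ScopesSupported, w) {
			missing = append(missing, w)
		}
	}
	return pkce, missing, nil
}

// sampleDiscovery is a constructed response, not captured from a real OP.
const sampleDiscovery = `{"code_challenge_methods_supported":["S256"],"scopes_supported":["openid","profile","email"]}`
func main() {
	pkce, missing, err := checkDiscovery([]byte(sampleDiscovery), []string{"openid", "email", "groups"})
	fmt.Println("enable PKCE:", pkce, "unsupported scopes:", missing, "error:", err)
}
```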