Commit ae6a630

mo khan <mo@mokhan.ca>
2025-03-11 22:25:32
refactor: extract oauth controller
1 parent 5ad8108
Changed files (1)
bin
bin/idp
@@ -257,7 +257,7 @@ module Authz
   end
 end
 
-class IdentityProvider
+class OAuthController
   include ::HTTPHelpers
 
   def call(env)
@@ -265,22 +265,16 @@ class IdentityProvider
     case env['REQUEST_METHOD']
     when 'GET'
       case path
-      when '/.well-known/openid-configuration'
-        return openid_metadata
-      when '/.well-known/oauth-authorization-server'
-        return oauth_metadata
-      when '/.well-known/webfinger' # RFC-7033
-        return http_not_found
-      when "/oauth/authorize" # RFC-6749
+      when "/authorize" # RFC-6749
         return get_authorize(Rack::Request.new(env))
       else
         return http_not_found
       end
     when 'POST'
       case path
-      when "/oauth/authorize" # RFC-6749
+      when "/authorize" # RFC-6749
         return post_authorize(Rack::Request.new(env))
-      when "/oauth/token" # RFC-6749
+      when "/token" # RFC-6749
         return [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({
           access_token: ::Authz::JWT.new(sub: SecureRandom.uuid, iat: Time.now.to_i).to_jwt,
           token_type: "Bearer",
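Review bot: The `"/token"` branch mints a bearer JWT for any POST without reading anything from the request — no `grant_type`, no authorization code, no client authentication — so under the new `/oauth` mount every unauthenticated POST to `/oauth/token` receives a valid access token. Before building the response, parse the form body and reject the request unless `grant_type` is one the server actually supports and the presented code (or client credentials) checks out, returning an RFC 6749 §5.2 error such as `[400, { 'Content-Type' => "application/json" }, [JSON.generate(error: "invalid_grant")]]` otherwise. The `sub: SecureRandom.uuid` claim also means the token is not tied to the user who completed `post_authorize`; presumably the subject should come from the authenticated session or the code exchange. The `[200, ...` statement that starts here runs past the end of the hunk.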
@@ -297,36 +291,6 @@ class IdentityProvider
     http_not_found
   end
 
-  private
-
-  # GET /.well-known/oauth-authorization-server
-  def oauth_metadata
-    [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({
-      issuer: "#{$scheme}://#{$host}/.well-known/oauth-authorization-server",
-      authorization_endpoint: "#{$scheme}://#{$host}/oauth/authorize",
-      token_endpoint: "#{$scheme}://#{$host}/oauth/token",
-      jwks_uri: "", # RFC-7517
-      registration_endpoint: "", # RFC-7591
-      scopes_supported: ["openid", "profile", "email"],
-      response_types_supported: ["code", "code id_token", "id_token", "token id_token"],
-      response_modes_supported: ["query", "fragment", "form_post"],
-      grant_types_supported: ["authorization_code", "implicit"], # RFC-7591
-      token_endpoint_auth_methods_supported: ["client_secret_basic"], # RFC-7591
-      token_endpoint_auth_signing_alg_values_supported: ["RS256"],
-      service_documentation: "",
-      ui_locales_supported: ["en-US"],
-      op_policy_uri: "",
-      op_tos_uri: "",
-      revocation_endpoint: "#{$scheme}://#{$host}/oauth/revoke", # RFC-7009
-      revocation_endpoint_auth_methods_supported: ["client_secret_basic"],
-      revocation_endpoint_auth_signing_alg_values_supported: ["RS256"],
-      introspection_endpoint: "#{$scheme}://#{$host}/oauth/introspect", # RFC-7662
-      introspection_endpoint_auth_methods_supported: ["client_secret_basic"],
-      introspection_endpoint_auth_signing_alg_values_supported: ["RS256"],
-      code_challenge_methods_supported: [], # RFC-7636
-    })]]
-  end
-
   def get_authorize(request)
     template = <<~ERB
       <!doctype html>
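Review bot: The `private` section marker removed at the top of this hunk is not restored anywhere in OAuthController, so `get_authorize(request)` and every method that follows it are now public methods on the Rack app, whereas they were private before the refactor. Re-add the marker above the definition, `private` on a line of its own before `def get_authorize(request)`, so the class exposes only `call`. The class body continues beyond the end of the hunk.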
@@ -371,6 +335,58 @@ class IdentityProvider
       return http_not_found
     end
   end
+end
+
+class IdentityProvider
+  include ::HTTPHelpers
+
+  def call(env)
+    path = env['PATH_INFO']
+    case env['REQUEST_METHOD']
+    when 'GET'
+      case path
+      when '/.well-known/openid-configuration'
+        return openid_metadata
+      when '/.well-known/oauth-authorization-server'
+        return oauth_metadata
+      when '/.well-known/webfinger' # RFC-7033
+        return http_not_found
+      else
+        return http_not_found
+      end
+    end
+    http_not_found
+  end
+
+  private
+
+  # GET /.well-known/oauth-authorization-server
+  def oauth_metadata
+    [200, { 'Content-Type' => "application/json" }, [JSON.pretty_generate({
+      issuer: "#{$scheme}://#{$host}/.well-known/oauth-authorization-server",
+      authorization_endpoint: "#{$scheme}://#{$host}/oauth/authorize",
+      token_endpoint: "#{$scheme}://#{$host}/oauth/token",
+      jwks_uri: "", # RFC-7517
+      registration_endpoint: "", # RFC-7591
+      scopes_supported: ["openid", "profile", "email"],
+      response_types_supported: ["code", "code id_token", "id_token", "token id_token"],
+      response_modes_supported: ["query", "fragment", "form_post"],
+      grant_types_supported: ["authorization_code", "implicit"], # RFC-7591
+      token_endpoint_auth_methods_supported: ["client_secret_basic"], # RFC-7591
+      token_endpoint_auth_signing_alg_values_supported: ["RS256"],
+      service_documentation: "",
+      ui_locales_supported: ["en-US"],
+      op_policy_uri: "",
+      op_tos_uri: "",
+      revocation_endpoint: "#{$scheme}://#{$host}/oauth/revoke", # RFC-7009
+      revocation_endpoint_auth_methods_supported: ["client_secret_basic"],
+      revocation_endpoint_auth_signing_alg_values_supported: ["RS256"],
+      introspection_endpoint: "#{$scheme}://#{$host}/oauth/introspect", # RFC-7662
+      introspection_endpoint_auth_methods_supported: ["client_secret_basic"],
+      introspection_endpoint_auth_signing_alg_values_supported: ["RS256"],
+      code_challenge_methods_supported: [], # RFC-7636
+    })]]
+  end
 
   # GET /.well-known/openid-configuration
   def openid_metadata
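Review bot: `oauth_metadata` advertises `revocation_endpoint` and `introspection_endpoint` under `/oauth/revoke` and `/oauth/introspect`, but the OAuthController routes shown in the hunk above handle only `/authorize` and `/token`, so clients following this document will get 404s; either implement those routes or drop the keys (and the corresponding `_auth_methods_supported` / `_signing_alg_values_supported` entries). The `issuer` value is also set to the metadata document's own URL, whereas RFC 8414 / OIDC Discovery expect the base identifier `"#{$scheme}://#{$host}"` from which the well-known path is derived, so `issuer: "#{$scheme}://#{$host}",` is the likely intent. In `call`, the `when '/.well-known/webfinger'` branch returns exactly what the `else` branch returns; keep it only if a `# RFC-7033 not implemented` comment is the point, otherwise delete it.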
@@ -435,7 +451,10 @@ if __FILE__ == $0
     use Rack::Reloader
     map "/twirp" do
       # https://github.com/arthurnn/twirp-ruby/wiki/Service-Handlers
-      run ::Authz::Rpc::AbilityService.new(::Authz::Rpc::AbilityHandler.new)
+      run ::Authx::Rpc::AbilityService.new(::Authz::Rpc::AbilityHandler.new)
+    end
+    map "/oauth" do
+      run OAuthController.new
     end
 
     map "/saml" do
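Review bot: The rewritten twirp line references `::Authx::Rpc::AbilityService` while the handler on the same line is still `::Authz::Rpc::AbilityHandler`; the only namespace visible in this file is `module Authz` (hunk header at line 257), so unless an `Authx` module exists elsewhere this will raise `NameError` when the Rack builder evaluates the `map "/twirp"` block. This looks like a typo introduced alongside the unrelated `/oauth` mount; it should read `run ::Authz::Rpc::AbilityService.new(::Authz::Rpc::AbilityHandler.new)`. The `map "/oauth"` block itself is consistent with the `/authorize` and `/token` paths OAuthController now matches, since Rack strips the mount prefix from `PATH_INFO`.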