OIDC Conformance Fixes (#211)

unikorn-cloud · Feb 26, 2025 · 71886c2 · 71886c2
1 parent 13508cc
commit 71886c2
Show file tree

Hide file tree

Showing 6 changed files with 244 additions and 217 deletions.
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.58-rc7
-appVersion: v0.2.58-rc7
+version: v0.2.58-rc8
+appVersion: v0.2.58-rc8
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 	"slices"
+	"strings"
 
 	"github.com/unikorn-cloud/core/pkg/server/errors"
 	"github.com/unikorn-cloud/core/pkg/server/util"
@@ -178,6 +179,31 @@ func (h *Handler) GetOauth2V2Userinfo(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) PostOauth2V2Userinfo(w http.ResponseWriter, r *http.Request) {
+	if header := r.Header.Get("Authorization"); header != "" {
+		parts := strings.Split(header, " ")
+
+		if len(parts) != 2 {
+			errors.HandleError(w, r, errors.OAuth2InvalidRequest("authorization header malformed"))
+			return
+		}
+
+		if !strings.EqualFold(parts[0], "bearer") {
+			errors.HandleError(w, r, errors.OAuth2InvalidRequest("authorization scheme not allowed"))
+			return
+		}
+
+		userinfo, _, err := h.oauth2.GetUserinfo(r.Context(), r, parts[1])
+		if err != nil {
+			errors.HandleError(w, r, errors.OAuth2AccessDenied("access token is invalid").WithError(err))
+			return
+		}
+
+		h.setUncacheable(w)
+		util.WriteJSONResponse(w, r, http.StatusOK, userinfo)
+
+		return
+	}
+
 	if err := r.ParseForm(); err != nil {
 		errors.HandleError(w, r, errors.OAuth2InvalidRequest("unable to parse form data").WithError(err))
 		return

diff --git a/pkg/oauth2/oauth2.go b/pkg/oauth2/oauth2.go
@@ -148,6 +148,7 @@ const (
 	ErrorServerError             Error = "server_error"
 	ErrorLoginRequired           Error = "login_required"
 	ErrorRequestNotSupported     Error = "request_not_supported"
+	ErrorInteractionRequired     Error = "interaction_required"
 )
 
 // State records state across the call to the authorization server.
@@ -389,6 +390,9 @@ func authorizationValidateRedirecting(w http.ResponseWriter, r *http.Request, qu
 	var description string
 
 	switch {
+	case query.Get("prompt") == "none":
+		kind = ErrorInteractionRequired
+		description = "prompt=none is not supported"
 	case query.Has("request"):
 		kind = ErrorRequestNotSupported
 		description = "request object by value not supported"