From d8d07b7dbdff7b7b2222c5cc778946a5a4663959 Mon Sep 17 00:00:00 2001
From: d42 <d42@users.noreply.github.com>
Date: Tue, 25 Feb 2020 02:32:35 +0100
Subject: [PATCH] openid-configuration

---
 website/config.py | 26 ++++++++++++++++++++++++++
 website/models.py |  9 ++-------
 website/routes.py | 15 ++++++++++-----
 3 files changed, 38 insertions(+), 12 deletions(-)
 create mode 100644 website/config.py

diff --git a/website/config.py b/website/config.py
new file mode 100644
index 0000000..2784ec3
--- /dev/null
+++ b/website/config.py
@@ -0,0 +1,26 @@
+def read_private_key_file(path):
+    with open(path) as f:
+        return f.read()
+
+ISSUER_URL = 'https://arkhack.org'
+JWT_CONFIG = {
+    'key': read_private_key_file('private.pem'),
+    'alg': 'RS512',
+    'iss': ISSUER_URL,
+    'exp': 3600
+}
+
+SCOPES_SUPPORTED = [
+    "profile:read",
+    "profile:write",
+    "password:write",
+    "users:read",
+    "openid",
+]
+
+RESPONSE_TYPES_SUPPORTED = [
+    "code",
+    "code id_token",
+    "id_token",
+    "token id_token",
+]
diff --git a/website/models.py b/website/models.py
index fc49465..fc4d78b 100644
--- a/website/models.py
+++ b/website/models.py
@@ -1,6 +1,7 @@
 from datetime import datetime
 
 from flask_sqlalchemy import SQLAlchemy
+from .config import SCOPES_SUPPORTED
 
 
 db = SQLAlchemy()
@@ -54,13 +55,7 @@ class Client(db.Model):
         return redirect_uri in self.redirect_uris
 
     def check_requested_scopes(self, scopes):
-        return {
-            "profile:read",
-            "profile:write",
-            "password:write",
-            "users:read",
-            "openid",
-        }.issuperset(scopes)
+        set(SCOPES_SUPPORTED).issuperset(scopes)
 
     def check_token_endpoint_auth_method(self, method):
         allowed = ['client_secret_post', 'client_secret_basic']
diff --git a/website/routes.py b/website/routes.py
index 6e6caa6..5ebc2a5 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -2,6 +2,7 @@ from authlib.oauth2 import OAuth2Error
 from flask import Blueprint, render_template, jsonify, request, flash, redirect, current_app
 from flask_login import login_required, current_user, login_user, logout_user
 
+from .config import SCOPES_SUPPORTED, RESPONSE_TYPES_SUPPORTED, ISSUER_URL
 from .forms import LoginForm
 from .ldap import LDAPUser, check_credentials
 from .oauth2 import authorization, require_oauth
@@ -124,10 +125,14 @@ def oauth_token_revoke():
 
 @bp.route("/.well-known/openid-configuration")
 def oidc_configuration():
-    issuer = current_app.config['ISSUER_URL']
     return jsonify({
-        "issuer": issuer,
-        "authorization_endpoint": issuer + "/oauth/authorize",
-        "token_endpoint": issuer + "/oauth/token",
-        "userinfo_endpoint": issuer + "/api/1/userinfo",
+        "issuer": ISSUER_URL,
+        "authorization_endpoint": f"{ISSUER_URL}/oauth/authorize",
+        "token_endpoint": f"{ISSUER_URL}/oauth/token",
+        "userinfo_endpoint": f"{ISSUER_URL}/api/1/userinfo",
+        "jwks_uri": f"{ISSUER_URL}/jwks.json",
+        "scopes_supported": SCOPES_SUPPORTED,  # recommended
+        "response_types_supported": RESPONSE_TYPES_SUPPORTED,
+        "subject_types_supported": ["pairwise"],
+        "id_token_signing_alg_values_supported": ["RS256", "none"],
     })