Fetch upstream configuration

src/constants.rs

@@ -72,8 +72,11 @@ pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
 pub const WEBAUTHN_REGISTER_CHALLENGE_EXPIRE: u64 = 3600;
 pub const WEBAUTHN_LOGIN_CHALLENGE_EXPIRE: u64 = 3600;
 
-/// OpenID provider login constants
+/// OpenID providers login state constants
 pub const OIDC_STATES_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
 pub const MAX_OIDC_PROVIDERS_STATES: usize = 10;
 pub const OIDC_PROVIDERS_STATE_LEN: usize = 40;
 pub const OIDC_PROVIDERS_STATE_DURATION: u64 = 60 * 15;
+
+/// OpenID providers configuration constants
+pub const OIDC_PROVIDERS_LIFETIME: u64 = 3600;

src/controllers/providers_controller.rs

@@ -1,13 +1,16 @@
+use std::sync::Arc;
+
+use actix::Addr;
+use actix_web::{web, HttpResponse, Responder};
+
 use crate::actors::providers_states_actor;
 use crate::actors::providers_states_actor::{ProviderLoginState, ProvidersStatesActor};
 use crate::controllers::base_controller::build_fatal_error_page;
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{ProviderID, ProvidersManager};
+use crate::data::provider_configuration::ProviderConfigurationHelper;
 use crate::data::remote_ip::RemoteIP;
-use actix::Addr;
-use actix_web::{web, HttpResponse, Responder};
-use std::sync::Arc;
 
 #[derive(serde::Deserialize)]
 pub struct StartLoginQuery {
@@ -29,7 +32,7 @@ pub async fn start_login(
     let provider = match providers.find_by_id(&query.id) {
         None => {
             return HttpResponse::NotFound()
-                .body(build_fatal_error_page("Login provider not found!"))
+                .body(build_fatal_error_page("Login provider not found!"));
         }
         Some(p) => p,
     };
@@ -49,6 +52,19 @@ pub async fn start_login(
         state: &state.state_id,
     });
 
+    // Get provider configuration
+    let config = match ProviderConfigurationHelper::get_configuration(&provider).await {
+        Ok(c) => c,
+        Err(e) => {
+            log::error!("Failed to load provider configuration! {}", e);
+            return HttpResponse::InternalServerError().body(build_fatal_error_page(
+                "Failed to load provider configuration!",
+            ));
+        }
+    };
+
+    log::debug!("Provider configuration: {:?}", config);
+
     HttpResponse::Ok().body(state.state_id)
 
     // Redirect user

src/data/jwt_signer.rs

@@ -11,8 +11,10 @@ use base64::Engine as _;
 use crate::utils::err::Res;
 use crate::utils::string_utils::rand_str;
 
+const JWK_USE_SIGN: &str = "sig";
+
 /// Json Web Key <https://datatracker.ietf.org/doc/html/rfc7517>
-#[derive(serde::Serialize, serde::Deserialize)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct JsonWebKey {
     #[serde(rename = "alg")]
     algorithm: String,
@@ -24,6 +26,8 @@ pub struct JsonWebKey {
     modulus: String,
     #[serde(rename = "e")]
     public_exponent: String,
+    #[serde(rename = "use", skip_serializing_if = "Option::is_none")]
+    usage: Option<String>,
 }
 
 #[derive(Debug, Clone)]
@@ -44,6 +48,7 @@ impl JWTSigner {
             key_id: self.0.key_id().as_ref().unwrap().to_string(),
             public_exponent: BASE64_URL_URL_SAFE.encode(components.e),
             modulus: BASE64_URL_SAFE_NO_PAD.encode(components.n),
+            usage: Some(JWK_USE_SIGN.to_string()),
         }
     }
 

src/data/mod.rs

@@ -12,6 +12,7 @@ pub mod login_redirect;
 pub mod open_id_user_info;
 pub mod openid_config;
 pub mod provider;
+pub mod provider_configuration;
 pub mod remote_ip;
 pub mod session_identity;
 pub mod totp_key;

src/data/provider_configuration.rs

@@ -0,0 +1,75 @@
+use std::cell::RefCell;
+use std::collections::HashMap;
+
+use crate::constants::OIDC_PROVIDERS_LIFETIME;
+use crate::data::jwt_signer::JsonWebKey;
+use crate::data::provider::Provider;
+use crate::utils::err::Res;
+use crate::utils::time::time;
+
+#[derive(Debug, Clone, serde::Deserialize)]
+pub struct ProviderDiscovery {
+    pub issuer: String,
+    pub authorization_endpoint: String,
+    pub token_endpoint: String,
+    pub userinfo_endpoint: Option<String>,
+    pub jwks_uri: String,
+    pub claims_supported: Option<Vec<String>>,
+}
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct ProviderJWKs {
+    pub keys: Vec<JsonWebKey>,
+}
+
+/// Provider configuration
+#[derive(Debug, Clone)]
+pub struct ProviderConfiguration {
+    pub discovery: ProviderDiscovery,
+    pub keys: ProviderJWKs,
+    pub expire: u64,
+}
+
+thread_local! {
+    static THREAD_CACHE: RefCell<HashMap<String, ProviderConfiguration>> = RefCell::new(Default::default());
+}
+
+pub struct ProviderConfigurationHelper {}
+
+impl ProviderConfigurationHelper {
+    /// Get or refresh the configuration for a provider
+    pub async fn get_configuration(provider: &Provider) -> Res<ProviderConfiguration> {
+        let config = THREAD_CACHE.with(|i| i.borrow().get(&provider.configuration_url).cloned());
+
+        // Refresh config cache if needed
+        if config.is_none() || config.as_ref().unwrap().expire < time() {
+            let conf = Self::fetch_configuration(provider).await?;
+
+            THREAD_CACHE.with(|i| {
+                i.borrow_mut()
+                    .insert(provider.configuration_url.clone(), conf.clone())
+            });
+
+            return Ok(conf);
+        }
+
+        // We can return immediately previously extracted value
+        Ok(config.unwrap())
+    }
+
+    /// Get fresh configuration from provider
+    async fn fetch_configuration(provider: &Provider) -> Res<ProviderConfiguration> {
+        let discovery: ProviderDiscovery = reqwest::get(&provider.configuration_url)
+            .await?
+            .json()
+            .await?;
+
+        let keys: ProviderJWKs = reqwest::get(&discovery.jwks_uri).await?.json().await?;
+
+        Ok(ProviderConfiguration {
+            discovery,
+            keys,
+            expire: time() + OIDC_PROVIDERS_LIFETIME,
+        })
+    }
+}