From 024ef3940f016fe3b4100d4cd1e9f8d99ccb12ba Mon Sep 17 00:00:00 2001
From: techknowlogick <techknowlogick@gitea.io>
Date: Thu, 15 Apr 2021 22:32:00 -0400
Subject: [PATCH] add well-known config for OIDC (#15355)

* add well-known config for OIDC

* spacing per feedback

* Update oidc_wellknown.tmpl

* add id_token

* Update oidc_wellknown.tmpl

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 .editorconfig                           |  3 +++
 routers/routes/web.go                   |  1 +
 routers/user/oauth.go                   | 10 ++++++++++
 templates/user/auth/oidc_wellknown.tmpl |  9 +++++++++
 4 files changed, 23 insertions(+)
 create mode 100644 templates/user/auth/oidc_wellknown.tmpl

diff --git a/.editorconfig b/.editorconfig
index b7ff926c34..0f8603e5a2 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -18,6 +18,9 @@ insert_final_newline = false
 [templates/swagger/v1_json.tmpl]
 indent_style = space
 
+[templates/user/auth/oidc_wellknown.tmpl]
+indent_style = space
+
 [Makefile]
 indent_style = tab
 
diff --git a/routers/routes/web.go b/routers/routes/web.go
index 4815680c99..a8d64b4c44 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -336,6 +336,7 @@ func RegisterRoutes(m *web.Route) {
 	// Routers.
 	// for health check
 	m.Get("/", routers.Home)
+	m.Get("/.well-known/openid-configuration", user.OIDCWellKnown)
 	m.Group("/explore", func() {
 		m.Get("", func(ctx *context.Context) {
 			ctx.Redirect(setting.AppSubURL + "/explore/repos")
diff --git a/routers/user/oauth.go b/routers/user/oauth.go
index c8c846c687..ae06efd0c0 100644
--- a/routers/user/oauth.go
+++ b/routers/user/oauth.go
@@ -389,6 +389,16 @@ func GrantApplicationOAuth(ctx *context.Context) {
 	ctx.Redirect(redirect.String(), 302)
 }
 
+// OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
+func OIDCWellKnown(ctx *context.Context) {
+	t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown")
+	ctx.Resp.Header().Set("Content-Type", "application/json")
+	if err := t.Execute(ctx.Resp, ctx.Data); err != nil {
+		log.Error("%v", err)
+		ctx.Error(http.StatusInternalServerError)
+	}
+}
+
 // AccessTokenOAuth manages all access token requests by the client
 func AccessTokenOAuth(ctx *context.Context) {
 	form := *web.GetForm(ctx).(*forms.AccessTokenForm)
diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl
new file mode 100644
index 0000000000..290ed4a71d
--- /dev/null
+++ b/templates/user/auth/oidc_wellknown.tmpl
@@ -0,0 +1,9 @@
+{
+    "issuer": "{{AppUrl | JSEscape | Safe}}",
+    "authorization_endpoint": "{{AppUrl | JSEscape | Safe}}login/oauth/authorize",
+    "token_endpoint": "{{AppUrl | JSEscape | Safe}}login/oauth/access_token",
+    "response_types_supported": [
+        "code",
+        "id_token"
+    ]
+}