feat: add support for OAuth 2.0 Authorization Server Issuer Identification

2025-12-16 02:03:01 +03:00 · 2025-07-06 15:29:26 +02:00
parent 49f1ab2f75
commit bf042563e9
5 changed files with 22 additions and 17 deletions
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -89,6 +89,7 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	response := dto.AuthorizeOidcClientResponseDto{
 		Code:        code,
 		CallbackURL: callbackURL,
+		Issuer:         common.EnvConfig.AppURL,
 	}

 	c.JSON(http.StatusOK, response)
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -83,6 +83,7 @@ func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 		"response_types_supported":                       []string{"code", "id_token"},
 		"subject_types_supported":                        []string{"public"},
 		"id_token_signing_alg_values_supported":          []string{alg.String()},
+		"authorization_response_iss_parameter_supported": true,
 	}
 	return json.Marshal(config)
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -57,6 +57,7 @@ type AuthorizeOidcClientRequestDto struct {
 type AuthorizeOidcClientResponseDto struct {
 	Code        string `json:"code"`
 	CallbackURL string `json:"callbackURL"`
+	Issuer         string `json:"issuer"`
 }

 type AuthorizationRequiredDto struct {
--- a/frontend/src/lib/types/oidc.type.ts
+++ b/frontend/src/lib/types/oidc.type.ts
@@ -48,4 +48,5 @@ export type OidcDeviceCodeInfo = {
 export type AuthorizeResponse = {
 	code: string;
 	callbackURL: string;
+	issuer: string;
 };
--- a/frontend/src/routes/authorize/+page.svelte
+++ b/frontend/src/routes/authorize/+page.svelte
@@ -57,8 +57,8 @@

 			await oidService
 				.authorize(client!.id, scope, callbackURL, nonce, codeChallenge, codeChallengeMethod)
-				.then(async ({ code, callbackURL }) => {
-					onSuccess(code, callbackURL);
+				.then(async ({ code, callbackURL, issuer }) => {
+					onSuccess(code, callbackURL, issuer);
 				});
 		} catch (e) {
 			errorMessage = getWebauthnErrorMessage(e);
@@ -66,12 +66,13 @@
 		}
 	}

-	function onSuccess(code: string, callbackURL: string) {
+	function onSuccess(code: string, callbackURL: string, issuer: string) {
 		success = true;
 		setTimeout(() => {
 			const redirectURL = new URL(callbackURL);
 			redirectURL.searchParams.append('code', code);
 			redirectURL.searchParams.append('state', authorizeState);
+			redirectURL.searchParams.append('iss', issuer);

 			window.location.href = redirectURL.toString();
 		}, 1000);