feat: jwk endpoint

2026-02-25 10:22:00 +00:00 · 2026-01-29 15:44:26 +02:00
parent a8f57e584e
commit 63fcc654f0
7 changed files with 84 additions and 22 deletions
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -150,7 +150,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	}

 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
-	if slices.Contains(strings.Split(req.Scope, " "), "openid") {
+	if slices.Contains(strings.Fields(req.Scope), "openid") {
 		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)

 		if err != nil {
--- a/internal/controller/well_known_controller.go
+++ b/internal/controller/well_known_controller.go
@@ -2,6 +2,7 @@ package controller

 import (
 	"fmt"
+	"net/http"

 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/tinyauth/internal/service"
@@ -23,33 +24,35 @@ type OpenIDConnectConfiguration struct {
 	ServiceDocumentation              string   `json:"service_documentation"`
 }

-type WellKnownControllerConfig struct {
-	OpenIDConnectIssuer string
-}
+type WellKnownControllerConfig struct{}

 type WellKnownController struct {
 	config WellKnownControllerConfig
 	engine *gin.Engine
+	oidc   *service.OIDCService
 }

-func NewWellKnownController(config WellKnownControllerConfig, engine *gin.Engine) *WellKnownController {
+func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
 	return &WellKnownController{
 		config: config,
+		oidc:   oidc,
 		engine: engine,
 	}
 }

 func (controller *WellKnownController) SetupRoutes() {
 	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
 }

 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
+	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
-		Issuer:                            controller.config.OpenIDConnectIssuer,
-		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", controller.config.OpenIDConnectIssuer),
-		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", controller.config.OpenIDConnectIssuer),
-		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", controller.config.OpenIDConnectIssuer),
-		JwksUri:                           fmt.Sprintf("%s/api/oidc/jwks", controller.config.OpenIDConnectIssuer),
+		Issuer:                            issuer,
+		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
+		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
+		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
+		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
 		ScopesSupported:                   service.SupportedScopes,
 		ResponseTypesSupported:            service.SupportedResponseTypes,
 		GrantTypesSupported:               service.SupportedGrantTypes,
@@ -60,3 +63,23 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		ServiceDocumentation:              "https://tinyauth.app/docs/reference/openid",
 	})
 }
+
+func (controller *WellKnownController) JWKS(c *gin.Context) {
+	jwks, err := controller.oidc.GetJWK()
+
+	if err != nil {
+		c.JSON(500, gin.H{
+			"status":  "500",
+			"message": "failed to get JWK",
+		})
+		return
+	}
+
+	c.Header("content-type", "application/json")
+
+	c.Writer.WriteString(`{"keys":[`)
+	c.Writer.Write(jwks)
+	c.Writer.WriteString(`]}`)
+
+	c.Status(http.StatusOK)
+}