feat: add OIDC discovery, JWKS, and authorization endpoints

2026-02-16 13:33:40 +01:00 · 2026-02-16 13:33:40 +01:00 · d8c891af89
commit d8c891af89
parent 95d184ce0f
4 changed files with 191 additions and 0 deletions
--- a/src/fastapi_oidc_op/oidc/endpoints.py
+++ b/src/fastapi_oidc_op/oidc/endpoints.py
@ -0,0 +1,77 @@
+"""FastAPI routes wrapping idpyoidc endpoint processing."""
+
+from __future__ import annotations
+
+import json
+
+from fastapi import APIRouter, Request, Response
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+
+router = APIRouter(tags=["oidc"])
+
+
+@router.get("/.well-known/openid-configuration")
+async def provider_configuration(request: Request) -> JSONResponse:
+    """OIDC Discovery endpoint."""
+    oidc_server = request.app.state.oidc_server
+    endpoint = oidc_server.get_endpoint("provider_config")
+
+    parsed = endpoint.parse_request({})
+    result = endpoint.process_request(parsed)
+    response_info = endpoint.do_response(response_args=result.get("response_args"), request=parsed)
+
+    response_data = response_info["response"]
+    if isinstance(response_data, str):
+        response_data = json.loads(response_data)
+    elif hasattr(response_data, "to_dict"):
+        response_data = response_data.to_dict()
+
+    return JSONResponse(content=response_data)
+
+
+@router.get("/jwks")
+async def jwks(request: Request) -> JSONResponse:
+    """Public signing keys (JWK Set)."""
+    oidc_server = request.app.state.oidc_server
+    keys = oidc_server.keyjar.export_jwks()
+    return JSONResponse(content=keys)
+
+
+@router.get("/authorization")
+async def authorization(request: Request) -> Response:
+    """OIDC Authorization endpoint."""
+    oidc_server = request.app.state.oidc_server
+    endpoint = oidc_server.get_endpoint("authorization")
+    query_params = dict(request.query_params)
+
+    try:
+        parsed = endpoint.parse_request(query_params)
+    except Exception as exc:
+        return HTMLResponse(f"<h1>Invalid Request</h1><p>{exc}</p>", status_code=400)
+
+    if "error" in parsed:
+        error_desc = parsed.get("error_description", parsed["error"])
+        return HTMLResponse(f"<h1>Error</h1><p>{error_desc}</p>", status_code=400)
+
+    # Check if user is authenticated
+    userid = request.session.get("userid")
+    username = request.session.get("username")
+
+    if userid and username:
+        return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
+
+    # Not authenticated — store and redirect to login
+    request.session["oidc_auth_request"] = query_params
+    return RedirectResponse("/login", status_code=303)
+
+
+async def _complete_authorization(
+    request: Request,
+    oidc_server: object,
+    endpoint: object,
+    parsed: object,
+    userid: str,
+    username: str,
+) -> Response:
+    """Complete the authorization after authentication. Placeholder — implemented in Task 7."""
+    return HTMLResponse("Authorization completion not yet implemented", status_code=501)