Allow calling the OIDC provider with a different hostname

CSCfi · Jun 12, 2024 · 778efd2 · 778efd2
1 parent 7c4ddc5
commit 778efd2
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 8 deletions.
diff --git a/.env.example b/.env.example
@@ -1,7 +1,8 @@
 CLIENT_ID=
 CLIENT_SECRET=
 DEBUG=True
-URL_OIDC=https://openid-provider.org/oidc/.well-known/openid-configuration
+URL_BASE=https://openid-provider.org
+URL_CONFIG_PATH=/oidc/.well-known/openid-configuration
 URL_CALLBACK=http://localhost:8080/callback
 URL_REDIRECT=http://localhost:8080/
 SCOPE=openid

diff --git a/main.py b/main.py
@@ -16,11 +16,14 @@
 from fastapi.responses import RedirectResponse, JSONResponse, HTMLResponse
 from fastapi.middleware.cors import CORSMiddleware
 
+from yarl import URL
+
 # configuration
 ENV_VARS = {
     "CLIENT_ID",
     "CLIENT_SECRET",
-    "URL_OIDC",
+    "URL_BASE",
+    "URL_CONFIG_PATH",
     "URL_CALLBACK",
     "URL_REDIRECT",
     "SCOPE",
@@ -59,22 +62,31 @@ def strtobool(val):
 )
 LOG = logging.getLogger("tiny-rp")
 
-DEFAULT_TIMEOUT = httpx.Timeout(15.0, read=60.0)
 
+def make_oidc_url(path: str) -> str:
+    return CONFIG["URL_BASE"] + path
+
+
+CONFIG["url_oidc"] = make_oidc_url(CONFIG["URL_CONFIG_PATH"])
+
+DEFAULT_TIMEOUT = httpx.Timeout(15.0, read=60.0)
 
 def get_configs():
     """Request OpenID configuration from OpenID provider."""
     with httpx.Client(verify=False, timeout=DEFAULT_TIMEOUT) as client:
-        LOG.debug(f"requesting OpenID configuration from {CONFIG['URL_OIDC']}")
-        response = client.get(CONFIG["URL_OIDC"])
+        LOG.debug(f"requesting OpenID configuration from {CONFIG['url_oidc']}")
+        response = client.get(CONFIG["url_oidc"])
         if response.status_code == 200:
             # store URLs for later use
             LOG.debug("OpenID configuration received")
             data = response.json()
+            token_endpoint = URL(data.get("token_endpoint", ""))
+            revocation_endpoint = URL(data.get("revocation_endpoint", ""))
+            userinfo_endpoint = URL(data.get("userinfo_endpoint", ""))
             CONFIG["url_auth"] = data.get("authorization_endpoint", "")
-            CONFIG["url_token"] = data.get("token_endpoint", "")
-            CONFIG["url_revoke"] = data.get("revocation_endpoint", "")
-            CONFIG["url_userinfo"] = data.get("userinfo_endpoint", "")
+            CONFIG["url_token"] = make_oidc_url(token_endpoint.path)
+            CONFIG["url_revoke"] = make_oidc_url(revocation_endpoint.path) if revocation_endpoint else ""
+            CONFIG["url_userinfo"] = make_oidc_url(userinfo_endpoint.path)
             LOG.debug(f"new config: {CONFIG}")
         else:
             # we can't proceed without these URLs

diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,4 @@
 fastapi
 httpx
 uvicorn
+yarl