ResolveIssuer uses OIDC discovery to fetch the canonical issuer string from the provider's .well-known/openid-configuration endpoint. This does not require OIDC client credentials. This works the same as `oidc.NewProvider`. The `oidc` package does not expose a method to extract the Issuer. So we ha
(ctx context.Context, cli *http.Client, issuerURL string)
| 78 | // expose a method to extract the Issuer. So we have to manually make the |
| 79 | // http request. |
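//
// Points callers should know:
//   - The discovery response body is read through a size cap, so a
//     misconfigured or hostile provider cannot make the JSON decoder buffer an
//     unbounded body; genuine discovery documents are a few KiB.
//   - A nil cli falls back to http.DefaultClient. That client has no Timeout,
//     so either pass a client with one or bound the call through ctx.
//   - The issuer is returned exactly as the provider advertises it; unlike
//     go-oidc's NewProvider this function does not require it to equal
//     issuerURL. Callers that need the OIDC issuer-match check must compare
//     the result with their configured URL themselves.
//
// An error is returned when the URL cannot be built, the request fails, the
// provider answers with a non-200 status, the body is not a JSON document
// within the size cap, or the document carries no issuer.
func ResolveIssuer(ctx context.Context, cli *http.Client, issuerURL string) (string, error) {
	// Anything larger than this is treated as malformed rather than buffered.
	const maxDiscoveryBodyBytes = 1 << 20

	if cli == nil {
		cli = http.DefaultClient
	}

	wellKnownURL, err := url.JoinPath(issuerURL, "/.well-known/openid-configuration")
	if err != nil {
		return "", xerrors.Errorf("resolve issuer URL: %w", err)
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, wellKnownURL, nil)
	if err != nil {
		return "", xerrors.Errorf("create discovery request: %w", err)
	}

	resp, err := cli.Do(req)
	if err != nil {
		return "", xerrors.Errorf("fetch OIDC discovery document: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return "", xerrors.Errorf("OIDC discovery returned HTTP %d", resp.StatusCode)
	}

	// http.MaxBytesReader accepts a nil ResponseWriter; it is used here purely
	// to cap how much of the body the decoder may consume, which keeps the
	// change within the packages this file already imports.
	body := http.MaxBytesReader(nil, resp.Body, maxDiscoveryBodyBytes)

	var discovery struct {
		Issuer string `json:"issuer"`
	}
	if err := json.NewDecoder(body).Decode(&discovery); err != nil {
		return "", xerrors.Errorf("decode OIDC discovery document: %w", err)
	}
	if discovery.Issuer == "" {
		return "", xerrors.New("OIDC discovery document has empty issuer field")
	}
	return discovery.Issuer, nil
}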
| 112 | |
| 113 | // PrintAnalysis writes a human-readable summary of the OIDC link analysis. |
| 114 | // Used for the cli command and debugging. |