Allow overriding usptream OAuth2 providers endpoints

Also have a way to disable OIDC discovery when all the endpoints are known.

Author: sandhose

crates/data-model/src/lib.rs

@@ -48,8 +48,9 @@ pub use self::{
     upstream_oauth2::{
         UpsreamOAuthProviderSetEmailVerification, UpstreamOAuthAuthorizationSession,
         UpstreamOAuthAuthorizationSessionState, UpstreamOAuthLink, UpstreamOAuthProvider,
-        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderImportAction,
-        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderSubjectPreference,
+        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderDiscoveryMode,
+        UpstreamOAuthProviderImportAction, UpstreamOAuthProviderImportPreference,
+        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderSubjectPreference,
     },
     users::{
         Authentication, AuthenticationMethod, BrowserSession, Password, User, UserEmail,

crates/data-model/src/upstream_oauth2/mod.rs

@@ -20,8 +20,10 @@ pub use self::{
     link::UpstreamOAuthLink,
     provider::{
         ClaimsImports as UpstreamOAuthProviderClaimsImports,
+        DiscoveryMode as UpstreamOAuthProviderDiscoveryMode,
         ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference,
+        PkceMode as UpstreamOAuthProviderPkceMode,
         SetEmailVerification as UpsreamOAuthProviderSetEmailVerification,
         SubjectPreference as UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProvider,
     },

crates/data-model/src/upstream_oauth2/provider.rs

@@ -17,11 +17,45 @@ use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod
 use oauth2_types::scope::Scope;
 use serde::{Deserialize, Serialize};
 use ulid::Ulid;
+use url::Url;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum DiscoveryMode {
+    /// Use OIDC discovery to fetch and verify the provider metadata
+    #[default]
+    Oidc,
+
+    /// Use OIDC discovery to fetch the provider metadata, but don't verify it
+    Insecure,
+
+    /// Don't fetch the provider metadata
+    Disabled,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum PkceMode {
+    /// Use PKCE if the provider supports it
+    #[default]
+    Auto,
+
+    /// Always use PKCE with the S256 method
+    S256,
+
+    /// Don't use PKCE
+    Disabled,
+}
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct UpstreamOAuthProvider {
     pub id: Ulid,
     pub issuer: String,
+    pub discovery_mode: DiscoveryMode,
+    pub pkce_mode: PkceMode,
+    pub jwks_uri_override: Option<Url>,
+    pub authorization_endpoint_override: Option<Url>,
+    pub token_endpoint_override: Option<Url>,
     pub scope: Scope,
     pub client_id: String,
     pub encrypted_client_secret: Option<String>,

crates/handlers/src/upstream_oauth2/authorize.rs

@@ -29,7 +29,7 @@ use mas_storage::{
 use thiserror::Error;
 use ulid::Ulid;
 
-use super::UpstreamSessionsCookie;
+use super::{cache::LazyProviderInfos, UpstreamSessionsCookie};
 use crate::{
     impl_from_error_for_route, upstream_oauth2::cache::MetadataCache,
     views::shared::OptionalPostAuthAction,
@@ -87,23 +87,28 @@ pub(crate) async fn get(
     let http_service = http_client_factory.http_service("upstream_oauth2.authorize");
 
     // First, discover the provider
-    let metadata = metadata_cache.get(&http_service, &provider.issuer).await?;
+    // This is done lazyly according to provider.discovery_mode and the various
+    // endpoint overrides
+    let mut lazy_metadata = LazyProviderInfos::new(&metadata_cache, &provider, &http_service);
+    lazy_metadata.maybe_discover().await?;
 
     let redirect_uri = url_builder.upstream_oauth_callback(provider.id);
 
-    let mut data = AuthorizationRequestData::new(
+    let data = AuthorizationRequestData::new(
         provider.client_id.clone(),
         provider.scope.clone(),
         redirect_uri,
     );
 
-    if let Some(methods) = metadata.code_challenge_methods_supported.clone() {
-        data = data.with_code_challenge_methods_supported(methods);
-    }
+    let data = if let Some(methods) = lazy_metadata.pkce_methods().await? {
+        data.with_code_challenge_methods_supported(methods)
+    } else {
+        data
+    };
 
     // Build an authorization request for it
     let (url, data) = mas_oidc_client::requests::authorization_code::build_authorization_url(
-        metadata.authorization_endpoint().clone(),
+        lazy_metadata.authorization_endpoint().await?.clone(),
         data,
         &mut rng,
     )?;