cmd: Introduce subject type algorithm configuration

See #950 Signed-off-by: arekkas <[email protected]>
ory · Aug 6, 2018 · 8117c69 · 8117c69
1 parent 80c320a
commit 8117c69
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/cmd/root.go b/cmd/root.go
@@ -188,6 +188,9 @@ func initConfig() {
 	viper.BindEnv("OIDC_DISCOVERY_USERINFO_ENDPOINT")
 	viper.SetDefault("OIDC_DISCOVERY_USERINFO_ENDPOINT", "")
 
+	viper.BindEnv("OIDC_SUBJECT_TYPES_SUPPORTED")
+	viper.SetDefault("OIDC_SUBJECT_TYPES_SUPPORTED", "public")
+
 	// If a config file is found, read it in.
 	if err := viper.ReadInConfig(); err != nil {
 		fmt.Printf(`Config file not found because "%s"`, err)

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -140,6 +140,9 @@ OPENID CONNECT CONTROLS
 	"scope" key in the registration payload, effectively disabling the concept of whitelisted scopes.
 	Example: OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=openid,offline,scope-a,scope-b
 
+- OIDC_SUBJECT_TYPES_SUPPORTED: Sets which pairwise identifier algorithms (comma-separated) should be supported.
+	Can be "public" or "pairwise" or both. Defaults to "public".
+	Example: OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
 
 HTTPS CONTROLS
 ==============

diff --git a/cmd/server/handler_client_factory.go b/cmd/server/handler_client_factory.go
@@ -39,7 +39,12 @@ func newClientHandler(c *config.Config, router *httprouter.Router, manager clien
 	w.ErrorEnhancer = writerErrorEnhancer
 
 	expectDependency(c.GetLogger(), manager)
-	h := client.NewHandler(manager, w, strings.Split(c.DefaultClientScope, ","))
+	h := client.NewHandler(
+		manager,
+		w,
+		strings.Split(c.DefaultClientScope, ","),
+		c.GetSubjectTypesSupported(),
+	)
 	h.SetRoutes(router)
 	return h
 }
diff --git a/config/config.go b/config/config.go
@@ -63,6 +63,7 @@ type Config struct {
 	ConsentURL                       string `mapstructure:"OAUTH2_CONSENT_URL" yaml:"-"`
 	LoginURL                         string `mapstructure:"OAUTH2_LOGIN_URL" yaml:"-"`
 	DefaultClientScope               string `mapstructure:"OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE" yaml:"-"`
+	SubjectTypesSupported            string `mapstructure:"OIDC_SUBJECT_TYPES_SUPPORTED" yaml:"-"`
 	ErrorURL                         string `mapstructure:"OAUTH2_ERROR_URL" yaml:"-"`
 	AllowTLSTermination              string `mapstructure:"HTTPS_ALLOW_TERMINATION_FROM" yaml:"-"`
 	BCryptWorkFactor                 int    `mapstructure:"BCRYPT_COST" yaml:"-"`
@@ -93,6 +94,14 @@ type Config struct {
 	systemSecret []byte                     `yaml:"-"`
 }
 
+func (c *Config) GetSubjectTypesSupported() []string {
+	types := strings.Split(c.SubjectTypesSupported, ",")
+	if len(types) == 0 {
+		return []string{"public"}
+	}
+	return types
+}
+
 func (c *Config) GetClusterURLWithoutTailingSlashOrFail(cmd *cobra.Command) string {
 	endpoint := c.GetClusterURLWithoutTailingSlash(cmd)
 	if endpoint == "" {