Module: StandardId::Oauth::DiscoveryDocument

Defined in:
lib/standard_id/oauth/discovery_document.rb

Overview

Shared builder for the OIDC / OAuth 2.0 metadata documents served at:

* /.well-known/openid-configuration   (OpenID Connect Discovery)
* /.well-known/oauth-authorization-server (RFC 8414)

Both well-known controllers render this single builder so the two documents cannot drift. Endpoint URLs are derived from the configured issuer.

NOTE on mounting (RFC 8414 caveat): the ApiEngine is consumer-mounted at a sub-path (e.g. `/auth/api`), so the gem can only serve `/auth/api/.well-known/oauth-authorization-server`. OpenID Connect Discovery appends the well-known suffix to the issuer, so the OIDC document is reachable under the mount; RFC 8414 §3.1 instead inserts the suffix between host and path, so a strict RFC 8414 client that derives the metadata URL from a path-carrying issuer would probe `<host>/.well-known/oauth-authorization-server/auth/api`, which falls outside any engine mount. Hosts that need the root-anchored form must add their own root route; the gem cannot.

Class Method Summary

.build(issuer, registration_enabled: false) ⇒ Hash

Class Method Details

.build(issuer, registration_enabled: false) ⇒ Hash

Parameters:

  • issuer (String)

    the configured issuer as an absolute https URL (e.g. “https://auth.example.com”). Endpoint URLs are built by appending paths to it, so a bare hostname would yield schemeless URLs.

  • registration_enabled (Boolean) (defaults to: false)

    when true, advertises the RFC 7591 dynamic client registration endpoint. Defaults to false; the seam is kept here so Phase 2 (DCR) can flip it on via config without touching either controller. While false, no registration_endpoint is emitted.

Returns:

  • (Hash)


# File 'lib/standard_id/oauth/discovery_document.rb', line 27

def build(issuer, registration_enabled: false)
  base = issuer.to_s.chomp("/")

  doc = {
    issuer: issuer,
    authorization_endpoint: "#{base}/authorize",
    token_endpoint: "#{base}/oauth/token",
    revocation_endpoint: "#{base}/oauth/revoke",
    userinfo_endpoint: "#{base}/userinfo",
    jwks_uri: "#{base}/.well-known/jwks.json",
    response_types_supported: %w[code],
    grant_types_supported: %w[authorization_code refresh_token client_credentials],
    subject_types_supported: %w[public],
    id_token_signing_alg_values_supported: [StandardId.config.oauth.signing_algorithm.to_s.upcase],
    token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
    # PKCE is always enforced (require_pkce defaults true and cannot be
    # disabled for public clients), so advertise the supported method.
    code_challenge_methods_supported: %w[S256]
  }

  doc[:registration_endpoint] = "#{base}/oauth/register" if registration_enabled

  doc
end
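The mounting caveat above and the document layout returned by `build` both come down to URL handling a relying party has to get right. The following is an added example, not code from the standard_id gem: `metadata_urls` derives the three metadata URLs a client might probe for a given issuer (OIDC-appended, RFC 8414-appended as the gem serves it, and the root-anchored RFC 8414 form the gem cannot serve), and `discovery_problems` is the set of checks a client should run on a fetched document before trusting any endpoint in it. Both function names, the constructed sample documents and the rule that every endpoint must sit under the issuer (stricter than either spec requires, but true of this builder's output) are assumptions of the example.

```ruby
require "uri"

# Compute the metadata URLs a client could derive from an issuer.
# OpenID Connect Discovery appends the well-known suffix; RFC 8414 3.1
# inserts it between host and path. For a path-carrying issuer the last
# form lands outside a sub-path engine mount (hypothetical helper).
def metadata_urls(issuer)
  uri = URI.parse(issuer)
  raise ArgumentError, "issuer must be an absolute https URL" unless uri.is_a?(URI::HTTPS) && uri.host

  base = issuer.chomp("/")
  path = uri.path.chomp("/")                        # "" for a root issuer
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  origin = "#{uri.scheme}://#{uri.host}#{port}"
  {
    oidc_discovery: "#{base}/.well-known/openid-configuration",
    oauth_appended: "#{base}/.well-known/oauth-authorization-server",
    oauth_rfc8414:  "#{origin}/.well-known/oauth-authorization-server#{path}"
  }
end

ENDPOINT_KEYS = %i[authorization_endpoint token_endpoint revocation_endpoint
                   userinfo_endpoint jwks_uri registration_endpoint].freeze

# Client-side validation of a discovery document (hypothetical helper).
# Returns a list of problems; an empty list means the document passed.
def discovery_problems(doc, expected_issuer)
  problems = []

  # The issuer claim must match byte-for-byte (OIDC Discovery 4.3,
  # RFC 8414 3.3); prefix or case-insensitive matching admits mix-up
  # documents.
  problems << "issuer mismatch: #{doc[:issuer].inspect}" unless doc[:issuer] == expected_issuer

  issuer_prefix = "#{expected_issuer.chomp("/")}/"
  ENDPOINT_KEYS.each do |key|
    next unless doc.key?(key)

    url = doc[key].to_s
    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError
      nil
    end
    if uri.nil? || !uri.is_a?(URI::HTTPS)
      problems << "#{key} is not an https URL: #{url}"
    elsif !url.start_with?(issuer_prefix)
      # Policy check, stricter than the specs: refuse endpoints that do
      # not live under the issuer, which is where a spoofed document would
      # redirect codes or tokens.
      problems << "#{key} is outside the issuer: #{url}"
    end
  end

  problems << "S256 not advertised" unless Array(doc[:code_challenge_methods_supported]).include?("S256")
  problems << "'none' alg advertised" if Array(doc[:id_token_signing_alg_values_supported]).include?("none")
  problems
end

# Constructed sample mirroring the fields the gem's builder emits for an
# issuer mounted at a sub-path (not fetched from a real server).
SAMPLE_ISSUER = "https://auth.example.com/auth/api".freeze
SAMPLE_DOC = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: "#{SAMPLE_ISSUER}/authorize",
  token_endpoint: "#{SAMPLE_ISSUER}/oauth/token",
  revocation_endpoint: "#{SAMPLE_ISSUER}/oauth/revoke",
  userinfo_endpoint: "#{SAMPLE_ISSUER}/userinfo",
  jwks_uri: "#{SAMPLE_ISSUER}/.well-known/jwks.json",
  id_token_signing_alg_values_supported: %w[RS256],
  code_challenge_methods_supported: %w[S256]
}.freeze

# Constructed tampered copy: the token endpoint points at a foreign host,
# as an attacker who can spoof discovery would arrange to harvest codes.
TAMPERED_DOC = SAMPLE_DOC.merge(token_endpoint: "https://attacker.example/oauth/token").freeze

if $PROGRAM_NAME == __FILE__
  metadata_urls(SAMPLE_ISSUER).each { |form, url| puts "#{form}: #{url}" }
  puts "sample:   #{discovery_problems(SAMPLE_DOC, SAMPLE_ISSUER).inspect}"
  puts "tampered: #{discovery_problems(TAMPERED_DOC, SAMPLE_ISSUER).inspect}"
end
```

Run against the sample issuer, `metadata_urls` shows why the root-anchored form is the host's problem and not the engine's: it shares no prefix with the mount. `discovery_problems` accepts the untampered document and flags the foreign `token_endpoint`; pass the issuer with and without a trailing slash to see that the exact-match rule catches even that difference, which is the behaviour the specs require.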