Add a discovery endpoint for OIDC

hiboo/sso/oidc.py

@@ -164,6 +164,21 @@ class Client(sqla_oauth2.OAuth2ClientMixin):
                 time.time() < (float(token["issued_at"]) + float(token["expires_in"]))):
                 return token
 
+    def generate_discovery(self):
+        """ Generate an OIDC discovery JSON
+        """
+        uuid = self.service.uuid
+        return flask.jsonify({
+            "issuer": flask.url_for("sso.oidc_token", service_uuid=uuid, _external=True),
+            "authorization_endpoint": flask.url_for("sso.oidc_authorize", service_uuid=uuid, _external=True),
+            "token_endpoint": flask.url_for("sso.oidc_token", service_uuid=uuid, _external=True),
+            "userinfo_endpoint": flask.url_for("sso.oidc_userinfo", service_uuid=uuid, _external=True),
+            "response_types_supported": " ".join(self.service.config["response_types"]),
+            "subject_types_supported": ["pairwise"],
+            "id_token_signing_alg_values_supported": ["none"],
+            "claims_supported": ["openid", "profile", "email"]
+        })
+
 
 @blueprint.route("/oidc/authorize/<service_uuid>", methods=["GET", "POST"])
 @security.authentication_required()
@@ -185,4 +200,9 @@ def oidc_userinfo(service_uuid):
     token = client.validate_token(flask.request)
     profile = models.Profile.query.get(token["profile_uuid"])
     return client.generate_user_info(profile, token["scope"])
-    
\ No newline at end of file
+    
+
+@blueprint.route("/oidc/discovery/<service_uuid>", methods=["GET"])
+def oidc_discovery(service_uuid):
+    client = Client(get_service(service_uuid, __name__))
+    return client.generate_discovery()
\ No newline at end of file