Diffstat (limited to 'VPNAuth.Server/Api/Oidc.cs')
-rw-r--r--VPNAuth.Server/Api/Oidc.cs99
1 files changed, 99 insertions, 0 deletions
diff --git a/VPNAuth.Server/Api/Oidc.cs b/VPNAuth.Server/Api/Oidc.cs
new file mode 100644
index 0000000..6c15113
--- /dev/null
+++ b/VPNAuth.Server/Api/Oidc.cs
@@ -0,0 +1,99 @@
+using VPNAuth.Server.Responses;
+
+namespace VPNAuth.Server.Api;
+
+public static class Oidc
+{
+ public static async Task UserInfoHandler(HttpContext context)
+ {
+ if (context.Request.Method != "GET" && context.Request.Method != "POST")
+ {
+ context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
+ return;
+ }
+
+ var tokenHeader = context.Request.Headers["Authorization"].First()?.Split(" ");
+
+ if (tokenHeader?.Length == 1 || tokenHeader?[0] != "Bearer")
+ {
+ context.Response.StatusCode = StatusCodes.Status400BadRequest;
+ return;
+ }
+
+ if (tokenHeader.Length < 2)
+ {
+ context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+ return;
+ }
+
+ using var db = new Database.Database();
+ var tokenDbEntry = db.AccessTokens
+ .Where(tokenEntry => tokenEntry.Token == tokenHeader[1])
+ .ToList()
+ .FirstOrDefault();
+
+ if (tokenDbEntry == null)
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
+
+ if (!tokenDbEntry.Scopes.Contains("openid"))
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
+
+ var userInformation = db.UserInformation
+ .Where(entry => entry.Sub == tokenDbEntry.Username)
+ .ToList()
+ .FirstOrDefault();
+
+ if (userInformation == null)
+ {
+ context.Response.StatusCode = StatusCodes.Status204NoContent;
+ return;
+ }
+
+ var userInfoResponse = new UserInfo();
+
+ if (tokenDbEntry.Scopes.Contains("profile"))
+ {
+ userInfoResponse.GivenName = userInformation.GivenName;
+ userInfoResponse.FamilyName = userInformation.FamilyName;
+ userInfoResponse.Name = userInformation.Name;
+ userInfoResponse.Picture = userInformation.Picture;
+ userInfoResponse.PreferredUsername = userInformation.PreferredUsername;
+ }
+
+ if (tokenDbEntry.Scopes.Contains("email"))
+ userInfoResponse.Email = userInformation.Email;
+
+ userInfoResponse.Sub = userInformation.Sub;
+
+ await context.Response.WriteAsJsonAsync(userInfoResponse);
+ }
+
+ public static async Task DiscoveryHandler(HttpContext context)
+ {
+ if (!context.Request.Host.HasValue)
+ {
+ context.Response.StatusCode = StatusCodes.Status400BadRequest;
+ return;
+ }
+
+ var serverAddress = context.Request.IsHttps ? "https://" : "http://" + context.Request.Host.Value;
+
+ await context.Response.WriteAsJsonAsync(new OidcDiscovery
+ {
+ Issuer = serverAddress + "/",
+ AuthorizationEndpoint = $"{serverAddress}/auth",
+ TokenEndpoint = $"{serverAddress}/access-token",
+ UserInfoEndpoint = $"{serverAddress}/user-info",
+ JwksUri = "",
+ ResponseTypesSupported = ["code"],
+ SubjectTypesSupported = [],
+ IdTokenSigningAlgValuesSupported = ["RS256"]
+ });
+ }
+}
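Review bot: `serverAddress` in DiscoveryHandler is built with the wrong precedence — `?:` binds looser than `+`, so on an HTTPS request the expression yields just `"https://"` and every advertised endpoint becomes `https:///auth`; parenthesize the scheme: `var serverAddress = (context.Request.IsHttps ? "https://" : "http://") + context.Request.Host.Value;`. Deriving the issuer and endpoint URLs from the request's Host header also means a client is handed whatever issuer a forged Host header names, so a configured issuer value would be safer than the request host. In UserInfoHandler, `context.Request.Headers["Authorization"].First()` throws when the header is absent (an empty StringValues has no elements), so an unauthenticated request ends in an unhandled exception rather than a 401; `FirstOrDefault()` with a null check returning 401 avoids that. The `tokenHeader.Length < 2` branch is unreachable because `Split` never returns an empty array and length 1 is already rejected above, and nothing checks an expiry on the matched access-token row if the entity carries one. If `Scopes` is a plain string, `Contains("openid")` is a substring test and would also accept a scope such as `openid2`; splitting the scope list and comparing whole tokens would be stricter.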