RP 공개키 등록 및 Trusted RP 판정 로직 구현

2026-03-27 13:03:19 +09:00
parent cf3d049367
commit 3ffc345c2c
2 changed files with 60 additions and 18 deletions
--- a/backend/internal/domain/hydra_models.go
+++ b/backend/internal/domain/hydra_models.go
@@ -12,9 +12,36 @@ type HydraClient struct {
 	ResponseTypes           []string               `json:"response_types,omitempty"`
 	Scope                   string                 `json:"scope,omitempty"`
 	TokenEndpointAuthMethod string                 `json:"token_endpoint_auth_method,omitempty"`
+	JWKSUri                 string                 `json:"jwks_uri,omitempty"`
+	JWKS                    interface{}            `json:"jwks,omitempty"`
 	Metadata                map[string]interface{} `json:"metadata,omitempty"`
 }

+func (c *HydraClient) IsTrustedRP() bool {
+	// A Trusted RP must have a public key registered (URI or Inline)
+	// and use private_key_jwt for token endpoint authentication.
+	hasPublicKey := c.JWKSUri != "" || c.JWKS != nil
+	isPrivateKeyJwt := c.TokenEndpointAuthMethod == "private_key_jwt"
+	return hasPublicKey && isPrivateKeyJwt
+}
+
+func (c *HydraClient) IsHeadlessLoginEnabled() bool {
+	if !c.IsTrustedRP() {
+		return false
+	}
+	if c.Metadata == nil {
+		return false
+	}
+	val, ok := c.Metadata["headless_login_enabled"]
+	if !ok {
+		return false
+	}
+	if b, ok := val.(bool); ok {
+		return b
+	}
+	return false
+}
+
 type HydraConsentRequest struct {
 	Challenge         string      `json:"challenge"`
 	RequestedScope    []string    `json:"requested_scope"`
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -81,15 +81,18 @@ type devStatsResponse struct {
 }

 type clientSummary struct {
-	ID           string                 `json:"id"`
-	Name         string                 `json:"name"`
-	Type         string                 `json:"type"`
-	Status       string                 `json:"status"`
-	CreatedAt    *time.Time             `json:"createdAt,omitempty"`
-	RedirectURIs []string               `json:"redirectUris"`
-	Scopes       []string               `json:"scopes"`
-	ClientSecret string                 `json:"clientSecret,omitempty"`
-	Metadata     map[string]interface{} `json:"metadata,omitempty"`
+	ID                      string                 `json:"id"`
+	Name                    string                 `json:"name"`
+	Type                    string                 `json:"type"`
+	Status                  string                 `json:"status"`
+	CreatedAt               *time.Time             `json:"createdAt,omitempty"`
+	RedirectURIs            []string               `json:"redirectUris"`
+	Scopes                  []string               `json:"scopes"`
+	ClientSecret            string                 `json:"clientSecret,omitempty"`
+	TokenEndpointAuthMethod string                 `json:"tokenEndpointAuthMethod,omitempty"`
+	JwksUri                 string                 `json:"jwksUri,omitempty"`
+	Jwks                    interface{}            `json:"jwks,omitempty"`
+	Metadata                map[string]interface{} `json:"metadata,omitempty"`
 }

 type clientListResponse struct {
@@ -139,6 +142,8 @@ type clientUpsertRequest struct {
 	GrantTypes              *[]string               `json:"grantTypes"`
 	ResponseTypes           *[]string               `json:"responseTypes"`
 	TokenEndpointAuthMethod *string                 `json:"tokenEndpointAuthMethod"`
+	JwksUri                 *string                 `json:"jwksUri"`
+	Jwks                    interface{}            `json:"jwks"`
 	Metadata                *map[string]interface{} `json:"metadata"`
 }

@@ -895,6 +900,8 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
 		ResponseTypes:           responseTypes,
 		Scope:                   strings.Join(scopes, " "),
 		TokenEndpointAuthMethod: tokenAuthMethod,
+		JWKSUri:                 valueOr(req.JwksUri, ""),
+		JWKS:                    req.Jwks,
 		Metadata:                metadata,
 	}

@@ -1046,8 +1053,13 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
 		ResponseTypes:           derefSlice(req.ResponseTypes, current.ResponseTypes),
 		Scope:                   buildScope(valueOrSlice(req.Scopes, strings.Fields(current.Scope))),
 		TokenEndpointAuthMethod: resolveTokenAuthMethod(tokenAuthMethod, current.TokenEndpointAuthMethod),
+		JWKSUri:                 valueOr(req.JwksUri, current.JWKSUri),
+		JWKS:                    req.Jwks,
 		Metadata:                metadata,
 	}
+	if req.Jwks == nil {
+		updated.JWKS = current.JWKS
+	}
 	if err := validateReservedSystemClientName(updated.ClientID, updated.ClientName); err != nil {
 		return errorJSON(c, fiber.StatusForbidden, err.Error())
 	}
@@ -1640,15 +1652,18 @@ func (h *DevHandler) mapClientSummary(client domain.HydraClient) clientSummary {
 	}

 	return clientSummary{
-		ID:           client.ClientID,
-		Name:         name,
-		Type:         clientType,
-		Status:       status,
-		CreatedAt:    createdAt,
-		RedirectURIs: client.RedirectURIs,
-		Scopes:       scopes,
-		ClientSecret: clientSecret,
-		Metadata:     client.Metadata,
+		ID:                      client.ClientID,
+		Name:                    name,
+		Type:                    clientType,
+		Status:                  status,
+		CreatedAt:               createdAt,
+		RedirectURIs:            client.RedirectURIs,
+		Scopes:                  scopes,
+		ClientSecret:            clientSecret,
+		TokenEndpointAuthMethod: client.TokenEndpointAuthMethod,
+		JwksUri:                 client.JWKSUri,
+		Jwks:                    client.JWKS,
+		Metadata:                client.Metadata,
 	}
 }