RP 공개키 등록 및 Trusted RP 판정 로직 구현

2026-03-27 13:03:19 +09:00
parent cf3d049367
commit 3ffc345c2c
2 changed files with 60 additions and 18 deletions
--- a/backend/internal/domain/hydra_models.go
+++ b/backend/internal/domain/hydra_models.go
@@ -12,9 +12,36 @@ type HydraClient struct {
 	ResponseTypes           []string               `json:"response_types,omitempty"`
 	Scope                   string                 `json:"scope,omitempty"`
 	TokenEndpointAuthMethod string                 `json:"token_endpoint_auth_method,omitempty"`
+	JWKSUri                 string                 `json:"jwks_uri,omitempty"`
+	JWKS                    interface{}            `json:"jwks,omitempty"`
 	Metadata                map[string]interface{} `json:"metadata,omitempty"`
 }

+func (c *HydraClient) IsTrustedRP() bool {
+	// A Trusted RP must have a public key registered (URI or Inline)
+	// and use private_key_jwt for token endpoint authentication.
+	hasPublicKey := c.JWKSUri != "" || c.JWKS != nil
+	isPrivateKeyJwt := c.TokenEndpointAuthMethod == "private_key_jwt"
+	return hasPublicKey && isPrivateKeyJwt
+}
+
+func (c *HydraClient) IsHeadlessLoginEnabled() bool {
+	if !c.IsTrustedRP() {
+		return false
+	}
+	if c.Metadata == nil {
+		return false
+	}
+	val, ok := c.Metadata["headless_login_enabled"]
+	if !ok {
+		return false
+	}
+	if b, ok := val.(bool); ok {
+		return b
+	}
+	return false
+}
+
 type HydraConsentRequest struct {
 	Challenge         string      `json:"challenge"`
 	RequestedScope    []string    `json:"requested_scope"`