feat: add dedicated Logto OIDC config with custom JWS algorithm support

src/main/java/run/halo/oauth/HaloOAuth2AuthenticationWebFilter.java

@@ -8,6 +8,7 @@
 import org.springframework.http.client.reactive.ReactorClientHttpConnector;
 import org.springframework.security.authentication.DelegatingReactiveAuthenticationManager;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginReactiveAuthenticationManager;
 import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
 import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
@@ -42,6 +43,7 @@
 @Component
 public class HaloOAuth2AuthenticationWebFilter implements AuthenticationSecurityWebFilter {
 
+    static final String JWS_ALGORITHM_METADATA_KEY = "jwsAlgorithm";
     private final WebFilter delegate;
 
     public HaloOAuth2AuthenticationWebFilter(Oauth2LoginConfiguration configuration,
@@ -83,25 +85,9 @@ public HaloOAuth2AuthenticationWebFilter(Oauth2LoginConfiguration configuration,
             new OidcReactiveOAuth2UserService()
         );
         var oidcIdTokenDecodeFactory = new ReactiveOidcIdTokenDecoderFactory();
-        oidcIdTokenDecodeFactory.setJwsAlgorithmResolver(clientRegistration -> {
-            var configurationMetadata = clientRegistration.getProviderDetails()
-                .getConfigurationMetadata();
-            try {
-                var supportedJwsAlgorithms = JSONObjectUtils.getStringList(
-                    new JSONObject(configurationMetadata),
-                    "id_token_signing_alg_values_supported"
-                );
-                // we choose the first one as JWS algorithm
-                if (!supportedJwsAlgorithms.isEmpty()) {
-                    var jwsAlgorithm = supportedJwsAlgorithms.get(0);
-                    return SignatureAlgorithm.from(jwsAlgorithm);
-                }
-            } catch (ParseException e) {
-                // ignore the error.
-            }
-            // default algorithm
-            return SignatureAlgorithm.RS256;
-        });
+        oidcIdTokenDecodeFactory.setJwsAlgorithmResolver(
+            HaloOAuth2AuthenticationWebFilter::resolveJwsAlgorithm
+        );
         oidcAuthManager.setJwtDecoderFactory(oidcIdTokenDecodeFactory);
         var authManager =
             new DelegatingReactiveAuthenticationManager(oauth2AuthManager, oidcAuthManager);
@@ -136,4 +122,27 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
         return delegate.filter(exchange, chain);
     }
 
+    static SignatureAlgorithm resolveJwsAlgorithm(ClientRegistration clientRegistration) {
+        var configurationMetadata = clientRegistration.getProviderDetails()
+            .getConfigurationMetadata();
+        var configuredJwsAlgorithm = configurationMetadata.get(JWS_ALGORITHM_METADATA_KEY);
+        if (configuredJwsAlgorithm instanceof String jwsAlgorithm
+            && StringUtils.hasText(jwsAlgorithm)) {
+            return SignatureAlgorithm.from(jwsAlgorithm);
+        }
+        try {
+            var supportedJwsAlgorithms = JSONObjectUtils.getStringList(
+                new JSONObject(configurationMetadata),
+                "id_token_signing_alg_values_supported"
+            );
+            // we choose the first one as JWS algorithm
+            if (!supportedJwsAlgorithms.isEmpty()) {
+                return SignatureAlgorithm.from(supportedJwsAlgorithms.get(0));
+            }
+        } catch (ParseException | IllegalArgumentException e) {
+            log.debug("Failed to resolve JWS algorithm from provider metadata.", e);
+        }
+        // default algorithm
+        return SignatureAlgorithm.RS256;
+    }
 }

src/main/java/run/halo/oauth/Oauth2ClientRegistration.java

@@ -3,7 +3,6 @@
 import static io.swagger.v3.oas.annotations.media.Schema.RequiredMode.REQUIRED;
 
 import io.swagger.v3.oas.annotations.media.Schema;
-import java.util.Map;
 import java.util.Set;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
@@ -54,7 +53,7 @@ public static class Oauth2ClientRegistrationSpec {
 
         private String issuerUri;
 
-        private Map<String, Object> configurationMetadata;
+        private String jwsAlgorithm;
 
         private String clientName;
     }

src/main/java/run/halo/oauth/OauthClientRegistrationRepository.java

@@ -38,7 +38,9 @@
 @RequiredArgsConstructor
 public class OauthClientRegistrationRepository implements ReactiveClientRegistrationRepository {
     static final String DEFAULT_REDIRECT_URL = "{baseUrl}/{action}/oauth2/code/{registrationId}";
-    static final String SSO_PROVIDER_NAME = "sso";
+    static final String ADVANCED_OIDC_SETTING_GROUP = "ssoOauth";
+    static final String LOGTO_SETTING_GROUP = "logtoOauth";
+    static final String JWS_ALGORITHM_METADATA_KEY = "jwsAlgorithm";
     private final ReactiveExtensionClient client;
     private final ExternalUrlSupplier externalUrlSupplier;
 
@@ -74,7 +76,20 @@ private Mono<ClientRegistration> getClientRegistrationMono(AuthProvider authProv
             )
             .flatMap(data -> {
                 String value = data.getOrDefault(group, "{}");
-                if (SSO_PROVIDER_NAME.equals(name)) {
+                if (LOGTO_SETTING_GROUP.equals(group)) {
+                    if (StringUtils.isBlank(value) || "{}".equals(value.trim())) {
+                        String legacyValue = data.getOrDefault(ADVANCED_OIDC_SETTING_GROUP, "{}");
+                        if (!"{}".equals(legacyValue.trim())) {
+                            SsoClientConf ssoClientConf =
+                                JsonUtils.jsonToObject(legacyValue, SsoClientConf.class);
+                            return SsoClientRegistration(ssoClientConf, authProvider);
+                        }
+                    }
+                    LogtoClientConf logtoClientConf =
+                        JsonUtils.jsonToObject(value, LogtoClientConf.class);
+                    return LogtoClientRegistration(logtoClientConf, authProvider);
+                }
+                if (ADVANCED_OIDC_SETTING_GROUP.equals(group)) {
                     SsoClientConf ssoClientConf =
                         JsonUtils.jsonToObject(value, SsoClientConf.class);
                     return SsoClientRegistration(ssoClientConf, authProvider);
@@ -108,6 +123,27 @@ private Mono<ClientRegistration> GenericClientRegistration(GenericClientConf gen
             );
     }
 
+    private Mono<ClientRegistration> LogtoClientRegistration(LogtoClientConf logtoClientConf,
+        AuthProvider authProvider) {
+        String registrationId = authProvider.getMetadata().getName();
+        var issuerUri = normalizeLogtoIssuerUri(logtoClientConf.endpoint());
+        return client.fetch(Oauth2ClientRegistration.class, registrationId)
+            .switchIfEmpty(Mono.error(new NotFoundException(
+                "Oauth2 client registration " + registrationId + " not found")
+            ))
+            .map(oauth2ClientRegistration -> clientRegistrationBuilder(oauth2ClientRegistration)
+                .clientId(logtoClientConf.clientId())
+                .clientSecret(logtoClientConf.clientSecret())
+                .authorizationUri(issuerUri + "/auth")
+                .tokenUri(issuerUri + "/token")
+                .userInfoUri(issuerUri + "/me")
+                .jwkSetUri(issuerUri + "/jwks")
+                .issuerUri(issuerUri)
+                .userNameAttributeName("sub")
+                .build()
+            );
+    }
+
     private Mono<ClientRegistration> SsoClientRegistration(SsoClientConf ssoClientConf,
         AuthProvider authProvider) {
         String registrationId = authProvider.getMetadata().getName();
@@ -157,6 +193,20 @@ record GenericClientConf(String clientId, String clientSecret) {
         }
     }
 
+    record LogtoClientConf(String clientId, String clientSecret, String endpoint) {
+        LogtoClientConf {
+            if (StringUtils.isBlank(clientId)) {
+                throw new IllegalArgumentException("clientId must not be blank");
+            }
+            if (StringUtils.isBlank(clientSecret)) {
+                throw new IllegalArgumentException("clientSecret must not be blank");
+            }
+            if (StringUtils.isBlank(endpoint)) {
+                throw new IllegalArgumentException("endpoint must not be blank");
+            }
+        }
+    }
+
     record SsoClientConf(String clientId, String clientSecret, String authorizationUrl,
                          String tokenUrl, String userInfoUrl, String scopes,
                          String userNameAttribute, String issuerUri, String jwkSetUri) {
@@ -239,12 +289,29 @@ ClientRegistration.Builder clientRegistrationBuilder(Oauth2ClientRegistration re
                 toAuthenticationMethod(spec.getUserInfoAuthenticationMethod())
             )
             .userInfoUri(spec.getUserInfoUri())
-            .providerConfigurationMetadata(
-                defaultIfNull(spec.getConfigurationMetadata(), Map.of())
-            )
+            .providerConfigurationMetadata(buildProviderConfigurationMetadata(spec))
             .userNameAttributeName(spec.getUserNameAttributeName());
     }
 
+    private Map<String, Object> buildProviderConfigurationMetadata(
+        Oauth2ClientRegistration.Oauth2ClientRegistrationSpec spec) {
+        if (StringUtils.isBlank(spec.getJwsAlgorithm())) {
+            return Map.of();
+        }
+        return Map.of(JWS_ALGORITHM_METADATA_KEY, spec.getJwsAlgorithm());
+    }
+
+    private String normalizeLogtoIssuerUri(String endpoint) {
+        String normalized = StringUtils.removeEnd(endpoint.trim(), "/");
+        for (String suffix : List.of("/auth", "/token", "/me", "/jwks")) {
+            normalized = StringUtils.removeEnd(normalized, suffix);
+        }
+        if (!normalized.endsWith("/oidc")) {
+            normalized = normalized + "/oidc";
+        }
+        return normalized;
+    }
+
     Mono<Set<String>> fetchEnabledProviders() {
         return client.fetch(ConfigMap.class, SystemSetting.SYSTEM_CONFIG)
             .map(configMap -> {

src/main/resources/extensions/auth-provider.yaml

@@ -80,4 +80,26 @@ spec:
     name: sso-oauth2-setting
     group: ssoOauth
   configMapRef:
-    name: oauth2-sso-config
+    name: oauth2-sso-config
+---
+apiVersion: auth.halo.run/v1alpha1
+kind: AuthProvider
+metadata:
+  name: logto
+  labels:
+    auth.halo.run/auth-binding: "true"
+spec:
+  displayName: Logto
+  description: Logto is an open-source identity infrastructure for customer and workforce authentication.
+  logo: /plugins/plugin-oauth2/assets/static/logto.svg
+  website: https://logto.io
+  helpPage: https://docs.logto.io/
+  authenticationUrl: /oauth2/authorization/logto
+  bindingUrl: /oauth2/authorization/logto
+  unbindUrl: /apis/uc.api.auth.halo.run/v1alpha1/user-connections/logto/disconnect
+  authType: oauth2
+  settingRef:
+    name: logto-oauth2-setting
+    group: logtoOauth
+  configMapRef:
+    name: oauth2-logto-config

src/main/resources/extensions/client-registrations.yaml

@@ -65,3 +65,23 @@ spec:
   userInfoAuthenticationMethod: "header"
   userNameAttributeName: "name"
   clientName: "SSO"
+---
+apiVersion: oauth.halo.run/v1alpha1
+kind: Oauth2ClientRegistration
+metadata:
+  name: logto
+spec:
+  clientAuthenticationMethod: "client_secret_basic"
+  authorizationGrantType: "authorization_code"
+  redirectUri: "{baseUrl}/login/oauth2/code/logto"
+  scopes:
+    - "openid"
+    - "profile"
+    - "email"
+  authorizationUri: "https://example.logto.app/oidc/auth"
+  tokenUri: "https://example.logto.app/oidc/token"
+  userInfoUri: "https://example.logto.app/oidc/me"
+  userInfoAuthenticationMethod: "header"
+  userNameAttributeName: "sub"
+  jwsAlgorithm: "ES384"
+  clientName: "Logto"

src/main/resources/extensions/setting.yaml

@@ -69,3 +69,27 @@ spec:
           name: jwkSetUri
           label: "JWK Set URI"
           help: "The URL to the JWK Set (KEYS) of the OpenID Connect Provider."
+---
+apiVersion: v1alpha1
+kind: Setting
+metadata:
+  name: logto-oauth2-setting
+spec:
+  forms:
+    - group: logtoOauth
+      label: "Logto OAuth 配置"
+      formSchema:
+        - $formkit: text
+          name: clientId
+          label: "Client ID"
+          validation: required:trim
+        - $formkit: password
+          name: clientSecret
+          label: "Client Secret"
+          validation: required:trim
+        - $formkit: text
+          name: endpoint
+          label: "Endpoint"
+          validation: required:trim
+          value: "https://example.logto.app"
+          help: "填写 Logto 域名、Issuer 或 OIDC 端点，例如 https://auth.example.com、https://auth.example.com/oidc 或 https://auth.example.com/oidc/auth。"

src/test/java/run/halo/oauth/HaloOAuth2AuthenticationWebFilterTest.java

@@ -0,0 +1,79 @@
+package run.halo.oauth;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.List;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+
+class HaloOAuth2AuthenticationWebFilterTest {
+
+    @Test
+    void explicitJwsAlgorithmShouldTakePrecedence() {
+        var registration = registrationBuilder()
+            .providerConfigurationMetadata(
+                Map.of(
+                    "jwsAlgorithm", "ES384",
+                    "id_token_signing_alg_values_supported", List.of("RS256")
+                )
+            )
+            .build();
+
+        assertThat(resolveJwsAlgorithm(registration)).isEqualTo(SignatureAlgorithm.ES384);
+    }
+
+    @Test
+    void metadataSupportedAlgorithmsShouldFallbackToFirstValue() {
+        var registration = registrationBuilder()
+            .providerConfigurationMetadata(
+                Map.of("id_token_signing_alg_values_supported", List.of("ES384", "RS256"))
+            )
+            .build();
+
+        assertThat(resolveJwsAlgorithm(registration)).isEqualTo(SignatureAlgorithm.ES384);
+    }
+
+    @Test
+    void shouldFallbackToDefaultRs256WhenMetadataIsMissing() {
+        var registration = registrationBuilder().build();
+
+        assertThat(resolveJwsAlgorithm(registration)).isEqualTo(SignatureAlgorithm.RS256);
+    }
+
+    private static ClientRegistration.Builder registrationBuilder() {
+        return ClientRegistration.withRegistrationId("logto")
+            .clientId("client-id")
+            .clientSecret("client-secret")
+            .clientName("Logto")
+            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+            .redirectUri("{baseUrl}/login/oauth2/code/logto")
+            .authorizationUri("https://logto.example.com/oidc/auth")
+            .tokenUri("https://logto.example.com/oidc/token")
+            .userInfoUri("https://logto.example.com/oidc/me")
+            .jwkSetUri("https://logto.example.com/oidc/jwks")
+            .userNameAttributeName("sub");
+    }
+
+    private static SignatureAlgorithm resolveJwsAlgorithm(ClientRegistration registration) {
+        try {
+            Method method = HaloOAuth2AuthenticationWebFilter.class.getDeclaredMethod(
+                "resolveJwsAlgorithm", ClientRegistration.class
+            );
+            method.setAccessible(true);
+            return (SignatureAlgorithm) method.invoke(null, registration);
+        } catch (NoSuchMethodException e) {
+            fail("Expected resolveJwsAlgorithm(ClientRegistration) helper to exist", e);
+        } catch (IllegalAccessException | InvocationTargetException e) {
+            fail("Failed to invoke resolveJwsAlgorithm(ClientRegistration)", e);
+        }
+        throw new IllegalStateException("Unreachable");
+    }
+}