BastionSSO/app/Http/Controllers/Api/OauthMetadataController.php


<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\OauthScope;
use App\Services\OAuth\OAuthJwtService;
use hg\apidoc\annotation as Apidoc;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\URL;
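#[Apidoc\Title('OAuth 协议元数据端点')]
class OauthMetadataController extends Controller
{
    /**
     * Public, unauthenticated endpoints that publish the provider's OIDC
     * discovery document and its JWKS. Everything returned here is metadata
     * that relying parties use to locate endpoints and verify token signatures.
     */
    public function __construct(
        private readonly OAuthJwtService $jwtService,
    ) {}

    /**
     * OIDC discovery document at the standard well-known location.
     */
    #[Apidoc\Title('OIDC Discovery'), Apidoc\Method('GET'), Apidoc\Url('/.well-known/openid-configuration')]
    public function openidConfiguration(): JsonResponse
    {
        return response()->json($this->discoveryDocument());
    }

    /**
     * Same document served at a path without the leading dot. Presumably a
     * compatibility alias for clients that mangle `/.well-known/` — confirm
     * with the route definitions before removing. Delegates to the shared
     * builder so the two responses cannot drift apart.
     */
    #[Apidoc\Title('OIDC Discovery 2'), Apidoc\Method('GET'), Apidoc\Url('/well-known/openid-configuration')]
    public function openidConfiguration2(): JsonResponse
    {
        return response()->json($this->discoveryDocument());
    }

    /**
     * JSON Web Key Set used by relying parties to verify RS256 ID tokens.
     * The key material comes entirely from OAuthJwtService::jwks().
     */
    #[Apidoc\Title('JWKS'), Apidoc\Method('GET'), Apidoc\Url('/oauth/jwks')]
    public function jwks(): JsonResponse
    {
        return response()->json($this->jwtService->jwks());
    }

    /**
     * Build the OIDC discovery document once for both discovery routes.
     *
     * `issuer` is taken from configuration, while the endpoint URLs are built
     * with URL::to(). NOTE(review): URL::to() appears to derive its root from
     * the incoming request unless a root URL is forced in app config — confirm,
     * because relying parties compare the issuer against the discovery origin
     * and a request-derived host that differs from `oauth.issuer` will fail
     * that check (and lets an attacker-controlled Host header shape the
     * advertised endpoints).
     *
     * @return array<string, mixed>
     */
    private function discoveryDocument(): array
    {
        return [
            'issuer' => (string) config('oauth.issuer'),
            'authorization_endpoint' => URL::to('/oauth/authorize'),
            'token_endpoint' => URL::to('/oauth/token'),
            'userinfo_endpoint' => URL::to('/oauth/userinfo'),
            'jwks_uri' => URL::to('/oauth/jwks'),
            'response_types_supported' => ['code'],
            'subject_types_supported' => ['public'],
            'id_token_signing_alg_values_supported' => ['RS256'],
            'scopes_supported' => $this->activeScopeNames(),
            'token_endpoint_auth_methods_supported' => ['client_secret_basic', 'client_secret_post'],
            'grant_types_supported' => ['authorization_code', 'refresh_token'],
            'claims_supported' => ['iss', 'sub', 'aud', 'exp', 'iat', 'auth_time', 'nonce', 'at_hash', 'nickname', 'email', 'phone'],
        ];
    }

    /**
     * Names of all active scopes, ordered by name, as a plain list.
     *
     * @return list<string>
     */
    private function activeScopeNames(): array
    {
        return OauthScope::query()
            ->where('is_active', true)
            ->orderBy('name')
            ->pluck('name')
            ->values()
            ->all();
    }
}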