draft: serve wellknown openid configuration from metadata server

examples/webmesh-desktop/deploy/allowed-ids.yaml

@@ -1,3 +1,4 @@
+---
 # An example of pre-allowed IDs that we want to give
 # access to our applications and the network at large.
 apiVersion: v1

examples/webmesh-desktop/deploy/app-secrets.yaml

@@ -0,0 +1,10 @@
+---
+# Dummy OIDC client credentials for the Webmesh Desktop.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kvdi-app-secrets
+  namespace: default
+stringData:
+  oidc-clientid: "kvdi"
+  oidc-clientsecret: "kvdi"

examples/webmesh-desktop/deploy/desktop-values.yaml

@@ -6,6 +6,7 @@ vdi:
   spec:
     app:
       image: ghcr.io/webmeshproj/vdi-app:latest
+      serviceType: ClusterIP
     auth:
       tokenDuration: 8h
       oidcAuth:

internal/metadata/server.go

@@ -162,6 +162,26 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	switch r.URL.Path {
+	case "/.well-known/openid-configuration":
+		if !s.EnableOauth {
+			s.returnError(w, fmt.Errorf("oauth is not enabled"))
+			return
+		}
+		// We return the oauth endpoints.
+		rlog.Info("Serving oauth endpoints")
+		info := map[string]any{
+			"authorization_endpoint": fmt.Sprintf("http://%s/authorize", s.Address.String()),
+			"token_endpoint":         fmt.Sprintf("http://%s/token", s.Address.String()),
+			"userinfo_endpoint":      fmt.Sprintf("http://%s/userinfo", s.Address.String()),
+			"jwks_uri":               fmt.Sprintf("http://%s/jwks", s.Address.String()),
+			"scopes_supported":       []string{"openid", "profile"},
+		}
+		out, err := json.MarshalIndent(info, "", "  ")
+		if err != nil {
+			s.returnError(w, err)
+			return
+		}
+		fmt.Fprintln(w, string(out))
 	case "/":
 		// We return the available keys for the metadata server.
 		// This is a bit of a hack but we marshal the peer to JSON