{-|

Copyright:

  This file is part of the package openid-connect.  It is subject to
  the license terms in the LICENSE file found in the top-level
  directory of this distribution and at:

    https://code.devalot.com/sthenauth/openid-connect

  No part of this package, including this file, may be copied,
  modified, propagated, or distributed except according to the terms
  contained in the LICENSE file.

License: BSD-2-Clause

-}
module OpenID.Connect.Discovery
  ( Discovery(..)
  , ProviderDiscoveryURI
  ) where

--------------------------------------------------------------------------------
-- Imports:
import Data.List.NonEmpty (NonEmpty)
import Data.Text (Text)
import GHC.Generics (Generic)
import qualified Network.URI as Network
import OpenID.Connect.Authentication
import OpenID.Connect.JSON
import OpenID.Connect.Scope

--------------------------------------------------------------------------------
-- | URI pointing to an OpenID Connect provider's discovery document.
--
-- If necessary, the /well-known/ discovery path will be added
-- automatically.
--
-- A list of certified OpenID Connect providers can be found here:
-- <https://openid.net/certification/>
--
-- @since 0.1.0.0
type ProviderDiscoveryURI = Network.URI

--------------------------------------------------------------------------------
-- | The provider discovery document as specified in
-- /OpenID Connect Discovery 1.0/ §3.
--
-- @since 0.1.0.0
data Discovery = Discovery
  { issuer :: URI
    -- ^ URL using the https scheme with no query or fragment
    -- component that the OP asserts as its Issuer Identifier.

  , authorizationEndpoint :: URI
    -- ^ URL of the OP's OAuth 2.0 Authorization Endpoint.

  , tokenEndpoint :: Maybe URI
    -- ^ URL of the OP's OAuth 2.0 Token Endpoint.  Not provided when
    -- using the implicit flow.

  , userinfoEndpoint :: Maybe URI
    -- ^ URL of the OP's UserInfo Endpoint.

  , jwksUri :: URI
    -- ^ URL of the OP's JSON Web Key Set document.

  , registrationEndpoint :: Maybe URI
    -- ^ URL of the OP's Dynamic Client Registration Endpoint.

  , scopesSupported :: Maybe Scope
    -- ^ List of OAuth 2.0 scope values that this server supports.

  , responseTypesSupported :: NonEmpty Text
    -- ^ Array containing a list of the OAuth 2.0 @response_type@
    -- values that this OP supports.

  , responseModesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the OAuth 2.0 response_mode
    -- values that this OP supports.

  , grantTypesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the OAuth 2.0 Grant Type
    -- values that this OP supports.

  , acrValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the Authentication Context
    -- Class References that this OP supports.

  , subjectTypesSupported :: NonEmpty Text
    -- ^ JSON array containing a list of the Subject Identifier types
    -- that this OP supports.

  , idTokenSigningAlgValuesSupported :: NonEmpty Text
    -- ^ JSON array containing a list of the JWS signing algorithms
    -- (alg values) supported by the OP for the ID Token to encode the
    -- Claims in a JWT.

  , idTokenEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (alg values) supported by the OP for the ID Token to encode the
    -- Claims in a JWT.

  , idTokenEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (enc values) supported by the OP for the ID Token to encode the
    -- Claims in a JWT.

  , userinfoSigningAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWS signing algorithms
    -- (alg values).

  , userinfoEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (alg values).

  , userinfoEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (enc values).

  , requestObjectSigningAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWS signing algorithms
    -- (alg values) supported by the OP for Request Objects, which are
    -- described in Section 6.1 of OpenID Connect Core 1.0.

  , requestObjectEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (alg values) supported by the OP for Request Objects. These
    -- algorithms are used both when the Request Object is passed by
    -- value and when it is passed by reference.

  , requestObjectEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWE encryption algorithms
    -- (enc values) supported by the OP for Request Objects. These
    -- algorithms are used both when the Request Object is passed by
    -- value and when it is passed by reference.

  , tokenEndpointAuthMethodsSupported :: Maybe (NonEmpty ClientAuthentication)
    -- ^ JSON array containing a list of Client Authentication methods
    -- supported by this Token Endpoint.

  , tokenEndpointAuthSigningAlgValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the JWS signing algorithms
    -- (alg values) supported by the Token Endpoint for the signature
    -- on the JWT used to authenticate the Client at the Token
    -- Endpoint for the private_key_jwt and client_secret_jwt
    -- authentication methods.

  , displayValuesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the display parameter values
    -- that the OpenID Provider supports. These values are described
    -- in Section 3.1.2.1 of OpenID Connect Core 1.0.

  , claimTypesSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the Claim Types
    -- that the OpenID Provider supports. These Claim Types are
    -- described in Section 5.6 of OpenID Connect Core 1.0.

  , claimsSupported :: Maybe (NonEmpty Text)
    -- ^ JSON array containing a list of the Claim Names of the Claims
    -- that the OpenID Provider MAY be able to supply values for. Note
    -- that for privacy or other reasons, this might not be an
    -- exhaustive list.

  , serviceDocumentation :: Maybe Text
    -- ^ URL of a page containing human-readable information that
    -- developers might want or need to know when using the OpenID
    -- Provider. In particular, if the OpenID Provider does not
    -- support Dynamic Client Registration, then information on how to
    -- register Clients needs to be provided in this documentation.

  , claimsLocalesSupported :: Maybe (NonEmpty Text)
    -- ^ Languages and scripts supported for values in Claims being
    -- returned, represented as a JSON array of language tag
    -- values. Not all languages and scripts are necessarily supported
    -- for all Claim values.

  , claimsParameterSupported :: Maybe Bool
    -- ^ Boolean value specifying whether the OP supports use of the
    -- claims parameter, with true indicating support. If omitted, the
    -- default value is false.

  , requestParameterSupported :: Maybe Bool
    -- ^ Boolean value specifying whether the OP supports use of the
    -- request parameter, with true indicating support. If omitted,
    -- the default value is false.

  , requestUriParameterSupported :: Maybe Bool
    -- ^ Boolean value specifying whether the OP supports use of the
    -- request_uri parameter, with true indicating support. If
    -- omitted, the default value is true.

  , requireRequestUriRegistration :: Maybe Bool
    -- ^ Boolean value specifying whether the OP requires any
    -- request_uri values used to be pre-registered using the
    -- request_uris registration parameter. Pre-registration is
    -- REQUIRED when the value is true. If omitted, the default value
    -- is false.

  , opPolicyUri :: Maybe URI
    -- ^ URL that the OpenID Provider provides to the person
    -- registering the Client to read about the OP's requirements on
    -- how the Relying Party can use the data provided by the OP. The
    -- registration process SHOULD display this URL to the person
    -- registering the Client if it is given.

  , opTosUri :: Maybe URI
    -- ^ URL that the OpenID Provider provides to the person
    -- registering the Client to read about OpenID Provider's terms of
    -- service. The registration process SHOULD display this URL to
    -- the person registering the Client if it is given.
  }
  deriving stock (Generic, Show)
  deriving (ToJSON, FromJSON) via GenericJSON Discovery