refactor: unify how .well-known routes are handled

frappe/app.py

@@ -22,6 +22,7 @@ import frappe.recorder
 import frappe.utils.response
 from frappe import _
 from frappe.auth import SAFE_HTTP_METHODS, UNSAFE_HTTP_METHODS, HTTPRequest, check_request_ip, validate_auth
+from frappe.integrations.oauth2 import handle_wellknown
 from frappe.middlewares import StaticDataMiddleware
 from frappe.permissions import handle_does_not_exist_error
 from frappe.utils import CallbackManager, cint, get_site_name
@@ -125,10 +126,8 @@ def application(request: Request):
 		elif request.path.startswith("/private/files/"):
 			response = frappe.utils.response.download_private_file(request.path)
 
-		elif request.path.startswith("/.well-known/oauth-authorization-server") and request.method == "GET":
-			from frappe.integrations.oauth2 import get_authorization_server_metadata
-
-			response = get_authorization_server_metadata()
+		elif request.path.startswith("/.well-known/") and request.method == "GET":
+			response = handle_wellknown(request.path)
 
 		elif request.method in ("GET", "HEAD", "POST"):
 			response = get_response()

frappe/hooks.py

@@ -62,10 +62,6 @@ website_route_rules = [
 
 website_redirects = [
 	{"source": r"/desk(.*)", "target": r"/app\1"},
-	{
-		"source": "/.well-known/openid-configuration",
-		"target": "/api/method/frappe.integrations.oauth2.openid_configuration",
-	},
 ]
 
 base_template = "templates/base.html"

frappe/integrations/oauth2.py

@@ -7,6 +7,7 @@ from oauthlib.oauth2 import FatalClientError, OAuth2Error
 from oauthlib.openid.connect.core.endpoints.pre_configured import Server as WebApplicationServer
 from pydantic import ValidationError
 from werkzeug import Response
+from werkzeug.exceptions import NotFound
 
 import frappe
 from frappe.integrations.doctype.oauth_provider_settings.oauth_provider_settings import (
@@ -188,10 +189,11 @@ def openid_profile(*args, **kwargs):
 		return generate_json_error_response(e)
 
 
-@frappe.whitelist(allow_guest=True)
-def openid_configuration():
+def get_openid_configuration():
+	response = Response()
+	response.mimetype = "application/json"
 	frappe_server_url = get_server_url()
-	frappe.local.response = frappe._dict(
+	response.data = frappe.as_json(
 		{
 			"issuer": frappe_server_url,
 			"authorization_endpoint": f"{frappe_server_url}/api/method/frappe.integrations.oauth2.authorize",
@@ -211,6 +213,7 @@ def openid_configuration():
 			"id_token_signing_alg_values_supported": ["HS256"],
 		}
 	)
+	return response
 
 
 @frappe.whitelist(allow_guest=True)
@@ -255,13 +258,27 @@ def introspect_token(token=None, token_type_hint=None):
 		frappe.local.response = frappe._dict({"active": False})
 
 
+def handle_wellknown(path: str):
+	"""Path handler for /.well-known/ endpoints. Invoked in app.py"""
+
+	if path.startswith("/.well-known/openid-configuration"):
+		return get_openid_configuration()
+
+	if path.startswith("/.well-known/oauth-authorization-server"):
+		return get_authorization_server_metadata()
+
+	if path.startswith("/.well-known/oauth-protected-resource"):
+		return get_protected_resource_metadata()
+
+	raise NotFound
+
+
 def get_authorization_server_metadata():
 	"""
 	Creates response for the /.well-known/oauth-authorization-server endpoint.
 
 	Reference: https://datatracker.ietf.org/doc/html/rfc8414
 	"""
-	from werkzeug import Response
 
 	response = Response()
 	response.mimetype = "application/json"
@@ -366,3 +383,6 @@ def register_client():
 
 	response.data = frappe.as_json(response_data)
 	return response
+
+
+def get_protected_resource_metadata(): ...