
fix: use AuthURLParam to set client id and secret
Co-authored-by: 3v1n0 <mail@3v1n0.net>

workaround to deal with golang/oauth2#320

tldr is that IdP servers tend not to be fully compliant with how client
credentials are passed and have bespoke arrangements, so anything goes;
this enforces the standard implementation from the RFC and has it working
for any RFC-compliant OIDC server

full info here golang/oauth2#320
shipperizer committed Nov 13, 2024
1 parent 14fad3f commit 6df5401
Showing 1 changed file with 14 additions and 1 deletion.
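--- a/internal/broker/broker.go
+++ b/internal/broker/broker.go
@@ -357,7 +357,20 @@ func (b *Broker) generateUILayout(session *sessionInfo, authModeID string) (map[
 case authmodes.Device, authmodes.DeviceQr:
 ctx, cancel := context.WithTimeout(context.Background(), maxRequestDuration)
 defer cancel()
-response, err := session.authCfg.oauth.DeviceAuth(ctx)
+
+var authOpts []oauth2.AuthCodeOption
+
+// workaround to cater for fully RFC compliant oauth2 server which require this
+// extra option, public providers tend to have bespoke implementation for passing client
+// credentials that completely bypass this
+// full explanation in https://github.com/golang/oauth2/issues/320
+if secret := session.authCfg.oauth.ClientSecret; secret != "" {
+// TODO @shipperizer verificationMethod should be a configurable value
+verificationMethod := "client_post"
+authOpts = append(authOpts, oauth2.SetAuthURLParam(verificationMethod, secret))
+}
+
+response, err := session.authCfg.oauth.DeviceAuth(ctx, authOpts...)
 if err != nil {
 return nil, fmt.Errorf("could not generate Device Authentication code layout: %v", err)
 }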
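Review bot: The client secret is posted under the form field name `client_post` (the `verificationMethod := "client_post"` line), but `oauth2.SetAuthURLParam(key, value)` takes the parameter name as its first argument, and the client_secret_post method of RFC 6749 §2.3.1 that this workaround is meant to implement expects the field to be named `client_secret`; as written, an RFC-compliant device authorization endpoint would most likely not see the credential at all. The local name `verificationMethod` appears to conflate the authentication method (`client_secret_post`) with the parameter name, so the standard form would be `authOpts = append(authOpts, oauth2.SetAuthURLParam("client_secret", secret))`, and the TODO's configurable value should select the method rather than the field name. Since the secret now travels in the request body, the comment block should also state the assumption that `Endpoint.DeviceAuthURL` is an HTTPS URL and that the encoded form values must not be logged or surfaced in the returned error. The enclosing generateUILayout continues outside the hunk.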
