fix: use AuthURLParam to set client id and secret
workaround to deal with golang/oauth2#320

TL;DR is that IDP servers tend to not be fully compliant with how client
credentials are passed and have bespoke arrangements, so anything goes.
This enforces the standard implementation from the RFC and has it working
for any RFC-compliant OIDC server.

full info here golang/oauth2#320
shipperizer committed Nov 13, 2024
1 parent 14fad3f commit a5a3be5
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion internal/broker/broker.go
Expand Up @@ -357,7 +357,21 @@ func (b *Broker) generateUILayout(session *sessionInfo, authModeID string) (map[
case authmodes.Device, authmodes.DeviceQr:
ctx, cancel := context.WithTimeout(context.Background(), maxRequestDuration)
defer cancel()
response, err := session.authCfg.oauth.DeviceAuth(ctx)

var authOpts []oauth2.AuthCodeOption

// workaround to cater for fully RFC compliant oauth2 server which require this
// extra option, public providers tend to have bespoke implementation for passing client
// credentials that completely bypass this
// full explanation in https://github.com/golang/oauth2/issues/320
if secret := session.authCfg.oauth.ClientSecret; secret != "" {
// TODO @shipperizer verificationMethod should be a configurable value
verificationMethod := "client_post"
authOpts = append(authOpts, oauth2.SetAuthURLParam(verificationMethod, secret))
}

response, err := session.authCfg.oauth.DeviceAuth(ctx, authOpts...)

if err != nil {
return nil, fmt.Errorf("could not generate Device Authentication code layout: %v", err)
}
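Review bot: the key in `verificationMethod := "client_post"` looks like a logic error: `oauth2.SetAuthURLParam(verificationMethod, secret)` adds the form field `client_post=<secret>` to the device-authorization POST, but the body parameter an RFC-compliant server reads (RFC 6749 section 2.3.1) is `client_secret`; `client_secret_post` is the name of the client-authentication method, not of the field. As written, a compliant endpoint still receives no client secret, while the secret is nonetheless transmitted under an unexpected key. Suggest `authOpts = append(authOpts, oauth2.SetAuthURLParam("client_secret", secret))`, and either rename `verificationMethod` (it holds a parameter name, not a method) or drop the variable until the TODO above makes the method configurable; at that point `client_secret_basic` belongs in the Authorization header rather than in a form parameter, so the switch should select the mechanism, not just the key.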