From 6df54011fa35e0ab0de8bbda040ad4b7cef853f1 Mon Sep 17 00:00:00 2001
From: shipperizer
Date: Sun, 3 Nov 2024 19:54:36 +0100
Subject: [PATCH] fix: use AuthURLParam to set client id and secret

Co-authored-by: 3v1n0
workaround to deal with golang/oauth2#320 tldr is that IDP servers tend to not be fully compliant with how client credentials are passed and have bespoke arrangements so anything goes this enforces the standard implementation from the RFC and has it working for any RFC compliant OIDC server full info here https://github.com/golang/oauth2/issues/320
---
 internal/broker/broker.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/broker/broker.go b/internal/broker/broker.go
index 1dd2bfb3..2833989b 100644
--- a/internal/broker/broker.go
+++ b/internal/broker/broker.go
@@ -357,7 +357,20 @@ func (b *Broker) generateUILayout(session *sessionInfo, authModeID string) (map[
 case authmodes.Device, authmodes.DeviceQr:
 ctx, cancel := context.WithTimeout(context.Background(), maxRequestDuration)
 defer cancel()
- response, err := session.authCfg.oauth.DeviceAuth(ctx)
+
+ var authOpts []oauth2.AuthCodeOption
+
+ // workaround to cater for fully RFC compliant oauth2 server which require this
+ // extra option, public providers tend to have bespoke implementation for passing client
+ // credentials that completely bypass this
+ // full explanation in https://github.com/golang/oauth2/issues/320
+ if secret := session.authCfg.oauth.ClientSecret; secret != "" {
+ // TODO @shipperizer verificationMethod should be a configurable value
+ verificationMethod := "client_post"
+ authOpts = append(authOpts, oauth2.SetAuthURLParam(verificationMethod, secret))
+ }
+
+ response, err := session.authCfg.oauth.DeviceAuth(ctx, authOpts...)
 if err != nil {
 return nil, fmt.Errorf("could not generate Device Authentication code layout: %v", err)
 }
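Review bot: The added `SetAuthURLParam` call sends the client secret under the form key `client_post`, which is the name of a client-authentication style rather than a parameter; RFC 6749 §2.3.1 defines the body parameters as `client_id` and `client_secret`, so an RFC-compliant device-authorization endpoint will still reject the request while the secret travels under an unrecognised key. The line should read `authOpts = append(authOpts, oauth2.SetAuthURLParam("client_secret", secret))`, and the `verificationMethod` local plus the TODO asking to make it configurable can go, since the parameter name is fixed by the RFC and what might need to be configurable is the auth style (header versus body), a different knob. The commit title says it sets the client id as well, but only the secret is added here; I believe the library's `DeviceAuth` already includes `client_id` in the request, which is worth confirming against the vendored oauth2 version before relying on it. The enclosing `generateUILayout` starts and ends outside the hunk.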