From e5fbaa26e19fcd2b59283a97179fb0f541f7fd01 Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Mon, 8 Jan 2024 14:21:24 +0530 Subject: [PATCH 1/2] fix: pkce flow for oauth login --- server/handlers/authorize.go | 2 +- server/handlers/oauth_callback.go | 11 ++++++++++- server/handlers/token.go | 9 ++++++--- server/token/auth_token.go | 1 - 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go index 46559dd..d9c3686 100644 --- a/server/handlers/authorize.go +++ b/server/handlers/authorize.go @@ -123,7 +123,7 @@ func AuthorizeHandler() gin.HandlerFunc { // TODO add state with timeout // used for response mode query or fragment - authState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + authState := "state=" + state + "&scope=" + scopeString + "&redirect_uri=" + redirectURI if responseType == constants.ResponseTypeCode { authState += "&code=" + code if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil { diff --git a/server/handlers/oauth_callback.go b/server/handlers/oauth_callback.go index 7a744af..280b28d 100644 --- a/server/handlers/oauth_callback.go +++ b/server/handlers/oauth_callback.go @@ -53,7 +53,16 @@ func OAuthCallbackHandler() gin.HandlerFunc { stateValue := sessionSplit[0] redirectURL := sessionSplit[1] inputRoles := strings.Split(sessionSplit[2], ",") - scopes := strings.Split(sessionSplit[3], ",") + scopeString := sessionSplit[3] + scopes := []string{} + if scopeString != "" { + if strings.Contains(scopeString, ",") { + scopes = strings.Split(scopeString, ",") + } + if strings.Contains(scopeString, " ") { + scopes = strings.Split(scopeString, " ") + } + } var user *models.User oauthCode := ctx.Request.FormValue("code") if oauthCode == "" { diff --git a/server/handlers/token.go b/server/handlers/token.go index 2b38f7e..7d8bb31 100644 --- a/server/handlers/token.go +++ b/server/handlers/token.go 
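Review bot: The new `authState` line still splices `scopeString` and `redirectURI` into a query/fragment string by plain concatenation, with no URL encoding, so a space-separated scope list (what the replaced `strings.Join(scope, " ")` produced) and any `&`, `=` or `#` inside `redirect_uri` will be misparsed by the client that receives the state. `scopeString` is assigned outside this hunk, so I cannot confirm its separator; whichever it is, build the string with `url.Values{"state": {state}, "scope": {scopeString}, "redirect_uri": {redirectURI}}.Encode()` and append `code` through the same `url.Values` rather than by string addition. The `// TODO add state with timeout` immediately above is also still open: the `SetState` call stores `code+"@@"+codeChallenge` with no expiry visible here, which leaves stale codes and challenges resolvable for as long as the store keeps them. AuthorizeHandler's body begins and ends outside this hunk.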
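Review bot: A scope string with neither a `,` nor a space — the ordinary single-scope case such as `openid` — now leaves `scopes` as the empty `[]string{}`, because neither `strings.Contains` branch fires, whereas the removed `strings.Split(sessionSplit[3], ",")` returned `[]string{"openid"}` for the same input. A value carrying both separators (`openid, profile`) takes only the second branch and yields `openid,` as a scope, and the first branch's result is discarded. If these scopes reach `CreateAuthToken` (the `auth_token.go` hunk shows `offline_access` membership deciding whether a refresh token is minted), a silently dropped scope changes what the callback issues. Replace the whole `if scopeString != "" { … }` block with `scopes = strings.FieldsFunc(scopeString, func(r rune) bool { return r == ',' || r == ' ' })`, which handles either separator, mixed separators and the single-scope case and never emits empty entries. `sessionSplit[3]` is indexed without a length check, but `sessionSplit` is built before this hunk so I cannot tell whether that is guarded; OAuthCallbackHandler's body continues past the hunk.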
@@ -3,6 +3,7 @@ package handlers import ( "crypto/sha256" "encoding/base64" + "fmt" "net/http" "strings" "time" @@ -105,7 +106,7 @@ func TokenHandler() gin.HandlerFunc { if codeVerifier == "" && clientSecret == "" { gc.JSON(http.StatusBadRequest, gin.H{ - "error": "invalid_dat", + "error": "invalid_data", "error_description": "The code verifier or client secret is required", }) return @@ -263,12 +264,14 @@ func TokenHandler() gin.HandlerFunc { "roles": roles, "expires_in": expiresIn, } - + fmt.Println("=> scopes:", scope) + fmt.Println("=> refreshToken:", authToken.RefreshToken) if authToken.RefreshToken != nil { + log.Debug("Refresh token is present: ", fmt.Sprintf("%s:%s", sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint)) res["refresh_token"] = authToken.RefreshToken.Token memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt) } - + fmt.Printf("=> res %v", res) gc.JSON(http.StatusOK, res) } } diff --git a/server/token/auth_token.go b/server/token/auth_token.go index de434a3..3fb4f3a 100644 --- a/server/token/auth_token.go +++ b/server/token/auth_token.go @@ -91,7 +91,6 @@ func CreateAuthToken(gc *gin.Context, user *models.User, roles, scope []string, AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt}, IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt}, } - if utils.StringSliceContains(scope, "offline_access") { refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod) if err != nil { From 0bce901749a1a73f2b0e84b410af56e9b9443cbe Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Mon, 8 Jan 2024 14:28:23 +0530 Subject: [PATCH 2/2] remove debug logs --- server/handlers/token.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/server/handlers/token.go b/server/handlers/token.go index 7d8bb31..1a60130 100644 
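Review bot: The three `fmt.Print*` calls and the `log.Debug` added at the end of TokenHandler write the refresh token, the session key plus fingerprint, and the entire `res` map (access, id and refresh tokens) to stdout, so any build of this commit dumps bearer credentials into process logs. The follow-up `remove debug logs` patch deletes them again, but the leaking revision stays reachable in history and in any deployment cut from it; squash the two patches so the token endpoint never ships with these lines. If a trace is wanted, log only a non-secret fact such as `log.Debug("refresh token issued: ", authToken.RefreshToken != nil)`. TokenHandler's body begins before this hunk.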
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -3,7 +3,6 @@ package handlers
 import (
 "crypto/sha256"
 "encoding/base64"
- "fmt"
 "net/http"
 "strings"
 "time"
@@ -264,14 +263,10 @@ func TokenHandler() gin.HandlerFunc {
 "roles": roles,
 "expires_in": expiresIn,
 }
- fmt.Println("=> scopes:", scope)
- fmt.Println("=> refreshToken:", authToken.RefreshToken)
 if authToken.RefreshToken != nil {
- log.Debug("Refresh token is present: ", fmt.Sprintf("%s:%s", sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint))
 res["refresh_token"] = authToken.RefreshToken.Token
 memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 }
- fmt.Printf("=> res %v", res)
 gc.JSON(http.StatusOK, res)
 }
 }