feat: add support for response mode

server/crypto/common.go

@@ -94,6 +94,7 @@ func EncryptEnvData(data envstore.Store) (string, error) {
 	if err != nil {
 		return "", err
 	}
+
 	encryptedConfig, err := EncryptAESEnv(configData)
 	if err != nil {
 		return "", err

server/env/persist_env.go

@@ -112,7 +112,7 @@ func PersistEnv() error {
 
 		for key, value := range storeData.StringEnv {
 			// don't override unexposed envs
-			if key != constants.EnvKeyEncryptionKey && key != constants.EnvKeyClientID && key != constants.EnvKeyClientSecret && key != constants.EnvKeyJWK {
+			if key != constants.EnvKeyEncryptionKey {
 				// check only for derivative keys
 				// No need to check for ENCRYPTION_KEY which special key we use for encrypting config data
 				// as we have removed it from json

server/handlers/authorize.go

@@ -6,10 +6,12 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/token"
+	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
@@ -17,6 +19,7 @@ import (
 // AuthorizeHandler is the handler for the /authorize route
 // required params
 // ?redirect_uri = redirect url
+// ?response_mode = to decide if result should be html or re-direct
 // state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
 // code_challenge = to prevent CSRF attack
 // code_challenge_method = to prevent CSRF attack [only sh256 is supported]
@@ -31,8 +34,30 @@ func AuthorizeHandler() gin.HandlerFunc {
 		scopeString := strings.TrimSpace(gc.Query("scope"))
 		clientID := strings.TrimSpace(gc.Query("client_id"))
 		template := "authorize.tmpl"
+		responseMode := strings.TrimSpace(gc.Query("response_mode"))
+
+		if responseMode == "" {
+			responseMode = "query"
+		}
+
+		if responseMode != "query" && responseMode != "web_message" {
+			gc.JSON(400, gin.H{"error": "invalid response mode"})
+		}
+
+		if redirectURI == "" {
+			redirectURI = "/app"
+		}
+
+		isQuery := responseMode == "query"
+
+		hostname := utils.GetHost(gc)
+		loginRedirectState := crypto.EncryptB64(`{"authorizerURL":"` + hostname + `","redirectURL":"` + redirectURI + `"}`)
+		loginURL := "/app?state=" + loginRedirectState
 
 		if clientID == "" {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -42,10 +67,14 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 
 		if clientID != envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyClientID) {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -55,23 +84,14 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
-			return
 			}
-
-		if redirectURI == "" {
-			gc.HTML(http.StatusOK, template, gin.H{
-				"target_origin": redirectURI,
-				"authorization_response": map[string]interface{}{
-					"type": "authorization_response",
-					"response": map[string]string{
-						"error": "redirect_uri is required",
-					},
-				},
-			})
 			return
 		}
 
 		if state == "" {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -81,6 +101,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 
@@ -99,6 +120,9 @@ func AuthorizeHandler() gin.HandlerFunc {
 		isResponseTypeToken := responseType == "token"
 
 		if !isResponseTypeCode && !isResponseTypeToken {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -108,11 +132,15 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 
 		if isResponseTypeCode {
 			if codeChallenge == "" {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
 					gc.HTML(http.StatusBadRequest, template, gin.H{
 						"target_origin": redirectURI,
 						"authorization_response": map[string]interface{}{
@@ -122,12 +150,16 @@ func AuthorizeHandler() gin.HandlerFunc {
 							},
 						},
 					})
+				}
 				return
 			}
 		}
 
 		sessionToken, err := cookie.GetSession(gc)
 		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -138,12 +170,16 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 
 		// get session from cookie
 		claims, err := token.ValidateBrowserSession(gc, sessionToken)
 		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -154,11 +190,15 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 		userID := claims.Subject
 		user, err := db.Provider.GetUserByID(userID)
 		if err != nil {
+			if isQuery {
+				gc.Redirect(http.StatusFound, loginURL)
+			} else {
 				gc.HTML(http.StatusOK, template, gin.H{
 					"target_origin": redirectURI,
 					"authorization_response": map[string]interface{}{
@@ -169,6 +209,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 						},
 					},
 				})
+			}
 			return
 		}
 
@@ -180,6 +221,9 @@ func AuthorizeHandler() gin.HandlerFunc {
 			nonce := uuid.New().String()
 			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope)
 			if err != nil {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
 					gc.HTML(http.StatusOK, template, gin.H{
 						"target_origin": redirectURI,
 						"authorization_response": map[string]interface{}{
@@ -190,6 +234,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 							},
 						},
 					})
+				}
 				return
 			}
 
@@ -214,6 +259,9 @@ func AuthorizeHandler() gin.HandlerFunc {
 			// rollover the session for security
 			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope)
 			if err != nil {
+				if isQuery {
+					gc.Redirect(http.StatusFound, loginURL)
+				} else {
 					gc.HTML(http.StatusOK, template, gin.H{
 						"target_origin": redirectURI,
 						"authorization_response": map[string]interface{}{
@@ -224,6 +272,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 							},
 						},
 					})
+				}
 				return
 			}
 			sessionstore.RemoveState(sessionToken)
@@ -256,6 +305,9 @@ func AuthorizeHandler() gin.HandlerFunc {
 			return
 		}
 
+		if isQuery {
+			gc.Redirect(http.StatusFound, loginURL)
+		} else {
 			// by default return with error
 			gc.HTML(http.StatusOK, template, gin.H{
 				"target_origin": redirectURI,
@@ -268,4 +320,5 @@ func AuthorizeHandler() gin.HandlerFunc {
 				},
 			})
 		}
+	}
 }

templates/authorize.tmpl

@@ -8,7 +8,6 @@
 			(function (window, document) {
 				var targetOrigin = {{.target_origin}};
 				var authorizationResponse = {{.authorization_response}};
-				console.log({targetOrigin})
 				window.parent.postMessage(authorizationResponse, targetOrigin);
 			})(this, this.document);
 		</script>