From 3cd99fe5f62b58e66b3bbcbd2be7236c37b10b18 Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sun, 16 Oct 2022 21:03:37 +0530
Subject: [PATCH] fix: open id config
---
 server/constants/oauth2.go | 2 ++
 server/handlers/authorize.go | 36 ++++++++++++++++++++++----------
 server/handlers/openid_config.go | 2 +-
 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/server/constants/oauth2.go b/server/constants/oauth2.go
index d3ff253..f3e0a67 100644
--- a/server/constants/oauth2.go
+++ b/server/constants/oauth2.go
@@ -14,4 +14,6 @@ const (
 ResponseTypeCode = "code"
 // For the Implicit grant, use response_type=token to include an access token.
 ResponseTypeToken = "token"
+ // For the Implicit grant of id_token, use response_type=id_token to include an identifier token.
+ ResponseTypeIDToken = "id_token"
 )
diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go
index 9337ce9..ad26576 100644
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
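Review bot: The comment on the new ResponseTypeIDToken constant calls the result an "identifier token", which is not the OIDC term and mirrors the access-token wording of the line above; readers may take it to mean the same kind of token. Suggest `// For the OIDC Implicit flow, use response_type=id_token to request an ID Token.` so the constant's doc uses the name the spec and the discovery document use.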
@@ -137,20 +137,34 @@ func AuthorizeHandler() gin.HandlerFunc {
 // in case, response type is code and user is already logged in send the code and state
 // and cookie session will already be rolled over and set
- gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
- "target_origin": redirectURI,
- "authorization_response": map[string]interface{}{
- "type": "authorization_response",
- "response": map[string]string{
- "code": code,
- "state": state,
+ if responseMode == constants.ResponseModeFormPost {
+ gc.HTML(http.StatusOK, authorizeFormPostTemplate, gin.H{
+ "target_origin": redirectURI,
+ "authorization_response": map[string]interface{}{
+ "type": "authorization_response",
+ "response": map[string]string{
+ "code": code,
+ "state": state,
+ },
 },
- },
- })
+ })
+ } else {
+ gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
+ "target_origin": redirectURI,
+ "authorization_response": map[string]interface{}{
+ "type": "authorization_response",
+ "response": map[string]string{
+ "code": code,
+ "state": state,
+ },
+ },
+ })
+ }
+ return
 }
- if responseType == constants.ResponseTypeToken {
+ if responseType == constants.ResponseTypeToken || responseType == constants.ResponseTypeIDToken {
 // rollover the session for security
 authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod)
 if err != nil {
@@ -222,7 +236,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 }
 func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeChallenge string) error {
- if responseType != constants.ResponseTypeCode && responseType != constants.ResponseTypeToken {
+ if responseType != constants.ResponseTypeCode && responseType != constants.ResponseTypeToken && responseType != constants.ResponseTypeIDToken {
 return fmt.Errorf("invalid response type %s. 'code' & 'token' are valid response_type", responseMode)
 }
diff --git a/server/handlers/openid_config.go b/server/handlers/openid_config.go
index 781caf1..db3a52f 100644
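Review bot: The two branches of the new `if responseMode == constants.ResponseModeFormPost` build byte-identical gin.H payloads and differ only in the template name, so the payload should be built once and only the template chosen by the mode; otherwise any later change to the response shape has to be made twice and the copies can drift. The other change in this hunk routes `constants.ResponseTypeIDToken` into the branch that was written for `token`, so an `id_token` request now calls `token.CreateAuthToken` exactly as a `token` request does; the rest of that branch is outside the hunk, so it is worth confirming there that an `id_token`-only request receives an ID Token without also being issued an access token, and that the `nonce` OIDC requires for implicit requests is carried into the token. The AuthorizeHandler body starts before and continues after the hunk.
```go
// … unchanged: comments above the response …
payload := gin.H{
	"target_origin": redirectURI,
	"authorization_response": map[string]interface{}{
		"type": "authorization_response",
		"response": map[string]string{
			"code":  code,
			"state": state,
		},
	},
}
tmpl := authorizeWebMessageTemplate
if responseMode == constants.ResponseModeFormPost {
	tmpl = authorizeFormPostTemplate
}
gc.HTML(http.StatusOK, tmpl, payload)
return
// … unchanged: token / id_token branch …
```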
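Review bot: The error returned on the line directly after the extended condition in validateAuthorizeRequest is now stale: it still tells the caller that `'code' & 'token' are valid response_type` even though `id_token` is accepted, and it formats `responseMode` into the `%s` slot that is supposed to name the rejected response type, so the client is shown the wrong value. Change it to `return fmt.Errorf("invalid response type %q. 'code', 'token' & 'id_token' are valid response_type", responseType)`; `%q` is preferable here because responseType is request-controlled and an empty or odd value then shows up quoted and escaped. validateAuthorizeRequest continues past the end of the hunk.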
--- a/server/handlers/openid_config.go
+++ b/server/handlers/openid_config.go
@@ -22,7 +22,7 @@ func OpenIDConfigurationHandler() gin.HandlerFunc {
 "jwks_uri": issuer + "/.well-known/jwks.json",
 "response_types_supported": []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"},
 "scopes_supported": []string{"openid", "email", "profile", "email_verified", "given_name", "family_name", "nick_name", "picture"},
- "response_modes_supported": []string{"query", "fragment", "form_post"},
+ "response_modes_supported": []string{"query", "fragment", "form_post", "web_message"},
 "id_token_signing_alg_values_supported": []string{jwtType},
 "claims_supported": []string{"aud", "exp", "iss", "iat", "sub", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "picture", "email", "email_verified", "roles", "gender", "birthdate", "phone_number", "phone_number_verified"},
 })
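Review bot: The discovery document still advertises the hybrid response types (`"code token"`, `"code id_token"`, `"token id_token"`, `"code token id_token"`) on the unchanged `response_types_supported` line, while validateAuthorizeRequest in this same patch accepts only the exact strings `code`, `token` and `id_token`, so a relying party that trusts discovery and sends `response_type=code id_token` is rejected by the authorize endpoint. Either trim the advertised list to what is actually accepted, `"response_types_supported": []string{"code", "token", "id_token"},`, or extend validation to the combinations before advertising them. The new `web_message` value is, as far as I know, defined only by the expired IETF draft "OAuth 2.0 Web Message Response Mode" rather than by a published response_mode spec, so a short comment naming that draft next to the value would help the next maintainer. OpenIDConfigurationHandler starts before and continues after the hunk.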