devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

fix: pkce flow for oauth login

Browse Source
This commit is contained in:
Lakhan Samani 2024-01-08 14:21:24 +05:30
parent 3bd3a52d3b
commit e5fbaa26e1
4 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/handlers/authorize.go
View File

@ -123,7 +123,7 @@ func AuthorizeHandler() gin.HandlerFunc {
// TODO add state with timeout // TODO add state with timeout
// used for response mode query or fragment // used for response mode query or fragment
authState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI authState := "state=" + state + "&scope=" + scopeString + "&redirect_uri=" + redirectURI
if responseType == constants.ResponseTypeCode { if responseType == constants.ResponseTypeCode {
authState += "&code=" + code authState += "&code=" + code
if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil { if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil {

11
server/handlers/oauth_callback.go
View File

@ -53,7 +53,16 @@ func OAuthCallbackHandler() gin.HandlerFunc {
stateValue := sessionSplit[0] stateValue := sessionSplit[0]
redirectURL := sessionSplit[1] redirectURL := sessionSplit[1]
inputRoles := strings.Split(sessionSplit[2], ",") inputRoles := strings.Split(sessionSplit[2], ",")
scopes := strings.Split(sessionSplit[3], ",") scopeString := sessionSplit[3]
scopes := []string{}
if scopeString != "" {
if strings.Contains(scopeString, ",") {
scopes = strings.Split(scopeString, ",")
}
if strings.Contains(scopeString, " ") {
scopes = strings.Split(scopeString, " ")
}
}
var user *models.User var user *models.User
oauthCode := ctx.Request.FormValue("code") oauthCode := ctx.Request.FormValue("code")
if oauthCode == "" { if oauthCode == "" {

9
server/handlers/token.go
View File

@ -3,6 +3,7 @@ package handlers
import ( import (
"crypto/sha256" "crypto/sha256"
"encoding/base64" "encoding/base64"
"fmt"
"net/http" "net/http"
"strings" "strings"
"time" "time"
@ -105,7 +106,7 @@ func TokenHandler() gin.HandlerFunc {
if codeVerifier == "" && clientSecret == "" { if codeVerifier == "" && clientSecret == "" {
gc.JSON(http.StatusBadRequest, gin.H{ gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_dat", "error": "invalid_data",
"error_description": "The code verifier or client secret is required", "error_description": "The code verifier or client secret is required",
}) })
return return
@ -263,12 +264,14 @@ func TokenHandler() gin.HandlerFunc {
"roles": roles, "roles": roles,
"expires_in": expiresIn, "expires_in": expiresIn,
} }
fmt.Println("=> scopes:", scope)
fmt.Println("=> refreshToken:", authToken.RefreshToken)
if authToken.RefreshToken != nil { if authToken.RefreshToken != nil {
log.Debug("Refresh token is present: ", fmt.Sprintf("%s:%s", sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint))
res["refresh_token"] = authToken.RefreshToken.Token res["refresh_token"] = authToken.RefreshToken.Token
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt) memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
} }
fmt.Printf("=> res %v", res)
gc.JSON(http.StatusOK, res) gc.JSON(http.StatusOK, res)
} }
} }

1
server/token/auth_token.go
View File

@ -91,7 +91,6 @@ func CreateAuthToken(gc *gin.Context, user *models.User, roles, scope []string,
AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt}, AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt}, IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},
} }
if utils.StringSliceContains(scope, "offline_access") { if utils.StringSliceContains(scope, "offline_access") {
refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod) refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod)
if err != nil { if err != nil {