fix: simplify verifying PKCE
This commit is contained in:
Ayato
parent
c2842f3356
commit
b06e76c54e
3 changed files with 28 additions and 30 deletions
|
|
@ -74,6 +74,20 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
|
|||
ctx, span := tracer.Start(ctx, "AuthorizeCodeClient")
|
||||
defer span.End()
|
||||
|
||||
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
codeChallenge := request.GetCodeChallenge()
|
||||
if codeChallenge != nil {
|
||||
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
|
||||
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
|
||||
jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
|
||||
if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
|
||||
|
|
@ -83,19 +97,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
|
|||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
|
||||
|
||||
codeChallenge := request.GetCodeChallenge()
|
||||
if codeChallenge != nil && codeChallenge.Challenge != "" {
|
||||
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
|
||||
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return request, client, err
|
||||
}
|
||||
|
||||
client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
|
||||
if err != nil {
|
||||
return nil, nil, oidc.ErrInvalidClient().WithParent(err)
|
||||
|
|
@ -104,12 +108,10 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
|
|||
return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
|
||||
}
|
||||
if client.AuthMethod() == oidc.AuthMethodNone {
|
||||
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
if codeChallenge == nil {
|
||||
return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
|
||||
}
|
||||
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
|
||||
return request, client, err
|
||||
return request, client, nil
|
||||
}
|
||||
if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
|
||||
return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
|
||||
|
|
@ -118,16 +120,6 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
|
|||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
|
||||
|
||||
codeChallenge := request.GetCodeChallenge()
|
||||
if codeChallenge != nil && codeChallenge.Challenge != "" {
|
||||
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
|
||||
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return request, client, err
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue