cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

errors

Browse source
This commit is contained in:
Livio Amstutz 2021-09-27 09:08:34 +02:00
parent f90e685c76
commit b60f1ed7a8
3 changed files with 20 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

4
pkg/op/token_code.go
View file

@ -16,7 +16,7 @@ func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
RequestError(w, r, err) RequestError(w, r, err)
} }
if tokenReq.Code == "" { if tokenReq.Code == "" {
RequestError(w, r, oidc.ErrInvalidGrant()) //TODO: ErrInvalidRequest("code missing")? RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("code missing"))
return return
} }
authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger) authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
@ -96,7 +96,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
} }
err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage()) err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())
if err != nil { if err != nil {
return nil, nil, oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err) return nil, nil, err
} }
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
return request, client, err return request, client, err

2
pkg/op/token_refresh.go
View file

@ -54,7 +54,7 @@ func ParseRefreshTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.Ref
//and returns the data representing the original auth request corresponding to the refresh_token //and returns the data representing the original auth request corresponding to the refresh_token
func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) { func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) {
if tokenReq.RefreshToken == "" { if tokenReq.RefreshToken == "" {
return nil, nil, oidc.ErrInvalidGrant() //TODO: ErrInvalidRequest("refresh_token missing")? return nil, nil, oidc.ErrInvalidRequest().WithDescription("refresh_token missing")
} }
request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger) request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger)
if err != nil { if err != nil {

33
pkg/op/token_request.go
View file

@ -52,7 +52,7 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
} }
} }
//authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest //AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
//it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest //it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
type AuthenticatedTokenRequest interface { type AuthenticatedTokenRequest interface {
SetClientID(string) SetClientID(string)
@ -71,35 +71,36 @@ func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, requ
return oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err) return oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
} }
clientID, clientSecret, ok := r.BasicAuth() clientID, clientSecret, ok := r.BasicAuth()
if ok { if !ok {
clientID, err = url.QueryUnescape(clientID) return nil
if err != nil {
return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
}
clientSecret, err = url.QueryUnescape(clientSecret)
if err != nil {
return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
}
request.SetClientID(clientID)
request.SetClientSecret(clientSecret)
} }
clientID, err = url.QueryUnescape(clientID)
if err != nil {
return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
}
clientSecret, err = url.QueryUnescape(clientSecret)
if err != nil {
return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
}
request.SetClientID(clientID)
request.SetClientSecret(clientSecret)
return nil return nil
} }
//AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST) //AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error { func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret) err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
if err != nil { if err != nil {
return oidc.ErrInvalidGrant().WithDescription("code_challenge required").WithParent(err) return oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err)
} }
return nil return nil
} }
//AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent //AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
//code_challenge of the auth request (PKCE) //code_challenge of the auth request (PKCE)
func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error { func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
if tokenReq.CodeVerifier == "" { if tokenReq.CodeVerifier == "" {
return oidc.ErrInvalidGrant().WithDescription("code_challenge required") //TODO: ErrInvalidRequest("code_challenge required") return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
} }
if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) { if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
return oidc.ErrInvalidGrant().WithDescription("invalid code challenge") return oidc.ErrInvalidGrant().WithDescription("invalid code challenge")