errors
This commit is contained in:
Livio Amstutz
parent
f90e685c76
commit
b60f1ed7a8
3 changed files with 20 additions and 19 deletions
|
|
@ -16,7 +16,7 @@ func CodeExchange(w http.ResponseWriter, r *http.Request, exchanger Exchanger) {
|
|||
RequestError(w, r, err)
|
||||
}
|
||||
if tokenReq.Code == "" {
|
||||
RequestError(w, r, oidc.ErrInvalidGrant()) //TODO: ErrInvalidRequest("code missing")?
|
||||
RequestError(w, r, oidc.ErrInvalidRequest().WithDescription("code missing"))
|
||||
return
|
||||
}
|
||||
authReq, client, err := ValidateAccessTokenRequest(r.Context(), tokenReq, exchanger)
|
||||
|
|
@ -96,7 +96,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
|
|||
}
|
||||
err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage())
|
||||
if err != nil {
|
||||
return nil, nil, oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err)
|
||||
return nil, nil, err
|
||||
}
|
||||
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
|
||||
return request, client, err
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ func ParseRefreshTokenRequest(r *http.Request, decoder utils.Decoder) (*oidc.Ref
|
|||
//and returns the data representing the original auth request corresponding to the refresh_token
|
||||
func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshTokenRequest, exchanger Exchanger) (RefreshTokenRequest, Client, error) {
|
||||
if tokenReq.RefreshToken == "" {
|
||||
return nil, nil, oidc.ErrInvalidGrant() //TODO: ErrInvalidRequest("refresh_token missing")?
|
||||
return nil, nil, oidc.ErrInvalidRequest().WithDescription("refresh_token missing")
|
||||
}
|
||||
request, client, err := AuthorizeRefreshClient(ctx, tokenReq, exchanger)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ func tokenHandler(exchanger Exchanger) func(w http.ResponseWriter, r *http.Reque
|
|||
}
|
||||
}
|
||||
|
||||
//authenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
|
||||
//AuthenticatedTokenRequest is a helper interface for ParseAuthenticatedTokenRequest
|
||||
//it is implemented by oidc.AuthRequest and oidc.RefreshTokenRequest
|
||||
type AuthenticatedTokenRequest interface {
|
||||
SetClientID(string)
|
||||
|
|
@ -71,35 +71,36 @@ func ParseAuthenticatedTokenRequest(r *http.Request, decoder utils.Decoder, requ
|
|||
return oidc.ErrInvalidRequest().WithDescription("error decoding form").WithParent(err)
|
||||
}
|
||||
clientID, clientSecret, ok := r.BasicAuth()
|
||||
if ok {
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
clientID, err = url.QueryUnescape(clientID)
|
||||
if err != nil {
|
||||
return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
|
||||
return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
|
||||
}
|
||||
clientSecret, err = url.QueryUnescape(clientSecret)
|
||||
if err != nil {
|
||||
return oidc.ErrInvalidRequest().WithDescription("invalid basic auth header").WithParent(err)
|
||||
return oidc.ErrInvalidClient().WithDescription("invalid basic auth header").WithParent(err)
|
||||
}
|
||||
request.SetClientID(clientID)
|
||||
request.SetClientSecret(clientSecret)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
//AuthorizeRefreshClientByClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
|
||||
//AuthorizeClientIDSecret authorizes a client by validating the client_id and client_secret (Basic Auth and POST)
|
||||
func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string, storage Storage) error {
|
||||
err := storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
|
||||
if err != nil {
|
||||
return oidc.ErrInvalidGrant().WithDescription("code_challenge required").WithParent(err)
|
||||
return oidc.ErrInvalidClient().WithDescription("invalid client_id / client_secret").WithParent(err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
//AuthorizeCodeClientByCodeChallenge authorizes a client by validating the code_verifier against the previously sent
|
||||
//AuthorizeCodeChallenge authorizes a client by validating the code_verifier against the previously sent
|
||||
//code_challenge of the auth request (PKCE)
|
||||
func AuthorizeCodeChallenge(tokenReq *oidc.AccessTokenRequest, challenge *oidc.CodeChallenge) error {
|
||||
if tokenReq.CodeVerifier == "" {
|
||||
return oidc.ErrInvalidGrant().WithDescription("code_challenge required") //TODO: ErrInvalidRequest("code_challenge required")
|
||||
return oidc.ErrInvalidRequest().WithDescription("code_challenge required")
|
||||
}
|
||||
if !oidc.VerifyCodeChallenge(challenge, tokenReq.CodeVerifier) {
|
||||
return oidc.ErrInvalidGrant().WithDescription("invalid code challenge")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue