From b7cbe15cedd60798366750f4f5158b44e4b7cc0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 25 Sep 2023 12:06:25 +0300
Subject: [PATCH] handle client credentials in VerifyClient

---
 pkg/op/server_http_routes_test.go | 26 +++++++++++---------------
 pkg/op/server_legacy.go | 8 ++++++++
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/pkg/op/server_http_routes_test.go b/pkg/op/server_http_routes_test.go
index fdaf406..88e0e00 100644
--- a/pkg/op/server_http_routes_test.go
+++ b/pkg/op/server_http_routes_test.go
@@ -145,22 +145,18 @@ func TestServerRoutes(t *testing.T) {
 `","issued_token_type":"urn:ietf:params:oauth:token-type:refresh_token","token_type":"Bearer","expires_in":299,"scope":"openid offline_access","refresh_token":"`,
 },
 },
-
- /*
- {
- name: "Client credentials exchange",
- method: http.MethodGet,
- path: testProvider.TokenEndpoint().Relative(),
- basicAuth: &basicAuth{"web", "secret"},
- values: map[string]string{
- "grant_type": string(oidc.GrantTypeClientCredentials),
- "scope": oidc.SpaceDelimitedArray{oidc.ScopeOpenID, oidc.ScopeOfflineAccess}.String(),
- },
- wantCode: http.StatusOK,
- contains: []string{`{"access_token":"`, `","token_type":"Bearer","expires_in":299}`},
+ {
+ name: "Client credentials exchange",
+ method: http.MethodGet,
+ path: testProvider.TokenEndpoint().Relative(),
+ basicAuth: &basicAuth{"sid1", "verysecret"},
+ values: map[string]string{
+ "grant_type": string(oidc.GrantTypeClientCredentials),
+ "scope": oidc.SpaceDelimitedArray{oidc.ScopeOpenID, oidc.ScopeOfflineAccess}.String(),
 },
- */
-
+ wantCode: http.StatusOK,
+ contains: []string{`{"access_token":"`, `","token_type":"Bearer","expires_in":299}`},
+ },
 {
 // This call will fail. A successfull test is already
 // part of device_test.go
diff --git a/pkg/op/server_legacy.go b/pkg/op/server_legacy.go
index 82fa361..8f6ef17 100644
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
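Review bot: The re-enabled "Client credentials exchange" case only pins the success path for the `sid1`/`verysecret` pair; there is no visible sibling case that sends a wrong secret or omits basic auth and expects a non-200 code, so a regression in VerifyClient that accepted any credential pair would still pass this table. If no such case exists elsewhere in the table, add one right after this entry with `basicAuth: &basicAuth{"sid1", "wrong"}` and the status and error body the provider returns for an invalid client. The expected body also carries no `scope` field even though `openid offline_access` is requested, so the case does not check which scopes were actually granted; a one-line comment saying that is intentional (or an additional `contains` entry) would make it explicit. TestServerRoutes starts and ends outside the hunk.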
@@ -105,6 +105,14 @@ func (s *LegacyServer) DeviceAuthorization(ctx context.Context, r *ClientRequest
 }
 
 func (s *LegacyServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error) {
+ if oidc.GrantType(r.Form.Get("grant_type")) == oidc.GrantTypeClientCredentials {
+ storage, ok := s.provider.Storage().(ClientCredentialsStorage)
+ if !ok {
+ return nil, oidc.ErrUnsupportedGrantType().WithDescription("client_credentials grant not supported")
+ }
+ return storage.ClientCredentials(ctx, r.Data.ClientID, r.Data.ClientSecret)
+ }
+
 if r.Data.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 jwtExchanger, ok := s.provider.(JWTAuthorizationGrantExchanger)
 if !ok || !s.provider.AuthMethodPrivateKeyJWTSupported() {
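Review bot: The new client_credentials branch returns before the `ClientAssertionType` check that follows it, so a client that authenticates with a JWT client assertion (no client_secret) on a client_credentials grant never reaches the JWT branch and instead has an empty `r.Data.ClientSecret` handed to `storage.ClientCredentials`; whether that fails closed then depends entirely on the storage implementation. Either move the block below the JWT-assertion handling or guard it, e.g. `if r.Data.ClientAssertionType == "" && oidc.GrantType(r.Form.Get("grant_type")) == oidc.GrantTypeClientCredentials {` (assuming ClientAssertionType is a string-based type, as the comparison on the following line suggests). The error from `storage.ClientCredentials` is also returned unwrapped, so a storage-level error reaches the client as-is unless the storage already maps it to an oidc error; a short comment on the branch stating that the storage is expected to return an oidc error and must reject an empty secret would make that contract explicit. VerifyClient's body continues outside the hunk.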