handle client credentials in VerifyClient

2023-09-25 12:06:25 +03:00 · 2023-09-25 12:06:25 +03:00 · b7cbe15ced
commit b7cbe15ced
parent d27be590c4
2 changed files with 19 additions and 15 deletions
--- a/pkg/op/server_http_routes_test.go
+++ b/pkg/op/server_http_routes_test.go
@ -145,22 +145,18 @@ func TestServerRoutes(t *testing.T) {
 				`","issued_token_type":"urn:ietf:params:oauth:token-type:refresh_token","token_type":"Bearer","expires_in":299,"scope":"openid offline_access","refresh_token":"`,
 			},
 		},
-
-		/*
-			{
-				name:      "Client credentials exchange",
-				method:    http.MethodGet,
-				path:      testProvider.TokenEndpoint().Relative(),
-				basicAuth: &basicAuth{"web", "secret"},
-				values: map[string]string{
-					"grant_type": string(oidc.GrantTypeClientCredentials),
-					"scope":      oidc.SpaceDelimitedArray{oidc.ScopeOpenID, oidc.ScopeOfflineAccess}.String(),
-				},
-				wantCode: http.StatusOK,
-				contains: []string{`{"access_token":"`, `","token_type":"Bearer","expires_in":299}`},
+		{
+			name:      "Client credentials exchange",
+			method:    http.MethodGet,
+			path:      testProvider.TokenEndpoint().Relative(),
+			basicAuth: &basicAuth{"sid1", "verysecret"},
+			values: map[string]string{
+				"grant_type": string(oidc.GrantTypeClientCredentials),
+				"scope":      oidc.SpaceDelimitedArray{oidc.ScopeOpenID, oidc.ScopeOfflineAccess}.String(),
 			},
-		*/
-
+			wantCode: http.StatusOK,
+			contains: []string{`{"access_token":"`, `","token_type":"Bearer","expires_in":299}`},
+		},
 		{
 			// This call will fail. A successfull test is already
 			// part of device_test.go
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@ -105,6 +105,14 @@ func (s *LegacyServer) DeviceAuthorization(ctx context.Context, r *ClientRequest
 }

 func (s *LegacyServer) VerifyClient(ctx context.Context, r *Request[ClientCredentials]) (Client, error) {
+	if oidc.GrantType(r.Form.Get("grant_type")) == oidc.GrantTypeClientCredentials {
+		storage, ok := s.provider.Storage().(ClientCredentialsStorage)
+		if !ok {
+			return nil, oidc.ErrUnsupportedGrantType().WithDescription("client_credentials grant not supported")
+		}
+		return storage.ClientCredentials(ctx, r.Data.ClientID, r.Data.ClientSecret)
+	}
+
 	if r.Data.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
 		jwtExchanger, ok := s.provider.(JWTAuthorizationGrantExchanger)
 		if !ok || !s.provider.AuthMethodPrivateKeyJWTSupported() {