From ed9ed83bc8ea8bdb7b20fde51b0e3479a4a299d6 Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Sun, 25 Feb 2024 02:22:26 +0900
Subject: [PATCH 01/11] feat(op): Add response_mode: form_post

---
 pkg/oidc/authorization.go   |  1 +
 pkg/op/auth_request.go      | 56 +++++++++++++++++++++++++++++++++++++
 pkg/op/auth_request_test.go | 28 +++++++++++++++++++
 pkg/op/form_post.html.tmpl  | 14 ++++++++++
 4 files changed, 99 insertions(+)
 create mode 100644 pkg/op/form_post.html.tmpl

diff --git a/pkg/oidc/authorization.go b/pkg/oidc/authorization.go
index 511e396..b502d92 100644
--- a/pkg/oidc/authorization.go
+++ b/pkg/oidc/authorization.go
@@ -48,6 +48,7 @@ const (
 
 	ResponseModeQuery    ResponseMode = "query"
 	ResponseModeFragment ResponseMode = "fragment"
+	ResponseModeFormPost ResponseMode = "form_post"
 
 	// PromptNone (`none`) disallows the Authorization Server to display any authentication or consent user interface pages.
 	// An error (login_required, interaction_required, ...) will be returned if the user is not already authenticated or consent is needed
diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 7058ebc..3da53b5 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -2,8 +2,10 @@ package op
 
 import (
 	"context"
+	_ "embed"
 	"errors"
 	"fmt"
+	"html/template"
 	"net"
 	"net/http"
 	"net/url"
@@ -464,6 +466,17 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
 		Code:  code,
 		State: authReq.GetState(),
 	}
+
+	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
+		err = AuthResponseFormPost(w, authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
+		if err != nil {
+			AuthRequestError(w, r, authReq, err, authorizer)
+			return
+		}
+
+		return
+	}
+
 	callback, err := AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), &codeResponse, authorizer.Encoder())
 	if err != nil {
 		AuthRequestError(w, r, authReq, err, authorizer)
@@ -484,6 +497,17 @@ func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthReque
 		AuthRequestError(w, r, authReq, err, authorizer)
 		return
 	}
+
+	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
+		err = AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder())
+		if err != nil {
+			AuthRequestError(w, r, authReq, err, authorizer)
+			return
+		}
+
+		return
+	}
+
 	callback, err := AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), resp, authorizer.Encoder())
 	if err != nil {
 		AuthRequestError(w, r, authReq, err, authorizer)
@@ -535,6 +559,38 @@ func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, respons
 	return mergeQueryParams(uri, params), nil
 }
 
+//go:embed form_post.html.tmpl
+var formPostTemplate string
+
+// AuthResponseFormPost responds a html page that automatically submits the form which contains the auth response parameters
+func AuthResponseFormPost(w http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error {
+	t, err := template.New("form_post").Parse(formPostTemplate)
+	if err != nil {
+		return oidc.ErrServerError().WithParent(err)
+	}
+
+	values := make(map[string][]string)
+	err = encoder.Encode(response, values)
+	if err != nil {
+		return oidc.ErrServerError().WithParent(err)
+	}
+
+	params := &struct {
+		RedirectURI string
+		Params      any
+	}{
+		RedirectURI: redirectURI,
+		Params:      values,
+	}
+
+	err = t.Execute(w, params)
+	if err != nil {
+		return oidc.ErrServerError().WithParent(err)
+	}
+
+	return nil
+}
+
 func setFragment(uri *url.URL, params url.Values) string {
 	uri.Fragment = params.Encode()
 	return uri.String()
diff --git a/pkg/op/auth_request_test.go b/pkg/op/auth_request_test.go
index 18880f0..5959a2e 100644
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -1111,6 +1112,33 @@ func TestAuthResponseCode(t *testing.T) {
 				wantBody:           "",
 			},
 		},
+		{
+			name: "success form_post",
+			args: args{
+				authReq: &storage.AuthRequest{
+					ID:            "id1",
+					CallbackURI:   "https://example.com/callback",
+					TransferState: "state1",
+					ResponseMode:  "form_post",
+				},
+				authorizer: func(t *testing.T) op.Authorizer {
+					ctrl := gomock.NewController(t)
+					storage := mock.NewMockStorage(ctrl)
+					storage.EXPECT().SaveAuthCode(context.Background(), "id1", "id1")
+
+					authorizer := mock.NewMockAuthorizer(ctrl)
+					authorizer.EXPECT().Storage().Return(storage)
+					authorizer.EXPECT().Crypto().Return(&mockCrypto{})
+					authorizer.EXPECT().Encoder().Return(schema.NewEncoder())
+					return authorizer
+				},
+			},
+			res: res{
+				wantCode:           http.StatusOK,
+				wantLocationHeader: "",
+				wantBody:           "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n</form>\n</body>\n</html>",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/op/form_post.html.tmpl b/pkg/op/form_post.html.tmpl
new file mode 100644
index 0000000..7bc9ab3
--- /dev/null
+++ b/pkg/op/form_post.html.tmpl
@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+<head><meta charset="UTF-8" /></head>
+<body onload="javascript:document.forms[0].submit()">
+<form method="post" action="{{ .RedirectURI }}">
+{{with .Params.state}}<input type="hidden" name="state" value="{{ index . 0 }}"/>{{end}}
+{{with .Params.code}}<input type="hidden" name="code" value="{{ index . 0 }}" />{{end}}
+{{with .Params.id_token}}<input type="hidden" name="id_token" value="{{ index . 0 }}"/>{{end}}
+{{with .Params.access_token}}<input type="hidden" name="access_token" value="{{ index . 0 }}" />{{end}}
+{{with .Params.token_type}}<input type="hidden" name="token_type" value="{{ index . 0 }}" />{{end}}
+{{with .Params.expires_in}}<input type="hidden" name="expires_in" value="{{ index . 0 }}" />{{end}}
+</form>
+</body>
+</html>
\ No newline at end of file

From a49642c898af3b8d636279ecb9e20190aa47cb6b Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Tue, 27 Feb 2024 21:30:41 +0900
Subject: [PATCH 02/11] Fix to parse the template ahead of time

---
 pkg/op/auth_request.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 3da53b5..0474a05 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -560,17 +560,14 @@ func AuthResponseURL(redirectURI string, responseType oidc.ResponseType, respons
 }
 
 //go:embed form_post.html.tmpl
-var formPostTemplate string
+var formPostHtmlTemplate string
+
+var formPostTmpl = template.Must(template.New("form_post").Parse(formPostHtmlTemplate))
 
 // AuthResponseFormPost responds a html page that automatically submits the form which contains the auth response parameters
 func AuthResponseFormPost(w http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error {
-	t, err := template.New("form_post").Parse(formPostTemplate)
-	if err != nil {
-		return oidc.ErrServerError().WithParent(err)
-	}
-
 	values := make(map[string][]string)
-	err = encoder.Encode(response, values)
+	err := encoder.Encode(response, values)
 	if err != nil {
 		return oidc.ErrServerError().WithParent(err)
 	}
@@ -583,7 +580,7 @@ func AuthResponseFormPost(w http.ResponseWriter, redirectURI string, response an
 		Params:      values,
 	}
 
-	err = t.Execute(w, params)
+	err = formPostTmpl.Execute(w, params)
 	if err != nil {
 		return oidc.ErrServerError().WithParent(err)
 	}

From 9a288fa017002aeae95f065c0d6911c6ad72f29f Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Tue, 27 Feb 2024 22:01:29 +0900
Subject: [PATCH 03/11] Fix to render the template in a buffer

---
 pkg/op/auth_request.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 0474a05..fc87293 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -1,6 +1,7 @@
 package op
 
 import (
+	"bytes"
 	"context"
 	_ "embed"
 	"errors"
@@ -468,12 +469,13 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
 	}
 
 	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
-		err = AuthResponseFormPost(w, authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
+		res, err := AuthResponseFormPost(authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
 		if err != nil {
 			AuthRequestError(w, r, authReq, err, authorizer)
 			return
 		}
 
+		res.WriteTo(w)
 		return
 	}
 
@@ -499,12 +501,13 @@ func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthReque
 	}
 
 	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
-		err = AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder())
+		res, err := AuthResponseFormPost(authReq.GetRedirectURI(), resp, authorizer.Encoder())
 		if err != nil {
 			AuthRequestError(w, r, authReq, err, authorizer)
 			return
 		}
 
+		res.WriteTo(w)
 		return
 	}
 
@@ -565,11 +568,11 @@ var formPostHtmlTemplate string
 var formPostTmpl = template.Must(template.New("form_post").Parse(formPostHtmlTemplate))
 
 // AuthResponseFormPost responds a html page that automatically submits the form which contains the auth response parameters
-func AuthResponseFormPost(w http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error {
+func AuthResponseFormPost(redirectURI string, response any, encoder httphelper.Encoder) (*bytes.Buffer, error) {
 	values := make(map[string][]string)
 	err := encoder.Encode(response, values)
 	if err != nil {
-		return oidc.ErrServerError().WithParent(err)
+		return nil, oidc.ErrServerError().WithParent(err)
 	}
 
 	params := &struct {
@@ -580,12 +583,13 @@ func AuthResponseFormPost(w http.ResponseWriter, redirectURI string, response an
 		Params:      values,
 	}
 
-	err = formPostTmpl.Execute(w, params)
+	var buf bytes.Buffer
+	err = formPostTmpl.Execute(&buf, params)
 	if err != nil {
-		return oidc.ErrServerError().WithParent(err)
+		return nil, oidc.ErrServerError().WithParent(err)
 	}
 
-	return nil
+	return &buf, nil
 }
 
 func setFragment(uri *url.URL, params url.Values) string {

From 8544727be28316af5255dd55793da1a0b6c6c4e9 Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Thu, 29 Feb 2024 00:42:21 +0900
Subject: [PATCH 04/11] Remove unnecessary import

---
 pkg/op/auth_request_test.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pkg/op/auth_request_test.go b/pkg/op/auth_request_test.go
index 6f0b375..f2b98ad 100644
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@@ -10,7 +10,6 @@ import (
 	"net/url"
 	"reflect"
 	"testing"
-	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -1137,8 +1136,7 @@ func TestAuthResponseCode(t *testing.T) {
 				wantCode:           http.StatusOK,
 				wantLocationHeader: "",
 				wantBody:           "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n</form>\n</body>\n</html>",
-			},
-		},
+			}},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From f692c18b0a08f492567a95205b59574d3476a1ac Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Thu, 29 Feb 2024 23:59:36 +0900
Subject: [PATCH 05/11] Fix test

---
 example/server/storage/oidc.go | 4 +++-
 pkg/op/auth_request_test.go    | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/example/server/storage/oidc.go b/example/server/storage/oidc.go
index 2509f77..9cd08d9 100644
--- a/example/server/storage/oidc.go
+++ b/example/server/storage/oidc.go
@@ -35,6 +35,7 @@ type AuthRequest struct {
 	UserID        string
 	Scopes        []string
 	ResponseType  oidc.ResponseType
+	ResponseMode  oidc.ResponseMode
 	Nonce         string
 	CodeChallenge *OIDCCodeChallenge
 
@@ -100,7 +101,7 @@ func (a *AuthRequest) GetResponseType() oidc.ResponseType {
 }
 
 func (a *AuthRequest) GetResponseMode() oidc.ResponseMode {
-	return "" // we won't handle response mode in this example
+	return a.ResponseMode
 }
 
 func (a *AuthRequest) GetScopes() []string {
@@ -154,6 +155,7 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
 		UserID:        userID,
 		Scopes:        authReq.Scopes,
 		ResponseType:  authReq.ResponseType,
+		ResponseMode:  authReq.ResponseMode,
 		Nonce:         authReq.Nonce,
 		CodeChallenge: &OIDCCodeChallenge{
 			Challenge: authReq.CodeChallenge,
diff --git a/pkg/op/auth_request_test.go b/pkg/op/auth_request_test.go
index f2b98ad..7a363ff 100644
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@@ -1135,8 +1135,9 @@ func TestAuthResponseCode(t *testing.T) {
 			res: res{
 				wantCode:           http.StatusOK,
 				wantLocationHeader: "",
-				wantBody:           "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n</form>\n</body>\n</html>",
-			}},
+				wantBody:           "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n\n</form>\n</body>\n</html>",
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From 938be2529ab8d65ceaddd06755b3bf609353c0aa Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Fri, 1 Mar 2024 00:38:59 +0900
Subject: [PATCH 06/11] Fix example client setting

---
 example/server/storage/client.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/server/storage/client.go b/example/server/storage/client.go
index 2e57cc5..90e27aa 100644
--- a/example/server/storage/client.go
+++ b/example/server/storage/client.go
@@ -184,10 +184,10 @@ func WebClient(id, secret string, redirectURIs ...string) *Client {
 		applicationType:                op.ApplicationTypeWeb,
 		authMethod:                     oidc.AuthMethodBasic,
 		loginURL:                       defaultLoginURL,
-		responseTypes:                  []oidc.ResponseType{oidc.ResponseTypeCode},
+		responseTypes:                  []oidc.ResponseType{oidc.ResponseTypeCode, oidc.ResponseTypeIDTokenOnly},
 		grantTypes:                     []oidc.GrantType{oidc.GrantTypeCode, oidc.GrantTypeRefreshToken, oidc.GrantTypeTokenExchange},
 		accessTokenType:                op.AccessTokenTypeBearer,
-		devMode:                        false,
+		devMode:                        true,
 		idTokenUserinfoClaimsAssertion: false,
 		clockSkew:                      0,
 	}

From 8045e4b9197f0c90f3c5a3f9930761a79cfcaf29 Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Sun, 3 Mar 2024 16:16:19 +0900
Subject: [PATCH 07/11] Make sure the client not to reuse the content of the
 response

---
 pkg/op/auth_request.go      | 18 ++++++++++--------
 pkg/op/auth_request_test.go | 14 ++++++++------
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 7f9e3b6..a8ca0e0 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -469,13 +469,12 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
 	}
 
 	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
-		res, err := AuthResponseFormPost(authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
+		err := AuthResponseFormPost(w, authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
 		if err != nil {
 			AuthRequestError(w, r, authReq, err, authorizer)
 			return
 		}
 
-		res.WriteTo(w)
 		return
 	}
 
@@ -501,13 +500,12 @@ func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthReque
 	}
 
 	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
-		res, err := AuthResponseFormPost(authReq.GetRedirectURI(), resp, authorizer.Encoder())
+		err := AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder())
 		if err != nil {
 			AuthRequestError(w, r, authReq, err, authorizer)
 			return
 		}
 
-		res.WriteTo(w)
 		return
 	}
 
@@ -568,11 +566,11 @@ var formPostHtmlTemplate string
 var formPostTmpl = template.Must(template.New("form_post").Parse(formPostHtmlTemplate))
 
 // AuthResponseFormPost responds a html page that automatically submits the form which contains the auth response parameters
-func AuthResponseFormPost(redirectURI string, response any, encoder httphelper.Encoder) (*bytes.Buffer, error) {
+func AuthResponseFormPost(res http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error {
 	values := make(map[string][]string)
 	err := encoder.Encode(response, values)
 	if err != nil {
-		return nil, oidc.ErrServerError().WithParent(err)
+		return oidc.ErrServerError().WithParent(err)
 	}
 
 	params := &struct {
@@ -586,10 +584,14 @@ func AuthResponseFormPost(redirectURI string, response any, encoder httphelper.E
 	var buf bytes.Buffer
 	err = formPostTmpl.Execute(&buf, params)
 	if err != nil {
-		return nil, oidc.ErrServerError().WithParent(err)
+		return oidc.ErrServerError().WithParent(err)
 	}
 
-	return &buf, nil
+	res.Header().Set("Cache-Control", "no-store")
+	res.WriteHeader(http.StatusOK)
+	buf.WriteTo(res)
+
+	return nil
 }
 
 func setFragment(uri *url.URL, params url.Values) string {
diff --git a/pkg/op/auth_request_test.go b/pkg/op/auth_request_test.go
index 7a363ff..76cb00d 100644
--- a/pkg/op/auth_request_test.go
+++ b/pkg/op/auth_request_test.go
@@ -1027,9 +1027,10 @@ func TestAuthResponseCode(t *testing.T) {
 		authorizer func(*testing.T) op.Authorizer
 	}
 	type res struct {
-		wantCode           int
-		wantLocationHeader string
-		wantBody           string
+		wantCode               int
+		wantLocationHeader     string
+		wantCacheControlHeader string
+		wantBody               string
 	}
 	tests := []struct {
 		name string
@@ -1133,9 +1134,9 @@ func TestAuthResponseCode(t *testing.T) {
 				},
 			},
 			res: res{
-				wantCode:           http.StatusOK,
-				wantLocationHeader: "",
-				wantBody:           "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n\n</form>\n</body>\n</html>",
+				wantCode:               http.StatusOK,
+				wantCacheControlHeader: "no-store",
+				wantBody:               "<!doctype html>\n<html>\n<head><meta charset=\"UTF-8\" /></head>\n<body onload=\"javascript:document.forms[0].submit()\">\n<form method=\"post\" action=\"https://example.com/callback\">\n<input type=\"hidden\" name=\"state\" value=\"state1\"/>\n<input type=\"hidden\" name=\"code\" value=\"id1\" />\n\n\n\n\n</form>\n</body>\n</html>",
 			},
 		},
 	}
@@ -1148,6 +1149,7 @@ func TestAuthResponseCode(t *testing.T) {
 			defer resp.Body.Close()
 			assert.Equal(t, tt.res.wantCode, resp.StatusCode)
 			assert.Equal(t, tt.res.wantLocationHeader, resp.Header.Get("Location"))
+			assert.Equal(t, tt.res.wantCacheControlHeader, resp.Header.Get("Cache-Control"))
 			body, err := io.ReadAll(resp.Body)
 			require.NoError(t, err)
 			assert.Equal(t, tt.res.wantBody, string(body))

From 0b750134a3c2cf7bcb1dd7bbc05055da28afebf8 Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Sun, 3 Mar 2024 16:19:32 +0900
Subject: [PATCH 08/11] Fix error handling

---
 pkg/op/auth_request.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index a8ca0e0..18d8826 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -589,7 +589,10 @@ func AuthResponseFormPost(res http.ResponseWriter, redirectURI string, response
 
 	res.Header().Set("Cache-Control", "no-store")
 	res.WriteHeader(http.StatusOK)
-	buf.WriteTo(res)
+	_, err = buf.WriteTo(res)
+	if err != nil {
+		return oidc.ErrServerError().WithParent(err)
+	}
 
 	return nil
 }

From a6b62c5c3e3d2f794cc5a79923028f0ca2c2c2d4 Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Sun, 3 Mar 2024 16:27:01 +0900
Subject: [PATCH 09/11] Add the response_mode param

---
 example/client/app/app.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/example/client/app/app.go b/example/client/app/app.go
index a779169..9b43b8d 100644
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@@ -32,6 +32,7 @@ func main() {
 	issuer := os.Getenv("ISSUER")
 	port := os.Getenv("PORT")
 	scopes := strings.Split(os.Getenv("SCOPES"), " ")
+	responseMode := os.Getenv("RESPONSE_MODE")
 
 	redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath)
 	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())
@@ -77,12 +78,24 @@ func main() {
 		return uuid.New().String()
 	}
 
+	urlOptions := []rp.URLParamOpt{
+		rp.WithPromptURLParam("Welcome back!"),
+	}
+
+	if responseMode != "" {
+		urlOptions = append(urlOptions, rp.WithResponseModeURLParam(oidc.ResponseMode(responseMode)))
+	}
+
 	// register the AuthURLHandler at your preferred path.
 	// the AuthURLHandler creates the auth request and redirects the user to the auth server.
 	// including state handling with secure cookie and the possibility to use PKCE.
 	// Prompts can optionally be set to inform the server of
 	// any messages that need to be prompted back to the user.
-	http.Handle("/login", rp.AuthURLHandler(state, provider, rp.WithPromptURLParam("Welcome back!")))
+	http.Handle("/login", rp.AuthURLHandler(
+		state,
+		provider,
+		urlOptions...,
+	))
 
 	// for demonstration purposes the returned userinfo response is written as JSON object onto response
 	marshalUserinfo := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, rp rp.RelyingParty, info *oidc.UserInfo) {

From 6d9aaf79866c62f8f0d83691a5481eebb523495c Mon Sep 17 00:00:00 2001
From: Ayato <ay4toh5i@gmail.com>
Date: Sun, 3 Mar 2024 16:44:25 +0900
Subject: [PATCH 10/11] Allow implicit flow in the example app

---
 example/server/storage/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/server/storage/client.go b/example/server/storage/client.go
index 90e27aa..010b9ce 100644
--- a/example/server/storage/client.go
+++ b/example/server/storage/client.go
@@ -184,7 +184,7 @@ func WebClient(id, secret string, redirectURIs ...string) *Client {
 		applicationType:                op.ApplicationTypeWeb,
 		authMethod:                     oidc.AuthMethodBasic,
 		loginURL:                       defaultLoginURL,
-		responseTypes:                  []oidc.ResponseType{oidc.ResponseTypeCode, oidc.ResponseTypeIDTokenOnly},
+		responseTypes:                  []oidc.ResponseType{oidc.ResponseTypeCode, oidc.ResponseTypeIDTokenOnly, oidc.ResponseTypeIDToken},
 		grantTypes:                     []oidc.GrantType{oidc.GrantTypeCode, oidc.GrantTypeRefreshToken, oidc.GrantTypeTokenExchange},
 		accessTokenType:                op.AccessTokenTypeBearer,
 		devMode:                        true,

From 67206e757e6b0e4413caad6c9070c446b4ec7d85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Mon, 4 Mar 2024 18:16:16 +0200
Subject: [PATCH 11/11] feat(rp): allow form_post in code exchange callback
 handler

---
 pkg/client/rp/relying_party.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index 72270fe..74da71e 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -494,9 +494,8 @@ func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp R
 			unauthorizedError(w, r, "failed to get state: "+err.Error(), state, rp)
 			return
 		}
-		params := r.URL.Query()
-		if params.Get("error") != "" {
-			rp.ErrorHandler()(w, r, params.Get("error"), params.Get("error_description"), state)
+		if errValue := r.FormValue("error"); errValue != "" {
+			rp.ErrorHandler()(w, r, errValue, r.FormValue("error_description"), state)
 			return
 		}
 		codeOpts := make([]CodeExchangeOpt, len(urlParam))
@@ -521,7 +520,7 @@ func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp R
 			}
 			codeOpts = append(codeOpts, WithClientAssertionJWT(assertion))
 		}
-		tokens, err := CodeExchange[C](r.Context(), params.Get("code"), rp, codeOpts...)
+		tokens, err := CodeExchange[C](r.Context(), r.FormValue("code"), rp, codeOpts...)
 		if err != nil {
 			unauthorizedError(w, r, "failed to exchange token: "+err.Error(), state, rp)
 			return