
fix(oauth2): use empty connector ID and pass nonce for client_credentials

Use an empty connector ID instead of __client_credentials to avoid
requiring reserved ID validation. Read the nonce parameter from the
token request and forward it to newAccessToken and newIDToken.

Signed-off-by: Mathias Gebbe <mathias.gebbe@gmail.com>
pull/4583/head
Mathias Gebbe 3 weeks ago
commit
3c10d71ed7
No known key found for this signature in database
GPG Key ID: 2A35E2EC75E5438F
  1. 8
      server/handlers.go
  2. 2
      server/handlers_test.go

8
server/handlers.go

@ -1538,9 +1538,11 @@ func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Req
}
}
connID := "__client_credentials"
nonce := r.Form.Get("nonce")
accessToken, expiry, err := s.newAccessToken(ctx, client.ID, claims, scopes, "", connID)
connID := ""
accessToken, expiry, err := s.newAccessToken(ctx, client.ID, claims, scopes, nonce, connID)
if err != nil {
s.logger.ErrorContext(ctx, "client_credentials grant failed to create new access token", "err", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
@ -1549,7 +1551,7 @@ func (s *Server) handleClientCredentialsGrant(w http.ResponseWriter, r *http.Req
var idToken string
if hasOpenIDScope {
idToken, expiry, err = s.newIDToken(ctx, client.ID, claims, scopes, "", accessToken, "", connID)
idToken, expiry, err = s.newIDToken(ctx, client.ID, claims, scopes, nonce, accessToken, "", connID)
if err != nil {
s.logger.ErrorContext(ctx, "client_credentials grant failed to create new ID token", "err", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
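Review bot: Switching to `connID := ""` on the new side removes the only marker inside the encoded subject that told a consumer the token came from the client_credentials grant, so a relying party that unmarshals `sub` into `IDTokenSubject` now sees the same shape as a user subject with an empty connector, and any code path that later resolves a connector by this ID would presumably be handed an empty string — worth confirming against the refresh/offline-session paths, which are outside this hunk. The nonce is also read straight from the form and forwarded into both the access token and the ID token without any validation or length bound, and nonce is not a defined parameter of the client_credentials grant, so at minimum the intent should be documented. I would add above the `connID := ""` line: `// client_credentials tokens are not tied to a connector; the ID is left empty (a reserved name would fail reserved-ID validation). Callers must not infer the grant type from sub.ConnId.` and above the nonce line: `// nonce is non-standard for client_credentials; it is echoed into the tokens verbatim for clients that want replay binding.` handleClientCredentialsGrant begins before the first hunk and continues past the last one.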

2
server/handlers_test.go

@ -791,7 +791,7 @@ func TestHandleClientCredentials(t *testing.T) {
// Decode the subject to verify the connector ID.
var sub internal.IDTokenSubject
require.NoError(t, internal.Unmarshal(idToken.Subject, &sub))
require.Equal(t, "__client_credentials", sub.ConnId)
require.Equal(t, "", sub.ConnId)
require.Equal(t, tc.clientID, sub.UserId)
var claims struct {
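Review bot: The test only tracks the changed expected connector ID and adds no coverage for the nonce forwarding that the same commit introduces, so a regression that drops the nonce from either token would pass this test. It would be worth extending a case in TestHandleClientCredentials to send a `nonce` form value and assert it appears in the decoded ID token, plus a case without one asserting the claim is absent, along the lines of `require.Equal(t, tc.nonce, claims.Nonce)` once the claims struct below carries a `Nonce string` field (field names inferred, adjust to the struct actually used). The enclosing test function starts before this hunk and continues after it.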
