server: support POSTing to authorization endpoint

Fixes #791
9 years ago · 8541184afb
2 changed files with 33 additions and 2 deletions
--- a/server/oauth2.go
+++ b/server/oauth2.go
@ -333,7 +333,10 @@ func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []str

 // parse the initial request from the OAuth2 client.
 func (s *Server) parseAuthorizationRequest(r *http.Request) (req storage.AuthRequest, oauth2Err *authErr) {
-	q := r.URL.Query()
+	if err := r.ParseForm(); err != nil {
+		return req, &authErr{"", "", errInvalidRequest, "Failed to parse request body."}
+	}
+	q := r.Form
 	redirectURI, err := url.QueryUnescape(q.Get("redirect_uri"))
 	if err != nil {
 		return req, &authErr{"", "", errInvalidRequest, "No redirect_uri provided."}
--- a/server/oauth2_test.go
+++ b/server/oauth2_test.go
@ -2,8 +2,10 @@ package server

 import (
 	"context"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"

 	jose "gopkg.in/square/go-jose.v2"
@ -17,6 +19,8 @@ func TestParseAuthorizationRequest(t *testing.T) {
 		clients                []storage.Client
 		supportedResponseTypes []string

+		usePOST bool
+
 		queryParams map[string]string

 		wantErr bool
@ -37,6 +41,23 @@ func TestParseAuthorizationRequest(t *testing.T) {
 				"scope":         "openid email profile",
 			},
 		},
+		{
+			name: "POST request",
+			clients: []storage.Client{
+				{
+					ID:           "foo",
+					RedirectURIs: []string{"https://example.com/foo"},
+				},
+			},
+			supportedResponseTypes: []string{"code"},
+			queryParams: map[string]string{
+				"client_id":     "foo",
+				"redirect_uri":  "https://example.com/foo",
+				"response_type": "code",
+				"scope":         "openid email profile",
+			},
+			usePOST: true,
+		},
 		{
 			name: "invalid client id",
 			clients: []storage.Client{
@ -139,7 +160,14 @@ func TestParseAuthorizationRequest(t *testing.T) {
 				params.Set(k, v)
 			}

-			req := httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+			var req *http.Request
+			if tc.usePOST {
+				body := strings.NewReader(params.Encode())
+				req = httptest.NewRequest("POST", httpServer.URL+"/auth", body)
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			} else {
+				req = httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+			}
 			_, err := server.parseAuthorizationRequest(req)
 			if err != nil && !tc.wantErr {
 				t.Errorf("%s: %v", tc.name, err)