Can bypass code verifier for specific clients

2022-04-15 18:28:53 +02:00 · 2022-04-15 18:28:53 +02:00 · cac461e03d
commit cac461e03d
parent 1d21b30b68
3 changed files with 16 additions and 10 deletions
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@ -36,7 +36,8 @@ pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder
        subject_types_supported: vec!["public"],
        id_token_signing_alg_values_supported: vec!["RS256"],
        token_endpoint_auth_methods_supported: vec!["client_secret_post", "client_secret_basic"],
-        claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"],
+        claims_supported: vec!["sub", "name", "given_name", "family_name", "email"],
+        code_challenge_methods_supported: vec!["plain", "S256"],
    })
 }

@ -293,16 +294,18 @@ pub async fn token(req: HttpRequest,
            }

            // Check code challenge, if needed
-            if let Some(chall) = &session.code_challenge {
-                let code_verifier = match &q.code_verifier {
-                    None => {
-                        return Ok(error_response(&query, "access_denied", "Code verifier missing"));
-                    }
-                    Some(s) => s
-                };
+            if !client.disable_code_verifier.unwrap_or(false) {
+                if let Some(chall) = &session.code_challenge {
+                    let code_verifier = match &q.code_verifier {
+                        None => {
+                            return Ok(error_response(&query, "access_denied", "Code verifier missing"));
+                        }
+                        Some(s) => s
+                    };

-                if !chall.verify_code(code_verifier) {
-                    return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
+                    if !chall.verify_code(code_verifier) {
+                        return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
+                    }
                }
            }

--- a/src/data/client.rs
+++ b/src/data/client.rs
@ -10,6 +10,7 @@ pub struct Client {
    pub description: String,
    pub secret: String,
    pub redirect_uri: String,
+    pub disable_code_verifier: Option<bool>,
 }

 impl PartialEq for Client {
--- a/src/data/openid_config.rs
+++ b/src/data/openid_config.rs
@ -32,4 +32,6 @@ pub struct OpenIDConfig {

    /// RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
    pub claims_supported: Vec<&'static str>,
+
+    pub code_challenge_methods_supported: Vec<&'static str>,
 }