From cac461e03d066fa81502f3afeed324ed95ad09cb Mon Sep 17 00:00:00 2001
From: Pierre Hubert
Date: Fri, 15 Apr 2022 18:28:53 +0200
Subject: [PATCH] Can bypass code verifier for specific clients
---
 src/controllers/openid_controller.rs | 23 +++++++++++++----------
 src/data/client.rs | 1 +
 src/data/openid_config.rs | 2 ++
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index 1bbf052..eb6e2b1 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -36,7 +36,8 @@ pub async fn get_configuration(app_conf: web::Data) -> impl Responder
 subject_types_supported: vec!["public"],
 id_token_signing_alg_values_supported: vec!["RS256"],
 token_endpoint_auth_methods_supported: vec!["client_secret_post", "client_secret_basic"],
- claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"],
+ claims_supported: vec!["sub", "name", "given_name", "family_name", "email"],
+ code_challenge_methods_supported: vec!["plain", "S256"],
 })
 }
@@ -293,16 +294,18 @@ pub async fn token(req: HttpRequest,
 }
 // Check code challenge, if needed
- if let Some(chall) = &session.code_challenge {
- let code_verifier = match &q.code_verifier {
- None => {
- return Ok(error_response(&query, "access_denied", "Code verifier missing"));
- }
- Some(s) => s
- };
+ if !client.disable_code_verifier.unwrap_or(false) {
+ if let Some(chall) = &session.code_challenge {
+ let code_verifier = match &q.code_verifier {
+ None => {
+ return Ok(error_response(&query, "access_denied", "Code verifier missing"));
+ }
+ Some(s) => s
+ };
- if !chall.verify_code(code_verifier) {
- return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
+ if !chall.verify_code(code_verifier) {
+ return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
+ }
 }
 }
diff --git a/src/data/client.rs b/src/data/client.rs
index 145833f..bab0c01 100644
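Review bot: The new `code_challenge_methods_supported` line advertises `"plain"`, which RFC 7636 §7.2 permits but discourages, because with `plain` the challenge is the verifier itself and an attacker who sees the authorization request gains nothing from PKCE; advertising it invites clients to choose it. Unless a known client cannot do SHA-256, advertise only the strong method: `code_challenge_methods_supported: vec!["S256"],`. Whether `verify_code` actually accepts both methods is outside this hunk, so whichever list is kept should match what the verifier implements, since a mismatch either way breaks or weakens clients that trust the discovery document.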
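Review bot: The new outer `if !client.disable_code_verifier.unwrap_or(false)` skips the whole PKCE block, so for a flagged client a `code_challenge` that was bound to the session at authorization time is never checked and a supplied but wrong `code_verifier` is silently accepted; RFC 7636 §4.6 requires the server to verify the code whenever a challenge was sent, and skipping it lets anyone holding an intercepted or injected authorization code redeem it. If the goal is only to let clients that never send a challenge through, the flag is redundant because the pre-existing `if let Some(chall) = &session.code_challenge` already does that. If a real client sends a challenge but cannot send the verifier, the waiver should be limited to the missing-verifier case and should still verify any verifier that is supplied, as sketched below; it should also be restricted to clients that authenticated with their secret at this endpoint, which I cannot confirm from the hunk because `client` is resolved earlier in `token`. `token` starts and ends outside this hunk.
```rust
        // Check code challenge, if needed
        if let Some(chall) = &session.code_challenge {
            match &q.code_verifier {
                // Only a *missing* verifier may be waived, and only for clients explicitly
                // configured for it; a supplied verifier is always checked.
                None if client.disable_code_verifier.unwrap_or(false) => {}
                None => {
                    return Ok(error_response(&query, "access_denied", "Code verifier missing"));
                }
                Some(code_verifier) if !chall.verify_code(code_verifier) => {
                    return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
                }
                Some(_) => {}
            }
        }
        // … unchanged: rest of token() …
```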
--- a/src/data/client.rs
+++ b/src/data/client.rs
@@ -10,6 +10,7 @@ pub struct Client {
 pub description: String,
 pub secret: String,
 pub redirect_uri: String,
+ pub disable_code_verifier: Option,
 }
 impl PartialEq for Client {
diff --git a/src/data/openid_config.rs b/src/data/openid_config.rs
index 9575dad..3587e8a 100644
--- a/src/data/openid_config.rs
+++ b/src/data/openid_config.rs
@@ -32,4 +32,6 @@ pub struct OpenIDConfig {
 /// RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
 pub claims_supported: Vec<&'static str>,
+
+ pub code_challenge_methods_supported: Vec<&'static str>,
 }
\ No newline at end of file
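Review bot: The added `disable_code_verifier` field carries no doc comment, and a per-client switch that turns off a security check needs one that names the consequence so an operator editing the client list understands what they are enabling; I would add above it `/// When true, the token endpoint issues tokens for an authorization code even if the authorization request sent a code_challenge and the token request has no code_verifier. This removes PKCE protection for this client; enable it only for a confidential client that cannot send the verifier.` If `Client` is deserialized with serde (the derives are outside this hunk), `#[serde(default)] pub disable_code_verifier: bool` would make absent-means-false explicit in the type instead of relying on `unwrap_or(false)` at every use site. The struct header and the `impl PartialEq` body are outside the hunk.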
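Review bot: `code_challenge_methods_supported` is added without a doc comment while the neighbouring `claims_supported` carries the discovery-spec wording the rest of `OpenIDConfig` uses; add `/// OPTIONAL. JSON array containing a list of PKCE code challenge methods supported by this authorization server (RFC 8414 §2).` above it so the struct stays uniformly documented. The hunk also still ends with `\ No newline at end of file`; adding the trailing newline now keeps the next change to this struct from showing a spurious diff on the closing brace. The struct header is outside the hunk.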