Can initiate code authentication without client secret

2025-02-21 14:49:45 +01:00 · 2025-02-21 14:49:45 +01:00 · d01311abf1
commit d01311abf1
parent a73ad4bf41
2 changed files with 11 additions and 19 deletions
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@ -16,7 +16,7 @@ use crate::constants::*;
 use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
-use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager};
+use crate::data::client::{AdditionalClaims, ClientID, ClientManager};
 use crate::data::code_challenge::CodeChallenge;
 use crate::data::current_user::CurrentUser;
 use crate::data::id_token::IdToken;
@ -220,8 +220,8 @@ pub async fn authorize(
        ));
    }

-    match (client.auth_flow(), query.response_type.as_str()) {
-        (AuthenticationFlow::AuthorizationCode, "code") => {
+    match (client.has_secret(), query.response_type.as_str()) {
+        (_, "code") => {
            // Save all authentication information in memory
            let session = Session {
                session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
@ -263,7 +263,8 @@ pub async fn authorize(
                .finish())
        }

-        (AuthenticationFlow::Implicit, "id_token") => {
+        // id_token is available only if user has no secret configured
+        (false, "id_token") => {
            let id_token = IdToken {
                issuer: AppConfig::get().website_origin.to_string(),
                subject_identifier: user.uid.0.clone(),
@ -295,11 +296,11 @@ pub async fn authorize(
                .finish())
        }

-        (flow, code) => {
+        (secret, code) => {
            log::warn!(
-                "For client {:?}, configured with flow {:?}, made request with code {}",
+                "For client {:?}, configured with secret {:?}, made request with code {}",
                client.id,
-                flow,
+                secret,
                code
            );
            Ok(error_redirect(
--- a/src/data/client.rs
+++ b/src/data/client.rs
@ -7,12 +7,6 @@ use std::collections::HashMap;
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
 pub struct ClientID(pub String);

-#[derive(Debug, Copy, Clone, Eq, PartialEq)]
-pub enum AuthenticationFlow {
-    AuthorizationCode,
-    Implicit,
-}
-
 pub type AdditionalClaims = HashMap<String, Value>;

 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
@ -61,12 +55,9 @@ impl PartialEq for Client {
 impl Eq for Client {}

 impl Client {
-    /// Get the client authentication flow
-    pub fn auth_flow(&self) -> AuthenticationFlow {
-        match self.secret {
-            None => AuthenticationFlow::Implicit,
-            Some(_) => AuthenticationFlow::AuthorizationCode,
-        }
+    /// Check if the client has a secret defined
+    pub fn has_secret(&self) -> bool {
+        self.secret.is_some()
    }

    /// Process a single claim value