From d01311abf10a0d6c7db5d9594a4f592ff1ea99b5 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Fri, 21 Feb 2025 14:49:45 +0100
Subject: [PATCH] Can initiate code authentication without client secret

---
 src/controllers/openid_controller.rs | 15 ++++++++-------
 src/data/client.rs                   | 15 +++------------
 2 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index f7b0c31..f464283 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -16,7 +16,7 @@ use crate::constants::*;
 use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
-use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager};
+use crate::data::client::{AdditionalClaims, ClientID, ClientManager};
 use crate::data::code_challenge::CodeChallenge;
 use crate::data::current_user::CurrentUser;
 use crate::data::id_token::IdToken;
@@ -220,8 +220,8 @@ pub async fn authorize(
         ));
     }
 
-    match (client.auth_flow(), query.response_type.as_str()) {
-        (AuthenticationFlow::AuthorizationCode, "code") => {
+    match (client.has_secret(), query.response_type.as_str()) {
+        (_, "code") => {
             // Save all authentication information in memory
             let session = Session {
                 session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
@@ -263,7 +263,8 @@ pub async fn authorize(
                 .finish())
         }
 
-        (AuthenticationFlow::Implicit, "id_token") => {
+        // id_token is available only if user has no secret configured
+        (false, "id_token") => {
             let id_token = IdToken {
                 issuer: AppConfig::get().website_origin.to_string(),
                 subject_identifier: user.uid.0.clone(),
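Review bot: The new `(_, "code")` arm admits clients that have no secret to the authorization code flow without requiring a PKCE code challenge from them; a public client cannot authenticate at the token endpoint, so without PKCE an intercepted authorization code can be redeemed by whoever captured it (RFC 7636, OAuth 2.0 Security BCP). Since the file already imports `CodeChallenge`, the arm should bind the secret flag and refuse a secret-less request that carries no challenge, e.g. `(has_secret, "code") => {` followed by `if !has_secret && query.code_challenge.is_none() { return Ok(error_redirect(/* invalid_request: PKCE required for public clients */)); }` — the exact query field name and the `error_redirect` arguments are not visible in this hunk and should be matched to the rest of `authorize`. The token endpoint must correspondingly accept an exchange without `client_secret` only when a matching `code_verifier` is presented, which this commit does not touch. `authorize` starts and ends outside the hunk.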
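Review bot: The comment added above the `id_token` arm says "user has no secret configured", but the value being matched is `client.has_secret()`, so it is the client's secret, not the user's, that selects this arm. Suggest `// Implicit flow (id_token) is only offered to public clients, i.e. those with no client secret configured` so the comment agrees with the match. The implicit flow is also discouraged for new deployments by the OAuth 2.0 Security BCP; that predates this commit, but if the branch is kept for compatibility the comment is the place to say so. `authorize` continues outside the hunk.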
@@ -295,11 +296,11 @@ pub async fn authorize(
                 .finish())
         }
 
-        (flow, code) => {
+        (secret, code) => {
             log::warn!(
-                "For client {:?}, configured with flow {:?}, made request with code {}",
+                "For client {:?}, configured with secret {:?}, made request with code {}",
                 client.id,
-                flow,
+                secret,
                 code
             );
             Ok(error_redirect(
diff --git a/src/data/client.rs b/src/data/client.rs
index 76b2b90..2271f91 100644
--- a/src/data/client.rs
+++ b/src/data/client.rs
@@ -7,12 +7,6 @@ use std::collections::HashMap;
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
 pub struct ClientID(pub String);
 
-#[derive(Debug, Copy, Clone, Eq, PartialEq)]
-pub enum AuthenticationFlow {
-    AuthorizationCode,
-    Implicit,
-}
-
 pub type AdditionalClaims = HashMap;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
@@ -61,12 +55,9 @@ impl PartialEq for Client {
 impl Eq for Client {}
 
 impl Client {
-    /// Get the client authentication flow
-    pub fn auth_flow(&self) -> AuthenticationFlow {
-        match self.secret {
-            None => AuthenticationFlow::Implicit,
-            Some(_) => AuthenticationFlow::AuthorizationCode,
-        }
+    /// Check if the client has a secret defined
+    pub fn has_secret(&self) -> bool {
+        self.secret.is_some()
     }
 
     /// Process a single claim value