Can initiate code authentication without client secret

This commit is contained in:
Pierre HUBERT 2025-02-21 14:49:45 +01:00
parent a73ad4bf41
commit d01311abf1
2 changed files with 11 additions and 19 deletions


@ -16,7 +16,7 @@ use crate::constants::*;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user}; use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager}; use crate::data::client::{AdditionalClaims, ClientID, ClientManager};
use crate::data::code_challenge::CodeChallenge; use crate::data::code_challenge::CodeChallenge;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::id_token::IdToken; use crate::data::id_token::IdToken;
@ -220,8 +220,8 @@ pub async fn authorize(
)); ));
} }
match (client.auth_flow(), query.response_type.as_str()) { match (client.has_secret(), query.response_type.as_str()) {
(AuthenticationFlow::AuthorizationCode, "code") => { (_, "code") => {
// Save all authentication information in memory // Save all authentication information in memory
let session = Session { let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)), session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
@ -263,7 +263,8 @@ pub async fn authorize(
.finish()) .finish())
} }
(AuthenticationFlow::Implicit, "id_token") => { // id_token is available only if user has no secret configured
(false, "id_token") => {
let id_token = IdToken { let id_token = IdToken {
issuer: AppConfig::get().website_origin.to_string(), issuer: AppConfig::get().website_origin.to_string(),
subject_identifier: user.uid.0.clone(), subject_identifier: user.uid.0.clone(),
@ -295,11 +296,11 @@ pub async fn authorize(
.finish()) .finish())
} }
(flow, code) => { (secret, code) => {
log::warn!( log::warn!(
"For client {:?}, configured with flow {:?}, made request with code {}", "For client {:?}, configured with secret {:?}, made request with code {}",
client.id, client.id,
flow, secret,
code code
); );
Ok(error_redirect( Ok(error_redirect(
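Review bot: The new `(_, "code")` arm at the top of the second hunk lets a client with no secret start the authorization code flow, but nothing in the hunk ties that to a PKCE requirement, so a code issued to a public client is only as safe as the token endpoint (outside this diff) makes it by insisting on a code challenge. The file already imports `CodeChallenge`, so the defensive fix is a guard in this arm before the `Session` is built, along the lines of `if !client.has_secret() && <PKCE challenge from query>.is_none() { return Ok(error_redirect(/* invalid_request */)); }` — the query field name is not visible here, so I have left it as a placeholder. Separately, the comment added above `(false, "id_token")` in the third hunk says `user has no secret configured` although it is the client's secret that is checked; `// id_token is available only if the client has no secret configured` is what is meant. `authorize()` starts and ends outside these hunks, so I cannot see whether any PKCE check already exists elsewhere in it.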


@ -7,12 +7,6 @@ use std::collections::HashMap;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
pub struct ClientID(pub String); pub struct ClientID(pub String);
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum AuthenticationFlow {
AuthorizationCode,
Implicit,
}
pub type AdditionalClaims = HashMap<String, Value>; pub type AdditionalClaims = HashMap<String, Value>;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
@ -61,12 +55,9 @@ impl PartialEq for Client {
impl Eq for Client {} impl Eq for Client {}
impl Client { impl Client {
/// Get the client authentication flow /// Check if the client has a secret defined
pub fn auth_flow(&self) -> AuthenticationFlow { pub fn has_secret(&self) -> bool {
match self.secret { self.secret.is_some()
None => AuthenticationFlow::Implicit,
Some(_) => AuthenticationFlow::AuthorizationCode,
}
} }
/// Process a single claim value /// Process a single claim value
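Review bot: `has_secret` now carries the confidential-versus-public distinction that the removed `AuthenticationFlow` enum made explicit, but its doc comment only restates the field check, so the security meaning of the bool is lost at the definition site. Suggest `/// Whether a client secret is configured. A client without a secret is a public client: this commit's authorize controller permits the implicit flow only for such clients, and they must not be assumed able to authenticate themselves.` as the doc comment. A point of style: callers now match on `(bool, &str)` with a wildcard arm, which loses the exhaustiveness the enum gave; if further flows are added, reinstating an enum over `secret.is_some()` would keep that check. The `impl Client` block continues past the end of this hunk.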