Code Monkey home page Code Monkey logo

Comments (6)

livio-a avatar livio-a commented on May 29, 2024 1

Hey @shnplr

I see the problem. The AuthURLHandler currently does not allow to do so.
It's only possible in the AuthURL function:

http.Redirect(w, r, rp.AuthURL(state, provider, rp.WithPrompt(oidc.PromptSelectAccount)), http.StatusFound)

I'll create a PR to change it and for the CodeExchange / CodeExchangeHandler.

from oidc.

fforootd avatar fforootd commented on May 29, 2024

@livio-a can you glance into this?

from oidc.

muhlemmer avatar muhlemmer commented on May 29, 2024

@livio-a
If we expose opts ...AuthURLOpt in AuthURLHandler(), there will be a hypothetical case where a double code challenge can be set. 1 time by the caller using WithCodeChallenge() directly and 1 time by the conditional below:

oidc/pkg/client/rp/relying_party.go

Lines 345 to 352 in fa222c5

if rp.IsPKCE() {
codeChallenge, err := GenerateAndStoreCodeChallenge(w, rp)
if err != nil {
http.Error(w, "failed to create code challenge: "+err.Error(), http.StatusUnauthorized)
return
}
opts = append(opts, WithCodeChallenge(codeChallenge))
}

There is no way of knowing if it was already set in opts, as the AuthURLOpt type is a function, which cannot be compared to be equal in Go. Perhaps calling the option and comparing outputs or some other de-duplication logic when building the redirect URL, but that would be a dirty solution.

As WithPrompt() and WithCodeChallenge() are the only 2 AuthURLOpts, I would propose to only expose the ability of setting additional prompts:

func AuthURLHandler(stateFn func() string, rp RelyingParty, prompts ...string) http.HandlerFunc {
...
    if len(prompts) > 0 {
        opts = append(opts, WithPrompt(prompts...))
    }
...
}

... and for the CodeExchange / CodeExchangeHandler.

Likewise, for CodeExchangeHandler() there are only 2 CodeExchangeOpts and both of them are set in conditionals. IMO we shouldn't change anything here:

oidc/pkg/client/rp/relying_party.go

Lines 415 to 430 in fa222c5

if rp.IsPKCE() {
codeVerifier, err := rp.CookieHandler().CheckCookie(r, pkceCode)
if err != nil {
http.Error(w, "failed to get code verifier: "+err.Error(), http.StatusUnauthorized)
return
}
codeOpts = append(codeOpts, WithCodeVerifier(codeVerifier))
}
if rp.Signer() != nil {
assertion, err := client.SignedJWTProfileAssertion(rp.OAuthConfig().ClientID, []string{rp.Issuer()}, time.Hour, rp.Signer())
if err != nil {
http.Error(w, "failed to build assertion: "+err.Error(), http.StatusUnauthorized)
return
}
codeOpts = append(codeOpts, WithClientAssertionJWT(assertion))
}

from oidc.

muhlemmer avatar muhlemmer commented on May 29, 2024

Oops. I just now read #265, which would add more options. I will give it some more thought.

from oidc.

muhlemmer avatar muhlemmer commented on May 29, 2024

I think I found a suitable solution. Perhaps we should continue the conversation at PR #273. Have a good weekend.

from oidc.

github-actions avatar github-actions commented on May 29, 2024

🎉 This issue has been resolved in version 1.13.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

from oidc.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.