From a2744d671a931b90480fee60fc8c3c6fe50926b0 Mon Sep 17 00:00:00 2001
From: Dominik Klein
Date: Thu, 13 Feb 2025 11:27:19 +0100
Subject: [PATCH 1/2] feat: Add extra token request params for authorization code flow
---
 lib/omniauth/strategies/openid_connect.rb | 6 ++++++
 test/lib/omniauth/strategies/openid_connect_test.rb | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 73dd0fe0..961b47a6 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -282,6 +282,12 @@ def access_token
 token_request_params[:code_verifier] = params['code_verifier'] || session.delete('omniauth.pkce.verifier') if options.pkce
+ if configured_response_type == 'code'
+ token_request_params[:grant_type] = :authorization_code
+ token_request_params[:code] = authorization_code
+ token_request_params[:redirect_uri] = redirect_uri
+ end
+
 @access_token = client.access_token!(token_request_params)
 verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index ffa9f708..62864dfb 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -852,10 +852,12 @@ def test_dynamic_state
 def test_option_client_auth_method
 state = SecureRandom.hex(16)
+ code = SecureRandom.hex(16)
 opts = strategy.options.client_options
 opts[:host] = 'foobar.com'
 strategy.options.issuer = 'foobar.com'
+ strategy.options.client_options.redirect_uri = 'https://mysite.com/callback'
 strategy.options.client_auth_method = :not_basic
 strategy.options.client_signing_alg = :RS256
 strategy.options.client_jwk_signing_key = jwks.to_json
@@ -867,6 +869,7 @@ def test_option_client_auth_method
 }
 request.stubs(:path).returns('')
+ request.stubs(:params).returns('code' => code, 'state' => state)
 strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 id_token = stub('OpenIDConnect::ResponseObject::IdToken')
@@ -874,7 +877,14 @@ def test_option_client_auth_method
 ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 url = "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }"
- body = { scope: 'openid', grant_type: 'client_credentials', client_id: @identifier, client_secret: @secret }
+ body = {
+ scope: 'openid',
+ grant_type: 'authorization_code',
+ client_id: @identifier,
+ client_secret: @secret,
+ redirect_uri: 'https://mysite.com/callback',
+ code: code,
+ }
 stub_request(:post, url).with(body: body).to_return(
 body: json_response.to_json,
From b1e287cf46d89998c773ceec7315b9f15e0e8306 Mon Sep 17 00:00:00 2001
From: Dominik Klein
Date: Thu, 13 Feb 2025 11:51:25 +0100
Subject: [PATCH 2/2] Added client_id again, because it's needed with basic client_auth_method.
---
 lib/omniauth/strategies/openid_connect.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 961b47a6..ca9fc6e0 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -286,6 +286,7 @@ def access_token
 token_request_params[:grant_type] = :authorization_code
 token_request_params[:code] = authorization_code
 token_request_params[:redirect_uri] = redirect_uri
+ token_request_params[:client_id] = client_options.identifier
 end
 @access_token = client.access_token!(token_request_params)
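Review bot: The three new token_request_params entries in the `if configured_response_type == 'code'` block carry no explanation of why the strategy sets them itself, although `client.access_token!` already derives grant_type, code and redirect_uri from the client's grant once the authorization code has been assigned to the client; if that assignment happens earlier in the callback (outside this hunk), these lines duplicate it and silently override whatever the client would have sent. The old test expectation of `grant_type: 'client_credentials'` suggests the test simply never set that grant, so a reader cannot tell from this hunk whether production requests were actually wrong or only the test fixture was. Add a why-comment above the `if`, e.g. `# Send the code-grant params explicitly: the client's own grant is not used when … (name the provider or case)`, or drop the block if the grant path already covers the real flow. Note that the `redirect_uri` sent here must be byte-identical to the one used in the authorization request, because the server binds the code to it (RFC 6749 §4.1.3); presumably the same helper built both, but that is worth confirming. The enclosing `access_token` method starts and ends outside this hunk.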
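Review bot: `strategy.options.client_options.redirect_uri = 'https://mysite.com/callback'` spells out a path that the test already aliases as `opts` two lines above, and it is inconsistent with `opts[:host] = 'foobar.com'` right next to it; `opts[:redirect_uri] = 'https://mysite.com/callback'` reads the same way as the host setting. The literal callback URL is repeated later in the expected token-request body, so a local such as `redirect_uri = 'https://mysite.com/callback'` used in both places would keep the test from drifting if one copy is edited. The rest of test_option_client_auth_method continues outside this hunk.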
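Review bot: `token_request_params[:client_id] = client_options.identifier` is now sent on every authorization-code token request, but the commit message says it is only needed for the basic client_auth_method, and the updated test expectation in openid_connect_test.rb already shows client_id in the body for `:not_basic` without this line, so for the non-basic methods the line is redundant and changes the wire request of every existing configuration. Gate it on the configured method, e.g. `token_request_params[:client_id] = client_options.identifier if options.client_auth_method.to_s == 'basic'` (extend the condition to the unset default if that also means basic), and add a comment naming the provider or case that rejects a basic-auth token request without client_id in the body. No test exercises `client_auth_method = :basic` with a body expectation containing client_id, so the exact case this patch targets is untested; a second stub alongside the existing one, with the Basic Authorization header and `client_id` in the body, would pin it. The enclosing `access_token` method starts and ends outside this hunk.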