diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go
index 16694676..3a522495 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@@ -4,6 +4,7 @@ package auth
 import (
+ "crypto/ecdsa"
 "fmt"
 "html"
 "mime"
@@ -124,8 +125,9 @@ func TestAuthorizationEndpoint(t *testing.T) {
 // Configure fosite the same way that the production code would, except use in-memory storage.
 oauthStore := oidc.NullStorage{}
 hmacSecret := []byte("some secret - must have at least 32 bytes")
+ var signingKeyIsUnused *ecdsa.PrivateKey
 require.GreaterOrEqual(t, len(hmacSecret), 32, "fosite requires that hmac secrets have at least 32 bytes")
- oauthHelper := oidc.FositeOauth2Helper(issuer, oauthStore, hmacSecret)
+ oauthHelper := oidc.FositeOauth2Helper(issuer, oauthStore, hmacSecret, signingKeyIsUnused)
 
 happyCSRF := "test-csrf"
 happyPKCE := "test-pkce"
diff --git a/internal/oidc/nullstorage_test.go b/internal/oidc/nullstorage_test.go
index 8555c031..2983a800 100644
--- a/internal/oidc/nullstorage_test.go
+++ b/internal/oidc/nullstorage_test.go
@@ -30,6 +30,7 @@ func TestNullStorage_GetClient(t *testing.T) {
 GrantTypes: []string{"authorization_code"},
 Scopes: []string{"openid", "profile", "email"},
 },
+ TokenEndpointAuthMethod: "none",
 },
 client,
 )
diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go
index 6c2e12db..9414b5bc 100644
--- a/internal/oidc/provider/manager/manager.go
+++ b/internal/oidc/provider/manager/manager.go
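Review bot: The new expectation `TokenEndpointAuthMethod: "none"` in TestNullStorage_GetClient pins a security-relevant property of the client returned by NullStorage — a public client that presents no credentials at the token endpoint — but nothing in the test says why that is the intended value. A one-line comment above the added field would stop a later edit from being treated as a cosmetic tweak, e.g. `// Public client: no client secret, so the token endpoint must rely on other protections (such as PKCE) — see the authorization tests.` The hunk shows only the expected struct, so I can't confirm from here what NullStorage itself returns for this field or where "none" is enforced; TestNullStorage_GetClient's body starts outside the hunk.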
@@ -70,7 +70,12 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 // Use NullStorage for the authorize endpoint because we do not actually want to store anything until
 // the upstream callback endpoint is called later.
- oauthHelper := oidc.FositeOauth2Helper(incomingProvider.Issuer(), oidc.NullStorage{}, []byte("some secret - must have at least 32 bytes")) // TODO replace this secret
+ oauthHelper := oidc.FositeOauth2Helper(
+ incomingProvider.Issuer(),
+ oidc.NullStorage{},
+ []byte("some secret - must have at least 32 bytes"), // TODO replace this secret
+ nil, // TODO: inject me properly
+ )
 
 // TODO use different codecs for the state and the cookie, because:
 // 1. we would like to state to have an embedded expiration date while the cookie does not need that