From b1542be7b1a1fa391e2927850ad13fce75eb17c5 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 9 Dec 2020 10:08:41 -0600
Subject: [PATCH] In oidcclient token exchange request, pass client_id but don't bother with authorization header.

I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.

Signed-off-by: Matt Moyer
---
 pkg/oidcclient/login.go | 6 ++----
 pkg/oidcclient/login_test.go | 5 +++++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index 62c380c9..98146fa5 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -338,11 +338,9 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
 		return nil, err
 	}
 
-	// Use the base access token to authenticate our request. This will populate the "authorization" header.
-	client := oauth2.NewClient(h.ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: baseToken.AccessToken.Token}))
-
 	// Form the HTTP POST request with the parameters specified by RFC8693.
 	reqBody := strings.NewReader(url.Values{
+		"client_id": []string{h.clientID},
 		"grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
 		"audience": []string{h.requestedAudience},
 		"subject_token": []string{baseToken.AccessToken.Token},
@@ -356,7 +354,7 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 
 	// Perform the request.
-	resp, err := client.Do(req)
+	resp, err := h.httpClient.Do(req)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/oidcclient/login_test.go b/pkg/oidcclient/login_test.go
index 04c0b4b2..10daf6ab 100644
--- a/pkg/oidcclient/login_test.go
+++ b/pkg/oidcclient/login_test.go
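Review bot: With the old comment gone, nothing in the new code says why this token-exchange POST deliberately carries no Authorization header and why `client_id` is now part of the form, so the next reader may "fix" it back to a bearer-authenticated client; the rationale lives only in the commit message. Add above the `"client_id"` entry: `// No Authorization header is set on purpose: the token endpoint authenticates this request via subject_token, and client_id is included because the server requires it for the token-exchange grant.` Note that the subject token is the base access token itself, so it is still transmitted, just in the body rather than a header. tokenExchangeRFC8693 begins and ends outside this hunk.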
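Review bot: `resp, err := h.httpClient.Do(req)` in the second hunk dereferences a struct field where the old code built its own client, so a handlerState whose httpClient was never set would now panic at this line instead of using the default the oauth2 client provided; confirm the constructor always populates h.httpClient (ideally with a timeout) or guard it, e.g. `if h.httpClient == nil { return nil, errors.New("token exchange: no http client configured") }`. The old `oauth2.NewClient(h.ctx, ...)` was the only place h.ctx appeared in this path, so the request's own context is now the sole cancellation path; the `req` construction is above the hunk and cannot be checked here, but it should be `http.NewRequestWithContext(h.ctx, ...)` rather than `http.NewRequest`. The enclosing function continues outside the hunk.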
@@ -152,6 +152,11 @@ func TestLogin(t *testing.T) {
 			}
 		case "urn:ietf:params:oauth:grant-type:token-exchange":
+			if r.Form.Get("client_id") != "test-client-id" {
+				http.Error(w, "bad client_id", http.StatusBadRequest)
+				return
+			}
+
 			switch r.Form.Get("audience") {
 			case "test-audience-produce-invalid-http-response":
 				http.Redirect(w, r, "%", http.StatusTemporaryRedirect)
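Review bot: The fake token endpoint now rejects a wrong `client_id`, but nothing asserts that the Authorization header is no longer sent, which is the other half of this commit; a regression that re-adds the bearer header to the exchange request would still pass this test. Add next to the client_id check: `if r.Header.Get("Authorization") != "" { http.Error(w, "unexpected authorization header", http.StatusBadRequest); return }`. If the fake server's other grant branches also expect no Authorization header, the same check could move above the switch, but that is outside this hunk. The enclosing handler and TestLogin both extend beyond the hunk.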