In oidcclient token exchange request, pass client_id but don't bother with authorization header.
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set. Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
1db2ae3a45
commit
b1542be7b1
@ -338,11 +338,9 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Use the base access token to authenticate our request. This will populate the "authorization" header.
|
||||
client := oauth2.NewClient(h.ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: baseToken.AccessToken.Token}))
|
||||
|
||||
// Form the HTTP POST request with the parameters specified by RFC8693.
|
||||
reqBody := strings.NewReader(url.Values{
|
||||
"client_id": []string{h.clientID},
|
||||
"grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
|
||||
"audience": []string{h.requestedAudience},
|
||||
"subject_token": []string{baseToken.AccessToken.Token},
|
||||
@ -356,7 +354,7 @@ func (h *handlerState) tokenExchangeRFC8693(baseToken *oidctypes.Token) (*oidcty
|
||||
req.Header.Set("content-type", "application/x-www-form-urlencoded")
|
||||
|
||||
// Perform the request.
|
||||
resp, err := client.Do(req)
|
||||
resp, err := h.httpClient.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
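Review bot: With the oauth2 client gone, nothing visible here ties the outgoing request to `h.ctx` or guarantees a TLS-configured transport; `resp, err := h.httpClient.Do(req)` sends whatever `req` was built with, and the line constructing `req` sits between the two hunks, so confirm it is `http.NewRequestWithContext(h.ctx, ...)` and that `h.httpClient` is the same CA-configured client the rest of the login flow uses. The access token now travels only in the form body as `subject_token`, which is what RFC 8693 expects, but the deleted comment was the only note explaining how this request is authenticated; I would add above `reqBody := strings.NewReader(url.Values{` the comment `// No Authorization header is set: the server authenticates this exchange via the subject_token and client_id form parameters.` so the next reader does not re-add the bearer header. tokenExchangeRFC8693 starts before and ends after this section, so the status-code check and response-body handling are not visible here.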
@ -152,6 +152,11 @@ func TestLogin(t *testing.T) {
|
||||
}
|
||||
|
||||
case "urn:ietf:params:oauth:grant-type:token-exchange":
|
||||
if r.Form.Get("client_id") != "test-client-id" {
|
||||
http.Error(w, "bad client_id", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
switch r.Form.Get("audience") {
|
||||
case "test-audience-produce-invalid-http-response":
|
||||
http.Redirect(w, r, "%", http.StatusTemporaryRedirect)
|
||||
|
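Review bot: The new guard only asserts `client_id`; none of the added lines checks the behavior this commit actually changes, namely that the request arrives without an `Authorization` header and carries the base access token as `subject_token`, so a regression that re-adds the bearer header would still pass. I would add, beside the `client_id` check, `if r.Header.Get("Authorization") != "" { http.Error(w, "unexpected authorization header", http.StatusBadRequest); return }` and, unless it is already done further down in the handler, a comparison of `r.Form.Get("subject_token")` against the access token the fake server issued. The handler this `switch` lives in starts before and continues past this hunk, so an existing subject_token check may be outside the visible lines.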