
Commit 33d8e64

committed
Correct RFC 6749 implementation
Remove "scope" & "client_id" from "token request" in the "authorization code grant" flow, while keeping "client_id" in case the provider is one of the known to be broken ones.
1 parent 397fe76 commit 33d8e64


3 files changed

+5
-6
lines changed


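--- a/internal/token.go
+++ b/internal/token.go
@@ -140,9 +140,9 @@ func RetrieveToken(ctx context.Context, ClientID, ClientSecret, TokenURL string,
 if err != nil {
 return nil, err
 }
-v.Set("client_id", ClientID)
 bustedAuth := !providerAuthHeaderWorks(TokenURL)
 if bustedAuth && ClientSecret != "" {
+v.Set("client_id", ClientID)
 v.Set("client_secret", ClientSecret)
 }
 req, err := http.NewRequest("POST", TokenURL, strings.NewReader(v.Encode()))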
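Review bot: With client_id now set only inside the `bustedAuth && ClientSecret != ""` branch, a public client (empty ClientSecret) sends no client_id at all, yet RFC 6749 §3.2.1 requires an unauthenticated client to send client_id on an authorization_code token request precisely so it does not accept a code that was issued to a different client, and most servers reject such a request as invalid_client. The removed line set it unconditionally, so this is a regression for clients without a secret rather than a pre-existing gap. I would send the body parameter whenever no client authentication accompanies the request: `if bustedAuth || ClientSecret == "" { v.Set("client_id", ClientID) }` placed before the existing `if bustedAuth && ClientSecret != ""` check, and drop the client_id line the commit added inside that check so it only sets client_secret. Whether the non-busted path attaches HTTP Basic credentials and what it does when ClientSecret is empty is outside this hunk — RetrieveToken starts before line 140 and continues past it — so confirm that path also covers the public-client case.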

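--- a/oauth2.go
+++ b/oauth2.go
@@ -164,7 +164,6 @@ func (c *Config) Exchange(ctx context.Context, code string) (*Token, error) {
 "grant_type": {"authorization_code"},
 "code": {code},
 "redirect_uri": internal.CondVal(c.RedirectURL),
-"scope": internal.CondVal(strings.Join(c.Scopes, " ")),
 })
 }
 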
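Review bot: Nothing in the remaining Exchange body explains why scope is absent here while the password-grant request, judging by the updated expectation in oauth2_test.go, still carries it, which invites a future maintainer to "fix" the omission. A one-line comment above the `"grant_type"` entry would record the reason: `// scope is bound to the code at authorization time; RFC 6749 §4.1.3 does not list it for the token request.` Exchange begins before this hunk, so the comment could equally go on the url.Values literal's opening line if that reads better.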
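--- a/oauth2_test.go
+++ b/oauth2_test.go
@@ -101,7 +101,7 @@ func TestExchangeRequest(t *testing.T) {
 if err != nil {
 t.Errorf("Failed reading request body: %s.", err)
 }
-if string(body) != "client_id=CLIENT_ID&code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL&scope=scope1+scope2" {
+if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
 t.Errorf("Unexpected exchange payload, %v is found.", string(body))
 }
 w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
@@ -145,7 +145,7 @@ func TestExchangeRequest_JSONResponse(t *testing.T) {
 if err != nil {
 t.Errorf("Failed reading request body: %s.", err)
 }
-if string(body) != "client_id=CLIENT_ID&code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL&scope=scope1+scope2" {
+if string(body) != "code=exchange-code&grant_type=authorization_code&redirect_uri=REDIRECT_URL" {
 t.Errorf("Unexpected exchange payload, %v is found.", string(body))
 }
 w.Header().Set("Content-Type", "application/json")
@@ -299,7 +299,7 @@ func TestPasswordCredentialsTokenRequest(t *testing.T) {
 if err != nil {
 t.Errorf("Failed reading request body: %s.", err)
 }
-expected = "client_id=CLIENT_ID&grant_type=password&password=password1&scope=scope1+scope2&username=user1"
+expected = "grant_type=password&password=password1&scope=scope1+scope2&username=user1"
 if string(body) != expected {
 t.Errorf("res.Body = %q; want %q", string(body), expected)
 }
@@ -338,7 +338,7 @@ func TestTokenRefreshRequest(t *testing.T) {
 t.Errorf("Unexpected Content-Type header, %v is found.", headerContentType)
 }
 body, _ := ioutil.ReadAll(r.Body)
-if string(body) != "client_id=CLIENT_ID&grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
+if string(body) != "grant_type=refresh_token&refresh_token=REFRESH_TOKEN" {
 t.Errorf("Unexpected refresh token payload, %v is found.", string(body))
 }
 }))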
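Review bot: All four updated expectations assert that client_id is gone from the body, which only exercises the path where a ClientSecret is configured and the test server is not a broken provider; nothing now pins what a public client (empty ClientSecret) sends. Since the new gating in internal/token.go ties client_id to a non-empty secret, a case that builds the Config without a secret and asserts the body still contains `client_id=CLIENT_ID` would catch the regression for unauthenticated clients that RFC 6749 §3.2.1 requires to identify themselves. The shared test setup that presumably supplies the secret is outside these hunks, so confirm which value it uses before copying an expectation.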
