mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix authorization code flow handling (#1767)

Browse Source 
Remove checking for unnecessary response types - this has been causing a regression since MinIO release RELEASE.2022-03-03T21-21-16Z
This commit is contained in:
Aditya Manthramurthy
2022-03-31 11:21:32 -07:00
committed by GitHub
parent 2eecabf5e6
commit aaa55a1f4a
1 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
pkg/auth/idp/oauth2/provider.go
View File

@@ -143,30 +143,33 @@ func getLoginCallbackURL(r *http.Request) string {
return redirectURL return redirectURL
} }
var supportedResponseTypes = set.CreateStringSet([]string{ var requiredResponseTypes = set.CreateStringSet("code")
"code id_token",
"code token id_token",
}...)
// NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials // NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
// it returns a *Provider object that contains the necessary configuration to initiate an // it returns a *Provider object that contains the necessary configuration to initiate an
// oauth2 authentication flow // oauth2 authentication flow.
//
// We only support Authentication with the Authorization Code Flow - spec:
// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) { func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
ddoc, err := parseDiscoveryDoc(GetIDPURL(), httpClient) ddoc, err := parseDiscoveryDoc(GetIDPURL(), httpClient)
if err != nil { if err != nil {
return nil, err return nil, err
} }
var supported bool supportedResponseTypes := set.NewStringSet()
for _, responseType := range ddoc.ResponseTypesSupported { for _, responseType := range ddoc.ResponseTypesSupported {
if supportedResponseTypes.Contains(responseType) { // FIXME: ResponseTypesSupported is a JSON array of strings - it
supported = true // may not actually have strings with spaces inside them -
break // one support is enough // making the following code unnecessary.
for _, s := range strings.Fields(responseType) {
supportedResponseTypes.Add(s)
} }
} }
isSupported := requiredResponseTypes.Difference(supportedResponseTypes).IsEmpty()
if !supported { if !isSupported {
return nil, fmt.Errorf("expected 'code id_token' response type - got %s, login not allowed", ddoc.ResponseTypesSupported) return nil, fmt.Errorf("expected 'code' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
} }
// If provided scopes are empty we use a default list or the user configured list // If provided scopes are empty we use a default list or the user configured list