Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.

We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2026-01-08 07:11:53 +00:00 · 2020-12-02 10:36:07 -06:00
parent 4fe691de92
commit fde56164cd
10 changed files with 53 additions and 13 deletions
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -328,7 +328,14 @@ func (h *handlerState) handleAuthCodeCallback(w http.ResponseWriter, r *http.Req

 	// Exchange the authorization code for access, ID, and refresh tokens and perform required
 	// validations on the returned ID token.
-	token, _, err := h.getProvider(h.oauth2Config, h.provider, h.httpClient).ExchangeAuthcodeAndValidateTokens(r.Context(), params.Get("code"), h.pkce, h.nonce)
+	token, _, err := h.getProvider(h.oauth2Config, h.provider, h.httpClient).
+		ExchangeAuthcodeAndValidateTokens(
+			r.Context(),
+			params.Get("code"),
+			h.pkce,
+			h.nonce,
+			h.oauth2Config.RedirectURL,
+		)
 	if err != nil {
 		return httperr.Wrap(http.StatusBadRequest, "could not complete code exchange", err)
 	}
--- a/pkg/oidcclient/login_test.go
+++ b/pkg/oidcclient/login_test.go
@@ -488,6 +488,8 @@ func TestLogin(t *testing.T) {
 }

 func TestHandleAuthCodeCallback(t *testing.T) {
+	const testRedirectURI = "http://127.0.0.1:12324/callback"
+
 	tests := []struct {
 		name           string
 		method         string
@@ -522,10 +524,11 @@ func TestHandleAuthCodeCallback(t *testing.T) {
 			wantHTTPStatus: http.StatusBadRequest,
 			opt: func(t *testing.T) Option {
 				return func(h *handlerState) error {
+					h.oauth2Config = &oauth2.Config{RedirectURL: testRedirectURI}
 					h.getProvider = func(_ *oauth2.Config, _ *oidc.Provider, _ *http.Client) provider.UpstreamOIDCIdentityProviderI {
 						mock := mockUpstream(t)
 						mock.EXPECT().
-							ExchangeAuthcodeAndValidateTokens(gomock.Any(), "invalid", pkce.Code("test-pkce"), nonce.Nonce("test-nonce")).
+							ExchangeAuthcodeAndValidateTokens(gomock.Any(), "invalid", pkce.Code("test-pkce"), nonce.Nonce("test-nonce"), testRedirectURI).
 							Return(oidctypes.Token{}, nil, fmt.Errorf("some exchange error"))
 						return mock
 					}
@@ -538,10 +541,11 @@ func TestHandleAuthCodeCallback(t *testing.T) {
 			query: "state=test-state&code=valid",
 			opt: func(t *testing.T) Option {
 				return func(h *handlerState) error {
+					h.oauth2Config = &oauth2.Config{RedirectURL: testRedirectURI}
 					h.getProvider = func(_ *oauth2.Config, _ *oidc.Provider, _ *http.Client) provider.UpstreamOIDCIdentityProviderI {
 						mock := mockUpstream(t)
 						mock.EXPECT().
-							ExchangeAuthcodeAndValidateTokens(gomock.Any(), "valid", pkce.Code("test-pkce"), nonce.Nonce("test-nonce")).
+							ExchangeAuthcodeAndValidateTokens(gomock.Any(), "valid", pkce.Code("test-pkce"), nonce.Nonce("test-nonce"), testRedirectURI).
 							Return(oidctypes.Token{IDToken: &oidctypes.IDToken{Token: "test-id-token"}}, nil, nil)
 						return mock
 					}