fix: use AuthURLParam to set client id and secret (#216)

Workaround to deal with golang/oauth2#320 tldr is that IDP servers tend to not be fully compliant with how client credentials are passed and have bespoke arrangements so anything goes this enforces the standard implementation from the RFC and has it working for any RFC compliant OIDC server full info here golang/oauth2#320
ubuntu · Nov 13, 2024 · 0235101 · 0235101
2 parents c296d9f + 6df5401
commit 0235101
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/internal/broker/broker.go b/internal/broker/broker.go
@@ -357,7 +357,20 @@ func (b *Broker) generateUILayout(session *sessionInfo, authModeID string) (map[
 	case authmodes.Device, authmodes.DeviceQr:
 		ctx, cancel := context.WithTimeout(context.Background(), maxRequestDuration)
 		defer cancel()
-		response, err := session.authCfg.oauth.DeviceAuth(ctx)
+
+		var authOpts []oauth2.AuthCodeOption
+
+		// workaround to cater for fully RFC compliant oauth2 server which require this
+		// extra option, public providers tend to have bespoke implementation for passing client
+		// credentials that completely bypass this
+		// full explanation in https://github.com/golang/oauth2/issues/320
+		if secret := session.authCfg.oauth.ClientSecret; secret != "" {
+			// TODO @shipperizer verificationMethod should be a configurable value
+			verificationMethod := "client_post"
+			authOpts = append(authOpts, oauth2.SetAuthURLParam(verificationMethod, secret))
+		}
+
+		response, err := session.authCfg.oauth.DeviceAuth(ctx, authOpts...)
 		if err != nil {
 			return nil, fmt.Errorf("could not generate Device Authentication code layout: %v", err)
 		}