package oauth2
import (
"context"
"net/url"
"strings"
"authelia.com/provider/oauth2"
"authelia.com/provider/oauth2/internal/consts"
"authelia.com/provider/oauth2/internal/errorsx"
)
// NoneResponseTypeHandler is a response handler for when the None response type is requested
// as defined in https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#none
type NoneResponseTypeHandler struct {
	// Config supplies every policy this handler enforces before it lets the
	// authorize request complete: the scope strategy (requested scopes checked
	// against the client's registered scopes), the audience strategy, the
	// redirect URI security checker, and the flag that omits the 'scope'
	// parameter from the redirect response.
	Config interface {
		oauth2.ScopeStrategyProvider
		oauth2.AudienceStrategyProvider
		oauth2.RedirectSecureCheckerProvider
		oauth2.OmitRedirectScopeParamProvider
	}
}
// Compile-time assertion that *NoneResponseTypeHandler satisfies oauth2.AuthorizeEndpointHandler.
var _ oauth2.AuthorizeEndpointHandler = (*NoneResponseTypeHandler)(nil)
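// HandleAuthorizeEndpointRequest implements oauth2.AuthorizeEndpointHandler for the
// 'none' response type. It returns nil without touching the request or response
// unless 'none' is the only requested response type.
//
// For a 'none' request it enforces, in order: the redirect URI passes the redirect
// secure checker (the configured one, or oauth2.IsRedirectURISecure when none is
// configured, see GetRedirectSecureChecker); every requested scope is permitted by
// the scope strategy against the client's registered scopes; the requested audience
// is accepted by the audience strategy. On success it echoes the 'state' parameter
// back to the client, adds the granted scopes as a space-separated 'scope' parameter
// unless the configuration omits it, and marks the 'none' response type as handled.
// No token, code or other credential is added to the response.
//
// It returns a stack-wrapped oauth2.ErrInvalidRequest for an insecure redirect URI,
// a stack-wrapped oauth2.ErrInvalidScope naming the offending scope, or the audience
// strategy's error unchanged.
func (c *NoneResponseTypeHandler) HandleAuthorizeEndpointRequest(ctx context.Context, requester oauth2.AuthorizeRequester, responder oauth2.AuthorizeResponder) error {
	// Only act when 'none' is the sole requested response type.
	if !requester.GetResponseTypes().ExactOne(consts.ResponseTypeNone) {
		return nil
	}

	requester.SetDefaultResponseMode(oauth2.ResponseModeQuery)

	// Use the handler-level getter so a missing configured checker still falls back to the default.
	if !c.GetRedirectSecureChecker(ctx)(ctx, requester.GetRedirectURI()) {
		return errorsx.WithStack(oauth2.ErrInvalidRequest.WithHint("Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix 'localhost', for example: http://myapp.localhost/."))
	}

	client := requester.GetClient()

	// The strategy does not depend on the scope under test; resolve it once instead of per iteration.
	scopeStrategy := c.Config.GetScopeStrategy(ctx)

	for _, scope := range requester.GetRequestedScopes() {
		if !scopeStrategy(client.GetScopes(), scope) {
			return errorsx.WithStack(oauth2.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
		}
	}

	if err := c.Config.GetAudienceStrategy(ctx)(client.GetAudience(), requester.GetRequestedAudience()); err != nil {
		return err
	}

	// The state value is returned verbatim so the client can tie this response to its request.
	responder.AddParameter(consts.FormParameterState, requester.GetState())

	if !c.Config.GetOmitRedirectScopeParam(ctx) {
		responder.AddParameter(consts.FormParameterScope, strings.Join(requester.GetGrantedScopes(), " "))
	}

	requester.SetResponseTypeHandled(consts.ResponseTypeNone)

	return nil
}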
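// GetRedirectSecureChecker returns the redirect URI security checker applied to
// authorize requests: the one provided by Config when it is non-nil, otherwise
// oauth2.IsRedirectURISecure. The configured checker is read from Config once so
// the nil test and the returned value always refer to the same function.
func (c *NoneResponseTypeHandler) GetRedirectSecureChecker(ctx context.Context) func(context.Context, *url.URL) bool {
	if checker := c.Config.GetRedirectSecureChecker(ctx); checker != nil {
		return checker
	}

	return oauth2.IsRedirectURISecure
}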