From 31a2b961bbfd41316c4181a6cb1717daadaabc00 Mon Sep 17 00:00:00 2001
From: Alex Holland
Date: Wed, 22 May 2024 17:39:26 -0400
Subject: [PATCH] AUTH-6066 Add hybrid and implicit grant type support
---
 .changelog/2131.txt | 3 +++
 access_application.go | 26 ++++++++++++++++----------
 access_application_test.go | 24 +++++++++++++++++++++---
 3 files changed, 40 insertions(+), 13 deletions(-)
 create mode 100644 .changelog/2131.txt
diff --git a/.changelog/2131.txt b/.changelog/2131.txt
new file mode 100644
index 00000000000..d32928a2d05
--- /dev/null
+++ b/.changelog/2131.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+access_application: Add support for Hybrid/Implicit flows and options
+```
diff --git a/access_application.go b/access_application.go
index 75ef4f31cb4..315ccb0270a 100644
--- a/access_application.go
+++ b/access_application.go
@@ -210,6 +210,11 @@ type RefreshTokenOptions struct {
 Lifetime string `json:"lifetime,omitempty"`
 }

+type AccessApplicationHybridAndImplicitOptions struct {
+ ReturnIDTokenFromAuthorizationEndpoint *bool `json:"return_id_token_from_authorization_endpoint,omitempty"`
+ ReturnAccessTokenFromAuthorizationEndpoint *bool `json:"return_access_token_from_authorization_endpoint,omitempty"`
+}
+
 type SaasApplication struct {
 // Items common to both SAML and OIDC
 AppID string `json:"app_id,omitempty"`
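Review bot: The exported type `AccessApplicationHybridAndImplicitOptions` and both of its fields ship without doc comments, and their names alone do not tell an SDK user what enabling them implies. Judging by the JSON tags, each flag asks the authorization endpoint to return an ID token or an access token directly in the authorization response (the implicit/hybrid front channel) rather than via the token endpoint; returning an access token that way is the pattern the OAuth 2.0 Security BCP advises against, because the token travels in the redirect URL where it can leak through logs, referrers and browser history. I would document the type as `// AccessApplicationHybridAndImplicitOptions controls which tokens an OIDC SaaS app may receive directly from the authorization endpoint when the hybrid or implicit grant type is enabled.` and put a one-line comment on `ReturnAccessTokenFromAuthorizationEndpoint` noting it should only be set for clients that cannot use the authorization code flow with PKCE — how the Cloudflare API itself constrains this is not visible in the diff.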
@@ -230,16 +235,17 @@ type SaasApplication struct {
 SamlAttributeTransformJsonata string `json:"saml_attribute_transform_jsonata"`

 // OIDC saas app
- ClientID string `json:"client_id,omitempty"`
- ClientSecret string `json:"client_secret,omitempty"`
- RedirectURIs []string `json:"redirect_uris,omitempty"`
- GrantTypes []string `json:"grant_types,omitempty"`
- Scopes []string `json:"scopes,omitempty"`
- AppLauncherURL string `json:"app_launcher_url,omitempty"`
- GroupFilterRegex string `json:"group_filter_regex,omitempty"`
- CustomClaims []OIDCClaimConfig `json:"custom_claims,omitempty"`
- AllowPKCEWithoutClientSecret *bool `json:"allow_pkce_without_client_secret,omitempty"`
- RefreshTokenOptions *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
+ ClientID string `json:"client_id,omitempty"`
+ ClientSecret string `json:"client_secret,omitempty"`
+ RedirectURIs []string `json:"redirect_uris,omitempty"`
+ GrantTypes []string `json:"grant_types,omitempty"`
+ Scopes []string `json:"scopes,omitempty"`
+ AppLauncherURL string `json:"app_launcher_url,omitempty"`
+ GroupFilterRegex string `json:"group_filter_regex,omitempty"`
+ CustomClaims []OIDCClaimConfig `json:"custom_claims,omitempty"`
+ AllowPKCEWithoutClientSecret *bool `json:"allow_pkce_without_client_secret,omitempty"`
+ RefreshTokenOptions *RefreshTokenOptions `json:"refresh_token_options,omitempty"`
+ HybridAndImplicitOptions *AccessApplicationHybridAndImplicitOptions `json:"hybrid_and_implicit_options,omitempty"`
 }

 type AccessAppLauncherCustomization struct {
diff --git a/access_application_test.go b/access_application_test.go
index 086479c95ea..714dde5686b 100644
--- a/access_application_test.go
+++ b/access_application_test.go
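Review bot: The new `HybridAndImplicitOptions` field is added without a comment linking it to `GrantTypes`, so nothing in the struct tells a caller when the options take effect. The tests in this patch always set it alongside `GrantTypes: []string{"authorization_code", "hybrid", "implicit"}`, which suggests the options are only meaningful when one of those two grant types is enabled, but that dependency — and whether the API rejects or silently ignores the options otherwise — cannot be confirmed from the diff. I would add `// HybridAndImplicitOptions is presumably only honoured when GrantTypes includes "hybrid" or "implicit"; confirm the server-side behaviour when it is set without them.` above the field, and consider exported constants for the grant type strings, since the SDK currently relies on callers spelling `"hybrid"` and `"implicit"` correctly.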
@@ -1112,7 +1112,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 "client_id": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 "client_secret": "secret",
 "redirect_uris": ["https://saas.example.com"],
- "grant_types": ["authorization_code"],
+ "grant_types": ["authorization_code", "hybrid", "implicit"],
 "scopes": ["openid", "email", "profile", "groups"],
 "app_launcher_url": "https://saas.example.com",
 "group_filter_regex": ".*",
@@ -1126,7 +1126,11 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 "required": true,
 "scope": "profile"
 }
- ]
+ ],
+ "hybrid_and_implicit_options": {
+ "return_id_token_from_authorization_endpoint": true,
+ "return_access_token_from_authorization_endpoint": true
+ }
 }
 }
 }
@@ -1156,7 +1160,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 ClientID: "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
 ClientSecret: "secret",
 RedirectURIs: []string{"https://saas.example.com"},
- GrantTypes: []string{"authorization_code"},
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 Scopes: []string{"openid", "email", "profile", "groups"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
@@ -1169,6 +1173,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 CreatedAt: &createdAt,
 UpdatedAt: &updatedAt,
@@ -1182,6 +1190,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Name: "Admin Saas Site",
 SaasApplication: &SaasApplication{
 AuthType: "oidc",
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 RedirectURIs: []string{"https://saas.example.com"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
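Review bot: The new expectations only cover the case where both flags are true and all three grant types are present, so the `omitempty` behaviour of `HybridAndImplicitOptions` is never exercised. A second case with the pointer left nil (and a response body without `hybrid_and_implicit_options`) would confirm the field is dropped from the request and stays nil on decode, and a case with one flag set to `BoolPtr(false)` would pin that an explicit false survives the round trip rather than being collapsed by `omitempty` — with `*bool` that is expected to hold, but the test is where that contract belongs. The enclosing `TestCreateOIDCSaasAccessApplications` starts before the first hunk and continues past the last one.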
@@ -1194,6 +1203,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 SessionDuration: "24h",
 })
@@ -1208,6 +1221,7 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Name: "Admin Saas Site",
 SaasApplication: &SaasApplication{
 AuthType: "oidc",
+ GrantTypes: []string{"authorization_code", "hybrid", "implicit"},
 RedirectURIs: []string{"https://saas.example.com"},
 AppLauncherURL: "https://saas.example.com",
 GroupFilterRegex: ".*",
@@ -1220,6 +1234,10 @@ func TestCreateOIDCSaasAccessApplications(t *testing.T) {
 Scope: "profile",
 },
 },
+ HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{
+ ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true),
+ ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true),
+ },
 },
 SessionDuration: "24h",
 })
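Review bot: The same `HybridAndImplicitOptions: &AccessApplicationHybridAndImplicitOptions{...}` literal now appears three times in this test (in the expected value and in both request bodies), as does the three-element `GrantTypes` slice, so a future change to the fixture has to be repeated in several places and the expected and actual values can silently drift apart. Hoisting them into locals near the top of the test, e.g. `hybridOpts := &AccessApplicationHybridAndImplicitOptions{ReturnIDTokenFromAuthorizationEndpoint: BoolPtr(true), ReturnAccessTokenFromAuthorizationEndpoint: BoolPtr(true)}` and `grantTypes := []string{"authorization_code", "hybrid", "implicit"}`, would keep the request and the expected decoded value in lockstep. The body of `TestCreateOIDCSaasAccessApplications` begins before this hunk.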