Fix authorization code flow handling (#1767)

Remove checking for unnecessary response types - this has been causing a regression since MinIO release RELEASE.2022-03-03T21-21-16Z
minio · Mar 31, 2022 · aaa55a1 · aaa55a1
1 parent 2eecabf
commit aaa55a1
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
@@ -143,30 +143,33 @@ func getLoginCallbackURL(r *http.Request) string {
 	return redirectURL
 }
 
-var supportedResponseTypes = set.CreateStringSet([]string{
-	"code id_token",
-	"code token id_token",
-}...)
+var requiredResponseTypes = set.CreateStringSet("code")
 
 // NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
 // it returns a *Provider object that contains the necessary configuration to initiate an
-// oauth2 authentication flow
+// oauth2 authentication flow.
+//
+// We only support Authentication with the Authorization Code Flow - spec:
+// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
 func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
 	ddoc, err := parseDiscoveryDoc(GetIDPURL(), httpClient)
 	if err != nil {
 		return nil, err
 	}
 
-	var supported bool
+	supportedResponseTypes := set.NewStringSet()
 	for _, responseType := range ddoc.ResponseTypesSupported {
-		if supportedResponseTypes.Contains(responseType) {
-			supported = true
-			break // one support is enough
+		// FIXME: ResponseTypesSupported is a JSON array of strings - it
+		// may not actually have strings with spaces inside them -
+		// making the following code unnecessary.
+		for _, s := range strings.Fields(responseType) {
+			supportedResponseTypes.Add(s)
 		}
 	}
+	isSupported := requiredResponseTypes.Difference(supportedResponseTypes).IsEmpty()
 
-	if !supported {
-		return nil, fmt.Errorf("expected 'code id_token' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
+	if !isSupported {
+		return nil, fmt.Errorf("expected 'code' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
 	}
 
 	// If provided scopes are empty we use a default list or the user configured list