[oidc] fix oauth2 clientId propagation

AlexTugarev · AlexTugarev · commit 6f653430cf1e · 2023-03-28T07:32:30.000Z
diff --git a/components/public-api-server/pkg/oidc/oauth2.go b/components/public-api-server/pkg/oidc/oauth2.go
@@ -13,14 +13,14 @@ import (
 )
 
 type OAuth2Result struct {
-	ClientID    string
-	OAuth2Token *oauth2.Token
-	ReturnToURL string
+	ClientConfigID string
+	OAuth2Token    *oauth2.Token
+	ReturnToURL    string
 }
 
 type StateParam struct {
 	// Internal client ID
-	ClientConfigID string `json:"clientId"`
+	ClientConfigID string `json:"clientConfigId"`
 	ReturnToURL    string `json:"returnTo"`
 }
 
@@ -86,9 +86,9 @@ func (s *Service) OAuth2Middleware(next http.Handler) http.Handler {
 		}
 
 		ctx := AttachOAuth2ResultToContext(r.Context(), &OAuth2Result{
-			OAuth2Token: oauth2Token,
-			ReturnToURL: state.ReturnToURL,
-			ClientID:    state.ClientConfigID,
+			OAuth2Token:    oauth2Token,
+			ReturnToURL:    state.ReturnToURL,
+			ClientConfigID: state.ClientConfigID,
 		})
 		next.ServeHTTP(rw, r.WithContext(ctx))
 	})
diff --git a/components/public-api-server/pkg/oidc/router.go b/components/public-api-server/pkg/oidc/router.go
@@ -99,8 +99,8 @@ func (s *Service) getCallbackHandler() http.HandlerFunc {
 			return
 		}
 		result, err := s.Authenticate(r.Context(), AuthenticateParams{
+			Config:           config,
 			OAuth2Result:     oauth2Result,
-			Issuer:           config.Issuer,
 			NonceCookieValue: nonceCookie.Value,
 		})
 		if err != nil {
diff --git a/components/public-api-server/pkg/oidc/service.go b/components/public-api-server/pkg/oidc/service.go
@@ -229,8 +229,8 @@ func (s *Service) convertClientConfig(ctx context.Context, dbEntry db.OIDCClient
 }
 
 type AuthenticateParams struct {
+	Config           *ClientConfig
 	OAuth2Result     *OAuth2Result
-	Issuer           string
 	NonceCookieValue string
 }
 
@@ -240,12 +240,12 @@ func (s *Service) Authenticate(ctx context.Context, params AuthenticateParams) (
 		return nil, fmt.Errorf("id_token not found")
 	}
 
-	provider, err := oidc.NewProvider(ctx, params.Issuer)
+	provider, err := oidc.NewProvider(ctx, params.Config.Issuer)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to initialize provider.")
 	}
 	verifier := provider.Verifier(&goidc.Config{
-		ClientID: params.OAuth2Result.ClientID,
+		ClientID: params.Config.OAuth2Config.ClientID,
 	})
 
 	idToken, err := verifier.Verify(ctx, rawIDToken)
diff --git a/components/public-api-server/pkg/oidc/service_test.go b/components/public-api-server/pkg/oidc/service_test.go
@@ -209,7 +209,9 @@ func TestAuthenticate_nonce_check(t *testing.T) {
 			OAuth2Token: token.WithExtra(extra),
 		},
 		NonceCookieValue: "111",
-		Issuer:           issuer,
+		Config: &ClientConfig{
+			Issuer: issuer,
+		},
 	})
 
 	require.NoError(t, err, "failed to authenticate")

Original file line number	Diff line number	Diff line change
`@@ -229,8 +229,8 @@ func (s *Service) convertClientConfig(ctx context.Context, dbEntry db.OIDCClient`
`229`	`229`	`}`
`230`	`230`
`231`	`231`	`type AuthenticateParams struct {`
	`232`	`+ Config *ClientConfig`
`232`	`233`	`OAuth2Result *OAuth2Result`
`233`		`- Issuer string`
`234`	`234`	`NonceCookieValue string`
`235`	`235`	`}`
`236`	`236`
`@@ -240,12 +240,12 @@ func (s *Service) Authenticate(ctx context.Context, params AuthenticateParams) (`
`240`	`240`	`return nil, fmt.Errorf("id_token not found")`
`241`	`241`	`}`
`242`	`242`
`243`		`- provider, err := oidc.NewProvider(ctx, params.Issuer)`
	`243`	`+ provider, err := oidc.NewProvider(ctx, params.Config.Issuer)`
`244`	`244`	`if err != nil {`
`245`	`245`	`return nil, fmt.Errorf("Failed to initialize provider.")`
`246`	`246`	`}`
`247`	`247`	`verifier := provider.Verifier(&goidc.Config{`
`248`		`- ClientID: params.OAuth2Result.ClientID,`
	`248`	`+ ClientID: params.Config.OAuth2Config.ClientID,`
`249`	`249`	`})`
`250`	`250`
`251`	`251`	`idToken, err := verifier.Verify(ctx, rawIDToken)`