fix: add scopes to token hook on authorization_code #3970
Conversation
|
|
| @@ -1178,7 +1178,8 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) { | |||
|
|
|||
| if accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeClientCredentials)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeJWTBearer)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) { | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeAuthorizationCode)) { | |||
There was a problem hiding this comment.
I think the reason that authorization code is left out of here is that a lot of this information is already determined when handling the authorization endpoint. I think the token endpoint should not be receiving the scope and audience parameters in the authorization code flow.
Line 1306 calls Handler.updateSessionWithRequest which should grant the scopes. If the scopes aren't available in the token hook, I think something else must be going on.
There was a problem hiding this comment.
And I hope the drive-by is welcome! I'm not a maintainer here or anything, just someone who saw your note about this PR on Slack and was curious and has spent some time recently staring at some of this code.
There was a problem hiding this comment.
I think what may be happening here is that fosite is supposed to handle this but it's called in two phases. First it's called to process the token request, then it's called to issue the token response. I think the token hook might be getting called in between these two phases. Moving some code between the two phases in fosite fixes the issue, I think.
I put up a draft fosite PR that seems to fix this for me, but haven't checked yet whether tests need to be updated or looked into whether there are other consequences to be aware of.
There was a problem hiding this comment.
Just to explain that a little more clearly, maybe. The token endpoint handler does these things:
- Calls
fosite.OAuth2Provider.NewAccessRequest(), which calls the fosite code to handle the token request. This is just above your patch. - Runs the code around where you've patched here, to handle some things that fosite does not.
- Calls all the hooks returned from
Registry.AccessTokenHooks(), just below the code in your patch. That's where the token hook gets called. - Calls
fosite.OAuth2Provider.NewAccessResponse(), which calls the fosite code to generate a response.
So, I think my patch in fosite is moving the code that reads the granted scope and audience, already set and persisted by the consent flow, and updates the token request. It moves this from step 4 to step 1 so that it's visible in the token hook in step 3.
There was a problem hiding this comment.
I think you are on to something!
I'll keep this PR in draft until we have a resolution from your's as well if you don't mind
There was a problem hiding this comment.
Hello, this definitely is not correct. This code part is only for machine interaction. User interaction has to be done differently.
| @@ -1178,7 +1178,8 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) { | |||
|
|
|||
| if accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeClientCredentials)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeJWTBearer)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) { | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) || | |||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeAuthorizationCode)) { | |||
There was a problem hiding this comment.
Hello, this definitely is not correct. This code part is only for machine interaction. User interaction has to be done differently.
Related issue(s)
#3969 #3891 #3969
Adding
authorization_codeto conditional of adding scopes to the requests for the token hookChecklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments