
Function AuthorizeCodeClient

pkg/op/token_code.go:73–122  ·  view source on GitHub ↗

AuthorizeCodeClient checks the authorization of the client and that the used method was the one previously registered. It then returns the auth request corresponding to the auth code.

(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger)


// AuthorizeCodeClient authenticates the client redeeming an authorization code and
// verifies that the authentication method it used is the one registered for that
// client. It then returns the AuthRequest the code was issued for, together with the
// authenticated Client.
//
// Checks run in this order: the code is resolved to its AuthRequest, the PKCE
// code_verifier is validated against the stored code_challenge, and only then is the
// client authenticated (private_key_jwt via client_assertion, otherwise by client_id
// and, unless the registered method is "none", client_secret). A client registered
// with auth method "none" is accepted only if the request carried a code_challenge.
//
// NOTE(review): this function does not itself compare the authenticated client with
// the client the AuthRequest was issued to, and in the client_assertion branch
// tokenReq.ClientID is never consulted — confirm the caller enforces that binding.
func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error) {
	ctx, span := Tracer.Start(ctx, "AuthorizeCodeClient")
	defer span.End()

	// Resolve the code first; every check below is made against the stored request.
	if request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code); err != nil {
		return nil, nil, err
	}

	// PKCE is verified before any client authentication, so a wrong verifier is
	// rejected regardless of how the client identifies itself.
	codeChallenge := request.GetCodeChallenge()
	if err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge); err != nil {
		return nil, nil, err
	}

	// client_assertion branch: the Client comes from AuthorizePrivateJWTKey;
	// tokenReq.ClientID and tokenReq.ClientSecret are not read here.
	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
		jwtExchanger, supportsJWT := exchanger.(JWTAuthorizationGrantExchanger)
		if !supportsJWT || !exchanger.AuthMethodPrivateKeyJWTSupported() {
			return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method private_key_jwt not supported")
		}
		if client, err = AuthorizePrivateJWTKey(ctx, tokenReq.ClientAssertion, jwtExchanger); err != nil {
			return nil, nil, err
		}
		return request, client, nil
	}

	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
	if err != nil {
		return nil, nil, oidc.ErrInvalidClient().WithParent(err)
	}

	switch client.AuthMethod() {
	case oidc.AuthMethodPrivateKeyJWT:
		// A private_key_jwt client must come through the client_assertion branch above.
		return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
	case oidc.AuthMethodNone:
		// No secret is checked for auth method "none"; the code_challenge verified
		// above is the only proof of possession, so it must have been present.
		if codeChallenge == nil {
			return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
		}
		return request, client, nil
	case oidc.AuthMethodPost:
		if !exchanger.AuthMethodPostSupported() {
			return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
		}
	}

	// Every other registered method authenticates with client_id and client_secret.
	if err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage()); err != nil {
		return nil, nil, err
	}
	return request, client, nil
}
123
124// AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error
125func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error) {
