AuthorizeCodeClient checks the authorization of the client and that the authentication method used is the one previously registered for it. It then returns the auth request corresponding to the auth code.
(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger)
// AuthorizeCodeClient authenticates the client presenting an authorization code
// and ensures the authentication method it used is the one registered for the
// client. On success it returns the AuthRequest the code was issued for
// together with the authenticated Client.
//
// Checks run in this order:
//  1. the code is resolved to its AuthRequest via AuthRequestByCode;
//  2. the PKCE code_verifier is validated against the stored challenge
//     (AuthorizeCodeChallenge) before any client authentication happens;
//  3. the client is authenticated either through a private_key_jwt assertion
//     or, after loading it from Storage, through its registered method
//     (none with mandatory PKCE, post if the exchanger allows it, otherwise a
//     client secret).
//
// Any failure yields a nil request and client plus an oidc error suitable for
// the token endpoint response.
//
// NOTE(review): this function does not itself compare the authenticated client
// with the client the AuthRequest was issued to; that binding is expected to be
// enforced by the caller — confirm.
func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (request AuthRequest, client Client, err error) {
	ctx, span := Tracer.Start(ctx, "AuthorizeCodeClient")
	defer span.End()

	request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
	if err != nil {
		return nil, nil, err
	}

	// PKCE is verified first, so a bad verifier fails the exchange regardless
	// of how the client authenticates.
	challenge := request.GetCodeChallenge()
	if err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, challenge); err != nil {
		return nil, nil, err
	}

	// A JWT client assertion takes precedence over client_id/client_secret.
	if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
		client, err = authorizeCodeClientAssertion(ctx, tokenReq.ClientAssertion, exchanger)
		if err != nil {
			return nil, nil, err
		}
		return request, client, nil
	}

	client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
	if err != nil {
		return nil, nil, oidc.ErrInvalidClient().WithParent(err)
	}

	switch client.AuthMethod() {
	case oidc.AuthMethodPrivateKeyJWT:
		// Registered for private_key_jwt but no JWT assertion was presented.
		return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
	case oidc.AuthMethodNone:
		// auth_method none means no client credentials; the stored PKCE
		// challenge is then the only binding between the authorization
		// request and this exchange, so it must be present.
		if challenge == nil {
			return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
		}
		return request, client, nil
	case oidc.AuthMethodPost:
		if !exchanger.AuthMethodPostSupported() {
			return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
		}
	}

	// Every remaining method falls through to client secret verification.
	if err = AuthorizeClientIDSecret(ctx, tokenReq.ClientID, tokenReq.ClientSecret, exchanger.Storage()); err != nil {
		return nil, nil, err
	}
	return request, client, nil
}

// authorizeCodeClientAssertion authenticates a client by its private_key_jwt
// assertion. It fails with invalid_client when the exchanger does not
// implement JWTAuthorizationGrantExchanger or reports private_key_jwt as
// unsupported; otherwise it delegates to AuthorizePrivateJWTKey.
func authorizeCodeClientAssertion(ctx context.Context, assertion string, exchanger Exchanger) (Client, error) {
	grantExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
	if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
		return nil, oidc.ErrInvalidClient().WithDescription("auth_method private_key_jwt not supported")
	}
	return AuthorizePrivateJWTKey(ctx, assertion, grantExchanger)
}
| 123 | |
| 124 | // AuthRequestByCode returns the AuthRequest previously created from Storage corresponding to the auth code or an error |
| 125 | func AuthRequestByCode(ctx context.Context, storage Storage, code string) (AuthRequest, error) { |