Use basic auth for Authelia token exchange
This commit is contained in:
parent
1d68639225
commit
56d279a8e6
2 changed files with 23 additions and 1 deletions
|
|
@ -143,13 +143,13 @@ func (a *AutheliaAdapter) exchangeCode(_ context.Context, code string) (*tokenRe
|
||||||
body.Set("code", code)
|
body.Set("code", code)
|
||||||
body.Set("redirect_uri", a.cfg.RedirectURI)
|
body.Set("redirect_uri", a.cfg.RedirectURI)
|
||||||
body.Set("client_id", a.cfg.ClientID)
|
body.Set("client_id", a.cfg.ClientID)
|
||||||
body.Set("client_secret", a.cfg.ClientSecret)
|
|
||||||
|
|
||||||
req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body.Encode()))
|
req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body.Encode()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("authelia: build token request: %w", err)
|
return nil, fmt.Errorf("authelia: build token request: %w", err)
|
||||||
}
|
}
|
||||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
req.SetBasicAuth(a.cfg.ClientID, a.cfg.ClientSecret)
|
||||||
|
|
||||||
resp, err := a.client.Do(req)
|
resp, err := a.client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
|
@ -179,6 +180,27 @@ func TestHandleCallback_Success_PreferredUsername(t *testing.T) {
|
||||||
if req.Method != http.MethodPost {
|
if req.Method != http.MethodPost {
|
||||||
t.Errorf("expected POST, got %s", req.Method)
|
t.Errorf("expected POST, got %s", req.Method)
|
||||||
}
|
}
|
||||||
|
gotID, gotSecret, ok := req.BasicAuth()
|
||||||
|
if !ok {
|
||||||
|
t.Error("expected client_secret_basic authentication")
|
||||||
|
}
|
||||||
|
if gotID != "keycape" || gotSecret != "test-secret" {
|
||||||
|
t.Errorf("unexpected basic auth credentials for client %q", gotID)
|
||||||
|
}
|
||||||
|
rawBody, err := io.ReadAll(req.Body)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("read request body: %v", err)
|
||||||
|
}
|
||||||
|
form, err := url.ParseQuery(string(rawBody))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("parse request body: %v", err)
|
||||||
|
}
|
||||||
|
if form.Get("client_secret") != "" {
|
||||||
|
t.Error("client_secret must not be sent in the form body")
|
||||||
|
}
|
||||||
|
if form.Get("client_id") != "keycape" {
|
||||||
|
t.Errorf("client_id: want keycape, got %q", form.Get("client_id"))
|
||||||
|
}
|
||||||
return jsonResponse(tokenBody), nil
|
return jsonResponse(tokenBody), nil
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue