fix(authelia): use adapter's own client_id/redirect_uri in AuthorizeURL

The adapter was forwarding the downstream client's client_id and
redirect_uri to Authelia, which would always be rejected — Authelia
only recognises client_id=keycape and its registered callback URI.
Also removed downstream PKCE forwarding: KeyCape is a confidential
OIDC client to Authelia and authenticates via client_secret instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch 2026-03-25 03:15:36 +00:00
parent 18dbad68ed
commit a6af43b332
2 changed files with 22 additions and 20 deletions

View file

@ -75,6 +75,7 @@ func jsonResponse(body string) *http.Response {
func TestAuthorizeURL_ContainsRequiredParams(t *testing.T) {
adapter := authelia.New(testConfig(), &mockHTTPClient{})
// Downstream client values — must NOT appear in the Authelia URL.
req := domain.AuthRequest{
ClientID: "myapp",
RedirectURI: "https://myapp.local/cb",
@ -90,22 +91,29 @@ func TestAuthorizeURL_ContainsRequiredParams(t *testing.T) {
t.Fatalf("unexpected error: %v", err)
}
checks := []string{
"client_id=myapp",
// Must use adapter's own client_id and redirect_uri, not the downstream client's.
required := []string{
"client_id=keycape",
"redirect_uri=",
"response_type=code",
"state=state-abc",
"nonce=nonce-xyz",
"code_challenge=challenge123",
"code_challenge_method=S256",
"scope=",
"openid",
}
for _, want := range checks {
for _, want := range required {
if !strings.Contains(u, want) {
t.Errorf("AuthorizeURL missing %q in: %s", want, u)
}
}
// Downstream client_id must NOT be forwarded to Authelia.
if strings.Contains(u, "client_id=myapp") {
t.Errorf("AuthorizeURL must not forward downstream client_id to Authelia, got: %s", u)
}
// PKCE must NOT be forwarded — confidential client uses client_secret instead.
if strings.Contains(u, "code_challenge") {
t.Errorf("AuthorizeURL must not include PKCE params for confidential client, got: %s", u)
}
}
func TestAuthorizeURL_UsesBaseURL(t *testing.T) {