fix(authelia): use adapter's own client_id/redirect_uri in AuthorizeURL
The adapter was forwarding the downstream client's client_id and redirect_uri to Authelia, which would always be rejected — Authelia only recognises client_id=keycape and its registered callback URI. Also removed downstream PKCE forwarding: KeyCape is a confidential OIDC client to Authelia and authenticates via client_secret instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
18dbad68ed
commit
a6af43b332
2 changed files with 22 additions and 20 deletions
|
|
@ -75,6 +75,7 @@ func jsonResponse(body string) *http.Response {
|
|||
|
||||
func TestAuthorizeURL_ContainsRequiredParams(t *testing.T) {
|
||||
adapter := authelia.New(testConfig(), &mockHTTPClient{})
|
||||
// Downstream client values — must NOT appear in the Authelia URL.
|
||||
req := domain.AuthRequest{
|
||||
ClientID: "myapp",
|
||||
RedirectURI: "https://myapp.local/cb",
|
||||
|
|
@ -90,22 +91,29 @@ func TestAuthorizeURL_ContainsRequiredParams(t *testing.T) {
|
|||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
checks := []string{
|
||||
"client_id=myapp",
|
||||
// Must use adapter's own client_id and redirect_uri, not the downstream client's.
|
||||
required := []string{
|
||||
"client_id=keycape",
|
||||
"redirect_uri=",
|
||||
"response_type=code",
|
||||
"state=state-abc",
|
||||
"nonce=nonce-xyz",
|
||||
"code_challenge=challenge123",
|
||||
"code_challenge_method=S256",
|
||||
"scope=",
|
||||
"openid",
|
||||
}
|
||||
for _, want := range checks {
|
||||
for _, want := range required {
|
||||
if !strings.Contains(u, want) {
|
||||
t.Errorf("AuthorizeURL missing %q in: %s", want, u)
|
||||
}
|
||||
}
|
||||
|
||||
// Downstream client_id must NOT be forwarded to Authelia.
|
||||
if strings.Contains(u, "client_id=myapp") {
|
||||
t.Errorf("AuthorizeURL must not forward downstream client_id to Authelia, got: %s", u)
|
||||
}
|
||||
// PKCE must NOT be forwarded — confidential client uses client_secret instead.
|
||||
if strings.Contains(u, "code_challenge") {
|
||||
t.Errorf("AuthorizeURL must not include PKCE params for confidential client, got: %s", u)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthorizeURL_UsesBaseURL(t *testing.T) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue