mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-15 21:48:13 +03:00
feat: prompt admin with PKCE client support hint (#1499)
Co-authored-by: james <james@goldfish.net> Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: Kyle Mendell <kmendell@ofkm.us>
This commit is contained in:
@@ -21,6 +21,7 @@ type OidcClientDto struct {
|
||||
SkipConsent bool `json:"skipConsent"`
|
||||
Credentials OidcClientCredentialsDto `json:"credentials"`
|
||||
IsGroupRestricted bool `json:"isGroupRestricted"`
|
||||
PkceSupported bool `json:"pkceSupported,omitempty"`
|
||||
}
|
||||
|
||||
type OidcClientWithAllowedUserGroupsDto struct {
|
||||
|
||||
@@ -36,6 +36,7 @@ type OidcClient struct {
|
||||
Credentials OidcClientCredentials
|
||||
LaunchURL *string
|
||||
IsGroupRestricted bool `sortable:"true" filterable:"true"`
|
||||
PkceSupported bool `sortable:"true" filterable:"true"`
|
||||
|
||||
AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
|
||||
CreatedByID *string
|
||||
|
||||
@@ -133,12 +133,28 @@ func (s *authorizationService) authorize(ctx context.Context, input authorizeInp
|
||||
now: time.Now().UTC(),
|
||||
}
|
||||
|
||||
codeChallenge := input.requester.GetRequestForm().Get("code_challenge")
|
||||
|
||||
var result authorizationResult
|
||||
err = withTx(ctx, s.db, func(ctx context.Context) error {
|
||||
var err error
|
||||
result, err = s.authorizeAuthenticated(ctx, req)
|
||||
return err
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if codeChallenge != "" &&
|
||||
!client.PkceEnabled &&
|
||||
!client.PkceSupported {
|
||||
|
||||
tx := dbFromContext(ctx, s.db)
|
||||
|
||||
_ = flagPkceSupportedClient(ctx, client.GetID(), tx)
|
||||
}
|
||||
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return authorizationResult{}, err
|
||||
}
|
||||
@@ -229,6 +245,20 @@ func (s *authorizationService) authorizeAuthenticated(ctx context.Context, req a
|
||||
return authorizationResult{Session: session}, nil
|
||||
}
|
||||
|
||||
func flagPkceSupportedClient(ctx context.Context, clientID string, tx *gorm.DB) error {
|
||||
err := tx.
|
||||
WithContext(ctx).
|
||||
Model(&model.OidcClient{}).
|
||||
Where("id = ?", clientID).
|
||||
Update("pkce_supported", true).
|
||||
Error
|
||||
|
||||
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// resolveRequirements determines the interaction steps still required; the requirements
|
||||
// of a resumed interaction session win over the ones derived from the request.
|
||||
func (s *authorizationService) resolveRequirements(ctx context.Context, req authorizeRequest, interactionSession *InteractionSession) (interactionRequirements, time.Time, error) {
|
||||
|
||||
@@ -218,6 +218,10 @@ func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClien
|
||||
client.IsPublic = input.IsPublic
|
||||
// PKCE is required for public clients
|
||||
client.PkceEnabled = input.IsPublic || input.PkceEnabled
|
||||
// Reset any pkce support prompt if previously flagged
|
||||
if !input.PkceEnabled {
|
||||
client.PkceSupported = false
|
||||
}
|
||||
client.RequiresReauthentication = input.RequiresReauthentication
|
||||
client.RequiresPushedAuthorizationRequests = input.RequiresPushedAuthorizationRequests
|
||||
client.SkipConsent = input.SkipConsent
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
ALTER TABLE oidc_clients DROP COLUMN pkce_supported;
|
||||
@@ -0,0 +1,2 @@
|
||||
ALTER TABLE oidc_clients
|
||||
ADD COLUMN pkce_supported BOOLEAN NOT NULL DEFAULT FALSE;
|
||||
@@ -0,0 +1,7 @@
|
||||
PRAGMA foreign_keys=OFF;
|
||||
BEGIN;
|
||||
|
||||
ALTER TABLE oidc_clients DROP COLUMN pkce_supported;
|
||||
|
||||
COMMIT;
|
||||
PRAGMA foreign_keys=ON;
|
||||
@@ -0,0 +1,8 @@
|
||||
PRAGMA foreign_keys= OFF;
|
||||
BEGIN;
|
||||
|
||||
ALTER TABLE oidc_clients
|
||||
ADD COLUMN pkce_supported BOOLEAN NOT NULL DEFAULT 0;
|
||||
|
||||
COMMIT;
|
||||
PRAGMA foreign_keys= ON;
|
||||
Reference in New Issue
Block a user