Differentiate between authenticated and not authenticated client cont…

…exts
erlef · Sep 26, 2023 · 223e11c · 223e11c
1 parent b971a32
commit 223e11c
Show file tree

Hide file tree

Showing 15 changed files with 186 additions and 101 deletions.
diff --git a/include/oidcc_client_context.hrl b/include/oidcc_client_context.hrl
@@ -4,7 +4,7 @@
     provider_configuration :: oidcc_provider_configuration:t(),
     jwks :: jose_jwk:key(),
     client_id :: binary(),
-    client_secret :: binary(),
+    client_secret :: binary() | unauthenticated,
     client_jwks = none :: jose_jwk:key() | none
 }).
 

diff --git a/lib/oidcc.ex b/lib/oidcc.ex
@@ -371,8 +371,7 @@ defmodule Oidcc do
       ...> {:ok, _redirect_uri} = Oidcc.initiate_logout_url(
       ...>   token,
       ...>   pid,
-      ...>   "client_id",
-      ...>   "client_secret"
+      ...>   "client_id"
       ...> )
 
   """
@@ -381,7 +380,6 @@ defmodule Oidcc do
           token :: id_token | Oidcc.Token.t() | :undefined,
           provider_configuration_name :: GenServer.name(),
           client_id :: String.t(),
-          client_secret :: String.t(),
           opts :: :oidcc_logout.initiate_url_opts() | :oidcc_client_context.opts()
         ) ::
           {:ok, :uri_string.uri_string()}
@@ -391,7 +389,6 @@ defmodule Oidcc do
         token,
         provider_configuration_name,
         client_id,
-        client_secret,
         opts \\ %{}
       ) do
     token =
@@ -405,7 +402,6 @@ defmodule Oidcc do
       token,
       provider_configuration_name,
       client_id,
-      client_secret,
       opts
     )
   end

diff --git a/lib/oidcc/client_context.ex b/lib/oidcc/client_context.ex
@@ -17,14 +17,26 @@ defmodule Oidcc.ClientContext do
   alias Oidcc.ProviderConfiguration
 
   @typedoc since: "3.0.0"
-  @type t() :: %__MODULE__{
+  @type t() :: authenticated_t() | unauthenticated_t()
+
+  @typedoc since: "3.0.0"
+  @type authenticated_t() :: %__MODULE__{
           provider_configuration: ProviderConfiguration.t(),
           jwks: JOSE.JWK.t(),
           client_id: String.t(),
           client_secret: String.t(),
           client_jwks: JOSE.JWK.t() | none
         }
 
+  @typedoc since: "3.0.0"
+  @type unauthenticated_t() :: %__MODULE__{
+          provider_configuration: ProviderConfiguration.t(),
+          jwks: JOSE.JWK.t(),
+          client_id: String.t(),
+          client_secret: :unauthenticated,
+          client_jwks: :none
+        }
+
   @doc """
   Create Client Context from a `Oidcc.ProviderConfiguration.Worker`
 
@@ -56,8 +68,14 @@ defmodule Oidcc.ClientContext do
           provider_name :: GenServer.name(),
           client_id :: String.t(),
           client_secret :: String.t(),
-          opts :: :oidcc_client_context.opts()
-        ) :: {:ok, t()} | {:error, :oidcc_client_context.t()}
+          opts :: :oidcc_client_context.authenticated_opts()
+        ) :: {:ok, authenticated_t()} | {:error, :oidcc_client_context.t()}
+  @spec from_configuration_worker(
+          provider_name :: GenServer.name(),
+          client_id :: String.t(),
+          client_secret :: :unauthenticated,
+          opts :: :oidcc_client_context.unauthenticated_opts()
+        ) :: {:ok, unauthenticated_t()} | {:error, :oidcc_client_context.t()}
   def from_configuration_worker(provider_name, client_id, client_secret, opts \\ %{}) do
     opts = Map.update(opts, :client_jwks, :none, &JOSE.JWK.to_record/1)
 
@@ -102,8 +120,15 @@ defmodule Oidcc.ClientContext do
           jwks :: JOSE.JWK.t(),
           client_id :: String.t(),
           client_secret :: String.t(),
-          opts :: :oidcc_client_context.opts()
-        ) :: t()
+          opts :: :oidcc_client_context.authenticated_opts()
+        ) :: authenticated_t()
+  @spec from_manual(
+          configuration :: ProviderConfiguration.t(),
+          jwks :: JOSE.JWK.t(),
+          client_id :: String.t(),
+          client_secret :: :unauthenticated,
+          opts :: :oidcc_client_context.unauthenticated_opts()
+        ) :: unauthenticated_t()
   def from_manual(configuration, jwks, client_id, client_secret, opts \\ %{}) do
     configuration = ProviderConfiguration.struct_to_record(configuration)
     jwks = JOSE.JWK.to_record(jwks)

diff --git a/lib/oidcc/logout.ex b/lib/oidcc/logout.ex
@@ -12,7 +12,7 @@ defmodule Oidcc.Logout do
   See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 
   For a high level interface using `Oidcc.ProviderConfiguration.Worker`
-  see `Oidcc.initiate_logout_url/5`.
+  see `Oidcc.initiate_logout_url/4`.
 
   ## Examples
 
@@ -25,7 +25,7 @@ defmodule Oidcc.Logout do
       ...>   Oidcc.ClientContext.from_configuration_worker(
       ...>     pid,
       ...>     "client_id",
-      ...>     "client_secret"
+      ...>     :unauthenticated
       ...>   )
       ...>
       ...> # Get `token` from `Oidcc.retrieve_token/5`

diff --git a/src/oidcc.erl b/src/oidcc.erl
@@ -30,7 +30,7 @@
 
 -export([client_credentials_token/4]).
 -export([create_redirect_url/4]).
--export([initiate_logout_url/5]).
+-export([initiate_logout_url/4]).
 -export([introspect_token/5]).
 -export([jwt_profile_token/6]).
 -export([refresh_token/5]).
@@ -65,7 +65,7 @@
 when
     ProviderConfigurationWorkerName :: gen_server:server_ref(),
     ClientId :: binary(),
-    ClientSecret :: binary(),
+    ClientSecret :: binary() | unauthenticated,
     Opts :: oidcc_authorization:opts() | oidcc_client_context:opts(),
     Uri :: uri_string:uri_string().
 create_redirect_url(ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
@@ -108,7 +108,7 @@ create_redirect_url(ProviderConfigurationWorkerName, ClientId, ClientSecret, Opt
     AuthCode,
     ProviderConfigurationWorkerName,
     ClientId,
-    ClientSecret,
+    ClientSecret | unauthenticated,
     Opts
 ) ->
     {ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()}
@@ -165,15 +165,15 @@ retrieve_token(
         Token,
         ProviderConfigurationWorkerName,
         ClientId,
-        ClientSecret,
+        ClientSecret | unauthenticated,
         Opts
     ) ->
         {ok, map()} | {error, oidcc_client_context:error() | oidcc_userinfo:error()}
     when
         Token :: oidcc_token:t(),
         ProviderConfigurationWorkerName :: gen_server:server_ref(),
         ClientId :: binary(),
-        ClientSecret :: binary(),
+        ClientSecret :: binary() | unauthenticated,
         Opts :: oidcc_userinfo:retrieve_opts_no_sub() | oidcc_client_context:opts();
     (Token, ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
         {ok, map()} | {error, any()}
@@ -226,7 +226,7 @@ retrieve_userinfo(
         RefreshToken,
         ProviderConfigurationWorkerName,
         ClientId,
-        ClientSecret,
+        ClientSecret | unauthenticated,
         Opts
     ) ->
         {ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()}
@@ -357,7 +357,7 @@ introspect_token(
     Subject,
     ProviderConfigurationWorkerName,
     ClientId,
-    ClientSecret,
+    ClientSecret | unauthenticated,
     Jwk,
     Opts
 ) -> {ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()} when
@@ -443,7 +443,6 @@ client_credentials_token(ProviderConfigurationWorkerName, ClientId, ClientSecret
 %%     Token,
 %%     provider_name,
 %%     <<"client_id">>,
-%%     <<"client_secret">>,
 %%     #{post_logout_redirect_uri: <<"https://my.server/return"}
 %% ),
 %%
@@ -455,7 +454,6 @@ client_credentials_token(ProviderConfigurationWorkerName, ClientId, ClientSecret
     Token,
     ProviderConfigurationWorkerName,
     ClientId,
-    ClientSecret,
     Opts
 ) ->
     {ok, uri_string:uri_string()} | {error, oidcc_client_context:error() | oidcc_logout:error()}
@@ -464,17 +462,16 @@ when
     IdToken :: binary(),
     ProviderConfigurationWorkerName :: gen_server:server_ref(),
     ClientId :: binary(),
-    ClientSecret :: binary(),
-    Opts :: oidcc_logout:initiate_url_opts() | oidcc_client_context:opts().
-initiate_logout_url(Token, ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
+    Opts :: oidcc_logout:initiate_url_opts() | oidcc_client_context:unauthenticated_opts().
+initiate_logout_url(Token, ProviderConfigurationWorkerName, ClientId, Opts) ->
     {ClientContextOpts, OtherOpts} = extract_client_context_opts(Opts),
 
     maybe
         {ok, ClientContext} ?=
             oidcc_client_context:from_configuration_worker(
                 ProviderConfigurationWorkerName,
                 ClientId,
-                ClientSecret,
+                unauthenticated,
                 ClientContextOpts
             ),
         oidcc_logout:initiate_url(Token, ClientContext, OtherOpts)

diff --git a/src/oidcc_authorization.erl b/src/oidcc_authorization.erl
@@ -167,6 +167,8 @@ attempt_request_object(QueryParams, #oidcc_client_context{
     provider_configuration = #oidcc_provider_configuration{request_parameter_supported = false}
 }) ->
     QueryParams;
+attempt_request_object(QueryParams, #oidcc_client_context{client_secret = unauthenticated}) ->
+    QueryParams;
 attempt_request_object(QueryParams, #oidcc_client_context{
     client_id = ClientId,
     client_secret = ClientSecret,