Skip to content

Commit

Permalink
Differentiate between authenticated and not authenticated client cont…
Browse files Browse the repository at this point in the history
…exts (#259)
  • Loading branch information
maennchen authored Sep 26, 2023
1 parent b971a32 commit f449674
Show file tree
Hide file tree
Showing 15 changed files with 186 additions and 101 deletions.
2 changes: 1 addition & 1 deletion include/oidcc_client_context.hrl
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
provider_configuration :: oidcc_provider_configuration:t(),
jwks :: jose_jwk:key(),
client_id :: binary(),
client_secret :: binary(),
client_secret :: binary() | unauthenticated,
client_jwks = none :: jose_jwk:key() | none
}).

Expand Down
6 changes: 1 addition & 5 deletions lib/oidcc.ex
Original file line number Diff line number Diff line change
Expand Up @@ -371,8 +371,7 @@ defmodule Oidcc do
...> {:ok, _redirect_uri} = Oidcc.initiate_logout_url(
...> token,
...> pid,
...> "client_id",
...> "client_secret"
...> "client_id"
...> )
"""
Expand All @@ -381,7 +380,6 @@ defmodule Oidcc do
token :: id_token | Oidcc.Token.t() | :undefined,
provider_configuration_name :: GenServer.name(),
client_id :: String.t(),
client_secret :: String.t(),
opts :: :oidcc_logout.initiate_url_opts() | :oidcc_client_context.opts()
) ::
{:ok, :uri_string.uri_string()}
Expand All @@ -391,7 +389,6 @@ defmodule Oidcc do
token,
provider_configuration_name,
client_id,
client_secret,
opts \\ %{}
) do
token =
Expand All @@ -405,7 +402,6 @@ defmodule Oidcc do
token,
provider_configuration_name,
client_id,
client_secret,
opts
)
end
Expand Down
35 changes: 30 additions & 5 deletions lib/oidcc/client_context.ex
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,26 @@ defmodule Oidcc.ClientContext do
alias Oidcc.ProviderConfiguration

@typedoc since: "3.0.0"
@type t() :: %__MODULE__{
@type t() :: authenticated_t() | unauthenticated_t()

@typedoc since: "3.0.0"
@type authenticated_t() :: %__MODULE__{
provider_configuration: ProviderConfiguration.t(),
jwks: JOSE.JWK.t(),
client_id: String.t(),
client_secret: String.t(),
client_jwks: JOSE.JWK.t() | none
}

@typedoc since: "3.0.0"
@type unauthenticated_t() :: %__MODULE__{
provider_configuration: ProviderConfiguration.t(),
jwks: JOSE.JWK.t(),
client_id: String.t(),
client_secret: :unauthenticated,
client_jwks: :none
}

@doc """
Create Client Context from a `Oidcc.ProviderConfiguration.Worker`
Expand Down Expand Up @@ -56,8 +68,14 @@ defmodule Oidcc.ClientContext do
provider_name :: GenServer.name(),
client_id :: String.t(),
client_secret :: String.t(),
opts :: :oidcc_client_context.opts()
) :: {:ok, t()} | {:error, :oidcc_client_context.t()}
opts :: :oidcc_client_context.authenticated_opts()
) :: {:ok, authenticated_t()} | {:error, :oidcc_client_context.t()}
@spec from_configuration_worker(
provider_name :: GenServer.name(),
client_id :: String.t(),
client_secret :: :unauthenticated,
opts :: :oidcc_client_context.unauthenticated_opts()
) :: {:ok, unauthenticated_t()} | {:error, :oidcc_client_context.t()}
def from_configuration_worker(provider_name, client_id, client_secret, opts \\ %{}) do
opts = Map.update(opts, :client_jwks, :none, &JOSE.JWK.to_record/1)

Expand Down Expand Up @@ -102,8 +120,15 @@ defmodule Oidcc.ClientContext do
jwks :: JOSE.JWK.t(),
client_id :: String.t(),
client_secret :: String.t(),
opts :: :oidcc_client_context.opts()
) :: t()
opts :: :oidcc_client_context.authenticated_opts()
) :: authenticated_t()
@spec from_manual(
configuration :: ProviderConfiguration.t(),
jwks :: JOSE.JWK.t(),
client_id :: String.t(),
client_secret :: :unauthenticated,
opts :: :oidcc_client_context.unauthenticated_opts()
) :: unauthenticated_t()
def from_manual(configuration, jwks, client_id, client_secret, opts \\ %{}) do
configuration = ProviderConfiguration.struct_to_record(configuration)
jwks = JOSE.JWK.to_record(jwks)
Expand Down
4 changes: 2 additions & 2 deletions lib/oidcc/logout.ex
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ defmodule Oidcc.Logout do
See https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
For a high level interface using `Oidcc.ProviderConfiguration.Worker`
see `Oidcc.initiate_logout_url/5`.
see `Oidcc.initiate_logout_url/4`.
## Examples
Expand All @@ -25,7 +25,7 @@ defmodule Oidcc.Logout do
...> Oidcc.ClientContext.from_configuration_worker(
...> pid,
...> "client_id",
...> "client_secret"
...> :unauthenticated
...> )
...>
...> # Get `token` from `Oidcc.retrieve_token/5`
Expand Down
23 changes: 10 additions & 13 deletions src/oidcc.erl
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@

-export([client_credentials_token/4]).
-export([create_redirect_url/4]).
-export([initiate_logout_url/5]).
-export([initiate_logout_url/4]).
-export([introspect_token/5]).
-export([jwt_profile_token/6]).
-export([refresh_token/5]).
Expand Down Expand Up @@ -65,7 +65,7 @@
when
ProviderConfigurationWorkerName :: gen_server:server_ref(),
ClientId :: binary(),
ClientSecret :: binary(),
ClientSecret :: binary() | unauthenticated,
Opts :: oidcc_authorization:opts() | oidcc_client_context:opts(),
Uri :: uri_string:uri_string().
create_redirect_url(ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
Expand Down Expand Up @@ -108,7 +108,7 @@ create_redirect_url(ProviderConfigurationWorkerName, ClientId, ClientSecret, Opt
AuthCode,
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
ClientSecret | unauthenticated,
Opts
) ->
{ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()}
Expand Down Expand Up @@ -165,15 +165,15 @@ retrieve_token(
Token,
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
ClientSecret | unauthenticated,
Opts
) ->
{ok, map()} | {error, oidcc_client_context:error() | oidcc_userinfo:error()}
when
Token :: oidcc_token:t(),
ProviderConfigurationWorkerName :: gen_server:server_ref(),
ClientId :: binary(),
ClientSecret :: binary(),
ClientSecret :: binary() | unauthenticated,
Opts :: oidcc_userinfo:retrieve_opts_no_sub() | oidcc_client_context:opts();
(Token, ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
{ok, map()} | {error, any()}
Expand Down Expand Up @@ -226,7 +226,7 @@ retrieve_userinfo(
RefreshToken,
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
ClientSecret | unauthenticated,
Opts
) ->
{ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()}
Expand Down Expand Up @@ -357,7 +357,7 @@ introspect_token(
Subject,
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
ClientSecret | unauthenticated,
Jwk,
Opts
) -> {ok, oidcc_token:t()} | {error, oidcc_client_context:error() | oidcc_token:error()} when
Expand Down Expand Up @@ -443,7 +443,6 @@ client_credentials_token(ProviderConfigurationWorkerName, ClientId, ClientSecret
%% Token,
%% provider_name,
%% <<"client_id">>,
%% <<"client_secret">>,
%% #{post_logout_redirect_uri: <<"https://my.server/return"}
%% ),
%%
Expand All @@ -455,7 +454,6 @@ client_credentials_token(ProviderConfigurationWorkerName, ClientId, ClientSecret
Token,
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
Opts
) ->
{ok, uri_string:uri_string()} | {error, oidcc_client_context:error() | oidcc_logout:error()}
Expand All @@ -464,17 +462,16 @@ when
IdToken :: binary(),
ProviderConfigurationWorkerName :: gen_server:server_ref(),
ClientId :: binary(),
ClientSecret :: binary(),
Opts :: oidcc_logout:initiate_url_opts() | oidcc_client_context:opts().
initiate_logout_url(Token, ProviderConfigurationWorkerName, ClientId, ClientSecret, Opts) ->
Opts :: oidcc_logout:initiate_url_opts() | oidcc_client_context:unauthenticated_opts().
initiate_logout_url(Token, ProviderConfigurationWorkerName, ClientId, Opts) ->
{ClientContextOpts, OtherOpts} = extract_client_context_opts(Opts),

maybe
{ok, ClientContext} ?=
oidcc_client_context:from_configuration_worker(
ProviderConfigurationWorkerName,
ClientId,
ClientSecret,
unauthenticated,
ClientContextOpts
),
oidcc_logout:initiate_url(Token, ClientContext, OtherOpts)
Expand Down
2 changes: 2 additions & 0 deletions src/oidcc_authorization.erl
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,8 @@ attempt_request_object(QueryParams, #oidcc_client_context{
provider_configuration = #oidcc_provider_configuration{request_parameter_supported = false}
}) ->
QueryParams;
attempt_request_object(QueryParams, #oidcc_client_context{client_secret = unauthenticated}) ->
QueryParams;
attempt_request_object(QueryParams, #oidcc_client_context{
client_id = ClientId,
client_secret = ClientSecret,
Expand Down
Loading

0 comments on commit f449674

Please sign in to comment.