Merge pull request #187 from rp8/master

fixed the bug to compare client secrets when refreshing token
go-oauth2 · Jul 6, 2021 · 002e44a · 002e44a
2 parents 68172d1 + d34e841
commit 002e44a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,8 @@ _testmain.go
 *.test
 *.prof
 
+coverage.txt
+
 # OSX
 *.DS_Store
 *.db

diff --git a/manage/manager.go b/manage/manager.go
@@ -363,6 +363,10 @@ func (m *Manager) RefreshAccessToken(ctx context.Context, tgr *oauth2.TokenGener
 	cli, err := m.GetClient(ctx, tgr.ClientID)
 	if err != nil {
 		return nil, err
+	} else if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok {
+		if !cliPass.VerifyPassword(tgr.ClientSecret) {
+			return nil, errors.ErrInvalidClient
+		}
 	} else if tgr.ClientSecret != cli.GetSecret() {
 		return nil, errors.ErrInvalidClient
 	}

diff --git a/server/server.go b/server/server.go
@@ -240,7 +240,7 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) (
 		}
 	}
 
-	tgr := &oauth2.TokenGenerateRequest{
+	tgr = &oauth2.TokenGenerateRequest{
 		ClientID:            req.ClientID,
 		UserID:              req.UserID,
 		RedirectURI:         req.RedirectURI,