From d4025ac0cadd042bdfeb6dd004916d35e0045f2b Mon Sep 17 00:00:00 2001
From: KS Chan
Date: Tue, 27 May 2025 10:24:01 +0800
Subject: [PATCH 1/3] openidConnect: Respect the discovered oauth2.AuthStyle in token refresh
The `oauth2.TokenSource` would discover the right place to pass the client credentials, i.e. HTTP Authorization header vs HTTP POST form. It is better not to hardcode the use of HTTP POST form.
---
 providers/openidConnect/openidConnect.go | 36 +++++++-----------------
 1 file changed, 10 insertions(+), 26 deletions(-)
diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go
index c928547a..68ae1ed9 100644
--- a/providers/openidConnect/openidConnect.go
+++ b/providers/openidConnect/openidConnect.go
@@ -276,38 +276,22 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) { // compatibility purposes) that also returns the id_token in the OpenID refresh token flow API response // Learn more about ID tokens: https://openid.net/specs/openid-connect-core-1_0.html#IDToken func (p *Provider) RefreshTokenWithIDToken(refreshToken string) (*RefreshTokenResponse, error) { - urlValues := url.Values{ - "grant_type": {"refresh_token"}, - "refresh_token": {refreshToken}, - "client_id": {p.ClientKey}, - "client_secret": {p.Secret}, - } - req, err := http.NewRequest("POST", p.OpenIDConfig.TokenEndpoint, strings.NewReader(urlValues.Encode())) - if err != nil { - return nil, err - } - - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - - resp, err := p.Client().Do(req) + newToken, err := p.RefreshToken(refreshToken) if err != nil { return nil, err } - if resp.StatusCode != http.StatusOK { - return nil, fmt.Errorf("Non-200 response from RefreshToken: %d, WWW-Authenticate=%s", resp.StatusCode, resp.Header.Get("WWW-Authenticate")) - } - body, err := io.ReadAll(resp.Body) - if err != nil { - return nil, err + idToken, ok := newToken.Extra("id_token").(string) + if !ok || idToken == "" { + return nil, fmt.Errorf("id_token not present in token response") } - resp.Body.Close() - refreshTokenResponse := &RefreshTokenResponse{} - - err = json.Unmarshal(body, refreshTokenResponse) - if err != nil { - return nil, err + refreshTokenResponse := &RefreshTokenResponse{ + AccessToken: newToken.AccessToken, + IdToken: idToken, + RefreshToken: newToken.RefreshToken, + ExpiresIn: expirationTime(newToken.ExpiresIn), + Expiry: newToken.Expiry, } return refreshTokenResponse, nil From 1d18e30fbccc90716558f3a174728873f0d3e5a2 Mon Sep 17 00:00:00 2001 From: KS Chan Date: Tue, 27 May 2025 10:29:11 +0800 Subject: [PATCH 2/3] Drop unused net/url --- providers/openidConnect/openidConnect.go | 1 - 1 file changed, 1 deletion(-) 
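Review bot: The `if !ok || idToken == ""` guard turns a missing `id_token` into a hard error, whereas the replaced `json.Unmarshal` path returned a `RefreshTokenResponse` with an empty `IdToken`; OpenID Connect Core §12.2 allows a refresh response to omit `id_token`, so providers that do so will now fail where they previously succeeded. If the stricter contract is intended, state it in the doc comment on the context lines above, e.g. `// It returns an error if the provider's refresh response does not include an id_token.`; otherwise leave `IdToken` empty instead of returning. The `IdToken` field is copied straight from `newToken.Extra("id_token")` with no signature, issuer or audience check, which that comment should also say so callers know to validate it before trusting its claims. Minor style point: `fmt.Errorf` with no verbs is conventionally `errors.New("id_token not present in token response")` (adding the `errors` import if the file lacks it). The closing brace of RefreshTokenWithIDToken lies outside the hunk.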
diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index 68ae1ed9..0bcaaa32 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go @@ -8,7 +8,6 @@ import ( "fmt" "io" "net/http" - "net/url" "strings" "time" From 2402c74b6fa5be9278c7436dc10a9e4bd652de21 Mon Sep 17 00:00:00 2001 From: KS Chan Date: Tue, 27 May 2025 10:31:11 +0800 Subject: [PATCH 3/3] Drop non-existing fields... --- providers/openidConnect/openidConnect.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go index 0bcaaa32..6dc75920 100644 --- a/providers/openidConnect/openidConnect.go +++ b/providers/openidConnect/openidConnect.go @@ -289,8 +289,6 @@ func (p *Provider) RefreshTokenWithIDToken(refreshToken string) (*RefreshTokenRe AccessToken: newToken.AccessToken, IdToken: idToken, RefreshToken: newToken.RefreshToken, - ExpiresIn: expirationTime(newToken.ExpiresIn), - Expiry: newToken.Expiry, } return refreshTokenResponse, nil