From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 18 Aug 2022 14:01:34 +0200
Subject: [PATCH 22/24] oidc_child: use client secret if available to get device code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some IdP have the concept of confidential client, i.e. clients where the client's secret can be stored safely by the related application. For a confidential client some IdPs expects that the client secret is used in all requests together with the client ID although OAuth2 specs currently only mention this explicitly for the token request. To make sure the device code can be requested in this case the client secret is added to the device code request if the secret is provided.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson
Reviewed-by: Pavel Březina
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)

Reviewed-by: Alexey Tikhonov
---
 src/oidc_child/oidc_child.c      |  2 +-
 src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
 src/oidc_child/oidc_child_util.h |  2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index aeeac3595..c8d35d5d8 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
     }
 
     if (opts.get_device_code) {
-        ret = get_devicecode(dc_ctx, opts.client_id);
+        ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
             goto done;
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index df438e007..6e80c3abf 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -428,7 +428,7 @@ done:
 #define DEFAULT_SCOPE "user"
 
 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
-                       const char *client_id)
+                       const char *client_id, const char *client_secret)
 {
     int ret;
 
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
         return ENOMEM;
     }
 
+    if (client_secret != NULL) {
+        post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
+                                           client_secret);
+        if (post_data == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Failed to add client secret to POST data.\n");
+            return ENOMEM;
+        }
+    }
+
     clean_http_data(dc_ctx);
     ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
                           post_data, NULL);
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
index ae5a72bc2..8b106ae79 100644
--- a/src/oidc_child/oidc_child_util.h
+++ b/src/oidc_child/oidc_child_util.h
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
 errno_t get_jwks(struct devicecode_ctx *dc_ctx);
 
 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
-                       const char *client_id);
+                       const char *client_id, const char *client_secret);
 errno_t get_token(TALLOC_CTX *mem_ctx,
                   struct devicecode_ctx *dc_ctx,
                   const char *client_id,
-- 
2.37.3
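Review bot: The secret is spliced verbatim into form-encoded POST data on the added `talloc_asprintf_append(post_data, "&client_secret=%s", client_secret)` line, so a secret containing `&`, `=`, `%` or `+` would change the shape of the request and be rejected or misread by the IdP. It should be percent-encoded before being appended, e.g. `char *enc = curl_easy_escape(NULL, client_secret, 0);` used in place of `client_secret` and released with `curl_free(enc)`, unless the `client_id`/`scope` part of the body built earlier in this function (outside the hunk) is deliberately left unencoded for the same reason. Whether `do_http_request()` or libcurl verbose output logs `post_data` is not visible here; if either does at any debug level, the client secret would now land in the debug log, which is worth confirming before merging. A `*client_secret != '\0'` condition alongside the NULL check would also avoid sending an empty `&client_secret=` parameter. get_devicecode starts in the previous hunk and its body continues past this one.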
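Review bot: The new parameter's contract is not documented at the declaration, and the caller in oidc_child.c passes `opts.client_secret`, which can be NULL. A short comment above the prototype would make the optional nature and the security-relevant handling explicit, e.g. `/* client_secret may be NULL; when set it is sent in the device-code request body (confidential clients only), so it must never be logged. */`. Documentation only, no code change proposed.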