90 lines
3.4 KiB
Diff
90 lines
3.4 KiB
Diff
From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Thu, 18 Aug 2022 14:01:34 +0200
|
|
Subject: [PATCH 21/23] oidc_child: use client secret if available to get
|
|
device code
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Some IdP have the concept of confidential client, i.e. clients where the
|
|
client's secret can be stored safely by the related application. For a
|
|
confidential client some IdPs expects that the client secret is used in
|
|
all requests together with the client ID although OAuth2 specs currently
|
|
only mention this explicitly for the token request. To make sure the
|
|
device code can be requested in this case the client secret is added to
|
|
the device code request if the secret is provided.
|
|
|
|
Resolves: https://github.com/SSSD/sssd/issues/6146
|
|
|
|
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)
|
|
|
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
---
|
|
src/oidc_child/oidc_child.c | 2 +-
|
|
src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
|
|
src/oidc_child/oidc_child_util.h | 2 +-
|
|
3 files changed, 13 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
|
index aeeac3595..c8d35d5d8 100644
|
|
--- a/src/oidc_child/oidc_child.c
|
|
+++ b/src/oidc_child/oidc_child.c
|
|
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
|
|
}
|
|
|
|
if (opts.get_device_code) {
|
|
- ret = get_devicecode(dc_ctx, opts.client_id);
|
|
+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
|
|
goto done;
|
|
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
|
index df438e007..6e80c3abf 100644
|
|
--- a/src/oidc_child/oidc_child_curl.c
|
|
+++ b/src/oidc_child/oidc_child_curl.c
|
|
@@ -428,7 +428,7 @@ done:
|
|
#define DEFAULT_SCOPE "user"
|
|
|
|
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
|
- const char *client_id)
|
|
+ const char *client_id, const char *client_secret)
|
|
{
|
|
int ret;
|
|
|
|
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
|
return ENOMEM;
|
|
}
|
|
|
|
+ if (client_secret != NULL) {
|
|
+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
|
|
+ client_secret);
|
|
+ if (post_data == NULL) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "Failed to add client secret to POST data.\n");
|
|
+ return ENOMEM;
|
|
+ }
|
|
+ }
|
|
+
|
|
clean_http_data(dc_ctx);
|
|
ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
|
|
post_data, NULL);
|
|
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
|
|
index ae5a72bc2..8b106ae79 100644
|
|
--- a/src/oidc_child/oidc_child_util.h
|
|
+++ b/src/oidc_child/oidc_child_util.h
|
|
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
|
|
errno_t get_jwks(struct devicecode_ctx *dc_ctx);
|
|
|
|
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
|
- const char *client_id);
|
|
+ const char *client_id, const char *client_secret);
|
|
|
|
errno_t get_token(TALLOC_CTX *mem_ctx,
|
|
struct devicecode_ctx *dc_ctx, const char *client_id,
|
|
--
|
|
2.37.3
|
|
|