From 8541184afb79448d2f4f8be785dc7753a360557e Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Fri, 27 Jan 2017 11:42:46 -0800
Subject: [PATCH] server: support POSTing to authorization endpoint

Fixes #791
---
 server/oauth2.go | 5 ++++-
 server/oauth2_test.go | 30 +++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/server/oauth2.go b/server/oauth2.go
index 18c554ec..15b85ed2 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -333,7 +333,10 @@ func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []str
 
 // parse the initial request from the OAuth2 client.
 func (s *Server) parseAuthorizationRequest(r *http.Request) (req storage.AuthRequest, oauth2Err *authErr) {
-	q := r.URL.Query()
+	if err := r.ParseForm(); err != nil {
+		return req, &authErr{"", "", errInvalidRequest, "Failed to parse request body."}
+	}
+	q := r.Form
 	redirectURI, err := url.QueryUnescape(q.Get("redirect_uri"))
 	if err != nil {
 		return req, &authErr{"", "", errInvalidRequest, "No redirect_uri provided."}
diff --git a/server/oauth2_test.go b/server/oauth2_test.go
index 7f9a449d..83de2256 100644
--- a/server/oauth2_test.go
+++ b/server/oauth2_test.go
@@ -2,8 +2,10 @@ package server
 
 import (
 	"context"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
 
 	jose "gopkg.in/square/go-jose.v2"
@@ -17,6 +19,8 @@ func TestParseAuthorizationRequest(t *testing.T) {
 		clients []storage.Client
 		supportedResponseTypes []string
 
+		usePOST bool
+
 		queryParams map[string]string
 
 		wantErr bool
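Review bot: With `q := r.Form` a POST authorization request is read from both the form body and the URL query, and Go's ParseForm documents that body values take precedence in r.Form, so a parameter sent in both places resolves silently to the body copy while `q.Get` discards the rest. RFC 6749 §3.1 forbids sending a request parameter more than once, so the safer reading is to reject it: `if len(q["redirect_uri"]) > 1 { return req, &authErr{"", "", errInvalidRequest, "Duplicate redirect_uri parameter."} }` (and likewise for client_id and the other parameters read further down). The new error text `Failed to parse request body.` is also what a GET with a malformed query string now gets, because ParseForm parses the URL query too; `Failed to parse request parameters.` would fit both cases. The function comment could record the widened contract: `// parse the initial request from the OAuth2 client (GET query string or POST form body).` parseAuthorizationRequest continues past the end of the hunk.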
@@ -37,6 +41,23 @@ func TestParseAuthorizationRequest(t *testing.T) {
 				"scope": "openid email profile",
 			},
 		},
+		{
+			name: "POST request",
+			clients: []storage.Client{
+				{
+					ID: "foo",
+					RedirectURIs: []string{"https://example.com/foo"},
+				},
+			},
+			supportedResponseTypes: []string{"code"},
+			queryParams: map[string]string{
+				"client_id": "foo",
+				"redirect_uri": "https://example.com/foo",
+				"response_type": "code",
+				"scope": "openid email profile",
+			},
+			usePOST: true,
+		},
 		{
 			name: "invalid client id",
 			clients: []storage.Client{
@@ -139,7 +160,14 @@ func TestParseAuthorizationRequest(t *testing.T) {
 			params.Set(k, v)
 		}
 
-		req := httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+		var req *http.Request
+		if tc.usePOST {
+			body := strings.NewReader(params.Encode())
+			req = httptest.NewRequest("POST", httpServer.URL+"/auth", body)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		} else {
+			req = httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+		}
 		_, err := server.parseAuthorizationRequest(req)
 		if err != nil && !tc.wantErr {
 			t.Errorf("%s: %v", tc.name, err)
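Review bot: The new `POST request` table entry only covers the success path; no case sends a POST that should be rejected, so the `ParseForm` error return added in server/oauth2.go and the behaviour of a POST without an `application/x-www-form-urlencoded` Content-Type (ParseForm then leaves the body unread, so the request arrives with no parameters) are untested. A second entry with `usePOST: true` and `wantErr: true` whose request omits the Content-Type header would cover the latter; that needs a small knob in the request-building hunk at the end of this file, where the header is currently set unconditionally. I would expect such a request to fail on the missing required parameters, though the exact error comes from checks outside the diff.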
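Review bot: The two `httptest.NewRequest` calls still pass the string literals `"POST"` and `"GET"` although `net/http` is now imported; `http.MethodPost` and `http.MethodGet` are the idiomatic spelling and match the `*http.Request` type the branch already declares. The driver builds its body from `params.Encode()`, so it can only ever produce a well-formed body and cannot reach the parse-failure branch in parseAuthorizationRequest. The enclosing loop over the test table starts before the hunk.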