
oauth2-types: Only require redirect_uris & change the default response type for the auth code grant and implicit grant

This commit is contained in:
Quentin Gliech
2023-09-05 12:05:53 +02:00
parent b9edbda5e1
commit aeb379eee9


@ -449,23 +449,31 @@ impl ClientMetadata {
/// [OpenID Connect Dynamic Client Registration Spec 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata /// [OpenID Connect Dynamic Client Registration Spec 1.0]: https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
#[allow(clippy::too_many_lines)] #[allow(clippy::too_many_lines)]
pub fn validate(self) -> Result<VerifiedClientMetadata, ClientMetadataVerificationError> { pub fn validate(self) -> Result<VerifiedClientMetadata, ClientMetadataVerificationError> {
let grant_types = self.grant_types();
let has_implicit = grant_types.contains(&GrantType::Implicit);
let has_authorization_code = grant_types.contains(&GrantType::AuthorizationCode);
let has_both = has_implicit && has_authorization_code;
if let Some(uris) = &self.redirect_uris { if let Some(uris) = &self.redirect_uris {
if let Some(uri) = uris.iter().find(|uri| uri.fragment().is_some()) { if let Some(uri) = uris.iter().find(|uri| uri.fragment().is_some()) {
return Err(ClientMetadataVerificationError::RedirectUriWithFragment( return Err(ClientMetadataVerificationError::RedirectUriWithFragment(
uri.clone(), uri.clone(),
)); ));
} }
} else { } else if has_authorization_code || has_implicit {
// Required for authorization code and implicit flows
return Err(ClientMetadataVerificationError::MissingRedirectUris); return Err(ClientMetadataVerificationError::MissingRedirectUris);
} }
let response_types = self.response_types(); let response_type_code = [OAuthAuthorizationEndpointResponseType::Code.into()];
let grant_types = self.grant_types(); let response_types = match &self.response_types {
let has_implicit = grant_types.contains(&GrantType::Implicit); Some(types) => &types[..],
let has_authorization_code = grant_types.contains(&GrantType::AuthorizationCode); // Default to code only if the client uses the authorization code or implicit flow
let has_both = has_implicit && has_authorization_code; None if has_authorization_code || has_implicit => &response_type_code[..],
None => &[],
};
for response_type in &response_types { for response_type in response_types {
let has_code = response_type.has_code(); let has_code = response_type.has_code();
let has_id_token = response_type.has_id_token(); let has_id_token = response_type.has_id_token();
let has_token = response_type.has_token(); let has_token = response_type.has_token();
@ -578,7 +586,7 @@ impl ClientMetadata {
self.response_types.clone().unwrap_or_else(|| { self.response_types.clone().unwrap_or_else(|| {
DEFAULT_RESPONSE_TYPES DEFAULT_RESPONSE_TYPES
.into_iter() .into_iter()
.filter_map(|t| ResponseType::try_from(t).ok()) .map(ResponseType::from)
.collect() .collect()
}) })
} }
@ -813,7 +821,7 @@ impl VerifiedClientMetadata {
pub fn redirect_uris(&self) -> &[Url] { pub fn redirect_uris(&self) -> &[Url] {
match &self.redirect_uris { match &self.redirect_uris {
Some(v) => v, Some(v) => v,
None => unreachable!(), None => &[],
} }
} }
} }
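Review bot: The new `else if` on the redirect-URI check in the first hunk only fires when `redirect_uris` is `None`, so a registration with `redirect_uris: []` together with the authorization-code or implicit grant still passes `validate` and never hits `MissingRedirectUris`, even though the comment says the URIs are required for those flows. The emptiness case can be folded into the same guard with a one-line change, `if let Some(uris) = self.redirect_uris.as_deref().filter(|u| !u.is_empty()) {`, so an empty list falls through to the existing `else if` and the fragment check keeps working on the slice. With that in place the `VerifiedClientMetadata::redirect_uris` change in the last hunk (`&[]` instead of `unreachable!()`) would only be reachable for clients without those grants, which is worth stating in that accessor's doc comment, since any caller that previously relied on the slice being non-empty (e.g. to pick a default redirect URI) now has to handle the empty case. `validate` continues past the end of the first hunk.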