Add client_secret_basic auth exchangeCode Method. See related DuendeArchive#892

Valérian Girard · Valérian Girard · commit 7bb91c78a1bd · 2020-02-25T09:39:59.000+01:00
diff --git a/src/JsonService.js b/src/JsonService.js
@@ -96,7 +96,7 @@ export class JsonService {
         });
     }
 
-    postForm(url, payload) {
+    postForm(url, payload, basicAuth) {
         if (!url){
             Log.error("JsonService.postForm: No url passed");
             throw new Error("url");
@@ -197,6 +197,12 @@ export class JsonService {
             }
 
             req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+
+            if (basicAuth !== undefined)
+            {
+                req.setRequestHeader("Authorization", "Basic " + btoa(basicAuth));
+            }
+
             req.send(body);
         });
     }
diff --git a/src/OidcClientSettings.js b/src/OidcClientSettings.js
@@ -10,6 +10,7 @@ const OidcMetadataUrlPath = '.well-known/openid-configuration';
 
 const DefaultResponseType = "id_token";
 const DefaultScope = "openid";
+const DefaultClientAuthentication = "client_secret_post" // The default value must be client_secret_basic, as explained in https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
 const DefaultStaleStateAge = 60 * 15; // seconds
 const DefaultClockSkewInSeconds = 60 * 5;
 
@@ -20,6 +21,7 @@ export class OidcClientSettings {
         // client related
         client_id, client_secret, response_type = DefaultResponseType, scope = DefaultScope,
         redirect_uri, post_logout_redirect_uri,
+        client_authentication = DefaultClientAuthentication,
         // optional protocol
         prompt, display, max_age, ui_locales, acr_values, resource, response_mode,
         // behavior flags
@@ -46,6 +48,7 @@ export class OidcClientSettings {
         this._scope = scope;
         this._redirect_uri = redirect_uri;
         this._post_logout_redirect_uri = post_logout_redirect_uri;
+        this._client_authentication = client_authentication;
 
         this._prompt = prompt;
         this._display = display;
@@ -98,7 +101,10 @@ export class OidcClientSettings {
     get post_logout_redirect_uri() {
         return this._post_logout_redirect_uri;
     }
-
+    get client_authentication() {
+        return this._client_authentication;
+    }
+    
 
     // optional protocol params
     get prompt() {
diff --git a/src/TokenClient.js b/src/TokenClient.js
@@ -20,10 +20,17 @@ export class TokenClient {
     exchangeCode(args = {}) {
         args = Object.assign({}, args);
 
+        var basicAuth = undefined;
+        var urlQuery = "";
+
         args.grant_type = args.grant_type || "authorization_code";
         args.client_id = args.client_id || this._settings.client_id;
+        args.client_secret = args.client_secret || this._settings.client_secret;
         args.redirect_uri = args.redirect_uri || this._settings.redirect_uri;
 
+        var client_authentication = args._client_authentication || this._settings._client_authentication;
+        delete args._client_authentication;
+
         if (!args.code) {
             Log.error("TokenClient.exchangeCode: No code passed");
             return Promise.reject(new Error("A code is required"));
@@ -40,11 +47,26 @@ export class TokenClient {
             Log.error("TokenClient.exchangeCode: No client_id passed");
             return Promise.reject(new Error("A client_id is required"));
         }
+        if (!args.client_secret && client_authentication == "client_secret_basic") {
+            Log.error("TokenClient.exchangeCode: No client_secret passed");
+            return Promise.reject(new Error("A client_secret is required"));
+        }
+
+
+        // Sending the client credentials using the Basic Auth method
+        if(client_authentication == "client_secret_basic")
+        {
+            basicAuth = args.client_id + ':' + args.client_secret;
+            urlQuery = "?grant_type=" + encodeURIComponent(args.grant_type) + 
+                   "&redirect_uri="+ encodeURIComponent(args.redirect_uri) +
+                   "&code="+ encodeURIComponent(args.code);
+
+            args = {};
+        }
 
         return this._metadataService.getTokenEndpoint(false).then(url => {
             Log.debug("TokenClient.exchangeCode: Received token endpoint");
-
-            return this._jsonService.postForm(url, args).then(response => {
+            return this._jsonService.postForm(url + urlQuery, args, basicAuth).then(response => {
                 Log.debug("TokenClient.exchangeCode: response received");
                 return response;
             });

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ export class JsonService {`
`96`	`96`	`});`
`97`	`97`	`}`
`98`	`98`
`99`		`- postForm(url, payload) {`
	`99`	`+ postForm(url, payload, basicAuth) {`
`100`	`100`	`if (!url){`
`101`	`101`	`Log.error("JsonService.postForm: No url passed");`
`102`	`102`	`throw new Error("url");`
`@@ -197,6 +197,12 @@ export class JsonService {`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");`
	`200`	`+`
	`201`	`+ if (basicAuth !== undefined)`
	`202`	`+ {`
	`203`	`+ req.setRequestHeader("Authorization", "Basic " + btoa(basicAuth));`
	`204`	`+ }`
	`205`	`+`
`200`	`206`	`req.send(body);`
`201`	`207`	`});`
`202`	`208`	`}`