From 0f9a74f1d055a4780d5be1f93a2e1dba905f0e9c Mon Sep 17 00:00:00 2001
From: Rui Yang <ryang@pivotal.io>
Date: Fri, 10 Jan 2020 14:39:08 -0500
Subject: [PATCH] Remove uneccesary client verification

---
 server/handlers.go | 34 ++--------------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)

diff --git a/server/handlers.go b/server/handlers.go
index 0fe8084d..694ababb 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -1153,7 +1153,6 @@ func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, client storage.Client) {
-
 	// Parse the fields
 	if err := r.ParseForm(); err != nil {
 		s.tokenErrHelper(w, errInvalidRequest, "Couldn't parse data", http.StatusBadRequest)
@@ -1161,38 +1160,10 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 	}
 	q := r.Form
 
-	// Get the clientID and secret from basic auth or form variables
-	clientID, clientSecret, ok := r.BasicAuth()
-	if ok {
-		var err error
-		if clientID, err = url.QueryUnescape(clientID); err != nil {
-			s.tokenErrHelper(w, errInvalidRequest, "client_id improperly encoded", http.StatusBadRequest)
-			return
-		}
-		if clientSecret, err = url.QueryUnescape(clientSecret); err != nil {
-			s.tokenErrHelper(w, errInvalidRequest, "client_secret improperly encoded", http.StatusBadRequest)
-			return
-		}
-	} else {
-		clientID = q.Get("client_id")
-		clientSecret = q.Get("client_secret")
-	}
-
 	nonce := q.Get("nonce")
 	// Some clients, like the old go-oidc, provide extra whitespace. Tolerate this.
 	scopes := strings.Fields(q.Get("scope"))
 
-	// Get the client from the database
-	client, err := s.storage.GetClient(clientID)
-	if err != nil {
-		if err == storage.ErrNotFound {
-			s.tokenErrHelper(w, errInvalidClient, fmt.Sprintf("Invalid client_id (%q).", clientID), http.StatusBadRequest)
-			return
-		}
-		s.tokenErrHelper(w, errInvalidClient, fmt.Sprintf("Failed to get client %v.", err), http.StatusBadRequest)
-		return
-	}
-
 	// Parse the scopes if they are passed
 	var (
 		unrecognized  []string
@@ -1211,7 +1182,7 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 				continue
 			}
 
-			isTrusted, err := s.validateCrossClientTrust(clientID, peerID)
+			isTrusted, err := s.validateCrossClientTrust(client.ID, peerID)
 			if err != nil {
 				s.tokenErrHelper(w, errInvalidClient, fmt.Sprintf("Error validating cross client trust %v.", err), http.StatusBadRequest)
 				return
@@ -1299,7 +1270,7 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 		refresh := storage.RefreshToken{
 			ID:          storage.NewID(),
 			Token:       storage.NewID(),
-			ClientID:    clientID,
+			ClientID:    client.ID,
 			ConnectorID: connID,
 			Scopes:      scopes,
 			Claims:      claims,
@@ -1390,7 +1361,6 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
 				deleteToken = true
 				return
 			}
-
 		}
 	}