From 8541184afb79448d2f4f8be785dc7753a360557e Mon Sep 17 00:00:00 2001
From: Eric Chiang <eric.chiang@coreos.com>
Date: Fri, 27 Jan 2017 11:42:46 -0800
Subject: [PATCH] server: support POSTing to authorization endpoint

Fixes #791
---
 server/oauth2.go      |  5 ++++-
 server/oauth2_test.go | 30 +++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/server/oauth2.go b/server/oauth2.go
index 18c554ec..15b85ed2 100644
--- a/server/oauth2.go
+++ b/server/oauth2.go
@@ -333,7 +333,10 @@ func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []str
 
 // parse the initial request from the OAuth2 client.
 func (s *Server) parseAuthorizationRequest(r *http.Request) (req storage.AuthRequest, oauth2Err *authErr) {
-	q := r.URL.Query()
+	if err := r.ParseForm(); err != nil {
+		return req, &authErr{"", "", errInvalidRequest, "Failed to parse request body."}
+	}
+	q := r.Form
 	redirectURI, err := url.QueryUnescape(q.Get("redirect_uri"))
 	if err != nil {
 		return req, &authErr{"", "", errInvalidRequest, "No redirect_uri provided."}
diff --git a/server/oauth2_test.go b/server/oauth2_test.go
index 7f9a449d..83de2256 100644
--- a/server/oauth2_test.go
+++ b/server/oauth2_test.go
@@ -2,8 +2,10 @@ package server
 
 import (
 	"context"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
 
 	jose "gopkg.in/square/go-jose.v2"
@@ -17,6 +19,8 @@ func TestParseAuthorizationRequest(t *testing.T) {
 		clients                []storage.Client
 		supportedResponseTypes []string
 
+		usePOST bool
+
 		queryParams map[string]string
 
 		wantErr bool
@@ -37,6 +41,23 @@ func TestParseAuthorizationRequest(t *testing.T) {
 				"scope":         "openid email profile",
 			},
 		},
+		{
+			name: "POST request",
+			clients: []storage.Client{
+				{
+					ID:           "foo",
+					RedirectURIs: []string{"https://example.com/foo"},
+				},
+			},
+			supportedResponseTypes: []string{"code"},
+			queryParams: map[string]string{
+				"client_id":     "foo",
+				"redirect_uri":  "https://example.com/foo",
+				"response_type": "code",
+				"scope":         "openid email profile",
+			},
+			usePOST: true,
+		},
 		{
 			name: "invalid client id",
 			clients: []storage.Client{
@@ -139,7 +160,14 @@ func TestParseAuthorizationRequest(t *testing.T) {
 				params.Set(k, v)
 			}
 
-			req := httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+			var req *http.Request
+			if tc.usePOST {
+				body := strings.NewReader(params.Encode())
+				req = httptest.NewRequest("POST", httpServer.URL+"/auth", body)
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			} else {
+				req = httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
+			}
 			_, err := server.parseAuthorizationRequest(req)
 			if err != nil && !tc.wantErr {
 				t.Errorf("%s: %v", tc.name, err)