Merge pull request #601 from ericchiang/dev-allow-extra-space-in-scopes

server: allow extra spaces in scopes
This commit is contained in:
Eric Chiang 2016-10-12 15:39:22 -07:00 committed by GitHub
commit 13554ee735
3 changed files with 30 additions and 2 deletions


@ -537,7 +537,7 @@ func (s *Server) handleRefreshToken(w http.ResponseWriter, r *http.Request, clie
scopes := refresh.Scopes scopes := refresh.Scopes
if scope != "" { if scope != "" {
requestedScopes := strings.Split(scope, " ") requestedScopes := strings.Fields(scope)
var unauthorizedScopes []string var unauthorizedScopes []string
for _, s := range requestedScopes { for _, s := range requestedScopes {
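Review bot: After the switch to `strings.Fields` the `scope != ""` guard on the line above no longer means "at least one scope was requested": a whitespace-only scope parameter now enters the branch with an empty requestedScopes, whereas strings.Split would have produced empty-string tokens for the unauthorized-scope loop to reject. What the branch does with an empty list is outside the hunk, so this may or may not be a behaviour change; if the intent is to fall back to refresh.Scopes whenever nothing was requested, the guard should be `if strings.TrimSpace(scope) != "" {`, otherwise the branch should reject the request when `len(requestedScopes) == 0`. handleRefreshToken starts and ends outside the hunk.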


@ -213,7 +213,7 @@ func parseAuthorizationRequest(s storage.Storage, supportedResponseTypes map[str
return &authErr{state, redirectURI, typ, fmt.Sprintf(format, a...)} return &authErr{state, redirectURI, typ, fmt.Sprintf(format, a...)}
} }
scopes := strings.Split(r.Form.Get("scope"), " ") scopes := strings.Fields(r.Form.Get("scope"))
var ( var (
unrecognized []string unrecognized []string
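Review bot: The reason for tolerating extra whitespace lives only in the new test case; a one-line comment at the strings.Fields call would stop the next maintainer from "fixing" it back to strings.Split, e.g. `// Tolerate extra whitespace around scopes: go-oidc sends a leading space when refreshing.`. The same comment applies to the strings.Fields call in handleRefreshToken. Two side effects worth stating in that comment: Fields splits on any Unicode whitespace (tabs, newlines), which is broader than the single-space delimiter the OAuth2 scope syntax specifies, and a missing or blank scope parameter now yields no tokens instead of one empty-string token, so whether such a request is still rejected depends on the checks that follow outside the hunk. parseAuthorizationRequest continues outside the hunk.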


@ -195,6 +195,34 @@ func TestOAuth2CodeFlow(t *testing.T) {
return nil return nil
}, },
}, },
{
name: "refresh with extra spaces",
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
v := url.Values{}
v.Add("client_id", clientID)
v.Add("client_secret", clientSecret)
v.Add("grant_type", "refresh_token")
v.Add("refresh_token", token.RefreshToken)
// go-oidc adds an additional space before scopes when refreshing.
// Since we support that client we choose to be more relaxed about
// scope parsing, disregarding extra whitespace.
v.Add("scope", " "+strings.Join(requestedScopes, " "))
resp, err := http.PostForm(p.TokenURL, v)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
dump, err := httputil.DumpResponse(resp, true)
if err != nil {
panic(err)
}
return fmt.Errorf("unexpected response: %s", dump)
}
return nil
},
},
{ {
name: "refresh with unauthorized scopes", name: "refresh with unauthorized scopes",
handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error { handleToken: func(ctx context.Context, p *oidc.Provider, config *oauth2.Config, token *oauth2.Token) error {
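Review bot: The new "refresh with extra spaces" case only asserts a 200 status, so it would still pass if the server silently dropped or altered the requested scopes; decoding the JSON token response and checking that `access_token` is non-empty and that `scope`, when present, lists requestedScopes would pin the behaviour this commit is about. The `panic(err)` after httputil.DumpResponse aborts the whole test binary where the rest of the closure returns errors; `return fmt.Errorf("dumping response: %v", err)` keeps the case self-contained, unless the neighbouring cases deliberately share this pattern. TestOAuth2CodeFlow starts and ends outside the hunk.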