GitBug:17644 ([NetKit] OpenID support)

yannicktrinh · yannicktrinh · commit 2a5357f132dd · 2025-09-15T16:49:46.000+02:00
#17644
diff --git a/Project/Sources/Classes/OAuth2Provider.4dm b/Project/Sources/Classes/OAuth2Provider.4dm
@@ -23,12 +23,14 @@ property clientAssertionType : Text  // When authenticating with certificate thi
 property thumbprint : Text  // used to set x5t in JWT (x5t = BASE64URL-ENCODE(BYTEARRAY(thumbprint)))
 property browserAutoOpen : Boolean  // If true, the class will automatically open the URL in signed mode to handle the authentication process (default is True)
 
+property state : Text
+property nonce : Text  // For OpenID Connect
+
 property _scope : Text
 property _authenticateURI : Text
 property _tokenURI : Text
 property _grantType : Text
 property _codeVerifier : Text
-property _state : Text
 
 property enableDebugLog : Boolean  // Enable HTTP Server debug log for Debug purposes only
 
@@ -234,7 +236,11 @@ Class constructor($inParams : Object)
 			This.clientAssertionType:="urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 		End if 
 		
-		This._state:=Generate UUID
+		This.state:=Choose(Value type($inParams.state)=Is text; $inParams.state; Generate UUID)
+		If (Value type($inParams.nonce)#Is undefined)
+			This.nonce:=String($inParams.nonce)
+		End if 
+		
 		This.browserAutoOpen:=Choose(Value type($inParams.browserAutoOpen)=Is undefined; True; Bool($inParams.browserAutoOpen))
 		
 	End if 
@@ -426,7 +432,7 @@ Function _getAuthorizationCode() : Text
 			
 		Else 
 			
-			var $state : Text:=This._state
+			var $state : Text:=This.state
 			
 			Use (Storage)
 				If (Storage.requests=Null)
@@ -473,21 +479,21 @@ Function _getAuthorizationCode() : Text
 Function _getToken_SignedIn($bUseRefreshToken : Boolean) : Object
 	
 	var $result : Object:=Null
-	var $params : Text
+	var $params : cs.URL:=cs.URL.new()
 	var $bSendRequest : Boolean:=True
 	If ($bUseRefreshToken)
-		
-		$params:="client_id="+This.clientId
+
+		$params.addQueryParameter("client_id"; This.clientId)
 		If (Length(This.scope)>0)
-			$params+="&scope="+cs.Tools.me.urlEncode(This.scope)
-		End if 
-		$params+="&refresh_token="+This.token.refresh_token
-		$params+="&grant_type=refresh_token"
+			$params.addQueryParameter("scope"; cs.Tools.me.urlEncode(This.scope))
+		End if
+		$params.addQueryParameter("refresh_token"; This.token.refresh_token)
+		$params.addQueryParameter("grant_type"; "refresh_token")
 		If (Length(This.clientSecret)>0)
-			$params+="&client_secret="+This.clientSecret
-		End if 
-		
-	Else 
+			$params.addQueryParameter("client_secret"; This.clientSecret)
+		End if
+
+	Else
 		
 		If (Length(String(This.redirectURI))>0)
 			
@@ -523,19 +529,19 @@ Function _getToken_SignedIn($bUseRefreshToken : Boolean) : Object
 				var $authorizationCode : Text:=This._getAuthorizationCode()
 				
 				If (Length($authorizationCode)>0)
-					
-					$params:="client_id="+This.clientId
-					$params+="&grant_type=authorization_code"
-					$params+="&code="+$authorizationCode
-					$params+="&redirect_uri="+cs.Tools.me.urlEncode(This.redirectURI)
+
+					$params.addQueryParameter("client_id"; This.clientId)
+					$params.addQueryParameter("grant_type"; "authorization_code")
+					$params.addQueryParameter("code"; $authorizationCode)
+					$params.addQueryParameter("redirect_uri"; cs.Tools.me.urlEncode(This.redirectURI))
 					If (This.PKCEEnabled)
-						$params+="&code_verifier="+This.codeVerifier
+						$params.addQueryParameter("code_verifier"; This.codeVerifier)
 					End if 
 					If (Length(This.clientSecret)>0)
-						$params+="&client_secret="+This.clientSecret
+						$params.addQueryParameter("client_secret"; This.clientSecret)
 					End if 
-					$params+="&scope="+cs.Tools.me.urlEncode(This.scope)
-					
+					$params.addQueryParameter("scope"; cs.Tools.me.urlEncode(This.scope))
+
 				Else 
 					
 					$bSendRequest:=False
@@ -555,7 +561,7 @@ Function _getToken_SignedIn($bUseRefreshToken : Boolean) : Object
 	
 	If ($bSendRequest)
 		
-		$result:=This._sendTokenRequest($params)
+		$result:=This._sendTokenRequest($params.getQueryString())
 		
 	End if 
 	
@@ -568,7 +574,7 @@ Function _getToken_SignedIn($bUseRefreshToken : Boolean) : Object
 Function _getToken_Service() : Object
 	
 	var $result : Object:=Null
-	var $params : Text
+	var $params : cs.URL:=cs.URL.new()
 	var $jwt : cs._JWT
 	var $options : Object
 	var $bearer : Text
@@ -592,8 +598,8 @@ Function _getToken_Service() : Object
 			$jwt:=cs._JWT.new($options)
 			$bearer:=$jwt.generate()
 			
-			$params:="grant_type="+cs.Tools.me.urlEncode(This.grantType)
-			$params+="&assertion="+$bearer
+			$params.addQueryParameter("grant_type"; cs.Tools.me.urlEncode(This.grantType))
+			$params.addQueryParameter("assertion"; $bearer)
 			
 		: (This._useJWTBearerAssertionType())
 			// See documentation of https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials
@@ -613,24 +619,24 @@ Function _getToken_Service() : Object
 			$bearer:=$jwt.generate()
 			
 			// See documentation of https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
-			$params:="grant_type="+This.grantType
-			$params+="&client_id="+This.clientId
-			$params+="&scope="+cs.Tools.me.urlEncode(This.scope)
-			$params+="&client_assertion_type="+cs.Tools.me.urlEncode(This.clientAssertionType)
-			$params+="&client_assertion="+$bearer
-			
+			$params.addQueryParameter("grant_type"; This.grantType)
+			$params.addQueryParameter("client_id"; This.clientId)
+			$params.addQueryParameter("scope"; cs.Tools.me.urlEncode(This.scope))
+			$params.addQueryParameter("client_assertion_type"; cs.Tools.me.urlEncode(This.clientAssertionType))
+			$params.addQueryParameter("client_assertion"; $bearer)
+
 		Else 
-			
-			$params:="client_id="+This.clientId
+
+			$params.addQueryParameter("client_id"; This.clientId)
 			If (Length(This.scope)>0)
-				$params+="&scope="+cs.Tools.me.urlEncode(This.scope)
+				$params.addQueryParameter("scope"; cs.Tools.me.urlEncode(This.scope))
 			End if 
-			$params+="&client_secret="+This.clientSecret
-			$params+="&grant_type="+This.grantType
+			$params.addQueryParameter("client_secret"; This.clientSecret)
+			$params.addQueryParameter("grant_type"; This.grantType)
 			
 	End case 
 	
-	$result:=This._sendTokenRequest($params)
+	$result:=This._sendTokenRequest($params.getQueryString())
 	
 	return $result
 	
@@ -918,34 +924,37 @@ Function get authenticateURI() : Text
 	If (This._isSignedIn())
 		
 		var $scope : Text:=This.scope
-		var $state : Text:=This._state
+		var $state : Text:=This.state
 		var $redirectURI : Text:=This.redirectURI
-		var $urlParams : Text
+		var $urlParams : cs.URL:=cs.URL.new()
 		
-		$urlParams:="?client_id="+This.clientId
-		$urlParams+="&response_type=code"
+		$urlParams.addQueryParameter("client_id"; This.clientId)
+		$urlParams.addQueryParameter("response_type"; "code")
 		If (Length(String($scope))>0)
-			$urlParams+="&scope="+cs.Tools.me.urlEncode($scope)
+			$urlParams.addQueryParameter("scope"; cs.Tools.me.urlEncode($scope))
 		End if 
-		$urlParams+="&state="+String($state)
-		$urlParams+="&response_mode=query"
-		$urlParams+="&redirect_uri="+cs.Tools.me.urlEncode($redirectURI)
+		$urlParams.addQueryParameter("state"; String($state))
+		$urlParams.addQueryParameter("response_mode"; "query")
+		$urlParams.addQueryParameter("redirect_uri"; cs.Tools.me.urlEncode($redirectURI))
 		If (This.PKCEEnabled)
-			$urlParams+="&code_challenge="+This._generateCodeChallenge(This.codeVerifier)
-			$urlParams+="&code_challenge_method="+String(This.PKCEMethod)
+			$urlParams.addQueryParameter("code_challenge"; This._generateCodeChallenge(This.codeVerifier))
+			$urlParams.addQueryParameter("code_challenge_method"; String(This.PKCEMethod))
 		Else 
 			If (Length(String(This.accessType))>0)
-				$urlParams+="&access_type="+This.accessType
+				$urlParams.addQueryParameter("access_type"; This.accessType)
 			End if 
 			If (Length(String(This.loginHint))>0)
-				$urlParams+="&login_hint="+This.loginHint
+				$urlParams.addQueryParameter("login_hint"; This.loginHint)
 			End if 
 			If (Length(String(This.prompt))>0)
-				$urlParams+="&prompt="+This.prompt
+				$urlParams.addQueryParameter("prompt"; This.prompt)
 			End if 
 		End if 
+		If (Length(String(This.nonce))>0)
+			$urlParams.addQueryParameter("nonce"; This.nonce)
+		End if 
 		
-		$authenticateURI+=$urlParams
+		$authenticateURI+=$urlParams.getQueryString()
 	End if 
 	
 	return $authenticateURI
