fix: pkce flow for oauth login

lakhansamani · lakhansamani · commit e5fbaa26e19f · 2024-01-08T14:21:24.000+05:30
diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go
@@ -123,7 +123,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 
 		// TODO add state with timeout
 		// used for response mode query or fragment
-		authState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
+		authState := "state=" + state + "&scope=" + scopeString + "&redirect_uri=" + redirectURI
 		if responseType == constants.ResponseTypeCode {
 			authState += "&code=" + code
 			if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil {
diff --git a/server/handlers/oauth_callback.go b/server/handlers/oauth_callback.go
@@ -53,7 +53,16 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
-		scopes := strings.Split(sessionSplit[3], ",")
+		scopeString := sessionSplit[3]
+		scopes := []string{}
+		if scopeString != "" {
+			if strings.Contains(scopeString, ",") {
+				scopes = strings.Split(scopeString, ",")
+			}
+			if strings.Contains(scopeString, " ") {
+				scopes = strings.Split(scopeString, " ")
+			}
+		}
 		var user *models.User
 		oauthCode := ctx.Request.FormValue("code")
 		if oauthCode == "" {
diff --git a/server/handlers/token.go b/server/handlers/token.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -105,7 +106,7 @@ func TokenHandler() gin.HandlerFunc {
 
 			if codeVerifier == "" && clientSecret == "" {
 				gc.JSON(http.StatusBadRequest, gin.H{
-					"error":             "invalid_dat",
+					"error":             "invalid_data",
 					"error_description": "The code verifier or client secret is required",
 				})
 				return
@@ -263,12 +264,14 @@ func TokenHandler() gin.HandlerFunc {
 			"roles":        roles,
 			"expires_in":   expiresIn,
 		}
-
+		fmt.Println("=> scopes:", scope)
+		fmt.Println("=> refreshToken:", authToken.RefreshToken)
 		if authToken.RefreshToken != nil {
+			log.Debug("Refresh token is present: ", fmt.Sprintf("%s:%s", sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint))
 			res["refresh_token"] = authToken.RefreshToken.Token
 			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
-
+		fmt.Printf("=> res %v", res)
 		gc.JSON(http.StatusOK, res)
 	}
 }
diff --git a/server/token/auth_token.go b/server/token/auth_token.go
@@ -91,7 +91,6 @@ func CreateAuthToken(gc *gin.Context, user *models.User, roles, scope []string,
 		AccessToken:           &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
 		IDToken:               &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},
 	}
-
 	if utils.StringSliceContains(scope, "offline_access") {
 		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod)
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,6 @@ func CreateAuthToken(gc gin.Context, user models.User, roles, scope []string,`
`91`	`91`	`AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},`
`92`	`92`	`IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},`
`93`	`93`	`}`
`94`		`-`
`95`	`94`	`if utils.StringSliceContains(scope, "offline_access") {`
`96`	`95`	`refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod)`
`97`	`96`	`if err != nil {`