Add support to PKCE in OIDC connector (#3777)

johnvan7 · web-flow · commit 25591eeaf41a · 2026-02-22T22:37:10.000+01:00
Signed-off-by: johnvan7 &lt;giovanni.vella98@gmail.com&gt;
Signed-off-by: Giovanni Vella &lt;giovanni.vella98@gmail.com&gt;
diff --git a/connector/bitbucketcloud/bitbucketcloud.go b/connector/bitbucketcloud/bitbucketcloud.go
@@ -111,12 +111,12 @@ func (b *bitbucketConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
 	}
 }
 
-func (b *bitbucketConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (b *bitbucketConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if b.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, b.redirectURI)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, b.redirectURI)
 	}
 
-	return b.oauth2Config(scopes).AuthCodeURL(state), nil
+	return b.oauth2Config(scopes).AuthCodeURL(state), nil, nil
 }
 
 type oauth2Error struct {
@@ -131,7 +131,7 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-func (b *bitbucketConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (b *bitbucketConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/bitbucketcloud/bitbucketcloud_test.go b/connector/bitbucketcloud/bitbucketcloud_test.go
@@ -102,7 +102,7 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 	expectNil(t, err)
 
 	bitbucketConnector := bitbucketConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
-	identity, err := bitbucketConnector.HandleCallback(connector.Scopes{}, req)
+	identity, err := bitbucketConnector.HandleCallback(connector.Scopes{}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some-login")
diff --git a/connector/connector.go b/connector/connector.go
@@ -63,10 +63,10 @@ type CallbackConnector interface {
 	// requested if one has already been issues. There's no good general answer
 	// for these kind of restrictions, and may require this package to become more
 	// aware of the global set of user/connector interactions.
-	LoginURL(s Scopes, callbackURL, state string) (string, error)
+	LoginURL(s Scopes, callbackURL, state string) (string, []byte, error)
 
 	// Handle the callback to the server and return an identity.
-	HandleCallback(s Scopes, r *http.Request) (identity Identity, err error)
+	HandleCallback(s Scopes, connData []byte, r *http.Request) (identity Identity, err error)
 }
 
 // SAMLConnector represents SAML connectors which implement the HTTP POST binding.
diff --git a/connector/gitea/gitea.go b/connector/gitea/gitea.go
@@ -102,11 +102,11 @@ func (c *giteaConnector) oauth2Config(_ connector.Scopes) *oauth2.Config {
 	}
 }
 
-func (c *giteaConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (c *giteaConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)
 	}
-	return c.oauth2Config(scopes).AuthCodeURL(state), nil
+	return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil
 }
 
 type oauth2Error struct {
@@ -121,7 +121,7 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-func (c *giteaConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *giteaConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/gitea/gitea_test.go b/connector/gitea/gitea_test.go
@@ -30,14 +30,14 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 	expectNil(t, err)
 
 	c := giteaConnector{baseURL: s.URL, httpClient: newClient()}
-	identity, err := c.HandleCallback(connector.Scopes{}, req)
+	identity, err := c.HandleCallback(connector.Scopes{}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some@email.com")
 	expectEquals(t, identity.UserID, "12345678")
 
 	c = giteaConnector{baseURL: s.URL, httpClient: newClient()}
-	identity, err = c.HandleCallback(connector.Scopes{}, req)
+	identity, err = c.HandleCallback(connector.Scopes{}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some@email.com")
diff --git a/connector/github/github.go b/connector/github/github.go
@@ -194,12 +194,12 @@ func (c *githubConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
 	}
 }
 
-func (c *githubConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (c *githubConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
 	}
 
-	return c.oauth2Config(scopes).AuthCodeURL(state), nil
+	return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil
 }
 
 type oauth2Error struct {
@@ -214,7 +214,7 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-func (c *githubConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *githubConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/github/github_test.go b/connector/github/github_test.go
@@ -152,15 +152,15 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 	expectNil(t, err)
 
 	c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some-login")
 	expectEquals(t, identity.UserID, "12345678")
 	expectEquals(t, 0, len(identity.Groups))
 
 	c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
-	identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err = c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some-login")
@@ -193,7 +193,7 @@ func TestLoginUsedAsIDWhenConfigured(t *testing.T) {
 	expectNil(t, err)
 
 	c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), useLoginAsID: true}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.UserID, "some-login")
diff --git a/connector/gitlab/gitlab.go b/connector/gitlab/gitlab.go
@@ -122,11 +122,11 @@ func (c *gitlabConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
 	}
 }
 
-func (c *gitlabConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (c *gitlabConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)
 	}
-	return c.oauth2Config(scopes).AuthCodeURL(state), nil
+	return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil
 }
 
 type oauth2Error struct {
@@ -141,7 +141,7 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-func (c *gitlabConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *gitlabConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/gitlab/gitlab_test.go b/connector/gitlab/gitlab_test.go
@@ -247,15 +247,15 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 	expectNil(t, err)
 
 	c := gitlabConnector{baseURL: s.URL, httpClient: newClient()}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: false}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: false}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some@email.com")
 	expectEquals(t, identity.UserID, "12345678")
 	expectEquals(t, 0, len(identity.Groups))
 
 	c = gitlabConnector{baseURL: s.URL, httpClient: newClient()}
-	identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err = c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some@email.com")
@@ -283,7 +283,7 @@ func TestLoginUsedAsIDWhenConfigured(t *testing.T) {
 	expectNil(t, err)
 
 	c := gitlabConnector{baseURL: s.URL, httpClient: newClient(), useLoginAsID: true}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.UserID, "joebloggs")
@@ -310,7 +310,7 @@ func TestLoginWithTeamWhitelisted(t *testing.T) {
 	expectNil(t, err)
 
 	c := gitlabConnector{baseURL: s.URL, httpClient: newClient(), groups: []string{"team-1"}}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.UserID, "12345678")
@@ -337,7 +337,7 @@ func TestLoginWithTeamNonWhitelisted(t *testing.T) {
 	expectNil(t, err)
 
 	c := gitlabConnector{baseURL: s.URL, httpClient: newClient(), groups: []string{"team-2"}}
-	_, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
+	_, err = c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 
 	expectNotNil(t, err, "HandleCallback error")
 	expectEquals(t, err.Error(), "gitlab: get groups: gitlab: user \"joebloggs\" is not in any of the required groups")
@@ -371,7 +371,7 @@ func TestRefresh(t *testing.T) {
 	})
 	expectNil(t, err)
 
-	identity, err := c.HandleCallback(connector.Scopes{OfflineAccess: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{OfflineAccess: true}, nil, req)
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some@email.com")
 	expectEquals(t, identity.UserID, "12345678")
@@ -435,7 +435,7 @@ func TestGroupsWithPermission(t *testing.T) {
 	expectNil(t, err)
 
 	c := gitlabConnector{baseURL: s.URL, httpClient: newClient(), getGroupsPermission: true}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 	expectNil(t, err)
 
 	expectEquals(t, identity.Groups, []string{
diff --git a/connector/google/google.go b/connector/google/google.go
@@ -168,9 +168,9 @@ func (c *googleConnector) Close() error {
 	return nil
 }
 
-func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {
+func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
 	}
 
 	var opts []oauth2.AuthCodeOption
@@ -186,7 +186,7 @@ func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string
 		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
 	}
 
-	return c.oauth2Config.AuthCodeURL(state, opts...), nil
+	return c.oauth2Config.AuthCodeURL(state, opts...), nil, nil
 }
 
 type oauth2Error struct {
@@ -201,7 +201,7 @@ func (e *oauth2Error) Error() string {
 	return e.error + ": " + e.errorDescription
 }
 
-func (c *googleConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *googleConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/google/google_test.go b/connector/google/google_test.go
@@ -439,7 +439,7 @@ func TestPromptTypeConfig(t *testing.T) {
 			assert.Nil(t, err)
 			assert.Equal(t, test.expectedPromptTypeValue, conn.promptType)
 
-			loginURL, err := conn.LoginURL(connector.Scopes{OfflineAccess: true}, ts.URL+"/callback", "state")
+			loginURL, _, err := conn.LoginURL(connector.Scopes{OfflineAccess: true}, ts.URL+"/callback", "state")
 			assert.Nil(t, err)
 
 			urlp, err := url.Parse(loginURL)
diff --git a/connector/linkedin/linkedin.go b/connector/linkedin/linkedin.go
@@ -62,17 +62,17 @@ var (
 )
 
 // LoginURL returns an access token request URL
-func (c *linkedInConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (c *linkedInConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.oauth2Config.RedirectURL != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q",
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q",
 			callbackURL, c.oauth2Config.RedirectURL)
 	}
 
-	return c.oauth2Config.AuthCodeURL(state), nil
+	return c.oauth2Config.AuthCodeURL(state), nil, nil
 }
 
 // HandleCallback handles HTTP redirect from LinkedIn
-func (c *linkedInConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *linkedInConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go
@@ -175,9 +175,9 @@ func (c *microsoftConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
 	}
 }
 
-func (c *microsoftConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+func (c *microsoftConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	if c.redirectURI != callbackURL {
-		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
+		return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
 	}
 
 	var options []oauth2.AuthCodeOption
@@ -188,10 +188,10 @@ func (c *microsoftConnector) LoginURL(scopes connector.Scopes, callbackURL, stat
 		options = append(options, oauth2.SetAuthURLParam("domain_hint", c.domainHint))
 	}
 
-	return c.oauth2Config(scopes).AuthCodeURL(state, options...), nil
+	return c.oauth2Config(scopes).AuthCodeURL(state, options...), nil, nil
 }
 
-func (c *microsoftConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+func (c *microsoftConnector) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (identity connector.Identity, err error) {
 	q := r.URL.Query()
 	if errType := q.Get("error"); errType != "" {
 		return identity, &oauth2Error{errType, q.Get("error_description")}
diff --git a/connector/microsoft/microsoft_test.go b/connector/microsoft/microsoft_test.go
@@ -39,7 +39,7 @@ func TestLoginURL(t *testing.T) {
 		tenant:      tenant,
 	}
 
-	loginURL, _ := conn.LoginURL(connector.Scopes{}, conn.redirectURI, testState)
+	loginURL, _, _ := conn.LoginURL(connector.Scopes{}, conn.redirectURI, testState)
 
 	parsedLoginURL, _ := url.Parse(loginURL)
 	queryParams := parsedLoginURL.Query()
@@ -70,7 +70,7 @@ func TestLoginURLWithOptions(t *testing.T) {
 		domainHint: domainHint,
 	}
 
-	loginURL, _ := conn.LoginURL(connector.Scopes{}, conn.redirectURI, "some-state")
+	loginURL, _, _ := conn.LoginURL(connector.Scopes{}, conn.redirectURI, "some-state")
 
 	parsedLoginURL, _ := url.Parse(loginURL)
 	queryParams := parsedLoginURL.Query()
@@ -91,7 +91,7 @@ func TestUserIdentityFromGraphAPI(t *testing.T) {
 	req, _ := http.NewRequest("GET", s.URL, nil)
 
 	c := microsoftConnector{apiURL: s.URL, graphURL: s.URL, tenant: tenant}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: false}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: false}, nil, req)
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "Jane Doe")
 	expectEquals(t, identity.UserID, "S56767889")
@@ -114,7 +114,7 @@ func TestUserGroupsFromGraphAPI(t *testing.T) {
 	req, _ := http.NewRequest("GET", s.URL, nil)
 
 	c := microsoftConnector{apiURL: s.URL, graphURL: s.URL, tenant: tenant}
-	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, nil, req)
 	expectNil(t, err)
 	expectEquals(t, identity.Groups, []string{"a", "b"})
 }
diff --git a/connector/mock/connectortest.go b/connector/mock/connectortest.go
@@ -43,21 +43,21 @@ type Callback struct {
 }
 
 // LoginURL returns the URL to redirect the user to login with.
-func (m *Callback) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {
+func (m *Callback) LoginURL(s connector.Scopes, callbackURL, state string) (string, []byte, error) {
 	u, err := url.Parse(callbackURL)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err)
+		return "", nil, fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err)
 	}
 	v := u.Query()
 	v.Set("state", state)
 	u.RawQuery = v.Encode()
-	return u.String(), nil
+	return u.String(), nil, nil
 }
 
 var connectorData = []byte("foobar")
 
 // HandleCallback parses the request and returns the user's identity
-func (m *Callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) {
+func (m *Callback) HandleCallback(s connector.Scopes, connData []byte, r *http.Request) (connector.Identity, error) {
 	return m.Identity, nil
 }
 
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go
diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go
diff --git a/connector/openshift/openshift_test.go b/connector/openshift/openshift_test.go
diff --git a/server/handlers.go b/server/handlers.go

Original file line number	Diff line number	Diff line change
`@@ -111,12 +111,12 @@ func (b bitbucketConnector) oauth2Config(scopes connector.Scopes) oauth2.Confi`
`111`	`111`	`}`
`112`	`112`	`}`
`113`	`113`
`114`		`-func (b *bitbucketConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {`
	`114`	`+func (b *bitbucketConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {`
`115`	`115`	`if b.redirectURI != callbackURL {`
`116`		`- return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, b.redirectURI)`
	`116`	`+ return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, b.redirectURI)`
`117`	`117`	`}`
`118`	`118`
`119`		`- return b.oauth2Config(scopes).AuthCodeURL(state), nil`
	`119`	`+ return b.oauth2Config(scopes).AuthCodeURL(state), nil, nil`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`type oauth2Error struct {`
`@@ -131,7 +131,7 @@ func (e *oauth2Error) Error() string {`
`131`	`131`	`return e.error + ": " + e.errorDescription`
`132`	`132`	`}`
`133`	`133`
`134`		`-func (b bitbucketConnector) HandleCallback(s connector.Scopes, r http.Request) (identity connector.Identity, err error) {`
	`134`	`+func (b bitbucketConnector) HandleCallback(s connector.Scopes, connData []byte, r http.Request) (identity connector.Identity, err error) {`
`135`	`135`	`q := r.URL.Query()`
`136`	`136`	`if errType := q.Get("error"); errType != "" {`
`137`	`137`	`return identity, &oauth2Error{errType, q.Get("error_description")}`
Original file line number	Diff line number	Diff line change
`@@ -102,11 +102,11 @@ func (c giteaConnector) oauth2Config(_ connector.Scopes) oauth2.Config {`
`102`	`102`	`}`
`103`	`103`	`}`
`104`	`104`
`105`		`-func (c *giteaConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {`
	`105`	`+func (c *giteaConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {`
`106`	`106`	`if c.redirectURI != callbackURL {`
`107`		`- return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)`
	`107`	`+ return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)`
`108`	`108`	`}`
`109`		`- return c.oauth2Config(scopes).AuthCodeURL(state), nil`
	`109`	`+ return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`type oauth2Error struct {`
`@@ -121,7 +121,7 @@ func (e *oauth2Error) Error() string {`
`121`	`121`	`return e.error + ": " + e.errorDescription`
`122`	`122`	`}`
`123`	`123`
`124`		`-func (c giteaConnector) HandleCallback(s connector.Scopes, r http.Request) (identity connector.Identity, err error) {`
	`124`	`+func (c giteaConnector) HandleCallback(s connector.Scopes, connData []byte, r http.Request) (identity connector.Identity, err error) {`
`125`	`125`	`q := r.URL.Query()`
`126`	`126`	`if errType := q.Get("error"); errType != "" {`
`127`	`127`	`return identity, &oauth2Error{errType, q.Get("error_description")}`
Original file line number	Diff line number	Diff line change
`@@ -194,12 +194,12 @@ func (c githubConnector) oauth2Config(scopes connector.Scopes) oauth2.Config {`
`194`	`194`	`}`
`195`	`195`	`}`
`196`	`196`
`197`		`-func (c *githubConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {`
	`197`	`+func (c *githubConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {`
`198`	`198`	`if c.redirectURI != callbackURL {`
`199`		`- return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)`
	`199`	`+ return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)`
`200`	`200`	`}`
`201`	`201`
`202`		`- return c.oauth2Config(scopes).AuthCodeURL(state), nil`
	`202`	`+ return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`type oauth2Error struct {`
`@@ -214,7 +214,7 @@ func (e *oauth2Error) Error() string {`
`214`	`214`	`return e.error + ": " + e.errorDescription`
`215`	`215`	`}`
`216`	`216`
`217`		`-func (c githubConnector) HandleCallback(s connector.Scopes, r http.Request) (identity connector.Identity, err error) {`
	`217`	`+func (c githubConnector) HandleCallback(s connector.Scopes, connData []byte, r http.Request) (identity connector.Identity, err error) {`
`218`	`218`	`q := r.URL.Query()`
`219`	`219`	`if errType := q.Get("error"); errType != "" {`
`220`	`220`	`return identity, &oauth2Error{errType, q.Get("error_description")}`
Original file line number	Diff line number	Diff line change
`@@ -122,11 +122,11 @@ func (c gitlabConnector) oauth2Config(scopes connector.Scopes) oauth2.Config {`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`
`125`		`-func (c *gitlabConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {`
	`125`	`+func (c *gitlabConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, []byte, error) {`
`126`	`126`	`if c.redirectURI != callbackURL {`
`127`		`- return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)`
	`127`	`+ return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", c.redirectURI, callbackURL)`
`128`	`128`	`}`
`129`		`- return c.oauth2Config(scopes).AuthCodeURL(state), nil`
	`129`	`+ return c.oauth2Config(scopes).AuthCodeURL(state), nil, nil`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`type oauth2Error struct {`
`@@ -141,7 +141,7 @@ func (e *oauth2Error) Error() string {`
`141`	`141`	`return e.error + ": " + e.errorDescription`
`142`	`142`	`}`
`143`	`143`
`144`		`-func (c gitlabConnector) HandleCallback(s connector.Scopes, r http.Request) (identity connector.Identity, err error) {`
	`144`	`+func (c gitlabConnector) HandleCallback(s connector.Scopes, connData []byte, r http.Request) (identity connector.Identity, err error) {`
`145`	`145`	`q := r.URL.Query()`
`146`	`146`	`if errType := q.Get("error"); errType != "" {`
`147`	`147`	`return identity, &oauth2Error{errType, q.Get("error_description")}`
Original file line number	Diff line number	Diff line change
`@@ -168,9 +168,9 @@ func (c *googleConnector) Close() error {`
`168`	`168`	`return nil`
`169`	`169`	`}`
`170`	`170`
`171`		`-func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {`
	`171`	`+func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string) (string, []byte, error) {`
`172`	`172`	`if c.redirectURI != callbackURL {`
`173`		`- return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)`
	`173`	`+ return "", nil, fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)`
`174`	`174`	`}`
`175`	`175`
`176`	`176`	`var opts []oauth2.AuthCodeOption`
`@@ -186,7 +186,7 @@ func (c *googleConnector) LoginURL(s connector.Scopes, callbackURL, state string`
`186`	`186`	`opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))`
`187`	`187`	`}`
`188`	`188`
`189`		`- return c.oauth2Config.AuthCodeURL(state, opts...), nil`
	`189`	`+ return c.oauth2Config.AuthCodeURL(state, opts...), nil, nil`
`190`	`190`	`}`
`191`	`191`
`192`	`192`	`type oauth2Error struct {`
`@@ -201,7 +201,7 @@ func (e *oauth2Error) Error() string {`
`201`	`201`	`return e.error + ": " + e.errorDescription`
`202`	`202`	`}`
`203`	`203`
`204`		`-func (c googleConnector) HandleCallback(s connector.Scopes, r http.Request) (identity connector.Identity, err error) {`
	`204`	`+func (c googleConnector) HandleCallback(s connector.Scopes, connData []byte, r http.Request) (identity connector.Identity, err error) {`
`205`	`205`	`q := r.URL.Query()`
`206`	`206`	`if errType := q.Get("error"); errType != "" {`
`207`	`207`	`return identity, &oauth2Error{errType, q.Get("error_description")}`