Allow setting the response_mode on upstream OAuth 2.0 providers

Author: sandhose

crates/cli/src/sync.rs

@@ -232,6 +232,15 @@ pub async fn config_sync(
                 }
             };
 
+            let response_mode = match provider.response_mode {
+                mas_config::UpstreamOAuth2ResponseMode::Query => {
+                    mas_data_model::UpstreamOAuthProviderResponseMode::Query
+                }
+                mas_config::UpstreamOAuth2ResponseMode::FormPost => {
+                    mas_data_model::UpstreamOAuthProviderResponseMode::FormPost
+                }
+            };
+
             if discovery_mode.is_disabled() {
                 if provider.authorization_endpoint.is_none() {
                     error!("Provider has discovery disabled but no authorization endpoint set");
@@ -279,6 +288,7 @@ pub async fn config_sync(
                         jwks_uri_override: provider.jwks_uri,
                         discovery_mode,
                         pkce_mode,
+                        response_mode,
                         additional_authorization_parameters: provider
                             .additional_authorization_parameters
                             .into_iter()

crates/config/src/sections/mod.rs

@@ -51,6 +51,7 @@ pub use self::{
         ClaimsImports as UpstreamOAuth2ClaimsImports, DiscoveryMode as UpstreamOAuth2DiscoveryMode,
         EmailImportPreference as UpstreamOAuth2EmailImportPreference,
         ImportAction as UpstreamOAuth2ImportAction, PkceMethod as UpstreamOAuth2PkceMethod,
+        ResponseMode as UpstreamOAuth2ResponseMode,
         SetEmailVerification as UpstreamOAuth2SetEmailVerification,
         TokenAuthMethod as UpstreamOAuth2TokenAuthMethod, UpstreamOAuth2Config,
     },

crates/config/src/sections/upstream_oauth2.rs

@@ -105,6 +105,29 @@ impl ConfigurationSection for UpstreamOAuth2Config {
     }
 }
 
+/// The response mode we ask the provider to use for the callback
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default, JsonSchema)]
+#[serde(rename_all = "snake_case")]
+pub enum ResponseMode {
+    /// `query`: The provider will send the response as a query string in the
+    /// URL search parameters
+    #[default]
+    Query,
+
+    /// `form_post`: The provider will send the response as a POST request with
+    /// the response parameters in the request body
+    ///
+    /// <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>
+    FormPost,
+}
+
+impl ResponseMode {
+    #[allow(clippy::trivially_copy_pass_by_ref)]
+    const fn is_default(&self) -> bool {
+        matches!(self, ResponseMode::Query)
+    }
+}
+
 /// Authentication methods used against the OAuth 2.0 provider
 #[derive(Debug, Clone, Copy, Serialize, Deserialize, JsonSchema)]
 #[serde(rename_all = "snake_case")]
@@ -460,6 +483,10 @@ pub struct Provider {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub jwks_uri: Option<Url>,
 
+    /// The response mode we ask the provider to use for the callback
+    #[serde(default, skip_serializing_if = "ResponseMode::is_default")]
+    pub response_mode: ResponseMode,
+
     /// How claims should be imported from the `id_token` provided by the
     /// provider
     #[serde(default, skip_serializing_if = "ClaimsImports::is_default")]

crates/data-model/src/lib.rs

@@ -41,8 +41,8 @@ pub use self::{
         UpstreamOAuthAuthorizationSessionState, UpstreamOAuthLink, UpstreamOAuthProvider,
         UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderDiscoveryMode,
         UpstreamOAuthProviderImportAction, UpstreamOAuthProviderImportPreference,
-        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderSubjectPreference,
-        UpstreamOAuthProviderTokenAuthMethod,
+        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderResponseMode,
+        UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProviderTokenAuthMethod,
     },
     user_agent::{DeviceType, UserAgent},
     users::{

crates/data-model/src/upstream_oauth2/mod.rs

@@ -16,6 +16,7 @@ pub use self::{
         ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference,
         PkceMode as UpstreamOAuthProviderPkceMode,
+        ResponseMode as UpstreamOAuthProviderResponseMode,
         SetEmailVerification as UpsreamOAuthProviderSetEmailVerification,
         SubjectPreference as UpstreamOAuthProviderSubjectPreference,
         TokenAuthMethod as UpstreamOAuthProviderTokenAuthMethod, UpstreamOAuthProvider,

crates/data-model/src/upstream_oauth2/provider.rs

@@ -116,6 +116,55 @@ impl std::fmt::Display for PkceMode {
     }
 }
 
+#[derive(Debug, Clone, Error)]
+#[error("Invalid response mode {0:?}")]
+pub struct InvalidResponseModeError(String);
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum ResponseMode {
+    #[default]
+    Query,
+    FormPost,
+}
+
+impl From<ResponseMode> for oauth2_types::requests::ResponseMode {
+    fn from(value: ResponseMode) -> Self {
+        match value {
+            ResponseMode::Query => oauth2_types::requests::ResponseMode::Query,
+            ResponseMode::FormPost => oauth2_types::requests::ResponseMode::FormPost,
+        }
+    }
+}
+
+impl ResponseMode {
+    #[must_use]
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Query => "query",
+            Self::FormPost => "form_post",
+        }
+    }
+}
+
+impl std::fmt::Display for ResponseMode {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(self.as_str())
+    }
+}
+
+impl std::str::FromStr for ResponseMode {
+    type Err = InvalidResponseModeError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "query" => Ok(ResponseMode::Query),
+            "form_post" => Ok(ResponseMode::FormPost),
+            s => Err(InvalidResponseModeError(s.to_owned())),
+        }
+    }
+}
+
 #[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "snake_case")]
 pub enum TokenAuthMethod {
@@ -183,6 +232,7 @@ pub struct UpstreamOAuthProvider {
     pub encrypted_client_secret: Option<String>,
     pub token_endpoint_signing_alg: Option<JsonWebSignatureAlg>,
     pub token_endpoint_auth_method: TokenAuthMethod,
+    pub response_mode: ResponseMode,
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
     pub claims_imports: ClaimsImports,

crates/handlers/src/upstream_oauth2/authorize.rs

@@ -87,7 +87,8 @@ pub(crate) async fn get(
         provider.client_id.clone(),
         provider.scope.clone(),
         redirect_uri,
-    );
+    )
+    .with_response_mode(provider.response_mode.into());
 
     let data = if let Some(methods) = lazy_metadata.pkce_methods().await? {
         data.with_code_challenge_methods_supported(methods)

crates/handlers/src/upstream_oauth2/cache.rs

@@ -389,12 +389,13 @@ mod tests {
             pkce_mode: UpstreamOAuthProviderPkceMode::Auto,
             jwks_uri_override: None,
             authorization_endpoint_override: None,
-            token_endpoint_override: None,
             scope: Scope::from_iter([OPENID]),
+            token_endpoint_override: None,
             client_id: "client_id".to_owned(),
             encrypted_client_secret: None,
             token_endpoint_signing_alg: None,
             token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
+            response_mode: mas_data_model::UpstreamOAuthProviderResponseMode::Query,
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),

crates/handlers/src/upstream_oauth2/link.rs

@@ -917,6 +917,7 @@ mod tests {
                     jwks_uri_override: None,
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
+                    response_mode: mas_data_model::UpstreamOAuthProviderResponseMode::Query,
                     additional_authorization_parameters: Vec::new(),
                 },
             )

crates/handlers/src/views/login.rs

@@ -411,6 +411,7 @@ mod test {
                     jwks_uri_override: None,
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
+                    response_mode: mas_data_model::UpstreamOAuthProviderResponseMode::Query,
                     additional_authorization_parameters: Vec::new(),
                 },
             )
@@ -446,6 +447,7 @@ mod test {
                     jwks_uri_override: None,
                     discovery_mode: mas_data_model::UpstreamOAuthProviderDiscoveryMode::Oidc,
                     pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
+                    response_mode: mas_data_model::UpstreamOAuthProviderResponseMode::Query,
                     additional_authorization_parameters: Vec::new(),
                 },
             )