mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-10 01:34:45 -06:00
SSO use ClientSecretPost if ClientSecretBasic is not available (#7357)
Co-authored-by: Timshel <timshel@users.noreply.github.com>
This commit is contained in:
parent
5c5e8e1a6f
commit
5447ee6af2
@ -1,16 +1,16 @@
|
|||||||
use std::{borrow::Cow, future::Future, pin::Pin, sync::LazyLock, time::Duration};
|
use std::{borrow::Cow, collections::HashSet, future::Future, pin::Pin, sync::LazyLock, time::Duration};
|
||||||
|
|
||||||
use openidconnect::{
|
use openidconnect::{
|
||||||
AccessToken, AsyncHttpClient, AuthDisplay, AuthPrompt, AuthenticationFlow, AuthorizationCode, AuthorizationRequest,
|
AccessToken, AsyncHttpClient, AuthDisplay, AuthPrompt, AuthType, AuthenticationFlow, AuthorizationCode,
|
||||||
ClientId, ClientSecret, CsrfToken, EmptyAdditionalClaims, EmptyExtraTokenFields, EndpointNotSet, EndpointSet,
|
AuthorizationRequest, ClientId, ClientSecret, CsrfToken, EmptyAdditionalClaims, EmptyExtraTokenFields,
|
||||||
HttpClientError, HttpRequest, HttpResponse, IdTokenClaims, IdTokenFields, Nonce, OAuth2TokenResponse,
|
EndpointNotSet, EndpointSet, HttpClientError, HttpRequest, HttpResponse, IdTokenClaims, IdTokenFields, Nonce,
|
||||||
PkceCodeChallenge, PkceCodeVerifier, RefreshToken, ResponseType, Scope, StandardErrorResponse,
|
OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RefreshToken, ResponseType, Scope, StandardErrorResponse,
|
||||||
StandardTokenResponse,
|
StandardTokenResponse,
|
||||||
core::{
|
core::{
|
||||||
CoreAuthDisplay, CoreAuthPrompt, CoreClient, CoreErrorResponseType, CoreGenderClaim, CoreIdTokenVerifier,
|
CoreAuthDisplay, CoreAuthPrompt, CoreClient, CoreClientAuthMethod, CoreErrorResponseType, CoreGenderClaim,
|
||||||
CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm, CoreProviderMetadata,
|
CoreIdTokenVerifier, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm,
|
||||||
CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse, CoreTokenIntrospectionResponse,
|
CoreProviderMetadata, CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse,
|
||||||
CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
|
CoreTokenIntrospectionResponse, CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
|
||||||
},
|
},
|
||||||
http, url,
|
http, url,
|
||||||
};
|
};
|
||||||
@ -119,7 +119,21 @@ impl Client {
|
|||||||
Ok(metadata) => metadata,
|
Ok(metadata) => metadata,
|
||||||
};
|
};
|
||||||
|
|
||||||
let base_client = CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret));
|
let auth_methods: Option<HashSet<CoreClientAuthMethod>> = provider_metadata
|
||||||
|
.token_endpoint_auth_methods_supported()
|
||||||
|
.map(|v| v.iter().map(ToOwned::to_owned).collect());
|
||||||
|
|
||||||
|
let mut base_client = CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret));
|
||||||
|
|
||||||
|
if let Some(am) = auth_methods {
|
||||||
|
if am.contains(&CoreClientAuthMethod::ClientSecretBasic) {
|
||||||
|
base_client = base_client.set_auth_type(AuthType::BasicAuth); // Default
|
||||||
|
} else if am.contains(&CoreClientAuthMethod::ClientSecretPost) {
|
||||||
|
base_client = base_client.set_auth_type(AuthType::RequestBody);
|
||||||
|
} else {
|
||||||
|
err!(format!("No supported auth_methods (only basic or request body), advertised: {am:?}"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let token_uri = if let Some(uri) = base_client.token_uri() {
|
let token_uri = if let Some(uri) = base_client.token_uri() {
|
||||||
uri.clone()
|
uri.clone()
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user