fix: implicit scopes not granted

This fixes an issue where the intended implicit scopes were not granted.
authelia · Mar 11, 2024 · 5bc6215 · 5bc6215
1 parent ec78472
commit 5bc6215
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 9 deletions.
diff --git a/handler/oauth2/flow_client_credentials.go b/handler/oauth2/flow_client_credentials.go
@@ -45,13 +45,13 @@ func (c *ClientCredentialsGrantHandler) HandleTokenEndpointRequest(ctx context.C
 
 	if len(scopes) == 0 {
 		if pclient, ok := client.(oauth2.ClientCredentialsFlowRequestedScopeImplicitClient); ok && pclient.GetClientCredentialsFlowRequestedScopeImplicit() {
-			scopes = client.GetScopes()
+			request.SetRequestedScopes(client.GetScopes())
 		}
-	}
-
-	for _, scope := range scopes {
-		if !c.Config.GetScopeStrategy(ctx)(client.GetScopes(), scope) {
-			return errorsx.WithStack(oauth2.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
+	} else {
+		for _, scope := range scopes {
+			if !c.Config.GetScopeStrategy(ctx)(client.GetScopes(), scope) {
+				return errorsx.WithStack(oauth2.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
+			}
 		}
 	}
 

diff --git a/handler/oauth2/flow_client_credentials_test.go b/handler/oauth2/flow_client_credentials_test.go
@@ -185,6 +185,7 @@ func TestClientCredentialsGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 							ID:         "test",
 							GrantTypes: []string{consts.GrantTypeClientCredentials},
 							Audience:   []string{"https://example.com"},
+							Scopes:     []string{"openid"},
 						},
 					},
 				},
@@ -205,6 +206,7 @@ func TestClientCredentialsGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 						ID:         "test",
 						GrantTypes: []string{consts.GrantTypeClientCredentials},
 						Audience:   []string{"https://example.com"},
+						Scopes:     []string{"openid"},
 					},
 				},
 			},
@@ -225,8 +227,9 @@ func TestClientCredentialsGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 							ID:         "test",
 							GrantTypes: []string{consts.GrantTypeClientCredentials},
 							Audience:   []string{"https://example.com"},
+							Scopes:     []string{"openid"},
 						},
-						implicit: true,
+						audience: true,
 					},
 				},
 			},
@@ -239,6 +242,61 @@ func TestClientCredentialsGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 			},
 			"",
 		},
+		{
+			"ShouldSuccessfullyGrantAllScopes",
+			&oauth2.AccessRequest{
+				GrantTypes: oauth2.Arguments{consts.GrantTypeClientCredentials},
+				Request: oauth2.Request{
+					Session: &oauth2.DefaultSession{},
+					Client: &TestRequestedAudienceClient{
+						DefaultClient: &oauth2.DefaultClient{
+							ID:         "test",
+							GrantTypes: []string{consts.GrantTypeClientCredentials},
+							Audience:   []string{"https://exmaple.com"},
+							Scopes:     []string{"openid"},
+						},
+						scopes: true,
+					},
+				},
+			},
+			&oauth2.AccessRequest{
+				GrantTypes: oauth2.Arguments{consts.GrantTypeClientCredentials},
+				Request: oauth2.Request{
+					RequestedScope: []string{"openid"},
+					GrantedScope:   []string{"openid"},
+				},
+			},
+			"",
+		},
+		{
+			"ShouldSuccessfullyGrantAllScopesAndAudiences",
+			&oauth2.AccessRequest{
+				GrantTypes: oauth2.Arguments{consts.GrantTypeClientCredentials},
+				Request: oauth2.Request{
+					Session: &oauth2.DefaultSession{},
+					Client: &TestRequestedAudienceClient{
+						DefaultClient: &oauth2.DefaultClient{
+							ID:         "test",
+							GrantTypes: []string{consts.GrantTypeClientCredentials},
+							Audience:   []string{"https://exmaple.com"},
+							Scopes:     []string{"openid"},
+						},
+						scopes:   true,
+						audience: true,
+					},
+				},
+			},
+			&oauth2.AccessRequest{
+				GrantTypes: oauth2.Arguments{consts.GrantTypeClientCredentials},
+				Request: oauth2.Request{
+					RequestedScope:    []string{"openid"},
+					RequestedAudience: []string{"https://exmaple.com"},
+					GrantedScope:      []string{"openid"},
+					GrantedAudience:   []string{"https://exmaple.com"},
+				},
+			},
+			"",
+		},
 	}
 
 	for _, tc := range testCases {
@@ -296,9 +354,14 @@ func TestClientCredentialsGrantHandler_HandleTokenEndpointRequest(t *testing.T)
 type TestRequestedAudienceClient struct {
 	*oauth2.DefaultClient
 
-	implicit bool
+	audience bool
+	scopes   bool
 }
 
 func (c *TestRequestedAudienceClient) GetRequestedAudienceImplicit() bool {
-	return c.implicit
+	return c.audience
+}
+
+func (c *TestRequestedAudienceClient) GetClientCredentialsFlowRequestedScopeImplicit() bool {
+	return c.scopes
 }