git-mirrors/continuwuity
1
0
Fork 0
mirror of https://forgejo.ellis.link/continuwuation/continuwuity.git synced 2025-09-10 13:12:49 +02:00
Code Issues Projects Releases Packages Wiki Activity

OIDC: make response_mode optional

Browse source 
Fractal omits the `response_mode` field when in an auth flow (its value must be
the literal "S256", so it's mainly here for OIDC compliance I guess). Accepting
this lets it proceed to the next authentication step.
This commit is contained in:
lafleur 2025-08-09 01:03:44 +02:00
commit 696adfc90b
2 changed files with 4 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/web/oidc/consent.rs
View file

@ -1,4 +1,3 @@
use std::borrow::Cow;
use askama::Template; use askama::Template;
use axum::http::StatusCode; use axum::http::StatusCode;
use oxide_auth::frontends::simple::request::Body; use oxide_auth::frontends::simple::request::Body;
@ -27,11 +26,7 @@ pub fn oidc_consent_form(hostname: &str, query: &AuthorizationQuery) -> OidcResp
/// Render the html contents of the user consent page. /// Render the html contents of the user consent page.
fn consent_page(hostname: &str, query: &AuthorizationQuery, route: &str, nonce: &str) -> String { fn consent_page(hostname: &str, query: &AuthorizationQuery, route: &str, nonce: &str) -> String {
let response_mode = &query.response_mode.clone() let response_mode = &query.response_mode.clone().unwrap_or("fragment".to_string());
.unwrap_or_else(|| match query.redirect_uri.scheme() {
| "https" => Cow::Borrowed("fragment"),
| _ => Cow::Borrowed("query")
});
let template = ConsentPageTemplate { let template = ConsentPageTemplate {
nonce, nonce,
hostname, hostname,

15
src/web/oidc/login.rs
View file

@ -62,13 +62,9 @@ impl TryFrom<OidcRequest> for LoginQuery {
let Ok(redirect_uri) = Url::from_str(&redirect_uri) else { let Ok(redirect_uri) = Url::from_str(&redirect_uri) else {
return Err(LoginError("invalid field: redirect_uri".to_owned())); return Err(LoginError("invalid field: redirect_uri".to_owned()));
}; };
// response_mode is not strictly needed : its value defaults to "fragment" // response_mode is not strictly needed : it must be the literal "fragment"
// when over https. It's required by the spec but Fractal doesn't provide it. // when over https. It's required by the spec but Fractal doesn't provide it.
let response_mode = body.unique_value("response_mode") let response_mode = body.unique_value("response_mode").unwrap_or(Cow::Borrowed("fragment"));
.unwrap_or_else(|| match redirect_uri.scheme() {
| "https" => Cow::Borrowed("fragment"),
| _ => Cow::Borrowed("query")
});
let client_secret = body.unique_value("client_secret").map(|s| s.to_string()); let client_secret = body.unique_value("client_secret").map(|s| s.to_string());
Ok(Self { Ok(Self {
@ -108,12 +104,7 @@ pub fn oidc_login_form(hostname: &str, query: &AuthorizationQuery) -> OidcRespon
/// Render the html contents of the login page. /// Render the html contents of the login page.
fn login_page(hostname: &str, query: &AuthorizationQuery, route: &str, nonce: &str) -> String { fn login_page(hostname: &str, query: &AuthorizationQuery, route: &str, nonce: &str) -> String {
let response_mode = &query.response_mode let response_mode = &query.response_mode.clone().unwrap_or("fragment".to_string());
.clone()
.unwrap_or_else(|| match query.redirect_uri.scheme() {
| "https" => "fragment".to_string(),
| _ => "query".to_string()
});
let template = LoginPageTemplate { let template = LoginPageTemplate {
nonce, nonce,
hostname, hostname,