
Commit fb99cf3

reject IDPs without supported response_types (#1645)
Co-authored-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
1 parent a0bf2b4 commit fb99cf3


1 file changed

+18
-0
lines changed


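--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -30,6 +30,7 @@ import (
 "time"
 
 "github.com/minio/minio-go/v7/pkg/credentials"
+"github.com/minio/minio-go/v7/pkg/set"
 
 "github.com/minio/console/pkg/auth/utils"
 "golang.org/x/crypto/pbkdf2"
@@ -142,6 +143,11 @@ func getLoginCallbackURL(r *http.Request) string {
 return redirectURL
 }
 
+var supportedResponseTypes = set.CreateStringSet([]string{
+"code id_token",
+"code token id_token",
+}...)
+
 // NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
 // it returns a *Provider object that contains the necessary configuration to initiate an
 // oauth2 authentication flow
@@ -151,6 +157,18 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
 return nil, err
 }
 
+var supported bool
+for _, responseType := range ddoc.ResponseTypesSupported {
+if supportedResponseTypes.Contains(responseType) {
+supported = true
+continue
+}
+}
+
+if !supported {
+return nil, fmt.Errorf("expected 'code id_token' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
+}
+
 // If provided scopes are empty we use a default list or the user configured list
 if len(scopes) == 0 {
 scopes = strings.Split(getIDPScopes(), ",")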
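Review bot: The message on the `if !supported` branch tells the operator that only 'code id_token' is expected, but the new supportedResponseTypes set also accepts 'code token id_token', so a rejected provider is reported against the wrong requirement; `return nil, fmt.Errorf("expected one of %v response types - got %q, login not allowed", supportedResponseTypes.ToSlice(), ddoc.ResponseTypesSupported)` keeps the message in step with the set and quotes the provider's advertised values verbatim. The `continue` after `supported = true` should be `break`: one match settles the answer and the remaining iterations do nothing. Exact string matching also ties acceptance to the provider's token order, and the OAuth 2.0 Multiple Response Type Encoding Practices spec treats the space-separated values as unordered, so a provider advertising `id_token code` would presumably be rejected here — worth confirming against the providers behind #1645 and, if so, sorting the tokens of each advertised value before the Contains lookup. NewOauth2ProviderClient starts and ends outside the hunk, and ddoc is populated before it.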
