fix(oidc): use client secret from query params
This commit is contained in:
parent
489c39e16c
commit
08f94ad16b
1 changed files with 9 additions and 8 deletions
|
@ -77,20 +77,21 @@ defmodule ComfycampWeb.OauthController do
|
|||
end
|
||||
end
|
||||
|
||||
def token(conn, %{"code" => code_value, "redirect_uri" => redirect_uri}) do
|
||||
def token(conn, %{
|
||||
"code" => code_value,
|
||||
"redirect_uri" => redirect_uri,
|
||||
"client_id" => client_id,
|
||||
"client_secret" => client_secret
|
||||
}) do
|
||||
# Check that code is still valid and redirect uri has not been altered.
|
||||
%OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value)
|
||||
|
||||
# Get client secret.
|
||||
[auth_header] = Plug.Conn.get_req_header(conn, "authorization")
|
||||
"Basic " <> client_secret = auth_header
|
||||
|
||||
# Check that client provided a valid secret for an active OIDC app.
|
||||
%OIDCApp{enabled: true} = oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
|
||||
%OIDCApp{enabled: true, client_id: ^client_id} =
|
||||
oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
|
||||
|
||||
# Check that OIDC app is referenced by provided code.
|
||||
app_client_id = oidc_app.client_id
|
||||
^app_client_id = code.oidc_app.client_id
|
||||
^client_id = code.oidc_app.client_id
|
||||
|
||||
# Delete the code.
|
||||
SSO.delete_oidc_code(code)
|
||||
|
|
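Review bot: Matching `"client_secret" => client_secret` in the head of `token/2` takes the secret from the controller params, which in Phoenix are the query string merged with the body, so a client can (and the commit title says "query params") send the secret in the URL, where it ends up in access and proxy logs; RFC 6749 §2.3.1 forbids client credentials in the request URI and requires the token endpoint to support HTTP Basic, which this hunk removes instead of fixing. Keep the header path as the primary mechanism — base64-decoding the `client_id:client_secret` pair the old code never decoded — and fall back to form parameters only when no header is present, as sketched below. If the secret may still arrive as a parameter, also add `"client_secret"` to `config :phoenix, :filter_parameters` so it is masked in request logs (that config is not visible here, so confirm). `token/2` begins in this hunk but its body continues past it.

```elixir
  def token(conn, %{"code" => code_value, "redirect_uri" => redirect_uri} = params) do
    {client_id, client_secret} = client_credentials(conn, params)
    # … unchanged: code / app / client_id checks and code deletion …

  # Prefer HTTP Basic (RFC 6749 §2.3.1); fall back to credentials in the form body.
  defp client_credentials(conn, params) do
    with ["Basic " <> encoded] <- Plug.Conn.get_req_header(conn, "authorization"),
         {:ok, decoded} <- Base.decode64(encoded),
         [client_id, client_secret] <- String.split(decoded, ":", parts: 2) do
      {URI.decode_www_form(client_id), URI.decode_www_form(client_secret)}
    else
      _ -> {Map.fetch!(params, "client_id"), Map.fetch!(params, "client_secret")}
    end
  end
```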