fix: refresh token activation (#1795)

* fix: oidc grant type check * docs: add offline_access scope * docs: update refresh token status in supported grant types * fix: update oidc pkg
2025-08-12 08:07:32 +00:00 · 2021-05-31 11:06:01 +02:00
parent 1f41cc5ca8
commit f8ab1f5b7b
10 changed files with 98 additions and 15 deletions
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -61,6 +61,10 @@ func (c *Client) ResponseTypes() []oidc.ResponseType {
 	return responseTypesToOIDC(c.OIDCResponseTypes)
 }

+func (c *Client) GrantTypes() []oidc.GrantType {
+	return grantTypesToOIDC(c.OIDCGrantTypes)
+}
+
 func (c *Client) DevMode() bool {
 	return c.ApplicationView.DevMode
 }
@@ -165,6 +169,27 @@ func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
 	}
 }

+func grantTypesToOIDC(grantTypes []model.OIDCGrantType) []oidc.GrantType {
+	oidcTypes := make([]oidc.GrantType, len(grantTypes))
+	for i, t := range grantTypes {
+		oidcTypes[i] = grantTypeToOIDC(t)
+	}
+	return oidcTypes
+}
+
+func grantTypeToOIDC(grantType model.OIDCGrantType) oidc.GrantType {
+	switch grantType {
+	case model.OIDCGrantTypeAuthorizationCode:
+		return oidc.GrantTypeCode
+	case model.OIDCGrantTypeImplicit:
+		return oidc.GrantTypeImplicit
+	case model.OIDCGrantTypeRefreshToken:
+		return oidc.GrantTypeRefreshToken
+	default:
+		return oidc.GrantTypeCode
+	}
+}
+
 func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
 	newScopeList := make([]string, 0)
 	for _, scope := range scopes {
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -73,6 +73,7 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.C
 	}
 	copy(config.OPConfig.CryptoKey[:], cryptoKey)
 	config.OPConfig.CodeMethodS256 = true
+	config.OPConfig.GrantTypeRefreshToken = true
 	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 	provider, err := op.NewOpenIDProvider(
 		ctx,
--- a/internal/domain/application_oidc.go
+++ b/internal/domain/application_oidc.go
@@ -190,6 +190,7 @@ func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType
 		compliance.NoneCompliant = true
 		compliance.Problems = append([]string{"Application.OIDC.V1.NoRedirectUris"}, compliance.Problems...)
 	}
+	CheckGrantTypes(compliance, grantTypes)
 	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
 		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
 	} else {
@@ -213,6 +214,13 @@ func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType
 	return compliance
 }

+func CheckGrantTypes(compliance *Compliance, grantTypes []OIDCGrantType) {
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeRefreshToken) && !containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.GrantType.Refresh.NoAuthCode")
+	}
+}
+
 func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
 	if authMethod != OIDCAuthMethodTypeNone {
 		compliance.NoneCompliant = true
@@ -238,7 +246,7 @@ func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType,
 		}
 		if appType == OIDCApplicationTypeNative && !onlyLocalhostIsHttp(redirectUris) {
 			compliance.NoneCompliant = true
-			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.NativeShouldBeHttpLocalhost")
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
 		}
 	}
 	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
@@ -259,7 +267,7 @@ func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationTy
 		if appType == OIDCApplicationTypeNative {
 			if !onlyLocalhostIsHttp(redirectUris) {
 				compliance.NoneCompliant = true
-				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
 			}
 			return
 		}
@@ -283,7 +291,7 @@ func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplic
 		}
 		if !onlyLocalhostIsHttp(redirectUris) && appType == OIDCApplicationTypeNative {
 			compliance.NoneCompliant = true
-			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.RedirectUris.MustBeHttpLocalhost")
 		}
 	}
 	if !compliance.NoneCompliant {
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -695,11 +695,15 @@ Application:
        RedirectUris:
          CustomNotAllowed: Grant Type Implicit erlaubt keine custom Redirect Uris.
          HttpNotAllowed: Grant Type Implicit erlaubt keine http Redirect Uris.
-          NativeShouldBeHttpLocalhost: Grant Type Implicit erlaubt beim Apptype Native http nur mit localhost (http://localhost)
          HttpLocalhostOnlyForNative: Http://localhost Redirect Uri ist nur für Native Applikationen erlaubt.
      Native:
        AuthMethodType:
          NotNone: Bei Native Applikationen sollte der AuthMethodType none sein.
+        RedirectUris:
+          MustBeHttpLocalhost: Die Weiterleitung muss mit einem eigenen Protokoll, http://127.0.0.1, http://[::1] oder http://localhost beginnen.
      UserAgent:
        AuthMethodType:
          NotNone: Bei einem User Agent sollte der AuthMethodType none sein.
+      GrantType:
+        Refresh:
+          NoAuthCode: Refresh Token nur in Kombination mit Authorization Code erlaubt.
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -696,11 +696,15 @@ Application:
        RedirectUris:
          CustomNotAllowed: Grant type implicit doesn't allow custom redirect uris
          HttpNotAllowed: Grant tpye implicit doesn't allow http redirect uris
-          NativeShouldBeHttpLocalhost: Grant tpye implicit only allowed http://localhost for native apptype
          HttpLocalhostOnlyForNative: Http://localhost redirect uri is only allowed for native applications.
      Native:
        AuthMethodType:
          NotNone: Native applications should have authmethodtype none.
+        RedirectUris:
+          MustBeHttpLocalhost: Redirect URIs must begin with your own protocol, http://127.0.0.1, http://[::1] or http://localhost.
      UserAgent:
        AuthMethodType:
          NotNone: User agent app should have authmethodtype none.
+      GrantType:
+        Refresh:
+          NoAuthCode: Refresh Token only allowed in combination with Authorization Code.