sssd/SOURCES/0022-oidc_child-use-client-...

From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Aug 2022 14:01:34 +0200
Subject: [PATCH 22/24] oidc_child: use client secret if available to get
 device code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some IdP have the concept of confidential client, i.e. clients where the
client's secret can be stored safely by the related application. For a
confidential client some IdPs expects that the client secret is used in
all requests together with the client ID although OAuth2 specs currently
only mention this explicitly for the token request. To make sure the
device code can be requested in this case the client secret is added to
the device code request if the secret is provided.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/oidc_child/oidc_child.c      |  2 +-
 src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
 src/oidc_child/oidc_child_util.h |  2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index aeeac3595..c8d35d5d8 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
     }
 
     if (opts.get_device_code) {
-        ret = get_devicecode(dc_ctx, opts.client_id);
+        ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
             goto done;
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index df438e007..6e80c3abf 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -428,7 +428,7 @@ done:
 #define DEFAULT_SCOPE "user"
 
 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
-                       const char *client_id)
+                       const char *client_id, const char *client_secret)
 {
     int ret;
 
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
         return ENOMEM;
     }
 
+    if (client_secret != NULL) {
+        post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
+                                           client_secret);
+        if (post_data == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Failed to add client secret to POST data.\n");
+            return ENOMEM;
+        }
+    }
+
     clean_http_data(dc_ctx);
     ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
                           post_data, NULL);
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
index ae5a72bc2..8b106ae79 100644
--- a/src/oidc_child/oidc_child_util.h
+++ b/src/oidc_child/oidc_child_util.h
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
 errno_t get_jwks(struct devicecode_ctx *dc_ctx);
 
 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
-                       const char *client_id);
+                       const char *client_id, const char *client_secret);
 
 errno_t get_token(TALLOC_CTX *mem_ctx,
                   struct devicecode_ctx *dc_ctx, const char *client_id,
-- 
2.37.3
import sssd-2.7.3-4.el9_1.3 2 years ago			`From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Thu, 18 Aug 2022 14:01:34 +0200`
			`Subject: [PATCH 22/24] oidc_child: use client secret if available to get`
			`device code`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Some IdP have the concept of confidential client, i.e. clients where the`
			`client's secret can be stored safely by the related application. For a`
			`confidential client some IdPs expects that the client secret is used in`
			`all requests together with the client ID although OAuth2 specs currently`
			`only mention this explicitly for the token request. To make sure the`
			`device code can be requested in this case the client secret is added to`
			`the device code request if the secret is provided.`

			`Resolves: https://github.com/SSSD/sssd/issues/6146`

			`Reviewed-by: Justin Stephenson <jstephen@redhat.com>`
			`Reviewed-by: Pavel Březina <pbrezina@redhat.com>`
			`(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)`

			`Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>`
			`---`
			`src/oidc_child/oidc_child.c \| 2 +-`
			`src/oidc_child/oidc_child_curl.c \| 12 +++++++++++-`
			`src/oidc_child/oidc_child_util.h \| 2 +-`
			`3 files changed, 13 insertions(+), 3 deletions(-)`

			`diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c`
			`index aeeac3595..c8d35d5d8 100644`
			`--- a/src/oidc_child/oidc_child.c`
			`+++ b/src/oidc_child/oidc_child.c`
			`@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])`
			`}`

			`if (opts.get_device_code) {`
			`- ret = get_devicecode(dc_ctx, opts.client_id);`
			`+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);`
			`if (ret != EOK) {`
			`DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");`
			`goto done;`
			`diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c`
			`index df438e007..6e80c3abf 100644`
			`--- a/src/oidc_child/oidc_child_curl.c`
			`+++ b/src/oidc_child/oidc_child_curl.c`
			`@@ -428,7 +428,7 @@ done:`
			`#define DEFAULT_SCOPE "user"`

			`errno_t get_devicecode(struct devicecode_ctx *dc_ctx,`
			`- const char *client_id)`
			`+ const char client_id, const char client_secret)`
			`{`
			`int ret;`

			`@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,`
			`return ENOMEM;`
			`}`

			`+ if (client_secret != NULL) {`
			`+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s",`
			`+ client_secret);`
			`+ if (post_data == NULL) {`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "Failed to add client secret to POST data.\n");`
			`+ return ENOMEM;`
			`+ }`
			`+ }`
			`+`
			`clean_http_data(dc_ctx);`
			`ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,`
			`post_data, NULL);`
			`diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h`
			`index ae5a72bc2..8b106ae79 100644`
			`--- a/src/oidc_child/oidc_child_util.h`
			`+++ b/src/oidc_child/oidc_child_util.h`
			`@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,`
			`errno_t get_jwks(struct devicecode_ctx *dc_ctx);`

			`errno_t get_devicecode(struct devicecode_ctx *dc_ctx,`
			`- const char *client_id);`
			`+ const char client_id, const char client_secret);`

			`errno_t get_token(TALLOC_CTX *mem_ctx,`
			`struct devicecode_ctx dc_ctx, const char client_id,`
			`--`
			`2.37.3`