From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 18 Aug 2022 14:01:34 +0200

Subject: [PATCH 21/23] oidc_child: use client secret if available to get

 device code

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Some IdP have the concept of confidential client, i.e. clients where the

client's secret can be stored safely by the related application. For a

confidential client some IdPs expects that the client secret is used in

all requests together with the client ID although OAuth2 specs currently

only mention this explicitly for the token request. To make sure the

device code can be requested in this case the client secret is added to

the device code request if the secret is provided.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

---

 src/oidc_child/oidc_child.c      |  2 +-

 src/oidc_child/oidc_child_curl.c | 12 +++++++++++-

 src/oidc_child/oidc_child_util.h |  2 +-

 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c

index aeeac3595..c8d35d5d8 100644

--- a/src/oidc_child/oidc_child.c

+++ b/src/oidc_child/oidc_child.c

@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])

     }

     if (opts.get_device_code) {

-        ret = get_devicecode(dc_ctx, opts.client_id);

+        ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);

         if (ret != EOK) {

             DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");

             goto done;

diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c

index df438e007..6e80c3abf 100644

--- a/src/oidc_child/oidc_child_curl.c

+++ b/src/oidc_child/oidc_child_curl.c

@@ -428,7 +428,7 @@ done:

 #define DEFAULT_SCOPE "user"

 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,

-                       const char *client_id)

+                       const char *client_id, const char *client_secret)

 {

     int ret;

@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,

         return ENOMEM;

     }

+    if (client_secret != NULL) {

+        post_data = talloc_asprintf_append(post_data, "&client_secret=%s",

+                                           client_secret);

+        if (post_data == NULL) {

+            DEBUG(SSSDBG_OP_FAILURE,

+                  "Failed to add client secret to POST data.\n");

+            return ENOMEM;

+        }

+    }

+

     clean_http_data(dc_ctx);

     ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,

                           post_data, NULL);

diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h

index ae5a72bc2..8b106ae79 100644

--- a/src/oidc_child/oidc_child_util.h

+++ b/src/oidc_child/oidc_child_util.h

@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,

 errno_t get_jwks(struct devicecode_ctx *dc_ctx);

 errno_t get_devicecode(struct devicecode_ctx *dc_ctx,

-                       const char *client_id);

+                       const char *client_id, const char *client_secret);

 errno_t get_token(TALLOC_CTX *mem_ctx,

                   struct devicecode_ctx *dc_ctx, const char *client_id,

-- 

2.37.3