feat: add back support for request oidc param

2026-06-08 20:40:15 +00:00 · 2026-06-06 18:01:59 +03:00
parent f078e3549e
commit 47b7f1e6f2
6 changed files with 84 additions and 21 deletions
@@ -117,15 +117,36 @@ func (controller *OIDCController) authorize(c *gin.Context) {

 	var req service.AuthorizeRequest

-	err := c.ShouldBindWith(&req, binding.Query)
+	reqQueries := c.Request.URL.Query()

-	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to bind JSON",
-			reasonPublic: "The client provided an invalid authorization request",
-		})
-		return
+	if reqQueries.Get("request") != "" {
+		requestObject, err := controller.oidc.DecodeAuthorizeJWT(reqQueries.Get("request"))
+
+		if err != nil {
+			controller.authorizeError(c, authorizeErrorParams{
+				err:          err,
+				reason:       "Failed to decode request object",
+				reasonPublic: "The client provided an invalid request object",
+			})
+			return
+		}
+
+		req = *requestObject
+	} else {
+		var queryReq service.AuthorizeRequest
+
+		err := c.ShouldBindWith(&queryReq, binding.Query)
+
+		if err != nil {
+			controller.authorizeError(c, authorizeErrorParams{
+				err:          err,
+				reason:       "Failed to bind query parameters",
+				reasonPublic: "The client provided invalid query parameters",
+			})
+			return
+		}
+
+		req = queryReq
 	}

 	client, ok := controller.oidc.GetClient(req.ClientID)
@@ -139,9 +160,7 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}

-	// TODO: handle request= parameter with JWTs
-
-	err = controller.oidc.ValidateAuthorizeParams(req)
+	err := controller.oidc.ValidateAuthorizeParams(req)

 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
@@ -20,6 +20,7 @@ import (
 	"slices"

 	"github.com/go-jose/go-jose/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -106,14 +107,15 @@ type TokenResponse struct {
 }

 type AuthorizeRequest struct {
-	Scope               string `form:"scope" binding:"required"`
-	ResponseType        string `form:"response_type" binding:"required"`
-	ClientID            string `form:"client_id" binding:"required"`
-	RedirectURI         string `form:"redirect_uri" binding:"required"`
-	State               string `form:"state"`
-	Nonce               string `form:"nonce"`
-	CodeChallenge       string `form:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method"`
+	jwt.Claims
+	Scope               string `form:"scope" binding:"required" json:"scope"`
+	ResponseType        string `form:"response_type" binding:"required" json:"response_type"`
+	ClientID            string `form:"client_id" binding:"required" json:"client_id"`
+	RedirectURI         string `form:"redirect_uri" binding:"required" json:"redirect_uri"`
+	State               string `form:"state" json:"state"`
+	Nonce               string `form:"nonce" json:"nonce"`
+	CodeChallenge       string `form:"code_challenge" json:"code_challenge"`
+	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method"`
 }

 type AuthorizeCodeEntry struct {
@@ -883,3 +885,22 @@ func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*Authori
 func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 	service.caches.authorize.Delete(ticket)
 }
+
+// TODO: support signed request objects in the future
+func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
+	var req AuthorizeRequest
+
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
+	}
+
+	claims, ok := token.Claims.(*AuthorizeRequest)
+
+	if !ok {
+		return nil, errors.New("failed to parse claims from authorize request jwt")
+	}
+
+	return claims, nil
+}