From 672914ceb7052d44e9854b23f4d65825b9b39db8 Mon Sep 17 00:00:00 2001
From: Olivier Dumont
Date: Tue, 30 Dec 2025 12:40:55 +0100
Subject: [PATCH] Remove insecure query parameter fallback for client credentials

The discovery document only advertises client_secret_basic and client_secret_post as supported authentication methods. Query parameters are insecure because they are:
- Logged in access logs
- Stored in browser history
- Exposed in referrer headers

This fix removes the query parameter fallback, ensuring client secrets are only accepted via:
- Authorization header (client_secret_basic)
- POST form body (client_secret_post)

This aligns the implementation with the advertised capabilities and prevents client secret exposure through query strings.
---
 internal/controller/oidc_controller.go | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/internal/controller/oidc_controller.go b/internal/controller/oidc_controller.go
index 11a3732..2bddefb 100644
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -384,7 +384,7 @@ func (controller *OIDCController) tokenError(c *gin.Context, errorCode string, e
 }

 func (controller *OIDCController) getClientCredentials(c *gin.Context) (string, string, error) {
- // Try Basic Auth first
+ // Try Basic Auth first (client_secret_basic)
 authHeader := c.GetHeader("Authorization")
 if strings.HasPrefix(authHeader, "Basic ") {
 encoded := strings.TrimPrefix(authHeader, "Basic ")
@@ -397,20 +397,15 @@ func (controller *OIDCController) getClientCredentials(c *gin.Context) (string,
 }
 }

- // Try POST form parameters
+ // Try POST form parameters (client_secret_post)
 clientID := c.PostForm("client_id")
 clientSecret := c.PostForm("client_secret")
 if clientID != "" && clientSecret != "" {
 return clientID, clientSecret, nil
 }

- // Try query parameters
- clientID = c.Query("client_id")
- clientSecret = c.Query("client_secret")
- if clientID != "" && clientSecret != "" {
- return clientID, clientSecret, nil
- }
-
+ // Do not accept credentials via query parameters as they are logged
+ // in access logs, browser history, and referrer headers
 return "", "", fmt.Errorf("client credentials not found")
 }

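Review bot: No test accompanies the removal of the query-string fallback (the diffstat lists only oidc_controller.go), so nothing guards against the `c.Query` path being reintroduced; a handler test that calls the token endpoint with `client_id`/`client_secret` present only in the query string and asserts the request is rejected would pin the new behaviour. The final error is built with `fmt.Errorf` and no format verbs; `errors.New("client credentials not found")`, or better a package-level sentinel the token handler can map to its error code with `errors.Is`, reads more cleanly. The two closing braces at the top of the hunk suggest that a present-but-undecodable Basic header falls through to the form-body branch; if so, a request carrying both methods is accepted on the second, which RFC 6749 §2.3 says a server should reject, so consider returning the error from the Basic branch instead of falling through. getClientCredentials begins before this hunk and its Basic Auth decoding is not visible here.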