fix: support for oidc post (forgot that)

2026-06-08 20:40:15 +00:00 · 2026-06-08 12:35:13 +03:00
parent 4e671ed48c
commit ede6e8084d
2 changed files with 17 additions and 18 deletions
@@ -115,13 +115,13 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 		return
 	}

-	var req service.AuthorizeRequest
-
 	reqQueries := c.Request.URL.Query()

-	if reqQueries.Get("request") != "" {
-		requestObject, err := controller.oidc.DecodeAuthorizeJWT(reqQueries.Get("request"))
+	var req service.AuthorizeRequest

+	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
+	if raw := reqQueries.Get("request"); raw != "" {
+		requestObject, err := controller.oidc.DecodeAuthorizeJWT(raw)
 		if err != nil {
 			controller.authorizeError(c, authorizeErrorParams{
 				err:          err,
@@ -130,23 +130,22 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 			})
 			return
 		}
-
 		req = *requestObject
 	} else {
-		var queryReq service.AuthorizeRequest
-
-		err := c.ShouldBindWith(&queryReq, binding.Query)
-
-		if err != nil {
+		// step 2: by default we assume normal GET query parameters
+		bind := binding.Query
+		// step 3: if it's a POST request, we try form parameters
+		if c.Request.Method == http.MethodPost {
+			bind = binding.Form
+		}
+		if err := c.ShouldBindWith(&req, bind); err != nil {
 			controller.authorizeError(c, authorizeErrorParams{
 				err:          err,
-				reason:       "Failed to bind query parameters",
-				reasonPublic: "The client provided invalid query parameters",
+				reason:       "Failed to bind request parameters",
+				reasonPublic: "The client provided invalid parameters",
 			})
 			return
 		}
-
-		req = queryReq
 	}

 	client, ok := controller.oidc.GetClient(req.ClientID)
@@ -108,10 +108,10 @@ type TokenResponse struct {

 type AuthorizeRequest struct {
 	jwt.Claims
-	Scope               string `form:"scope" binding:"required" json:"scope" url:"scope"`
-	ResponseType        string `form:"response_type" binding:"required" json:"response_type" url:"response_type"`
-	ClientID            string `form:"client_id" binding:"required" json:"client_id" url:"client_id"`
-	RedirectURI         string `form:"redirect_uri" binding:"required" json:"redirect_uri" url:"redirect_uri"`
+	Scope               string `form:"scope" json:"scope" url:"scope"`
+	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
+	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
+	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
 	State               string `form:"state" json:"state" url:"state"`
 	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
 	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`