ory · aeneasr · Nov 9, 2020 · Oct 9, 2020 · Oct 14, 2020 · Oct 14, 2020
@@ -25,8 +25,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-
-	"github.com/pkg/errors"
 )
 
 func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error) {
@@ -66,7 +64,11 @@ func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequest
 	query.Add("state", ar.GetState())
 
 	var redirectURIString string
-	if !(len(ar.GetResponseTypes()) == 0 || ar.GetResponseTypes().ExactOne("code")) && !errors.Is(err, ErrUnsupportedResponseType) {
+	if ar.GetResponseMode() == ResponseModePost {
+		rw.Header().Add("Content-Type", "text/html;charset=UTF-8")
+		WriteAuthorizeFormPostResponse(redirectURI.String(), query, rw)
+		return
+	} else if ar.GetResponseMode() == ResponseModeFragment {
 		redirectURIString = redirectURI.String() + "#" + query.Encode()
 	} else {
 		for key, values := range redirectURI.Query() {

@@ -88,6 +88,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeQuery).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -106,6 +107,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeNone).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -124,6 +126,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeQuery).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -142,6 +145,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"foobar"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -160,6 +164,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -178,6 +183,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -196,6 +202,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -214,6 +221,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -233,6 +241,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -252,6 +261,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"id_token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -271,6 +281,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -282,6 +293,24 @@ func TestWriteAuthorizeError(t *testing.T) {
 				assert.Equal(t, "no-cache", header.Get("Pragma"))
 			},
 		},
+		{
+			debug: true,
+			err:   ErrInvalidRequest.WithDebug("with-debug"),
+			mock: func(rw *MockResponseWriter, req *MockAuthorizeRequester) {
+				req.EXPECT().IsRedirectURIValid().Return(true)
+				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
+				req.EXPECT().GetState().Return("foostate")
+				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModePost).Times(1)
+				rw.EXPECT().Header().Times(3).Return(header)
+				rw.EXPECT().Write(gomock.Any()).AnyTimes()
+			},
+			checkHeader: func(t *testing.T, k int) {
+				assert.Equal(t, "no-store", header.Get("Cache-Control"))
+				assert.Equal(t, "no-cache", header.Get("Pragma"))
+				assert.Equal(t, "text/html;charset=UTF-8", header.Get("Content-Type"))
+			},
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 			oauth2 := &Fosite{

@@ -22,14 +22,34 @@
 package fosite
 
 import (
+	"html/template"
+	"io"
 	"net/url"
 	"regexp"
+	"strconv"
 	"strings"
+	"time"
+
+	"golang.org/x/net/html"
+	goauth "golang.org/x/oauth2"
 
 	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )
 
+var formPostTemplate = template.Must(template.New("form_post").Parse(`<html>
+   <head>
+      <title>Submit This Form</title>
+   </head>
+   <body onload="javascript:document.forms[0].submit()">
+      <form method="post" action="{{ .RedirURL }}">
+         {{ range $key,$value := .Parameters }}
+		<input type="hidden" name="{{$key}}" value="{{index $value 0}}"/>
+         {{ end }}
+      </form>
+   </body>
+</html>`))
+
 // MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform
 // uri validation.
 //
@@ -182,3 +202,105 @@ func IsLocalhost(redirectURI *url.URL) bool {
 	hn := redirectURI.Hostname()
 	return strings.HasSuffix(hn, ".localhost") || hn == "127.0.0.1" || hn == "::1" || hn == "localhost"
 }
+
+func WriteAuthorizeFormPostResponse(redirectURL string, parameters url.Values, rw io.Writer) {
+	_ = formPostTemplate.Execute(rw, struct {
+		RedirURL   string
+		Parameters url.Values
+	}{
+		RedirURL:   redirectURL,
+		Parameters: parameters,
+	})
+}
+func ParseFormPostResponse(redirectURL string, resp io.ReadCloser) (authorizationCode, stateFromServer, iDToken string, token goauth.Token, rFC6749Error RFC6749Error, err error) {
+
+	token = goauth.Token{}
+	rFC6749Error = RFC6749Error{}
+
+	doc, err := html.Parse(resp)
+	if err != nil {
+		return "", "", "", token, rFC6749Error, err
+	}
+	//doc>html>body
+	body := findBody(doc.FirstChild.FirstChild)
+	if body.Data != "body" {
+		return "", "", "", token, rFC6749Error, errors.New("Malformed html")
+	}
+	htmlEvent := body.Attr[0].Key
+	if htmlEvent != "onload" {
+		return "", "", "", token, rFC6749Error, errors.New("onload event is missing")
+	}
+	onLoadFunc := body.Attr[0].Val
+	if onLoadFunc != "javascript:document.forms[0].submit()" {
+		return "", "", "", token, rFC6749Error, errors.New("onload function is missing")
+	}
+	form := getNextNoneTextNode(body.FirstChild)
+	if form.Data != "form" {
+		return "", "", "", token, rFC6749Error, errors.New("html form is missing")
+	}
+	for _, attr := range form.Attr {
+		if attr.Key == "method" {
+			if attr.Val != "post" {
+				return "", "", "", token, rFC6749Error, errors.New("html form post method is missing")
+			}
+		} else {
+			if attr.Val != redirectURL {
+				return "", "", "", token, rFC6749Error, errors.New("html form post url is wrong")
+			}
+		}
+	}
+
+	for node := getNextNoneTextNode(form.FirstChild); node != nil; node = getNextNoneTextNode(node.NextSibling) {
+		var k, v string
+		for _, attr := range node.Attr {
+			if attr.Key == "name" {
+				k = attr.Val
+			} else if attr.Key == "value" {
+				v = attr.Val
+			}
+
+		}
+		switch k {
+		case "state":
+			stateFromServer = v
+		case "code":
+			authorizationCode = v
+		case "expires_in":
+			expires, err := strconv.Atoi(v)
+			if err != nil {
+				return "", "", "", token, rFC6749Error, err
+			}
+			token.Expiry = time.Now().UTC().Add(time.Duration(expires) * time.Second)
+		case "access_token":
+			token.AccessToken = v
+		case "token_type":
+			token.TokenType = v
+		case "refresh_token":
+			token.RefreshToken = v
+		case "error":
+			rFC6749Error.Name = v
+		case "error_description":
+			rFC6749Error.Description = v
+		case "id_token":
+			iDToken = v
+		}
+	}
+	return
+}
+
+func getNextNoneTextNode(node *html.Node) *html.Node {
+	nextNode := node.NextSibling
+	if nextNode != nil && nextNode.Type == html.TextNode {
+		nextNode = getNextNoneTextNode(node.NextSibling)
+	}
+	return nextNode
+}
+func findBody(node *html.Node) *html.Node {
+	if node != nil {
+		if node.Data == "body" {
+			return node
+		}
+		return findBody(node.NextSibling)
+	}
+	return nil
+}
@@ -22,6 +22,8 @@
 package fosite
 
 import (
+	"bytes"
+	"io/ioutil"
 	"net/url"
 	"testing"
 
@@ -257,6 +259,17 @@ func TestIsRedirectURISecure(t *testing.T) {
 	}
 }
 
+func TestWriteAuthorizeFormPostResponse(t *testing.T) {
+	var responseBuffer bytes.Buffer
+	redirectURL := "https://localhost:8080/cb"
+	parameters := url.Values{"code": {"lshr755nsg39fgur"}, "state": {"924659540232"}}
+	WriteAuthorizeFormPostResponse(redirectURL, parameters, &responseBuffer)
+	code, state, _, _, _, err := ParseFormPostResponse(redirectURL, ioutil.NopCloser(bytes.NewReader(responseBuffer.Bytes())))
+	assert.NoError(t, err)
+	assert.Equal(t, parameters.Get("code"), code)
+	assert.Equal(t, parameters.Get("state"), state)
+}
+
 func TestIsRedirectURISecureStrict(t *testing.T) {
 	for d, c := range []struct {
 		u   string

@@ -25,12 +25,22 @@ import (
 	"net/url"
 )
 
+type ResponseModeType string
+
+const (
+	ResponseModeNone     = ResponseModeType("")
+	ResponseModePost     = ResponseModeType("form_post")
+	ResponseModeQuery    = ResponseModeType("query")
+	ResponseModeFragment = ResponseModeType("fragment")
+)
+
 // AuthorizeRequest is an implementation of AuthorizeRequester
 type AuthorizeRequest struct {
-	ResponseTypes        Arguments `json:"responseTypes" gorethink:"responseTypes"`
-	RedirectURI          *url.URL  `json:"redirectUri" gorethink:"redirectUri"`
-	State                string    `json:"state" gorethink:"state"`
-	HandledResponseTypes Arguments `json:"handledResponseTypes" gorethink:"handledResponseTypes"`
+	ResponseTypes        Arguments        `json:"responseTypes" gorethink:"responseTypes"`
+	RedirectURI          *url.URL         `json:"redirectUri" gorethink:"redirectUri"`
+	State                string           `json:"state" gorethink:"state"`
+	HandledResponseTypes Arguments        `json:"handledResponseTypes" gorethink:"handledResponseTypes"`
+	ResponseMode         ResponseModeType `json:"ResponseMode" gorethink:"ResponseMode"`
 
 	Request
 }
@@ -41,6 +51,7 @@ func NewAuthorizeRequest() *AuthorizeRequest {
 		RedirectURI:          &url.URL{},
 		HandledResponseTypes: Arguments{},
 		Request:              *NewRequest(),
+		ResponseMode:         ResponseModeNone,
 	}
 }
 
@@ -86,3 +97,11 @@ func (d *AuthorizeRequest) DidHandleAllResponseTypes() bool {
 
 	return len(d.ResponseTypes) > 0
 }
+
+func (d *AuthorizeRequest) GetResponseMode() ResponseModeType {
+	return d.ResponseMode
+}
+
+func (d *AuthorizeRequest) SetResponseMode(responseMode ResponseModeType) {
+	d.ResponseMode = responseMode
+}
@@ -210,6 +210,23 @@ func (f *Fosite) validateResponseTypes(r *http.Request, request *AuthorizeReques
 	request.ResponseTypes = responseTypes
 	return nil
 }
+func (f *Fosite) validateResponseMode(r *http.Request, request *AuthorizeRequest) error {
+	responseMode := r.Form.Get("response_mode")
+
+	switch responseMode {
+	case string(ResponseModeNone):
+		request.ResponseMode = ResponseModeNone
+	case string(ResponseModeFragment):
+		request.ResponseMode = ResponseModeFragment
+	case string(ResponseModeQuery):
+		request.ResponseMode = ResponseModeQuery
+	case string(ResponseModePost):
+		request.ResponseMode = ResponseModePost
+	default:
+		return errors.WithStack(ErrUnsupportedResponseType.WithHintf("Request with unsupported response_mode \"%s\".", responseMode))
+	}
+	return nil
+}
 
 func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (AuthorizeRequester, error) {
 	request := &AuthorizeRequest{
@@ -228,6 +245,10 @@ func (f *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	state := request.Form.Get("state")
 	request.State = state
 
+	if err := f.validateResponseMode(r, request); err != nil {
+		return request, err
+	}
+
 	client, err := f.Store.GetClient(ctx, request.GetRequestForm().Get("client_id"))
 	if err != nil {
 		return request, errors.WithStack(ErrInvalidClient.WithHint("The requested OAuth 2.0 Client does not exist.").WithCause(err).WithDebug(err.Error()))