Switch to code authorization flow

dist/origin-web-common-services.js

@@ -21,6 +21,7 @@ angular.module('openshiftCommonServices', ['ab-base64'])
 
     RedirectLoginServiceProvider.OAuthClientID(AUTH_CFG.oauth_client_id);
     RedirectLoginServiceProvider.OAuthAuthorizeURI(AUTH_CFG.oauth_authorize_uri);
+    RedirectLoginServiceProvider.OAuthTokenURI(AUTH_CFG.oauth_token_uri);
     RedirectLoginServiceProvider.OAuthRedirectURI(URI(AUTH_CFG.oauth_redirect_base).segment("oauth").toString());
   });
 
@@ -2772,6 +2773,7 @@ angular.module('openshiftCommonServices')
 .provider('RedirectLoginService', function() {
   var _oauth_client_id = "";
   var _oauth_authorize_uri = "";
+  var _oauth_token_uri = "";
   var _oauth_redirect_uri = "";
 
   this.OAuthClientID = function(id) {
@@ -2786,6 +2788,12 @@ angular.module('openshiftCommonServices')
     }
     return _oauth_authorize_uri;
   };
+  this.OAuthTokenURI = function(uri) {
+    if (uri) {
+      _oauth_token_uri = uri;
+    }
+    return _oauth_token_uri;
+  };
   this.OAuthRedirectURI = function(uri) {
     if (uri) {
       _oauth_redirect_uri = uri;
@@ -2793,7 +2801,7 @@ angular.module('openshiftCommonServices')
     return _oauth_redirect_uri;
   };
 
-  this.$get = function($location, $q, Logger, base64) {
+  this.$get = function($injector, $location, $q, Logger, base64) {
     var authLogger = Logger.get("auth");
 
     var getRandomInts = function(length) {
@@ -2873,16 +2881,23 @@ angular.module('openshiftCommonServices')
           return $q.reject({error:'invalid_request', error_description:'RedirectLoginServiceProvider.OAuthRedirectURI not set'});
         }
 
-        var deferred = $q.defer();
-        var uri = new URI(_oauth_authorize_uri);
         // Never send a local fragment to remote servers
         var returnUri = new URI($location.url()).fragment("");
-        uri.query({
+        var authorizeParams = {
           client_id: _oauth_client_id,
           response_type: 'token',
           state: makeState(returnUri.toString()),
           redirect_uri: _oauth_redirect_uri
-        });
+        };
+
+        if (_oauth_token_uri) {
+          authorizeParams.response_type = "code";
+          // TODO: add PKCE
+        }
+
+        var deferred = $q.defer();
+        var uri = new URI(_oauth_authorize_uri);
+        uri.query(authorizeParams);
         authLogger.log("RedirectLoginService.login(), redirecting", uri.toString());
         window.location.href = uri.toString();
         // Return a promise we never intend to keep, because we're redirecting to another page
@@ -2894,6 +2909,39 @@ angular.module('openshiftCommonServices')
       // If no token and no error is present, resolves with {}
       // Example error codes: https://tools.ietf.org/html/rfc6749#section-5.2
       finish: function() {
+        // Obtain the $http service.
+        // Can't declare the dependency directly because it causes a cycle between $http->AuthInjector->AuthService->RedirectLoginService
+        var http = $injector.get("$http");
+
+        // handleParams handles error or access_token responses
+        var handleParams = function(params, stateData) {
+          // Handle an error response from the OAuth server
+          if (params.error) {
+            authLogger.log("RedirectLoginService.finish(), error", params.error, params.error_description, params.error_uri);
+            return $q.reject({
+              error: params.error,
+              error_description: params.error_description,
+              error_uri: params.error_uri
+            });
+          }
+
+          // Handle an access_token fragment response
+          if (params.access_token) {
+            return $q.when({
+              token: params.access_token,
+              ttl: params.expires_in,
+              then: stateData.then,
+              verified: stateData.verified
+            });
+          }
+
+          // No token and no error is invalid
+          return $q.reject({
+            error: "invalid_request",
+            error_description: "No API token returned"
+          });
+        };
+
         // Get url
         var u = new URI($location.url());
 
@@ -2902,32 +2950,51 @@ angular.module('openshiftCommonServices')
         var fragmentParams = new URI("?" + u.fragment()).query(true);
         authLogger.log("RedirectLoginService.finish()", queryParams, fragmentParams);
 
-        // Error codes can come in query params or fragment params
-        // Handle an error response from the OAuth server
-        var error = queryParams.error || fragmentParams.error;
-        if (error) {
-          var error_description = queryParams.error_description || fragmentParams.error_description;
-          var error_uri = queryParams.error_uri || fragmentParams.error_uri;
-          authLogger.log("RedirectLoginService.finish(), error", error, error_description, error_uri);
-          return $q.reject({
-            error: error,
-            error_description: error_description,
-            error_uri: error_uri
-          });
+        // immediate error
+        if (queryParams.error) {
+          return handleParams(queryParams, parseState(queryParams.state));
         }
+        // implicit error
+        if (fragmentParams.error) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // implicit success
+        if (fragmentParams.access_token) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // code flow
+        if (_oauth_token_uri && queryParams.code) {
+          // verify before attempting to exchange code for token
+          // hard-fail state verification errors for code exchange
+          var stateData = parseState(queryParams.state);
+          if (!stateData.verified) {
+            return $q.reject({
+              error: "invalid_request",
+              error_description: "Client state could not be verified"
+            });
+          }
 
-        var stateData = parseState(fragmentParams.state);
-
-        // Handle an access_token response
-        if (fragmentParams.access_token && (fragmentParams.token_type || "").toLowerCase() === "bearer") {
-          var deferred = $q.defer();
-          deferred.resolve({
-            token: fragmentParams.access_token,
-            ttl: fragmentParams.expires_in,
-            then: stateData.then,
-            verified: stateData.verified
+          var tokenPostData = [
+            "grant_type=authorization_code",
+            "code="         + encodeURIComponent(queryParams.code),
+            "redirect_uri=" + encodeURIComponent(_oauth_redirect_uri),
+            "client_id="    + encodeURIComponent(_oauth_client_id)
+          ].join("&");
+
+          return http({
+            method: "POST",
+            url: _oauth_token_uri,
+            headers: {
+              "Authorization": "Basic " + window.btoa(_oauth_client_id+":"),
+              "Content-Type": "application/x-www-form-urlencoded"
+            },
+            data: tokenPostData
+          }).then(function(response){
+            return handleParams(response.data, stateData);
+          }, function(response) {
+            authLogger.log("RedirectLoginService.finish(), error getting access token", response);
+            return handleParams(response.data, stateData);
           });
-          return deferred.promise;
         }
 
         // No token and no error is invalid

dist/origin-web-common.js

@@ -21,6 +21,7 @@ angular.module('openshiftCommonServices', ['ab-base64'])
 
     RedirectLoginServiceProvider.OAuthClientID(AUTH_CFG.oauth_client_id);
     RedirectLoginServiceProvider.OAuthAuthorizeURI(AUTH_CFG.oauth_authorize_uri);
+    RedirectLoginServiceProvider.OAuthTokenURI(AUTH_CFG.oauth_token_uri);
     RedirectLoginServiceProvider.OAuthRedirectURI(URI(AUTH_CFG.oauth_redirect_base).segment("oauth").toString());
   }]);
 
@@ -767,6 +768,7 @@ if (!window.OPENSHIFT_CONFIG) {
     },
     auth: {
       oauth_authorize_uri: "https://localhost:8443/oauth/authorize",
+      oauth_token_uri: "https://localhost:8443/oauth/token",
       oauth_redirect_base: "https://localhost:9000/dev-console",
       oauth_client_id: "openshift-web-console",
       logout_uri: ""
@@ -3895,6 +3897,7 @@ angular.module('openshiftCommonServices')
 .provider('RedirectLoginService', function() {
   var _oauth_client_id = "";
   var _oauth_authorize_uri = "";
+  var _oauth_token_uri = "";
   var _oauth_redirect_uri = "";
 
   this.OAuthClientID = function(id) {
@@ -3909,6 +3912,12 @@ angular.module('openshiftCommonServices')
     }
     return _oauth_authorize_uri;
   };
+  this.OAuthTokenURI = function(uri) {
+    if (uri) {
+      _oauth_token_uri = uri;
+    }
+    return _oauth_token_uri;
+  };
   this.OAuthRedirectURI = function(uri) {
     if (uri) {
       _oauth_redirect_uri = uri;
@@ -3916,7 +3925,7 @@ angular.module('openshiftCommonServices')
     return _oauth_redirect_uri;
   };
 
-  this.$get = ["$location", "$q", "Logger", "base64", function($location, $q, Logger, base64) {
+  this.$get = ["$injector", "$location", "$q", "Logger", "base64", function($injector, $location, $q, Logger, base64) {
     var authLogger = Logger.get("auth");
 
     var getRandomInts = function(length) {
@@ -3996,16 +4005,23 @@ angular.module('openshiftCommonServices')
           return $q.reject({error:'invalid_request', error_description:'RedirectLoginServiceProvider.OAuthRedirectURI not set'});
         }
 
-        var deferred = $q.defer();
-        var uri = new URI(_oauth_authorize_uri);
         // Never send a local fragment to remote servers
         var returnUri = new URI($location.url()).fragment("");
-        uri.query({
+        var authorizeParams = {
           client_id: _oauth_client_id,
           response_type: 'token',
           state: makeState(returnUri.toString()),
           redirect_uri: _oauth_redirect_uri
-        });
+        };
+
+        if (_oauth_token_uri) {
+          authorizeParams.response_type = "code";
+          // TODO: add PKCE
+        }
+
+        var deferred = $q.defer();
+        var uri = new URI(_oauth_authorize_uri);
+        uri.query(authorizeParams);
         authLogger.log("RedirectLoginService.login(), redirecting", uri.toString());
         window.location.href = uri.toString();
         // Return a promise we never intend to keep, because we're redirecting to another page
@@ -4017,6 +4033,39 @@ angular.module('openshiftCommonServices')
       // If no token and no error is present, resolves with {}
       // Example error codes: https://tools.ietf.org/html/rfc6749#section-5.2
       finish: function() {
+        // Obtain the $http service.
+        // Can't declare the dependency directly because it causes a cycle between $http->AuthInjector->AuthService->RedirectLoginService
+        var http = $injector.get("$http");
+
+        // handleParams handles error or access_token responses
+        var handleParams = function(params, stateData) {
+          // Handle an error response from the OAuth server
+          if (params.error) {
+            authLogger.log("RedirectLoginService.finish(), error", params.error, params.error_description, params.error_uri);
+            return $q.reject({
+              error: params.error,
+              error_description: params.error_description,
+              error_uri: params.error_uri
+            });
+          }
+
+          // Handle an access_token fragment response
+          if (params.access_token) {
+            return $q.when({
+              token: params.access_token,
+              ttl: params.expires_in,
+              then: stateData.then,
+              verified: stateData.verified
+            });
+          }
+
+          // No token and no error is invalid
+          return $q.reject({
+            error: "invalid_request",
+            error_description: "No API token returned"
+          });
+        };
+
         // Get url
         var u = new URI($location.url());
 
@@ -4025,32 +4074,51 @@ angular.module('openshiftCommonServices')
         var fragmentParams = new URI("?" + u.fragment()).query(true);
         authLogger.log("RedirectLoginService.finish()", queryParams, fragmentParams);
 
-        // Error codes can come in query params or fragment params
-        // Handle an error response from the OAuth server
-        var error = queryParams.error || fragmentParams.error;
-        if (error) {
-          var error_description = queryParams.error_description || fragmentParams.error_description;
-          var error_uri = queryParams.error_uri || fragmentParams.error_uri;
-          authLogger.log("RedirectLoginService.finish(), error", error, error_description, error_uri);
-          return $q.reject({
-            error: error,
-            error_description: error_description,
-            error_uri: error_uri
-          });
+        // immediate error
+        if (queryParams.error) {
+          return handleParams(queryParams, parseState(queryParams.state));
         }
+        // implicit error
+        if (fragmentParams.error) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // implicit success
+        if (fragmentParams.access_token) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // code flow
+        if (_oauth_token_uri && queryParams.code) {
+          // verify before attempting to exchange code for token
+          // hard-fail state verification errors for code exchange
+          var stateData = parseState(queryParams.state);
+          if (!stateData.verified) {
+            return $q.reject({
+              error: "invalid_request",
+              error_description: "Client state could not be verified"
+            });
+          }
 
-        var stateData = parseState(fragmentParams.state);
-
-        // Handle an access_token response
-        if (fragmentParams.access_token && (fragmentParams.token_type || "").toLowerCase() === "bearer") {
-          var deferred = $q.defer();
-          deferred.resolve({
-            token: fragmentParams.access_token,
-            ttl: fragmentParams.expires_in,
-            then: stateData.then,
-            verified: stateData.verified
+          var tokenPostData = [
+            "grant_type=authorization_code",
+            "code="         + encodeURIComponent(queryParams.code),
+            "redirect_uri=" + encodeURIComponent(_oauth_redirect_uri),
+            "client_id="    + encodeURIComponent(_oauth_client_id)
+          ].join("&");
+
+          return http({
+            method: "POST",
+            url: _oauth_token_uri,
+            headers: {
+              "Authorization": "Basic " + window.btoa(_oauth_client_id+":"),
+              "Content-Type": "application/x-www-form-urlencoded"
+            },
+            data: tokenPostData
+          }).then(function(response){
+            return handleParams(response.data, stateData);
+          }, function(response) {
+            authLogger.log("RedirectLoginService.finish(), error getting access token", response);
+            return handleParams(response.data, stateData);
           });
-          return deferred.promise;
         }
 
         // No token and no error is invalid

src/config.js

@@ -22,6 +22,7 @@ if (!window.OPENSHIFT_CONFIG) {
     },
     auth: {
       oauth_authorize_uri: "https://localhost:8443/oauth/authorize",
+      oauth_token_uri: "https://localhost:8443/oauth/token",
       oauth_redirect_base: "https://localhost:9000/dev-console",
       oauth_client_id: "openshift-web-console",
       logout_uri: ""

src/openshiftCommonServices.module.js

@@ -21,6 +21,7 @@ angular.module('openshiftCommonServices', ['ab-base64'])
 
     RedirectLoginServiceProvider.OAuthClientID(AUTH_CFG.oauth_client_id);
     RedirectLoginServiceProvider.OAuthAuthorizeURI(AUTH_CFG.oauth_authorize_uri);
+    RedirectLoginServiceProvider.OAuthTokenURI(AUTH_CFG.oauth_token_uri);
     RedirectLoginServiceProvider.OAuthRedirectURI(URI(AUTH_CFG.oauth_redirect_base).segment("oauth").toString());
   });
 

src/services/redirectLoginService.js

@@ -5,6 +5,7 @@ angular.module('openshiftCommonServices')
 .provider('RedirectLoginService', function() {
   var _oauth_client_id = "";
   var _oauth_authorize_uri = "";
+  var _oauth_token_uri = "";
   var _oauth_redirect_uri = "";
 
   this.OAuthClientID = function(id) {
@@ -19,6 +20,12 @@ angular.module('openshiftCommonServices')
     }
     return _oauth_authorize_uri;
   };
+  this.OAuthTokenURI = function(uri) {
+    if (uri) {
+      _oauth_token_uri = uri;
+    }
+    return _oauth_token_uri;
+  };
   this.OAuthRedirectURI = function(uri) {
     if (uri) {
       _oauth_redirect_uri = uri;
@@ -26,7 +33,7 @@ angular.module('openshiftCommonServices')
     return _oauth_redirect_uri;
   };
 
-  this.$get = function($location, $q, Logger, base64) {
+  this.$get = function($injector, $location, $q, Logger, base64) {
     var authLogger = Logger.get("auth");
 
     var getRandomInts = function(length) {
@@ -106,16 +113,23 @@ angular.module('openshiftCommonServices')
           return $q.reject({error:'invalid_request', error_description:'RedirectLoginServiceProvider.OAuthRedirectURI not set'});
         }
 
-        var deferred = $q.defer();
-        var uri = new URI(_oauth_authorize_uri);
         // Never send a local fragment to remote servers
         var returnUri = new URI($location.url()).fragment("");
-        uri.query({
+        var authorizeParams = {
           client_id: _oauth_client_id,
           response_type: 'token',
           state: makeState(returnUri.toString()),
           redirect_uri: _oauth_redirect_uri
-        });
+        };
+
+        if (_oauth_token_uri) {
+          authorizeParams.response_type = "code";
+          // TODO: add PKCE
+        }
+
+        var deferred = $q.defer();
+        var uri = new URI(_oauth_authorize_uri);
+        uri.query(authorizeParams);
         authLogger.log("RedirectLoginService.login(), redirecting", uri.toString());
         window.location.href = uri.toString();
         // Return a promise we never intend to keep, because we're redirecting to another page
@@ -127,6 +141,39 @@ angular.module('openshiftCommonServices')
       // If no token and no error is present, resolves with {}
       // Example error codes: https://tools.ietf.org/html/rfc6749#section-5.2
       finish: function() {
+        // Obtain the $http service.
+        // Can't declare the dependency directly because it causes a cycle between $http->AuthInjector->AuthService->RedirectLoginService
+        var http = $injector.get("$http");
+
+        // handleParams handles error or access_token responses
+        var handleParams = function(params, stateData) {
+          // Handle an error response from the OAuth server
+          if (params.error) {
+            authLogger.log("RedirectLoginService.finish(), error", params.error, params.error_description, params.error_uri);
+            return $q.reject({
+              error: params.error,
+              error_description: params.error_description,
+              error_uri: params.error_uri
+            });
+          }
+
+          // Handle an access_token fragment response
+          if (params.access_token) {
+            return $q.when({
+              token: params.access_token,
+              ttl: params.expires_in,
+              then: stateData.then,
+              verified: stateData.verified
+            });
+          }
+
+          // No token and no error is invalid
+          return $q.reject({
+            error: "invalid_request",
+            error_description: "No API token returned"
+          });
+        };
+
         // Get url
         var u = new URI($location.url());
 
@@ -135,32 +182,51 @@ angular.module('openshiftCommonServices')
         var fragmentParams = new URI("?" + u.fragment()).query(true);
         authLogger.log("RedirectLoginService.finish()", queryParams, fragmentParams);
 
-        // Error codes can come in query params or fragment params
-        // Handle an error response from the OAuth server
-        var error = queryParams.error || fragmentParams.error;
-        if (error) {
-          var error_description = queryParams.error_description || fragmentParams.error_description;
-          var error_uri = queryParams.error_uri || fragmentParams.error_uri;
-          authLogger.log("RedirectLoginService.finish(), error", error, error_description, error_uri);
-          return $q.reject({
-            error: error,
-            error_description: error_description,
-            error_uri: error_uri
-          });
+        // immediate error
+        if (queryParams.error) {
+          return handleParams(queryParams, parseState(queryParams.state));
         }
+        // implicit error
+        if (fragmentParams.error) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // implicit success
+        if (fragmentParams.access_token) {
+          return handleParams(fragmentParams, parseState(fragmentParams.state));
+        }
+        // code flow
+        if (_oauth_token_uri && queryParams.code) {
+          // verify before attempting to exchange code for token
+          // hard-fail state verification errors for code exchange
+          var stateData = parseState(queryParams.state);
+          if (!stateData.verified) {
+            return $q.reject({
+              error: "invalid_request",
+              error_description: "Client state could not be verified"
+            });
+          }
 
-        var stateData = parseState(fragmentParams.state);
-
-        // Handle an access_token response
-        if (fragmentParams.access_token && (fragmentParams.token_type || "").toLowerCase() === "bearer") {
-          var deferred = $q.defer();
-          deferred.resolve({
-            token: fragmentParams.access_token,
-            ttl: fragmentParams.expires_in,
-            then: stateData.then,
-            verified: stateData.verified
+          var tokenPostData = [
+            "grant_type=authorization_code",
+            "code="         + encodeURIComponent(queryParams.code),
+            "redirect_uri=" + encodeURIComponent(_oauth_redirect_uri),
+            "client_id="    + encodeURIComponent(_oauth_client_id)
+          ].join("&");
+
+          return http({
+            method: "POST",
+            url: _oauth_token_uri,
+            headers: {
+              "Authorization": "Basic " + window.btoa(_oauth_client_id+":"),
+              "Content-Type": "application/x-www-form-urlencoded"
+            },
+            data: tokenPostData
+          }).then(function(response){
+            return handleParams(response.data, stateData);
+          }, function(response) {
+            authLogger.log("RedirectLoginService.finish(), error getting access token", response);
+            return handleParams(response.data, stateData);
           });
-          return deferred.promise;
         }
 
         // No token and no error is invalid