Skip to content

add isConnectorAllowed check to handlePasswordGrant#4839

Open
canolgun wants to merge 1 commit into
dexidp:masterfrom
canolgun:fix/password-grant-allowedconnectors
Open

add isConnectorAllowed check to handlePasswordGrant#4839
canolgun wants to merge 1 commit into
dexidp:masterfrom
canolgun:fix/password-grant-allowedconnectors

Conversation

@canolgun

Copy link
Copy Markdown

handlePasswordGrant uses s.passwordConnector directly without validating against client.AllowedConnectors. The other three handlers that deal with connector selection all call isConnectorAllowed() — this adds the same check.

  • handleConnectorLogin (handlers.go:377): calls isConnectorAllowed
  • handleAuthorization (oauth2.go:535): calls isConnectorAllowed
  • handleTokenExchange (handlers.go:1835): calls isConnectorAllowed
  • handlePasswordGrant (handlers.go:1619): was missing the check

A client with restricted AllowedConnectors could use the password grant against a connector it shouldn't have access to.

The handlePasswordGrant handler uses s.passwordConnector directly
without validating against client.AllowedConnectors. The other three
handlers that deal with connector selection (handleConnectorLogin:377,
handleAuthorization:oauth2.go:535, handleTokenExchange:1835) all
call isConnectorAllowed(). This adds the same check to match.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant