From c0eae99f6ce5b1ec5145f63323817db6222290da Mon Sep 17 00:00:00 2001 From: can olgun Date: Thu, 18 Jun 2026 19:28:16 +0300 Subject: [PATCH] add isConnectorAllowed check to handlePasswordGrant The handlePasswordGrant handler uses s.passwordConnector directly without validating against client.AllowedConnectors. The other three handlers that deal with connector selection (handleConnectorLogin:377, handleAuthorization:oauth2.go:535, handleTokenExchange:1835) all call isConnectorAllowed(). This adds the same check to match. --- server/handlers.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/server/handlers.go b/server/handlers.go index c4d757dd5f..2f799a0e8a 100644 --- a/server/handlers.go +++ b/server/handlers.go @@ -1617,6 +1617,10 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli // Which connector connID := s.passwordConnector + if !isConnectorAllowed(client.AllowedConnectors, connID) { + s.tokenErrHelper(w, errInvalidGrant, "Connector not allowed for this client.", http.StatusBadRequest) + return + } conn, err := s.getConnector(ctx, connID) if err != nil { s.tokenErrHelper(w, errInvalidRequest, "Requested connector does not exist.", http.StatusBadRequest)