Use basic auth for Authelia token exchange

2026-05-24 18:04:28 +02:00
parent 1d68639225
commit 56d279a8e6
2 changed files with 23 additions and 1 deletions
--- a/src/internal/adapters/authelia/adapter.go
+++ b/src/internal/adapters/authelia/adapter.go
@@ -143,13 +143,13 @@ func (a *AutheliaAdapter) exchangeCode(_ context.Context, code string) (*tokenRe
 	body.Set("code", code)
 	body.Set("redirect_uri", a.cfg.RedirectURI)
 	body.Set("client_id", a.cfg.ClientID)
-	body.Set("client_secret", a.cfg.ClientSecret)

 	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body.Encode()))
 	if err != nil {
 		return nil, fmt.Errorf("authelia: build token request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth(a.cfg.ClientID, a.cfg.ClientSecret)

 	resp, err := a.client.Do(req)
 	if err != nil {
--- a/src/internal/adapters/authelia/adapter_test.go
+++ b/src/internal/adapters/authelia/adapter_test.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"testing"

@@ -179,6 +180,27 @@ func TestHandleCallback_Success_PreferredUsername(t *testing.T) {
 			if req.Method != http.MethodPost {
 				t.Errorf("expected POST, got %s", req.Method)
 			}
+			gotID, gotSecret, ok := req.BasicAuth()
+			if !ok {
+				t.Error("expected client_secret_basic authentication")
+			}
+			if gotID != "keycape" || gotSecret != "test-secret" {
+				t.Errorf("unexpected basic auth credentials for client %q", gotID)
+			}
+			rawBody, err := io.ReadAll(req.Body)
+			if err != nil {
+				t.Fatalf("read request body: %v", err)
+			}
+			form, err := url.ParseQuery(string(rawBody))
+			if err != nil {
+				t.Fatalf("parse request body: %v", err)
+			}
+			if form.Get("client_secret") != "" {
+				t.Error("client_secret must not be sent in the form body")
+			}
+			if form.Get("client_id") != "keycape" {
+				t.Errorf("client_id: want keycape, got %q", form.Get("client_id"))
+			}
 			return jsonResponse(tokenBody), nil
 		},
 	}