From 56d279a8e628d6a456d587d2a5a80e027157807e Mon Sep 17 00:00:00 2001
From: tegwick
Date: Sun, 24 May 2026 18:04:28 +0200
Subject: [PATCH] Use basic auth for Authelia token exchange
---
 src/internal/adapters/authelia/adapter.go | 2 +-
 .../adapters/authelia/adapter_test.go | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/internal/adapters/authelia/adapter.go b/src/internal/adapters/authelia/adapter.go
index c860472..057c303 100644
--- a/src/internal/adapters/authelia/adapter.go
+++ b/src/internal/adapters/authelia/adapter.go
@@ -143,13 +143,13 @@ func (a *AutheliaAdapter) exchangeCode(_ context.Context, code string) (*tokenRe
 body.Set("code", code)
 body.Set("redirect_uri", a.cfg.RedirectURI)
 body.Set("client_id", a.cfg.ClientID)
- body.Set("client_secret", a.cfg.ClientSecret)
 req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body.Encode()))
 if err != nil {
 return nil, fmt.Errorf("authelia: build token request: %w", err)
 }
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ req.SetBasicAuth(a.cfg.ClientID, a.cfg.ClientSecret)
 resp, err := a.client.Do(req)
 if err != nil {
diff --git a/src/internal/adapters/authelia/adapter_test.go b/src/internal/adapters/authelia/adapter_test.go
index c71756f..8035a97 100644
--- a/src/internal/adapters/authelia/adapter_test.go
+++ b/src/internal/adapters/authelia/adapter_test.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "io"
 "net/http"
+ "net/url"
 "strings"
 "testing"
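Review bot: `req.SetBasicAuth(a.cfg.ClientID, a.cfg.ClientSecret)` hands the raw credentials to the Basic header, but RFC 6749 §2.3.1 requires client_id and client_secret to be application/x-www-form-urlencoded before they are placed there, and Authelia's OIDC provider (fosite-derived, as far as I recall — worth confirming) url-unescapes both halves on receipt; a secret containing `%`, `+` or `:` (which Go's `SetBasicAuth` documents as forbidden in the username) will be rejected or mis-parsed even though the old form-body path handled it. Encoding both values, `req.SetBasicAuth(url.QueryEscape(a.cfg.ClientID), url.QueryEscape(a.cfg.ClientSecret))`, matches the spec; `body` appears to be a `url.Values`, so `net/url` should already be in scope. Separately, the signature's unused `_ context.Context` means the request is still built with `http.NewRequest` rather than `http.NewRequestWithContext(ctx, ...)`, so the caller's cancellation and deadline never reach the token exchange. exchangeCode begins before this hunk and continues past it.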
@@ -179,6 +180,27 @@ func TestHandleCallback_Success_PreferredUsername(t *testing.T) {
 if req.Method != http.MethodPost {
 t.Errorf("expected POST, got %s", req.Method)
 }
+ gotID, gotSecret, ok := req.BasicAuth()
+ if !ok {
+ t.Error("expected client_secret_basic authentication")
+ }
+ if gotID != "keycape" || gotSecret != "test-secret" {
+ t.Errorf("unexpected basic auth credentials for client %q", gotID)
+ }
+ rawBody, err := io.ReadAll(req.Body)
+ if err != nil {
+ t.Fatalf("read request body: %v", err)
+ }
+ form, err := url.ParseQuery(string(rawBody))
+ if err != nil {
+ t.Fatalf("parse request body: %v", err)
+ }
+ if form.Get("client_secret") != "" {
+ t.Error("client_secret must not be sent in the form body")
+ }
+ if form.Get("client_id") != "keycape" {
+ t.Errorf("client_id: want keycape, got %q", form.Get("client_id"))
+ }
 return jsonResponse(tokenBody), nil
 },
 }
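Review bot: `if form.Get("client_secret") != ""` near the end of the new assertions still passes if the body carries `client_secret=` with an empty value, so it does not fully establish that the secret left the form; `if form.Has("client_secret")` (Go 1.17+) tests key presence instead. When `req.BasicAuth()` reports `!ok`, the `t.Error` lets execution fall through to the credential comparison and report a second, redundant mismatch on empty strings — `t.Fatal("expected client_secret_basic authentication")` would keep the failure to one meaningful message (the closure already uses `t.Fatalf`, so that is consistent with the surrounding style). Keeping the secret out of the `t.Errorf` format on the mismatch path is a good call and worth preserving if this is reworked.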