Allow clearing default Azure and Google auth code options (#4315)

Allow users to clear the default IdP auth code options, by explicitly setting an empty idp_request_params map. To do this in a YAML config file, set: idp_request_params: {}
2025-04-29 18:36:30 +02:00 · 2023-06-27 09:11:54 -07:00 · 2023-06-27 09:11:54 -07:00 · 2bf83e20d8
commit 2bf83e20d8
parent 1f839554c9
5 changed files with 70 additions and 2 deletions
--- a/config/options_test.go
+++ b/config/options_test.go
@ -977,6 +977,28 @@ func TestOptions_GetCSRFSameSite(t *testing.T) {
 	}
 }

+func TestOptions_RequestParams(t *testing.T) {
+	cases := []struct {
+		label    string
+		config   string
+		expected map[string]string
+	}{
+		{"not present", "", nil},
+		{"explicitly empty", "idp_request_params: {}", map[string]string{}},
+	}
+	cfg := filepath.Join(t.TempDir(), "config.yaml")
+	for i := range cases {
+		c := &cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			err := os.WriteFile(cfg, []byte(c.config), 0644)
+			require.NoError(t, err)
+			o, err := newOptionsFromConfig(cfg)
+			require.NoError(t, err)
+			assert.Equal(t, c.expected, o.RequestParams)
+		})
+	}
+}
+
 func encodeCert(cert *tls.Certificate) []byte {
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
 }
--- a/internal/identity/oidc/azure/microsoft.go
+++ b/internal/identity/oidc/azure/microsoft.go
@ -61,7 +61,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
 	p.Provider = genericOidc

 	p.AuthCodeOptions = defaultAuthCodeOptions
-	if len(o.AuthCodeOptions) != 0 {
+	if o.AuthCodeOptions != nil {
 		p.AuthCodeOptions = o.AuthCodeOptions
 	}

--- a/internal/identity/oidc/azure/microsoft_test.go
+++ b/internal/identity/oidc/azure/microsoft_test.go
@ -0,0 +1,23 @@
+package azure
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/pomerium/internal/identity/oauth"
+)
+
+func TestAuthCodeOptions(t *testing.T) {
+	var options oauth.Options
+	p, err := New(context.Background(), &options)
+	require.NoError(t, err)
+	assert.Equal(t, defaultAuthCodeOptions, p.AuthCodeOptions)
+
+	options.AuthCodeOptions = map[string]string{}
+	p, err = New(context.Background(), &options)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]string{}, p.AuthCodeOptions)
+}
--- a/internal/identity/oidc/google/google.go
+++ b/internal/identity/oidc/google/google.go
@ -55,7 +55,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
 	p.Provider = genericOidc

 	p.AuthCodeOptions = defaultAuthCodeOptions
-	if len(o.AuthCodeOptions) != 0 {
+	if o.AuthCodeOptions != nil {
 		p.AuthCodeOptions = o.AuthCodeOptions
 	}
 	return &p, nil
--- a/internal/identity/oidc/google/google_test.go
+++ b/internal/identity/oidc/google/google_test.go
@ -0,0 +1,23 @@
+package google
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pomerium/pomerium/internal/identity/oauth"
+)
+
+func TestAuthCodeOptions(t *testing.T) {
+	var options oauth.Options
+	p, err := New(context.Background(), &options)
+	require.NoError(t, err)
+	assert.Equal(t, defaultAuthCodeOptions, p.AuthCodeOptions)
+
+	options.AuthCodeOptions = map[string]string{}
+	p, err = New(context.Background(), &options)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]string{}, p.AuthCodeOptions)
+}