Fixes

dgellow · dgellow · commit 812c53a233a5 · 2025-07-03T11:52:49.000+02:00
diff --git a/integration/config/config.oauth-token-test.json b/integration/config/config.oauth-token-test.json
@@ -29,7 +29,7 @@
         "displayName": "Notion",
         "instructions": "Create a Notion integration token",
         "helpUrl": "https://developers.notion.com",
-        "tokenFormat": "^secret_[a-zA-Z0-9]{43}$"
+        "validation": "^secret_[a-zA-Z0-9]{43}$"
       }
     },
     "github": {
diff --git a/internal/auth/server.go b/internal/auth/server.go
@@ -100,24 +100,37 @@ func NewServer(config Config, store storage.Storage) (*Server, error) {
 
 	// Configure fosite
 	oauthConfig := &compose.Config{
-		AccessTokenLifespan:      config.TokenTTL,
-		RefreshTokenLifespan:     config.TokenTTL * 2,
-		AuthorizeCodeLifespan:    10 * time.Minute,
-		MinParameterEntropy:      minEntropy,
-		EnforcePKCE:              true,
-		ScopeStrategy:            fosite.HierarchicScopeStrategy,
-		AudienceMatchingStrategy: fosite.DefaultAudienceMatchingStrategy,
-		HashCost:                 12,
+		AccessTokenLifespan:            config.TokenTTL,
+		RefreshTokenLifespan:           config.TokenTTL * 2,
+		AuthorizeCodeLifespan:          10 * time.Minute,
+		TokenURL:                       config.Issuer + "/token",
+		ScopeStrategy:                  fosite.HierarchicScopeStrategy,
+		AudienceMatchingStrategy:       fosite.DefaultAudienceMatchingStrategy,
+		EnforcePKCEForPublicClients:    true,
+		EnablePKCEPlainChallengeMethod: false,
+		MinParameterEntropy:            minEntropy,
 	}
 
-	// Create provider using compose
-	provider := compose.ComposeAllEnabled(
+	// Create provider using compose with specific factories
+	provider := compose.Compose(
 		oauthConfig,
 		store,
-		secret,
-		nil, // RSA key not needed for our use case
+		&compose.CommonStrategy{
+			CoreStrategy: compose.NewOAuth2HMACStrategy(oauthConfig, secret, nil),
+		},
+		nil, // hasher
+		compose.OAuth2AuthorizeExplicitFactory,
+		compose.OAuth2ClientCredentialsGrantFactory,
+		compose.OAuth2PKCEFactory,
+		compose.OAuth2RefreshTokenGrantFactory,
+		compose.OAuth2TokenIntrospectionFactory,
 	)
 
+	// Set default session duration if not configured
+	if config.SessionDuration == 0 {
+		config.SessionDuration = 24 * time.Hour
+	}
+
 	return &Server{
 		provider:         provider,
 		storage:          store,
diff --git a/internal/server/auth_handlers.go b/internal/server/auth_handlers.go
@@ -75,6 +75,22 @@ func (h *AuthHandlers) AuthorizeHandler(w http.ResponseWriter, r *http.Request)
 	ctx := r.Context()
 	log.Logf("Authorize handler called: %s %s", r.Method, r.URL.Path)
 
+	// In development mode, generate a secure state parameter if missing
+	// This works around bugs in OAuth clients that don't send state
+	stateParam := r.URL.Query().Get("state")
+	if internal.IsDevelopmentMode() && len(stateParam) == 0 {
+		generatedState := crypto.GenerateSecureToken()
+		log.LogWarn("Development mode: generating state parameter '%s' for buggy client", generatedState)
+		q := r.URL.Query()
+		q.Set("state", generatedState)
+		r.URL.RawQuery = q.Encode()
+		// Also update the form values
+		if r.Form == nil {
+			_ = r.ParseForm()
+		}
+		r.Form.Set("state", generatedState)
+	}
+
 	// Parse the authorize request
 	ar, err := h.authServer.GetProvider().NewAuthorizeRequest(ctx, r)
 	if err != nil {
diff --git a/oauth-user-auth-plan.md b/oauth-user-auth-plan.md

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`"displayName": "Notion",`
`30`	`30`	`"instructions": "Create a Notion integration token",`
`31`	`31`	`"helpUrl": "https://developers.notion.com",`
`32`		`- "tokenFormat": "^secret_[a-zA-Z0-9]{43}$"`
	`32`	`+ "validation": "^secret_[a-zA-Z0-9]{43}$"`
`33`	`33`	`}`
`34`	`34`	`},`
`35`	`35`	`"github": {`