
Commit cd5a254

Merge pull request #318 from yashsinghcodes/main
fix: handle zScaler auth send client_id and client_secret in body
2 parents 1526577 + 34f7836 commit cd5a254


1 file changed

+21
-2
lines changed


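--- a/oauth2.go
+++ b/oauth2.go
@@ -3626,6 +3626,11 @@ func GetOauth2ApplicationPermissionToken(ctx context.Context, user User, appAuth
 return appAuth, fmt.Errorf("Missing oauth2 fields. Required: token_uri, client_id, client_secret, scopes")
 }
 
+zscalerAuth := strings.Contains(tokenUrl, ".zslogin.net")
+if zscalerAuth && len(scope) == 0 {
+scope = "https://api.zscaler.com"
+}
+
 refreshData := fmt.Sprintf("grant_type=client_credentials")
 if len(grantType) > 0 {
 refreshData = fmt.Sprintf("grant_type=%s", grantType)
@@ -3644,8 +3649,17 @@ func GetOauth2ApplicationPermissionToken(ctx context.Context, user User, appAuth
 refreshData += fmt.Sprintf("&client_secret=%s", clientSecret)
 }
 
+if grantType == "client_credentials" && zscalerAuth {
+refreshData += fmt.Sprintf("&client_id=%s", clientId)
+refreshData += fmt.Sprintf("&client_secret=%s", clientSecret)
+}
+
 if len(scope) > 0 {
-refreshData += fmt.Sprintf("&scope=%s", strings.Replace(scope, ",", " ", -1))
+if zscalerAuth {
+refreshData += fmt.Sprintf("&audience=%s", strings.Replace(scope, ",", " ", -1))
+} else {
+refreshData += fmt.Sprintf("&scope=%s", strings.Replace(scope, ",", " ", -1))
+}
 }
 
 if strings.Contains(refreshData, "user_impersonation") && strings.Contains(refreshData, "azure") && !strings.Contains(refreshData, "resource=") {
@@ -3668,7 +3682,7 @@ func GetOauth2ApplicationPermissionToken(ctx context.Context, user User, appAuth
 }
 
 // Basic auth handler for client_credentials. May not always be the case, it's currently used by default
-if grantType == "client_credentials" {
+if grantType == "client_credentials" && !zscalerAuth {
 authHeader := fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))))
 req.Header.Set("Authorization", authHeader)
 }
@@ -3706,6 +3720,11 @@ func GetOauth2ApplicationPermissionToken(ctx context.Context, user User, appAuth
 req.Body = ioutil.NopCloser(bytes.NewBuffer([]byte(refreshData)))
 req.ContentLength = int64(len(refreshData))
 
+if !zscalerAuth {
+authHeader := fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", clientId, clientSecret))))
+req.Header.Set("Authorization", authHeader)
+}
+
 newresp, err = client.Do(req)
 if err != nil {
 log.Printf("[ERROR] Oauth2 application auth (2): Failed to autocorrect scopes -> audience: %s", err)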
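Review bot: The new body-credential lines at new 3653–3654 splice clientId and clientSecret into the form body with `%s` and no escaping, so a secret containing `&`, `=`, `+`, `%` or whitespace corrupts the form or changes its meaning; the pre-existing line at 3649 has the same pattern, but the Zscaler path now relies on body credentials exclusively because the Basic header is suppressed at 3685 and 3723. Use `url.QueryEscape` (or build the body with `url.Values`): `refreshData += "&client_id=" + url.QueryEscape(clientId)` and `refreshData += "&client_secret=" + url.QueryEscape(clientSecret)`, and likewise for the `audience` value at 3659 (`net/url` may already be imported; not visible here). Separately, `strings.Contains(tokenUrl, ".zslogin.net")` at 3629 is a substring test over the whole URL, so a path or query containing that text, or a host such as `zslogin.net.example.com`, flips the auth mode; parsing with `url.Parse` and checking `strings.HasSuffix(u.Hostname(), ".zslogin.net")` is more robust. Also, the body-credential block at 3652 is keyed on `grantType == "client_credentials"` while 3634 defaults the body to `grant_type=client_credentials` when grantType is empty, so an empty grantType on a Zscaler URL appears to send no credentials at all unless the block ending at 3650 covers it — worth confirming. GetOauth2ApplicationPermissionToken starts and ends outside the visible hunks.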
