From d1fe86535ae88eb0ec8b3a64736bbc6c534c8089 Mon Sep 17 00:00:00 2001
From: Louis Chan
Date: Wed, 6 Mar 2024 14:38:29 +0800
Subject: [PATCH] Revert to use client_id and redirect_uri in consent URL

---
 pkg/lib/oauth/handler/handler_authz.go | 31 ++++++++++++--------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/pkg/lib/oauth/handler/handler_authz.go b/pkg/lib/oauth/handler/handler_authz.go
index 141f39168a6..e01928e0e70 100644
--- a/pkg/lib/oauth/handler/handler_authz.go
+++ b/pkg/lib/oauth/handler/handler_authz.go
@@ -175,7 +175,7 @@ func (h *AuthorizationHandler) HandleConsentWithUserCancel(req *http.Request) ht
 var resultErr httputil.Result
 
 if errors.As(err, &oauthError) {
- resultErr = h.prepareConsentErrInvalidOAuthResponse(consentRequest, *oauthError)
+ resultErr = h.prepareConsentErrInvalidOAuthResponse(req, *oauthError)
 } else {
 h.Logger.WithError(err).Error("authz handler failed")
 resultErr = authorizationResultError{
@@ -230,7 +230,7 @@ func (h *AuthorizationHandler) doHandleConsent(req *http.Request, withUserConsen
 var resultErr httputil.Result
 
 if errors.As(err, &oauthError) {
- resultErr = h.prepareConsentErrInvalidOAuthResponse(consentRequest, *oauthError)
+ resultErr = h.prepareConsentErrInvalidOAuthResponse(req, *oauthError)
 } else {
 h.Logger.WithError(err).Error("authz handler failed")
 resultErr = authorizationResultError{
@@ -665,26 +665,23 @@ func (h *AuthorizationHandler) generateSettingsActionResponse(
 return nil
 }
 
-func (h *AuthorizationHandler) prepareConsentErrInvalidOAuthResponse(consent *consentRequest, oauthError protocol.OAuthProtocolError) httputil.Result {
+func (h *AuthorizationHandler) prepareConsentErrInvalidOAuthResponse(req *http.Request, oauthError protocol.OAuthProtocolError) httputil.Result {
 resultErr := authorizationResultError{
- Response: oauthError.Response,
- RedirectURI: consent.RedirectURI,
+ Response: oauthError.Response,
 }
 
+ client := h.ClientResolver.ResolveClient(req.URL.Query().Get("client_id"))
+
 // Only redirect if oauth session is expired / not found
 // It mostly happens when user refresh the page or go back to the page after authenication
- if oauthError.Type() != "invalid_request" {
- return resultErr
- }
-
- client := h.ClientResolver.ResolveClient(consent.Client.ClientID)
- if client == nil {
- return resultErr
- }
-
- err := validateRedirectURI(client, h.HTTPProto, h.HTTPOrigin, h.AppDomains, consent.RedirectURI)
- if err != nil {
- return resultErr
+ if oauthError.Type() == "invalid_request" && client != nil {
+ redirectURI, err := url.Parse(req.URL.Query().Get("redirect_uri"))
+ if err == nil {
+ err = validateRedirectURI(client, h.HTTPProto, h.HTTPOrigin, h.AppDomains, redirectURI)
+ if err == nil {
+ resultErr.RedirectURI = redirectURI
+ }
+ }
 }
 
 return resultErr