Update oauth2.go

Makefile

@@ -5,7 +5,7 @@ export PATH := $(PWD)/bin:$(PATH)
 
 VERSION ?= $(shell ./scripts/git-version)
 
-DOCKER_REPO=quay.io/dexidp/dex
+DOCKER_REPO=quay.io/profects/dex
 DOCKER_IMAGE=$(DOCKER_REPO):$(VERSION)
 
 $( shell mkdir -p bin )

connector/microsoft/microsoft.go

@@ -91,7 +91,9 @@ func (c *microsoftConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
 	if c.groupsRequired(scopes.Groups) {
 		microsoftScopes = append(microsoftScopes, scopeGroups)
 	}
-
+	if scopes.OfflineAccess {
+		microsoftScopes = append(microsoftScopes, "offline_access")
+	}
 	return &oauth2.Config{
 		ClientID:     c.clientID,
 		ClientSecret: c.clientSecret,

server/oauth2.go

@@ -534,12 +534,14 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
 }
 
 func validateRedirectURI(client storage.Client, redirectURI string) bool {
-	if !client.Public {
-		for _, uri := range client.RedirectURIs {
-			if redirectURI == uri {
-				return true
-			}
+
+	for _, uri := range client.RedirectURIs {
+		if redirectURI == uri {
+			return true
 		}
+	}
+	// If no redirect url matches for non-public client the redirect url is not valid
+	if !client.Public {
 		return false
 	}
 

server/server.go

@@ -253,10 +253,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	}
 	handleWithCORS := func(p string, h http.HandlerFunc) {
 		var handler http.Handler = h
-		if len(c.AllowedOrigins) > 0 {
-			corsOption := handlers.AllowedOrigins(c.AllowedOrigins)
-			handler = handlers.CORS(corsOption)(handler)
-		}
+
+		// 		if len(c.AllowedOrigins) > 0 {
+		// 			corsOption := handlers.AllowedOrigins(c.AllowedOrigins)
+		// 			handler = handlers.CORS(corsOption)(handler)
+		// 		}
+
+		corsOptions := handlers.IgnoreOptions()
+		corsSettings := handlers.AllowedOrigins(c.AllowedOrigins)
+		handler = handlers.CORS(corsSettings, corsOptions)(handler)
+
 		r.Handle(path.Join(issuerURL.Path, p), handler)
 	}
 	r.NotFoundHandler = http.HandlerFunc(http.NotFound)