feat: add support for response_mode=form_post (#509)

This patch introduces support for `response_mode=form_post` as well as `response_mode` of `none` and `query` and `fragment`.

 To support this new feature your OAuth2 Client must implement the `fosite.ResponseModeClient` interface. We suggest to always return all response modes there unless you want to explicitly disable one of the response modes:

```go
func (c *Client) GetResponseModes() []fosite.ResponseModeType {
	return []fosite.ResponseModeType{
		fosite.ResponseModeDefault,
		fosite.ResponseModeFormPost,
		fosite.ResponseModeQuery,
		fosite.ResponseModeFragment,
	}
}
```

BREAKING CHANGES: As part of this change, methods `GetResponseMode`, `SetDefaultResponseMode`, `GetDefaultResponseMode ` where added to interface `AuthorizeRequester`. Also, methods `GetQuery`, `AddQuery`, and `GetFragment` were merged into one function `GetParameters` and `AddParameter` on the `AuthorizeResponder` interface. Methods on `AuthorizeRequest` and `AuthorizeResponse` changed accordingly and will need to be updated in your codebase. Additionally, the field `Debug` was renamed to `DebugField` and a new method `Debug() string` was added to `RFC6749Error`.

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>

Author: ajanthan

authorize_error.go

@@ -25,8 +25,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-
-	"github.com/pkg/errors"
 )
 
 func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error) {
@@ -66,7 +64,11 @@ func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequest
 	query.Add("state", ar.GetState())
 
 	var redirectURIString string
-	if !(len(ar.GetResponseTypes()) == 0 || ar.GetResponseTypes().ExactOne("code")) && !errors.Is(err, ErrUnsupportedResponseType) {
+	if ar.GetResponseMode() == ResponseModeFormPost {
+		rw.Header().Add("Content-Type", "text/html;charset=UTF-8")
+		WriteAuthorizeFormPostResponse(redirectURI.String(), query, GetPostFormHTMLTemplate(*f), rw)
+		return
+	} else if ar.GetResponseMode() == ResponseModeFragment {
 		redirectURIString = redirectURI.String() + "#" + query.Encode()
 	} else {
 		for key, values := range redirectURI.Query() {

authorize_error_test.go

@@ -88,6 +88,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeQuery).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -106,6 +107,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeDefault).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -124,6 +126,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeQuery).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -142,6 +145,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"foobar"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -160,6 +164,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -178,6 +183,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -196,6 +202,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[0]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -214,6 +221,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -233,6 +241,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"code", "token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -252,6 +261,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"id_token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -271,6 +281,7 @@ func TestWriteAuthorizeError(t *testing.T) {
 				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
 				req.EXPECT().GetState().Return("foostate")
 				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFragment).Times(2)
 				rw.EXPECT().Header().Times(3).Return(header)
 				rw.EXPECT().WriteHeader(http.StatusFound)
 			},
@@ -282,6 +293,24 @@ func TestWriteAuthorizeError(t *testing.T) {
 				assert.Equal(t, "no-cache", header.Get("Pragma"))
 			},
 		},
+		{
+			debug: true,
+			err:   ErrInvalidRequest.WithDebug("with-debug"),
+			mock: func(rw *MockResponseWriter, req *MockAuthorizeRequester) {
+				req.EXPECT().IsRedirectURIValid().Return(true)
+				req.EXPECT().GetRedirectURI().Return(copyUrl(purls[1]))
+				req.EXPECT().GetState().Return("foostate")
+				req.EXPECT().GetResponseTypes().MaxTimes(2).Return(Arguments([]string{"token"}))
+				req.EXPECT().GetResponseMode().Return(ResponseModeFormPost).Times(1)
+				rw.EXPECT().Header().Times(3).Return(header)
+				rw.EXPECT().Write(gomock.Any()).AnyTimes()
+			},
+			checkHeader: func(t *testing.T, k int) {
+				assert.Equal(t, "no-store", header.Get("Cache-Control"))
+				assert.Equal(t, "no-cache", header.Get("Pragma"))
+				assert.Equal(t, "text/html;charset=UTF-8", header.Get("Content-Type"))
+			},
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 			oauth2 := &Fosite{

authorize_helper.go

@@ -22,6 +22,9 @@
 package fosite
 
 import (
+	"fmt"
+	"html/template"
+	"io"
 	"net/url"
 	"regexp"
 	"strings"
@@ -30,6 +33,21 @@ import (
 	"github.com/pkg/errors"
 )
 
+var FormPostDefaultTemplate = template.Must(template.New("form_post").Parse(`<html>
+   <head>
+      <title>Submit This Form</title>
+   </head>
+   <body onload="javascript:document.forms[0].submit()">
+      <form method="post" action="{{ .RedirURL }}">
+         {{ range $key,$value := .Parameters }}
+            {{ range $parameter:= $value}}
+		      <input type="hidden" name="{{$key}}" value="{{$parameter}}"/>
+            {{end}}
+         {{ end }}
+      </form>
+   </body>
+</html>`))
+
 // MatchRedirectURIWithClientRedirectURIs if the given uri is a registered redirect uri. Does not perform
 // uri validation.
 //
@@ -182,3 +200,35 @@ func IsLocalhost(redirectURI *url.URL) bool {
 	hn := redirectURI.Hostname()
 	return strings.HasSuffix(hn, ".localhost") || hn == "127.0.0.1" || hn == "::1" || hn == "localhost"
 }
+
+func WriteAuthorizeFormPostResponse(redirectURL string, parameters url.Values, template *template.Template, rw io.Writer) {
+	_ = template.Execute(rw, struct {
+		RedirURL   string
+		Parameters url.Values
+	}{
+		RedirURL:   redirectURL,
+		Parameters: parameters,
+	})
+}
+
+func URLSetFragment(source *url.URL, fragment url.Values) {
+	var f string
+	for k, v := range fragment {
+		for _, vv := range v {
+			if len(f) != 0 {
+				f += fmt.Sprintf("&%s=%s", k, vv)
+			} else {
+				f += fmt.Sprintf("%s=%s", k, vv)
+			}
+		}
+	}
+	source.Fragment = f
+}
+
+func GetPostFormHTMLTemplate(f Fosite) *template.Template {
+	formPostHTMLTemplate := f.FormPostHTMLTemplate
+	if formPostHTMLTemplate == nil {
+		formPostHTMLTemplate = FormPostDefaultTemplate
+	}
+	return formPostHTMLTemplate
+}