Revert "Remove oauth2 patch that is no longer necessary"

This reverts commit fa752b25eb. Reason for revert: still needed until newer upstream Change-Id: Icecf71afaca21686b5b9abccbcc9f9fa1145ce41 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/323891 Tested-by: Isaac Moore <isaac.moore@instructure.com> QA-Review: Isaac Moore <isaac.moore@instructure.com> Product-Review: Isaac Moore <isaac.moore@instructure.com> Reviewed-by: Jacob Burroughs <jburroughs@instructure.com>
2023-08-01 16:01:40 +00:00 · 2023-08-01 16:01:40 +00:00 · 25f313de48
parent 80c61bcba0
commit 25f313de48
3 changed files with 46 additions and 0 deletions
--- a/app/models/authentication_provider/oauth.rb
+++ b/app/models/authentication_provider/oauth.rb
@ -19,6 +19,7 @@
 #

 require "oauth2"
+require "canvas/core_ext/oauth2"

 class AuthenticationProvider::OAuth < AuthenticationProvider::Delegated
  SENSITIVE_PARAMS = [:consumer_secret].freeze
--- a/app/models/authentication_provider/oauth2.rb
+++ b/app/models/authentication_provider/oauth2.rb
@ -19,6 +19,7 @@
 #

 require "oauth2"
+require "canvas/core_ext/oauth2"

 class OAuthValidationError < RuntimeError
 end
--- a/lib/canvas/core_ext/oauth2.rb
+++ b/lib/canvas/core_ext/oauth2.rb
@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+#
+# Copyright (C) 2016 - present Instructure, Inc.
+#
+# This file is part of Canvas.
+#
+# Canvas is free software: you can redistribute it and/or modify it under
+# the terms of the GNU Affero General Public License as published by the Free
+# Software Foundation, version 3 of the License.
+#
+# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+module Canvas::CoreExt
+  module OAuth2
+    def get_token(params, access_token_opts = {}, access_token_class = ::OAuth2::AccessToken)
+      params = ::OAuth2::Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
+      opts = { raise_errors: options[:raise_errors], parse: params.delete(:parse) }
+      headers = params.delete(:headers) || {}
+      if options[:token_method] == :post
+        opts[:body] = params
+        opts[:headers] = { "Content-Type" => "application/x-www-form-urlencoded" }
+      else
+        opts[:params] = params
+        opts[:headers] = {}
+      end
+      opts[:headers].merge!(headers)
+      response = request(options[:token_method], token_url, opts)
+      # only change is on this line; Microsoft doesn't send back an access_token if you're doing a pure OpenID Connect auth
+      if options[:raise_errors] && !((response.parsed.is_a?(Hash) && response.parsed["access_token"]) || response.parsed["id_token"])
+        error = ::OAuth2::Error.new(response)
+        raise(error)
+      end
+      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
+    end
+  end
+end
+OAuth2::Client.prepend(Canvas::CoreExt::OAuth2)