From 9f026caf5adf4bc99c4baf27163b087fdcfb2a17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Tue, 3 Sep 2024 11:45:52 +0000 Subject: [PATCH 1/3] Update erlfmt & Format --- src/oidcc_backoff.erl | 1 - src/oidcc_client_registration.erl | 1 - src/oidcc_logout.erl | 1 - src/oidcc_token.erl | 3 -- src/oidcc_token_introspection.erl | 61 +++++++++++++++---------------- 5 files changed, 30 insertions(+), 37 deletions(-) diff --git a/src/oidcc_backoff.erl b/src/oidcc_backoff.erl index 514f1dd..a0803d9 100644 --- a/src/oidcc_backoff.erl +++ b/src/oidcc_backoff.erl @@ -8,7 +8,6 @@ Based on [`db_connection`](https://github.com/elixir-ecto/db_connection/blob/8ef """). ?MODULEDOC(#{since => <<"3.2.0">>}). - -export_type([type/0]). -export_type([min/0]). -export_type([max/0]). diff --git a/src/oidcc_client_registration.erl b/src/oidcc_client_registration.erl index c516cef..e8e4f34 100644 --- a/src/oidcc_client_registration.erl +++ b/src/oidcc_client_registration.erl @@ -147,7 +147,6 @@ All unrecognized fields are stored in `extra_fields`. extra_fields :: #{binary() => term()} }. - ?DOC(#{since => <<"3.0.0">>}). -type error() :: registration_not_supported diff --git a/src/oidcc_logout.erl b/src/oidcc_logout.erl index 140a279..46ef5f1 100644 --- a/src/oidcc_logout.erl +++ b/src/oidcc_logout.erl @@ -2,7 +2,6 @@ -feature(maybe_expr, enable). - -include("internal/doc.hrl"). ?MODULEDOC("Logout from the OpenID Provider."). ?MODULEDOC(#{since => <<"3.0.0">>}). diff --git a/src/oidcc_token.erl b/src/oidcc_token.erl index 3e9fcdc..784b583 100644 --- a/src/oidcc_token.erl +++ b/src/oidcc_token.erl @@ -64,7 +64,6 @@ ID Token Wrapper. ?DOC(#{since => <<"3.0.0">>}). -type id() :: #oidcc_token_id{token :: binary(), claims :: oidcc_jwt_util:claims()}. - ?DOC(""" Access Token Wrapper. 
@@ -154,7 +153,6 @@ See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3. body_extension => oidcc_http_util:query_params() }. - ?DOC(#{since => <<"3.0.0">>}). -type refresh_opts() :: #{ @@ -184,7 +182,6 @@ See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3. trusted_audiences => [binary()] | any }. - ?DOC(#{since => <<"3.0.0">>}). -type jwt_profile_opts() :: #{ scope => oidcc_scope:scopes(), diff --git a/src/oidcc_token_introspection.erl b/src/oidcc_token_introspection.erl index 7f2b918..8f6e227 100644 --- a/src/oidcc_token_introspection.erl +++ b/src/oidcc_token_introspection.erl @@ -48,7 +48,6 @@ See https://datatracker.ietf.org/doc/html/rfc7662#section-2.2. iss :: binary() }. - ?DOC(#{since => <<"3.0.0">>}). -type opts() :: #{ preferred_auth_methods => [oidcc_auth_util:auth_method(), ...], @@ -225,33 +224,33 @@ extract_response(TokenMap) -> Jti = maps:get(<<"jti">>, TokenMap, undefined), ClientId = maps:get(<<"client_id">>, TokenMap, undefined), {ok, #oidcc_token_introspection{ - active = Active, - scope = oidcc_scope:parse(Scope), - client_id = ClientId, - username = Username, - exp = Exp, - token_type = TokenType, - iat = Iat, - nbf = Nbf, - sub = Sub, - aud = Aud, - iss = Iss, - jti = Jti, - extra = maps:without( - [ - <<"scope">>, - <<"active">>, - <<"username">>, - <<"exp">>, - <<"client_id">>, - <<"token_type">>, - <<"iat">>, - <<"nbf">>, - <<"sub">>, - <<"aud">>, - <<"iss">>, - <<"jti">> - ], - TokenMap - ) - }}. + active = Active, + scope = oidcc_scope:parse(Scope), + client_id = ClientId, + username = Username, + exp = Exp, + token_type = TokenType, + iat = Iat, + nbf = Nbf, + sub = Sub, + aud = Aud, + iss = Iss, + jti = Jti, + extra = maps:without( + [ + <<"scope">>, + <<"active">>, + <<"username">>, + <<"exp">>, + <<"client_id">>, + <<"token_type">>, + <<"iat">>, + <<"nbf">>, + <<"sub">>, + <<"aud">>, + <<"iss">>, + <<"jti">> + ], + TokenMap + ) + }}. From faf38309c1cc5ad6aad8793b2cc7f00947fd1596 Mon Sep 17 00:00:00 2001 
From: Paul Swartz Date: Tue, 3 Sep 2024 10:15:54 -0400 Subject: [PATCH 2/3] fix: partially revert "Don't send the same parameters in query string and JWT for redirect URL (#360)" (#375) This reverts partially commit 3b0b5221a0c88ad733a3ffc769b5acada70c2afd. This commit started to fail the OIDC conformance suite: https://gitlab.com/paulswartz/ueberauth_oidcc_certification/-/pipelines/1391557144 In particular, the error is: Required http request parameters and request object claims must match ``` Required parameter 'response_type' was not found in http request parameters Required parameter 'client_id' was not found in http request parameters ``` `redirect_url` does not appear to be required, so we continue to leave that out. --- src/oidcc_authorization.erl | 2 ++ test/oidcc_authorization_SUITE.erl | 2 ++ test/oidcc_authorization_test.erl | 2 ++ 3 files changed, 6 insertions(+) diff --git a/src/oidcc_authorization.erl b/src/oidcc_authorization.erl index 64175b4..8cc2b1e 100644 --- a/src/oidcc_authorization.erl +++ b/src/oidcc_authorization.erl @@ -447,6 +447,8 @@ essential_params(QueryParams) -> lists:filter( fun ({<<"scope">>, _Value}) -> true; + ({<<"response_type">>, _Value}) -> true; + ({<<"client_id">>, _Value}) -> true; (_Other) -> false end, QueryParams diff --git a/test/oidcc_authorization_SUITE.erl b/test/oidcc_authorization_SUITE.erl index 2bcf919..61de536 100644 --- a/test/oidcc_authorization_SUITE.erl +++ b/test/oidcc_authorization_SUITE.erl @@ -44,6 +44,8 @@ create_redirect_url_inl_gov(_Config) -> ?assertMatch( #{ + <<"client_id">> := <<"client_id">>, + <<"response_type">> := <<"code">>, <<"scope">> := <<"openid">>, <<"request">> := _ }, diff --git a/test/oidcc_authorization_test.erl b/test/oidcc_authorization_test.erl index c1c8f81..bc4bde6 100644 --- a/test/oidcc_authorization_test.erl +++ b/test/oidcc_authorization_test.erl 
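Review bot: The allow-list in `essential_params/1` has no comment saying why exactly `scope`, `response_type` and `client_id` stay in the query string, which is presumably how the earlier cleanup came to drop two of them and fail the conformance suite. A comment above the `fun` would record the reason, e.g. `%% OIDC Core 6.1: response_type and client_id must also be sent as plain OAuth 2.0 parameters and match the request object; scope must carry openid.` These query-string copies sit outside the signed request object, so the property worth protecting is that they equal the signed claims; the filter appears to draw them from the same `QueryParams`, but the rest of the function lies outside the hunk, so that should be confirmed. The two test hunks (`oidcc_authorization_SUITE.erl` and `oidcc_authorization_test.erl`) assert the query values but still match `<<"request">> := _`, so a comparison against the decoded request-object claims would cover that invariant.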
@@ -211,6 +211,8 @@ create_redirect_url_with_request_object_test() -> ?assertMatch( #{ + <<"client_id">> := <<"client_id">>, + <<"response_type">> := <<"code">>, <<"scope">> := <<"openid">>, <<"should_be_in">> := <<"both">>, <<"request">> := _ From 3db53d522dfc4134d46c387668f540baa6b8609f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Tue, 3 Sep 2024 14:25:56 +0000 Subject: [PATCH 3/3] Release v3.2.3 --- src/oidcc.app.src | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oidcc.app.src b/src/oidcc.app.src index d0c550b..cbe3b41 100644 --- a/src/oidcc.app.src +++ b/src/oidcc.app.src @@ -1,6 +1,6 @@ {application, oidcc, [ {description, "OpenID Connect client library for the BEAM."}, - {vsn, "3.2.2"}, + {vsn, "3.2.3"}, {registered, []}, {applications, [kernel, stdlib, inets, ssl, public_key, telemetry, jose]}, {env, []},