fix: remove reliance on access token and fix signature of client credentials oid provider

Author: gautierrog

client/client.go

@@ -222,26 +222,18 @@ func (o *OpkClient) oidcAuth(
 	if err != nil {
 		return nil, fmt.Errorf("error requesting OIDC tokens from OpenID Provider: %w", err)
 	}
-	providerToken := tokens.IDToken
-	if len(providerToken) == 0 {
-		if _, ok := o.Op.(providers.ClientCredentialsOpenIdProvider); ok && len(tokens.AccessToken) > 0 {
-			providerToken = tokens.AccessToken
-		}
-	}
-	if len(providerToken) == 0 {
-		return nil, fmt.Errorf("provider response missing ID token")
-	}
+	idToken := tokens.IDToken
 	o.refreshToken = tokens.RefreshToken
 	o.accessToken = tokens.AccessToken
 
 	// Sign over the payload from the ID token and client instance claims
-	cicToken, err := cic.Sign(signer, alg, providerToken)
+	cicToken, err := cic.Sign(signer, alg, idToken)
 	if err != nil {
 		return nil, fmt.Errorf("error creating cic token: %w", err)
 	}
 
 	// Combine our ID token and signature over the cic to create our PK Token
-	pkt, err := pktoken.New(providerToken, cicToken)
+	pkt, err := pktoken.New(idToken, cicToken)
 	if err != nil {
 		return nil, fmt.Errorf("error creating PK Token: %w", err)
 	}

providers/op.go

@@ -57,7 +57,6 @@ type RefreshableOpenIdProvider interface {
 // Interface for an OpenIdProvider that supports OAuth2 client credentials flow.
 type ClientCredentialsOpenIdProvider interface {
 	OpenIdProvider
-	RequestClientCredentialsTokens(ctx context.Context, scopes []string) (*simpleoidc.Tokens, error)
 }
 
 // Interface for an OpenIdProvider that supports key binding of the ID Token

providers/standard_provider.go

@@ -409,21 +409,18 @@ func (s *StandardOp) RequestTokens(ctx context.Context, cic *clientinstance.Clai
 		return nil, err
 	}
 
-	providerToken := tokens.IDToken
-	if s.ClientCredentialsFlow && len(providerToken) == 0 {
-		providerToken = tokens.AccessToken
-	}
+	idToken := tokens.IDToken
 
 	if s.GQSign {
-		if len(providerToken) == 0 {
-			return nil, fmt.Errorf("cannot apply GQ signature: missing provider token")
+		if len(idToken) == 0 {
+			return nil, fmt.Errorf("cannot apply GQ signature: missing id token")
 		}
 
 		var gqToken []byte
 		if s.ClientCredentialsFlow {
-			gqToken, err = CreateGQBoundToken(ctx, providerToken, s, string(cicHash))
+			gqToken, err = CreateGQBoundToken(ctx, idToken, s, string(cicHash))
 		} else {
-			gqToken, err = CreateGQToken(ctx, providerToken, s)
+			gqToken, err = CreateGQToken(ctx, idToken, s)
 		}
 		if err != nil {
 			return nil, err
@@ -434,7 +431,9 @@ func (s *StandardOp) RequestTokens(ctx context.Context, cic *clientinstance.Clai
 	return tokens, nil
 }
 
-func (s *StandardOp) RequestClientCredentialsTokens(ctx context.Context, scopes []string) (*simpleoidc.Tokens, error) {
+func (s *StandardOp) clientCredentialsRequestTokens(ctx context.Context, _ string) (*simpleoidc.Tokens, error) {
+	scopes := s.Scopes
+
 	if s.ClientSecret == "" {
 		return nil, fmt.Errorf("client credentials flow requires a client secret")
 	}
@@ -495,7 +494,7 @@ func (s *StandardOp) RequestClientCredentialsTokens(ctx context.Context, scopes
 		return nil, fmt.Errorf("failed to decode token response: %w", err)
 	}
 
-	if tokenResponse.AccessToken == "" && tokenResponse.IDToken == "" {
+	if tokenResponse.IDToken == "" {
 		return nil, fmt.Errorf("token endpoint response missing access_token and id_token")
 	}
 
@@ -506,10 +505,6 @@ func (s *StandardOp) RequestClientCredentialsTokens(ctx context.Context, scopes
 	}, nil
 }
 
-func (s *StandardOp) clientCredentialsRequestTokens(ctx context.Context, _ string) (*simpleoidc.Tokens, error) {
-	return s.RequestClientCredentialsTokens(ctx, s.Scopes)
-}
-
 func (s *StandardOp) deviceFlowRequestTokens(ctx context.Context, cicHash string) (*simpleoidc.Tokens, error) {
 	cookieHandler, err := configCookieHandler()
 	if err != nil {